diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 761b93800a..95b887e08a 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -6,11 +6,6 @@
 "redirect_document_id": true
 },
 {
-"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md",
-"redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np",
-"redirect_document_id": true
-},
-{
 "source_path": "windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md",
 "redirect_url": "/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure",
 "redirect_document_id": true
@@ -631,8 +626,8 @@
 "redirect_document_id": true
 },
 {
-"source_path": "windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md",
-"redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity",
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md",
+"redirect_url": "windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3",
 "redirect_document_id": true
 },
 {
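Review bot: In the `@@ -631,8 +626,8 @@` hunk the new `redirect_url` `windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3` lacks the leading slash that every other `redirect_url` in this file carries, so it would be interpreted as a relative path; it should read `"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3",`. The same hunk overwrites the entry for `windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md` instead of adding beside it, and the `@@ -841,13 +946,18 @@` hunk (`windows/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md`) and the `@@ -12167,11 +12296,6 @@` hunk (`windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md`) drop source paths the same way. Unless those paths are redirected elsewhere in the file, inbound links to them will stop resolving once this lands. Keeping the old entries and pointing them at the new `microsoft-defender-atp` targets (with `redirect_document_id` true for only one source per target) would preserve them.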
@@ -726,96 +721,196 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md", +"redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard", "redirect_document_id": true }, { +"source_path": 
"windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/controlled-folders", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md", "redirect_url": 
"/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders-exploit-guard", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection", +"redirect_document_id": true 
+}, +{ "source_path": "windows/threat-protection/windows-defender-exploit-guard/enable-network-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md", +"redirect_url": 
"/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/evaluate-windows-defender", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/event-views", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard", "redirect_document_id": true }, { +"source_path": 
"windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-exploit-guard", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-exploit-guard/graphics.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/graphics", "redirect_document_id": true @@ -826,11 +921,21 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard", "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/network-protection", +"redirect_document_id": true +}, +{ "source_path": "windows/threat-protection/windows-defender-exploit-guard/prerelease.md", "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/prerelease", "redirect_document_id": true 
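Review bot: The new `windows/security/threat-protection/windows-defender-exploit-guard/*.md` entries in the `@@ -726,96 +721,196 @@` hunk redirect to `microsoft-defender-atp/...`, while the unchanged context entries for the legacy `windows/threat-protection/windows-defender-exploit-guard/*.md` paths still target the `windows/security/threat-protection/windows-defender-exploit-guard/...` URLs that are themselves now redirected, so every legacy path resolves through a two-hop chain (three hops for `collect-cab-files-exploit-guard-submission.md`, which goes via `troubleshoot-np` before reaching `microsoft-defender-atp/troubleshoot-np`). If the publishing pipeline does not flatten chains, the legacy entries should point at the final URL directly, e.g. `"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender",` for the `audit-windows-defender-exploit-guard.md` entry, with `redirect_document_id: true` kept on only one of the two sources that now share a target. Separately, `enable-controlled-folders-exploit-guard.md` and `exploit-protection-exploit-guard.md` keep the `-exploit-guard` suffix in their new targets while the sibling entries (`controlled-folders`, `customize-controlled-folders`, `emet-exploit-protection`, `event-views`) drop it; worth confirming those two target file names exist as written.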
@@ -841,13 +946,18 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations",
 "redirect_document_id": true
 },
 {
-"source_path": "windows/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md",
-"redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np",
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations",
 "redirect_document_id": true
 },
 {
@@ -856,6 +966,11 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection",
+"redirect_document_id": false
+},
+{
 "source_path": "windows/keep-secure/advanced-features-windows-defender-advanced-threat-protection.md",
 "redirect_url": "/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection",
 "redirect_document_id": true
@@ -1005,7 +1120,6 @@
 "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction",
 "redirect_document_id": true
 },
-
 {
 "source_path": "windows/security/threat-protection/windows-defender-atp/configuration-score.md",
 "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/configuration-score",
@@ -3087,11 +3201,6 @@
 "redirect_document_id": true
 },
 {
-"source_path": "windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md",
-"redirect_url": "/windows/security/threat-protection/device-guard/deploy-device-guard-enable-virtualization-based-security",
-"redirect_document_id": true
-},
-{
 "source_path": "windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md",
 "redirect_url": "/windows/security/threat-protection/device-guard/deploy-managed-installer-for-device-guard",
 "redirect_document_id": true
@@ -3132,6 +3241,16 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md",
+"redirect_url": "/windows/security/threat-protection/device-guard/memory-integrity",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/device-security/device-guard/steps-to-deploy-windows-defender-application-control.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy",
 "redirect_document_id": true
@@ -4422,6 +4541,11 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md",
+"redirect_url": "/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/device-security/get-support-for-security-baselines.md",
 "redirect_url": "/windows/security/threat-protection/get-support-for-security-baselines",
 "redirect_document_id": true
@@ -9642,6 +9766,11 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/device-security/device-guard/deploy-device-guard-enable-virtualization-based-security.md",
+"redirect_url": "/windows/security/threat-protection/device-guard/deploy-device-guard-enable-virtualization-based-security",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/keep-secure/deploy-manage-report-windows-defender-antivirus.md",
 "redirect_url": "/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus",
 "redirect_document_id": true
@@ -12167,11 +12296,6 @@
 "redirect_document_id": true
 },
 {
-"source_path": "windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md",
-"redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity",
-"redirect_document_id": true
-},
-{
 "source_path": "windows/keep-secure/requirements-for-deploying-applocker-policies.md",
 "redirect_url": "/windows/device-security/applocker/requirements-for-deploying-applocker-policies",
 "redirect_document_id": true
@@ -14654,7 +14778,7 @@
 {
 "source_path": "windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md",
 "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts",
-"redirect_document_id": true
+"redirect_document_id": false
 },
 {
 "source_path": "windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md",
@@ -14664,7 +14788,7 @@
 {
 "source_path": "windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md",
 "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-machines",
-"redirect_document_id": true
+"redirect_document_id": false
 },
 {
 "source_path": "windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md",
@@ -14867,9 +14991,14 @@
 "redirect_document_id": true
 },
 {
- "source_path": "windows/security/threat-protection/windows-defender-atp/api-power-bi.md",
- "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/api-power-bi",
- "redirect_document_id": true
+"source_path": "windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-app-token",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-app-token.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/api-power-bi",
+"redirect_document_id": true
 },
 {
 "source_path": "windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-powershell.md",
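Review bot: In the `@@ -14867,9 +14991,14 @@` hunk the removed `windows/security/threat-protection/windows-defender-atp/api-power-bi.md` entry is not re-added, so that legacy path no longer redirects to `/windows/security/threat-protection/microsoft-defender-atp/api-power-bi` unless it is covered elsewhere in the file. The two new entries also form a chain, `windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md` → `microsoft-defender-atp/run-advanced-query-sample-power-bi-app-token` → `microsoft-defender-atp/api-power-bi`, with `redirect_document_id: true` on both hops; pointing the first entry straight at `"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/api-power-bi",` and keeping `true` on only one source avoids the double redirect and the duplicate document-id claim. The earlier two hunks flip `redirect_document_id` to `false` on the `-new.md` alert and machine pages, presumably because another source now claims those ids; if so, a one-line comment in the commit message naming that source would make the intent traceable.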
@@ -15002,6 +15131,21 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/is-domain-seen-in-org.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/get-ip-related-machines.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp/is-ip-seen-org.md",
+"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp/exposed-apis-list",
+"redirect_document_id": false
+},
+{
 "source_path": "windows/security/threat-protection/windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md",
 "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/machineaction",
 "redirect_document_id": true
diff --git a/browsers/edge/about-microsoft-edge.md b/browsers/edge/about-microsoft-edge.md
index c9801bd936..1b86c5d81f 100644
--- a/browsers/edge/about-microsoft-edge.md
+++ b/browsers/edge/about-microsoft-edge.md
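Review bot: The new `is-ip-seen-org.md` entry has the `microsoft-defender-atp/` segment doubled in both `source_path` and `redirect_url`; every other entry on this page uses it once, so this reads as a paste error and the target `/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp/exposed-apis-list` is unlikely to resolve. The likely intended lines are `"source_path": "windows/security/threat-protection/microsoft-defender-atp/is-ip-seen-org.md",` and `"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list",`. Separately, `microsoft-defender-atp/get-ip-related-machines.md` is sent to `get-ip-related-alerts` with `redirect_document_id: true`, so a machines page would land on the alerts page and claim its document id; given that the preceding hunk keeps a distinct `get-ip-related-machines` target, this looks unintended and is worth confirming before merge.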
@@ -45,7 +45,7 @@ Some of the components might also need additional system resources. Check the co ## Supported languages -Microsoft Edge supports all of the same languages as Windows 10 and you can use the [Microsoft Translator extension](https://www.microsoft.com/en-us/p/translator-for-microsoft-edge/9nblggh4n4n3) to translate foreign language web pages and text selections for 60+ languages. +Microsoft Edge supports all of the same languages as Windows 10 and you can use the [Microsoft Translator extension](https://www.microsoft.com/p/translator-for-microsoft-edge/9nblggh4n4n3) to translate foreign language web pages and text selections for 60+ languages. If the extension does not work after install, restart Microsoft Edge. If the extension still does not work, provide feedback through the Feedback Hub. diff --git a/browsers/edge/emie-to-improve-compatibility.md b/browsers/edge/emie-to-improve-compatibility.md index c7882f76e7..e9ec39db3f 100644 --- a/browsers/edge/emie-to-improve-compatibility.md +++ b/browsers/edge/emie-to-improve-compatibility.md @@ -41,7 +41,7 @@ If you're having trouble deciding whether Microsoft Edge is right for your organ |Microsoft Edge |IE11 | |---------|---------| -|Microsoft Edge takes you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana. |IE11 offers enterprises additional security, manageability, performance, backward compatibility, and modern standards support. | +|Microsoft Edge takes you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana. |IE11 offers enterprises additional security, manageability, performance, backward compatibility, and modern standards support. | ## Configure the Enterprise Mode Site List diff --git a/browsers/edge/img-microsoft-edge-infographic-lg.md b/browsers/edge/img-microsoft-edge-infographic-lg.md index 2a2ca7e399..722efc8aa2 100644 
--- a/browsers/edge/img-microsoft-edge-infographic-lg.md +++ b/browsers/edge/img-microsoft-edge-infographic-lg.md @@ -9,7 +9,7 @@ author: eavena --- Return to: [Browser: Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md)
-Download image: [Total Economic Impact of Microsoft Edge: Infographic](https://www.microsoft.com/en-us/download/details.aspx?id=53892) +Download image: [Total Economic Impact of Microsoft Edge: Infographic](https://www.microsoft.com/download/details.aspx?id=53892) ![Full-sized Microsoft Edge infographic](images/img-microsoft-edge-infographic-lg.png) diff --git a/browsers/edge/microsoft-edge-forrester.md b/browsers/edge/microsoft-edge-forrester.md index 2407ccef53..b4035d8b3e 100644 --- a/browsers/edge/microsoft-edge-forrester.md +++ b/browsers/edge/microsoft-edge-forrester.md @@ -16,7 +16,7 @@ Forrester Research measures the return on investment (ROI) of Microsoft Edge in ## Forrester report video summary View a brief overview of the Forrester TEI case study that Microsoft commissioned to examine the value your organization can achieve by utilizing Microsoft Edge: -> ![VIDEO ] +> ![VIDEO ] ## Forrester Study report diff --git a/browsers/edge/troubleshooting-microsoft-edge.md b/browsers/edge/troubleshooting-microsoft-edge.md index ba351d8b48..5cd394e473 100644 --- a/browsers/edge/troubleshooting-microsoft-edge.md +++ b/browsers/edge/troubleshooting-microsoft-edge.md @@ -34,4 +34,4 @@ If you want to deliver applications to users via Citrix through Microsoft Edge, ## Missing SettingSync.admx and SettingSync.adml files -Make sure to [download](https://www.microsoft.com/en-us/download/windows.aspx) the latest templates to C:\windows\policydefinitions\. +Make sure to [download](https://www.microsoft.com/download/windows.aspx) the latest templates to C:\windows\policydefinitions\. diff --git a/browsers/includes/helpful-topics-include.md b/browsers/includes/helpful-topics-include.md index 9d4ab636ca..0a0f72e971 100644 --- a/browsers/includes/helpful-topics-include.md +++ b/browsers/includes/helpful-topics-include.md 
@@ -24,7 +24,7 @@ ms.topic: include - [Web Application Compatibility Lab Kit](https://technet.microsoft.com/microsoft-edge/mt612809.aspx) -- [Microsoft Services Support](https://www.microsoft.com/en-us/microsoftservices/support.aspx) +- [Microsoft Services Support](https://www.microsoft.com/microsoftservices/support.aspx) - [Find a Microsoft partner on Pinpoint](https://partnercenter.microsoft.com/pcv/search) diff --git a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md index a430073e9d..563f38160c 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md 
@@ -25,7 +25,7 @@ Before you install Internet Explorer 11, you should: - **Choose how you'll deploy your installation package.** Your deployment method should be based on whether you're installing to computers already running Windows, or if you're deploying IE11 as part of a Windows installation. - - **Existing computers running Windows.** Use System Center R2 2012 System Center 2012 R2 Configuration Manager, System Center Essentials 2010, Windows Server Updates Services (WSUS), or Microsoft Intune to deploy IE11. For more information about how to use these systems, see [System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkID=276664), [System Center Essentials 2010](https://go.microsoft.com/fwlink/p/?LinkId=395200), [Windows Server Update Services](https://go.microsoft.com/fwlink/p/?LinkID=276790), and [Microsoft Intune Overview](https://www.microsoft.com/en-us/cloud-platform/microsoft-intune). + - **Existing computers running Windows.** Use System Center R2 2012 System Center 2012 R2 Configuration Manager, System Center Essentials 2010, Windows Server Updates Services (WSUS), or Microsoft Intune to deploy IE11. For more information about how to use these systems, see [System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkID=276664), [System Center Essentials 2010](https://go.microsoft.com/fwlink/p/?LinkId=395200), [Windows Server Update Services](https://go.microsoft.com/fwlink/p/?LinkID=276790), and [Microsoft Intune Overview](https://www.microsoft.com/cloud-platform/microsoft-intune). - **As part of a Windows deployment.** Update your Windows images to include IE11, and then add the update to your MDT deployment share or to your Windows image. For instructions about how to create and use Windows images, see [Create and Manage a Windows Image Using DISM](https://go.microsoft.com/fwlink/p/?LinkId=299408). 
For general information about deploying IE, see [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkId=331148), [Windows ADK Overview](https://go.microsoft.com/fwlink/p/?LinkId=276669). diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md index 859cf8fbb7..7fc2191028 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md @@ -33,7 +33,7 @@ From AGPM you can: - **Manage your GPO lifecycle with change control features.** You can use the available version-control, history, and auditing features to help you manage your GPOs while moving through your archive, to your editing process, and finally to your GPO deployment. **Note**
-For more information about AGPM, and to get the license, see [Advanced Group Policy Management 4.0 Documents](https://www.microsoft.com/en-us/download/details.aspx?id=13975). +For more information about AGPM, and to get the license, see [Advanced Group Policy Management 4.0 Documents](https://www.microsoft.com/download/details.aspx?id=13975).   diff --git a/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md b/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md index 00029e6c5b..a4ca6348ac 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md +++ b/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md @@ -127,7 +127,7 @@ We recommend that enterprise customers focus their new development on establishe - [Document modes](https://msdn.microsoft.com/library/dn384051(v=vs.85).aspx) - [What is Enterprise Mode?](what-is-enterprise-mode.md) - [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md) -- [Enterprise Site Discovery Toolkit](https://www.microsoft.com/en-us/download/details.aspx?id=44570) +- [Enterprise Site Discovery Toolkit](https://www.microsoft.com/download/details.aspx?id=44570) - [Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md) - [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) - [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md index 0212685d25..0f89abe875 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md +++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md 
@@ -163,6 +163,6 @@ Because the tool is open-source, the source code is readily available for examin - [Web Application Compatibility Lab Kit](https://technet.microsoft.com/microsoft-edge/mt612809.aspx) -- [Microsoft Services Support](https://www.microsoft.com/en-us/microsoftservices/support.aspx) +- [Microsoft Services Support](https://www.microsoft.com/microsoftservices/support.aspx) - [Find a Microsoft partner on Pinpoint](https://partnercenter.microsoft.com/pcv/search) diff --git a/devices/hololens/hololens-requirements.md b/devices/hololens/hololens-requirements.md index 6d0b1dcf12..f2d6ca4c03 100644 --- a/devices/hololens/hololens-requirements.md +++ b/devices/hololens/hololens-requirements.md @@ -35,7 +35,7 @@ Critical cloud services include: - Azure active directory (AAD) - Windows Update (WU) -Commercial customers will need enterprise mobility management (EMM) or mobile device management (MDM) infrastructure in order to manage HoloLens devices at scale. This guide uses [Microsoft Intune](https://www.microsoft.com/en-us/enterprise-mobility-security/microsoft-intune) as an example though any provider with full support for Microsoft Policy can support HoloLens. Ask your mobile device management provider if they support HoloLens 2. +Commercial customers will need enterprise mobility management (EMM) or mobile device management (MDM) infrastructure in order to manage HoloLens devices at scale. This guide uses [Microsoft Intune](https://www.microsoft.com/enterprise-mobility-security/microsoft-intune) as an example though any provider with full support for Microsoft Policy can support HoloLens. Ask your mobile device management provider if they support HoloLens 2. HoloLens does support a limited set of cloud disconnected experiences. diff --git a/devices/hololens/hololens-status.md b/devices/hololens/hololens-status.md index 22c5e995db..60289bad05 100644 --- a/devices/hololens/hololens-status.md +++ b/devices/hololens/hololens-status.md 
@@ -21,8 +21,8 @@ ms.sitesec: library Area|HoloLens (1st gen)|HoloLens 2 ----|:----:|:----: [Azure services](https://status.azure.com/en-us/status)|✔️|✔️ -[Store app](https://www.microsoft.com/en-us/store/collections/hlgettingstarted/hololens)|✔️|✔️ -[Apps](https://www.microsoft.com/en-us/hololens/apps)|✔️|✔️ +[Store app](https://www.microsoft.com/store/collections/hlgettingstarted/hololens)|✔️|✔️ +[Apps](https://www.microsoft.com/hololens/apps)|✔️|✔️ [MDM](https://docs.microsoft.com/en-us/hololens/hololens-enroll-mdm)|✔️|✔️ ## Notes and related topics diff --git a/devices/surface-hub/TOC.md b/devices/surface-hub/TOC.md index fcbbab0ed1..2f7fc9fd1f 100644 --- a/devices/surface-hub/TOC.md +++ b/devices/surface-hub/TOC.md @@ -21,10 +21,10 @@ ### [Configure Easy Authentication for Surface Hub 2S](surface-hub-2s-phone-authenticate.md) ## Deploy +### [Surface Hub 2S adoption and training](surface-hub-2s-adoption-kit.md) ### [First time setup for Surface Hub 2S](surface-hub-2s-setup.md) ### [Connect devices to Surface Hub 2S](surface-hub-2s-connect.md) ### [Surface Hub 2S deployment checklist](surface-hub-2s-deploy-checklist.md) -### [Surface Hub 2S adoption](surface-hub-2s-adoption-kit.md) ### [Create Surface Hub 2S device account](surface-hub-2s-account.md) ### [Create provisioning packages for Surface Hub 2S](surface-hub-2s-deploy.md) ### [Deploy apps to Surface Hub 2S using Intune](surface-hub-2s-deploy-apps-intune.md) diff --git a/devices/surface-hub/create-a-device-account-using-office-365.md b/devices/surface-hub/create-a-device-account-using-office-365.md index 20f13c7d1b..a834e039ee 100644 --- a/devices/surface-hub/create-a-device-account-using-office-365.md +++ b/devices/surface-hub/create-a-device-account-using-office-365.md 
@@ -77,7 +77,7 @@ From here on, you'll need to finish the account creation process using PowerShel In order to run cmdlets used by these PowerShell scripts, the following must be installed for the admin PowerShell console: -- [Microsoft Online Services Sign-In Assistant for IT Professionals RTW](https://www.microsoft.com/en-us/download/details.aspx?id=41950) +- [Microsoft Online Services Sign-In Assistant for IT Professionals RTW](https://www.microsoft.com/download/details.aspx?id=41950) - [Windows Azure Active Directory Module for Windows PowerShell](https://www.microsoft.com/web/handlers/webpi.ashx/getinstaller/WindowsAzurePowershellGet.3f.3f.3fnew.appids) - [Skype for Business Online, Windows PowerShell Module](https://www.microsoft.com/download/details.aspx?id=39366) diff --git a/devices/surface-hub/index.md b/devices/surface-hub/index.md index d9a7bc204f..6d0b532210 100644 --- a/devices/surface-hub/index.md +++ b/devices/surface-hub/index.md @@ -65,9 +65,9 @@ Surface Hub 2S is an all-in-one digital interactive whiteboard, meetings platfor diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md index 5bea64a216..2e9e29bded 100644 --- a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md 
@@ -63,10 +63,12 @@ If you have a single-forest on-premises deployment with Microsoft Exchange 2013 Once you have a compatible policy, then you will need to apply the policy to the device account. However, policies can only be applied to user accounts and not resource mailboxes. You need to convert the mailbox into a user type, apply the policy, and then convert it back into a mailbox—you may need to re-enable it and set the password again too. ```PowerShell + $acctUpn = Get-Mailbox -Identity "" + $credNewAccount.Password = ConvertTo-SecureString -String -AsPlainText -Force Set-Mailbox $acctUpn -Type Regular Set-CASMailbox $acctUpn -ActiveSyncMailboxPolicy $easPolicy Set-Mailbox $acctUpn -Type Room - Set-Mailbox $credNewAccount.UserName -RoomMailboxPassword $credNewAccount.Password -EnableRoomMailboxAccount $true + Set-Mailbox $acctUpn -RoomMailboxPassword $credNewAccount.Password -EnableRoomMailboxAccount $true ``` 4. Various Exchange properties can be set on the device account to improve the meeting experience for people. You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section. diff --git a/devices/surface-hub/surface-hub-2s-account.md b/devices/surface-hub/surface-hub-2s-account.md index b3e9822a05..1b73cf6980 100644 --- a/devices/surface-hub/surface-hub-2s-account.md +++ b/devices/surface-hub/surface-hub-2s-account.md @@ -83,7 +83,7 @@ Set-MsolUserLicense -UserPrincipalName "account@YourDomain.com" -AddLicenses "co ### Install prerequisites - [Visual C++ 2017 Redistributable](https://aka.ms/vs/15/release/vc_redist.x64.exe) -- [Skype for Business Online PowerShell Module](https://www.microsoft.com/en-us/download/confirmation.aspx?id=39366) +- [Skype for Business Online PowerShell Module](https://www.microsoft.com/download/confirmation.aspx?id=39366) ``` Import-Module LyncOnlineConnector 
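Review bot: The added line `$credNewAccount.Password = ConvertTo-SecureString -String -AsPlainText -Force` has no value after `-String`, so it fails as written, and filling it in would leave the device-account password in plain text in the script, the console history and any PowerShell transcript. Prompt for it instead: `$credNewAccount.Password = Read-Host -Prompt "Device account password" -AsSecureString`. `$credNewAccount` is not defined in this snippet, so the step presumably relies on a credential object created earlier in the article; if that object is a PSCredential its `Password` property is read-only and the assignment would fail in any case, so the snippet should create the credential here rather than mutate it. Also `$acctUpn = Get-Mailbox -Identity ""` binds a mailbox object rather than a UPN and passes an empty identity; a labelled placeholder such as `"<device-account-upn>"` makes the intended edit clear to the reader.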
diff --git a/devices/surface-hub/surface-hub-2s-adoption-kit.md b/devices/surface-hub/surface-hub-2s-adoption-kit.md index bf1310a66d..de75086db3 100644 --- a/devices/surface-hub/surface-hub-2s-adoption-kit.md +++ b/devices/surface-hub/surface-hub-2s-adoption-kit.md @@ -1,5 +1,5 @@ --- -title: "Surface Hub 2S Adoption" +title: "Surface Hub 2S Adoption and training guides" description: "Microsoft has developed downloadable materials that you can make available for your users to aid in adoption of Surface Hub 2S." keywords: separate values with commas ms.prod: surface-hub @@ -13,7 +13,7 @@ ms.date: 08/22/2019 ms.localizationpriority: Medium --- -# Surface Hub 2S adoption +# Surface Hub 2S adoption and training guides Whether you are a small or large business, a Surface Hub adoption plan is critical in generating the right use cases and helping your users become comfortable with the device. Check out these downloadable guides designed to help you deliver training across your organization. diff --git a/devices/surface-hub/surface-hub-2s-phone-authenticate.md b/devices/surface-hub/surface-hub-2s-phone-authenticate.md index ae82ccdf36..53b8395f63 100644 --- a/devices/surface-hub/surface-hub-2s-phone-authenticate.md +++ b/devices/surface-hub/surface-hub-2s-phone-authenticate.md @@ -22,7 +22,7 @@ Password-less phone sign-in simplifies signing-in to your meetings and files on ## To set up password-less phone sign-in -1. Download the [Microsoft Authenticator](https://www.microsoft.com/en-us/account/authenticator) app for iPhone or Android to your phone. +1. Download the [Microsoft Authenticator](https://www.microsoft.com/account/authenticator) app for iPhone or Android to your phone. 2. From your PC, go to [https://aka.ms/MFASetup](https://aka.ms/MFASetup) , sign in with your account, and select **Next.** 3. In the Additional security verification screen, select Mobile App and Use verification code, and then select **Setup**. 
diff --git a/devices/surface-hub/surface-hub-update-history.md b/devices/surface-hub/surface-hub-update-history.md index 0f70604dac..f88eb20479 100644 --- a/devices/surface-hub/surface-hub-update-history.md +++ b/devices/surface-hub/surface-hub-update-history.md @@ -24,6 +24,17 @@ Please refer to the “[Surface Hub Important Information](https://support.micro ## Windows 10 Team Creators Update 1703 +
+August 17, 2019—update for Team edition based on KB4512474* (OS Build 15063.2021) + +This update to the Surface Hub includes quality improvements and security fixes. Key updates to Surface Hub, not already outlined in [Windows 10 Update History](https://support.microsoft.com/help/4018124/windows-10-update-history), include: + + * Ensures that Video Out on Hub 2S defaults to "Duplicate" mode. + +Please refer to the [Surface Hub Admin guide](https://docs.microsoft.com/surface-hub/) for enabling/disabling device features and services. +*[KB4503289](https://support.microsoft.com/help/4503289) +
+
June 18, 2019—update for Team edition based on KB4503289* (OS Build 15063.1897) @@ -31,6 +42,9 @@ This update to the Surface Hub includes quality improvements and security fixes. * Addresses an issue with log collection for Microsoft Surface Hub 2S. * Addresses an issue preventing a user from signing in to a Microsoft Surface Hub device with an Azure Active Directory account. This issue occurs because a previous session did not end successfully. +* Adds support for TLS 1.2 connections to identity providers and Exchange in device account setup scenarios. +* Fixes to improve reliability of Hardware Diagnostic App on Hub 2S. +* Fix to improve consistency of first-run setup experience on Hub 2S. Please refer to the [Surface Hub Admin guide](https://docs.microsoft.com/surface-hub/) for enabling/disabling device features and services. *[KB4503289](https://support.microsoft.com/help/4503289) diff --git a/devices/surface/assettag.md b/devices/surface/assettag.md index e0df401dea..7ccc8ed708 100644 --- a/devices/surface/assettag.md +++ b/devices/surface/assettag.md @@ -29,7 +29,7 @@ for Surface devices. It works on Surface Pro 3 and all newer Surface devices. To run Surface Asset Tag: 1. On the Surface device, download **Surface Asset Tag.zip** from the [Microsoft Download - Center](https://www.microsoft.com/en-us/download/details.aspx?id=46703), + Center](https://www.microsoft.com/download/details.aspx?id=46703), extract the zip file, and save AssetTag.exe in desired folder (in this example, C:\\assets). diff --git a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md index 4bad708b64..94094f2b60 100644 --- a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md +++ b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md 
@@ -11,7 +11,7 @@ ms.mktglfcycl: deploy ms.pagetype: surface, devices ms.sitesec: library author: dansimp -ms.date: 08/13/2018 +ms.date: 08/13/2019 ms.author: dansimp ms.topic: article --- diff --git a/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md b/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md index ea5592fb85..258912cc3d 100644 --- a/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md +++ b/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md @@ -55,7 +55,7 @@ Before you can perform a deployment with MDT, you must first supply a set of ope >[!NOTE] ->The installation media generated from the [Get Windows 10](https://www.microsoft.com/en-us/software-download/windows10/) page differs from physical media or media downloaded from the VLSC, in that it contains an image file in Electronic Software Download (ESD) format rather than in the Windows Imaging (WIM) format. Installation media with an image file in WIM format is required for use with MDT. Installation media from the Get Windows 10 page cannot be used for Windows deployment with MDT. +>The installation media generated from the [Get Windows 10](https://www.microsoft.com/software-download/windows10/) page differs from physical media or media downloaded from the VLSC, in that it contains an image file in Electronic Software Download (ESD) format rather than in the Windows Imaging (WIM) format. Installation media with an image file in WIM format is required for use with MDT. Installation media from the Get Windows 10 page cannot be used for Windows deployment with MDT. #### Windows Server 
@@ -64,7 +64,7 @@ Although MDT can be installed on a Windows client, to take full advantage of Win >[!NOTE] ->To evaluate the deployment process for Surface devices or to test the deployment process described in this article with the upcoming release of Windows Server 2016, you can download evaluation and preview versions from the [TechNet Evaluation Center](https://www.microsoft.com/en-us/evalcenter). +>To evaluate the deployment process for Surface devices or to test the deployment process described in this article with the upcoming release of Windows Server 2016, you can download evaluation and preview versions from the [TechNet Evaluation Center](https://www.microsoft.com/evalcenter). #### Windows Deployment Services 
@@ -82,7 +82,7 @@ Because customizations are performed by MDT at the time of deployment, the goal >[!NOTE] ->Hyper-V is available not only on Windows Server, but also on Windows clients, including Professional and Enterprise editions of Windows 8, Windows 8.1, and Windows 10. Find out more at [Client Hyper-V on Windows 10](https://msdn.microsoft.com/virtualization/hyperv_on_windows/windows_welcome) and [Client Hyper-V on Windows 8 and Windows 8.1](https://technet.microsoft.com/library/hh857623) in the TechNet Library. Hyper-V is also available as a standalone product, Microsoft Hyper-V Server, at no cost. You can download [Microsoft Hyper-V Server 2012 R2](https://www.microsoft.com/en-us/evalcenter/evaluate-hyper-v-server-2012-r2) or [Microsoft Hyper-V Server 2016 Technical Preview](https://www.microsoft.com/en-us/evalcenter/evaluate-hyper-v-server-technical-preview) from the TechNet Evaluation Center. +>Hyper-V is available not only on Windows Server, but also on Windows clients, including Professional and Enterprise editions of Windows 8, Windows 8.1, and Windows 10. Find out more at [Client Hyper-V on Windows 10](https://msdn.microsoft.com/virtualization/hyperv_on_windows/windows_welcome) and [Client Hyper-V on Windows 8 and Windows 8.1](https://technet.microsoft.com/library/hh857623) in the TechNet Library. Hyper-V is also available as a standalone product, Microsoft Hyper-V Server, at no cost. You can download [Microsoft Hyper-V Server 2012 R2](https://www.microsoft.com/evalcenter/evaluate-hyper-v-server-2012-r2) or [Microsoft Hyper-V Server 2016 Technical Preview](https://www.microsoft.com/evalcenter/evaluate-hyper-v-server-technical-preview) from the TechNet Evaluation Center. #### Surface firmware and drivers diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md index 3688553be3..a2d74d331c 100644 --- a/devices/surface/microsoft-surface-data-eraser.md 
+++ b/devices/surface/microsoft-surface-data-eraser.md @@ -68,7 +68,7 @@ Some scenarios where Microsoft Surface Data Eraser can be helpful include: To create a Microsoft Surface Data Eraser USB stick, first install the Microsoft Surface Data Eraser setup tool from the Microsoft Download Center using the link provided at the beginning of this article. You do not need a Surface device to *create* the USB stick. After you have downloaded the installation file to your computer, follow these steps to install the Microsoft Surface Data Eraser creation tool: -1. Run the DataEraserSetup.msi installation file that you downloaded from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=46703). +1. Run the DataEraserSetup.msi installation file that you downloaded from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=46703). 2. Select the check box to accept the terms of the license agreement, and then click **Install**. diff --git a/devices/surface/surface-diagnostic-toolkit-for-business-intro.md b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md index 47046fbd72..293aeafe93 100644 --- a/devices/surface/surface-diagnostic-toolkit-for-business-intro.md +++ b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md 
@@ -36,6 +36,6 @@ The diagnosis and repair time averages 15 minutes but could take an hour or long If the Surface Diagnostic Toolkit for Business didn’t fix the problem, you can also: -- Make an in-store appointment: We might be able to fix the problem or provide a replacement Surface at your local Microsoft Store. [Locate a Microsoft Store near you](https://www.microsoft.com/en-us/store/locations/find-a-store?WT.mc_id=MSC_Solutions_en_us_scheduleappt). +- Make an in-store appointment: We might be able to fix the problem or provide a replacement Surface at your local Microsoft Store. [Locate a Microsoft Store near you](https://www.microsoft.com/store/locations/find-a-store?WT.mc_id=MSC_Solutions_en_us_scheduleappt). - Contact customer support: If you want to talk to someone about how to fix your problem, [contact us](https://support.microsoft.com/en-us/help/4037645/contact-surface-warranty-and-software-support-for-business). - Get your Surface serviced: If your Surface product needs service, [request it online](https://mybusinessservice.surface.com/). diff --git a/devices/surface/surface-enterprise-management-mode.md b/devices/surface/surface-enterprise-management-mode.md index df65b6c73d..5944375042 100644 --- a/devices/surface/surface-enterprise-management-mode.md +++ b/devices/surface/surface-enterprise-management-mode.md @@ -226,7 +226,9 @@ create a reset package using PowerShell to reset SEMM. ## Version History - +### Version 2.54.139.0 +* Support to Surface Hub 2S +* Bug fixes ### Version 2.43.136.0 * Support to enable/disable simulatenous multithreating diff --git a/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md b/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md index fc7cf4147e..fc560e5345 100644 --- a/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md +++ b/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md 
@@ -52,7 +52,7 @@ You will also need to have available the following resources: * Windows 10 installation files, such as the installation media downloaded from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx) >[!NOTE] - >Installation media for use with MDT must contain a Windows image in Windows Imaging Format (.wim). Installation media produced by the [Get Windows 10](https://www.microsoft.com/en-us/software-download/windows10/) page does not use a .wim file, instead using an Electronic Software Download (.esd) file, which is not compatible with MDT. + >Installation media for use with MDT must contain a Windows image in Windows Imaging Format (.wim). Installation media produced by the [Get Windows 10](https://www.microsoft.com/software-download/windows10/) page does not use a .wim file, instead using an Electronic Software Download (.esd) file, which is not compatible with MDT. * [Surface firmware and drivers](https://technet.microsoft.com/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices) for Windows 10 * Application installation files for any applications you want to install, such as the Surface app diff --git a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md index dff968bbf3..0432c65257 100644 --- a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md +++ b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md 
@@ -44,7 +44,7 @@ Management of SEMM with Configuration Manager requires the installation of Micro #### Download SEMM scripts for Configuration Manager -After Microsoft Surface UEFI Manager is installed on the client Surface device, SEMM is deployed and managed with PowerShell scripts. You can download samples of the [SEMM management scripts](https://www.microsoft.com/en-us/download/details.aspx?id=46703) from the Download Center. +After Microsoft Surface UEFI Manager is installed on the client Surface device, SEMM is deployed and managed with PowerShell scripts. You can download samples of the [SEMM management scripts](https://www.microsoft.com/download/details.aspx?id=46703) from the Download Center. ## Deploy Microsoft Surface UEFI Manager 
@@ -378,7 +378,7 @@ The following code fragment, found on lines 380-477, is used to write these regi ### Settings names and IDs -To configure Surface UEFI settings or permissions for Surface UEFI settings, you must refer to each setting by either its setting name or setting ID. With each new update for Surface UEFI, new settings may be added. The best way to get a complete list of the settings available on a Surface device, along with the settings name and settings IDs, is to use the ShowSettingsOptions.ps1 script from SEMM_Powershell.zip in [Surface Tools for IT Downloads](https://www.microsoft.com/en-us/download/details.aspx?id=46703) +To configure Surface UEFI settings or permissions for Surface UEFI settings, you must refer to each setting by either its setting name or setting ID. With each new update for Surface UEFI, new settings may be added. The best way to get a complete list of the settings available on a Surface device, along with the settings name and settings IDs, is to use the ShowSettingsOptions.ps1 script from SEMM_Powershell.zip in [Surface Tools for IT Downloads](https://www.microsoft.com/download/details.aspx?id=46703) The computer where ShowSettingsOptions.ps1 is run must have Microsoft Surface UEFI Manager installed, but the script does not require a Surface device. diff --git a/devices/surface/windows-autopilot-and-surface-devices.md b/devices/surface/windows-autopilot-and-surface-devices.md index 8134359845..aee66dbdb7 100644 --- a/devices/surface/windows-autopilot-and-surface-devices.md +++ b/devices/surface/windows-autopilot-and-surface-devices.md 
@@ -19,39 +19,10 @@ Windows Autopilot is a cloud-based deployment technology available in Windows 10 With Surface devices, you can choose to register your devices at the time of purchase when purchasing from a Surface partner enabled for Windows Autopilot. New devices can be shipped directly to your end-users and will be automatically enrolled and configured when the units are unboxed and turned on for the first time. This process can eliminate need to reimage your devices as part of your deployment process, reducing the work required of your deployment staff and opening up new, agile methods for device management and distribution. -In this article learn how to enroll your Surface devices in Windows Autopilot with a Surface partner and the options and considerations you will need to know along the way. This article focuses specifically on Surface devices, for more information about using Windows Autopilot with other devices, or to read more about Windows Autopilot and its capabilities, see [Overview of Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-10-autopilot) in the Windows Docs Library. - -## Prerequisites -Enrollment of Surface devices in Windows Autopilot with a Surface partner enabled for Windows Autopilot has the following licensing requirements for each enrolled Surface device: -* **Azure Active Directory Premium** – Required to enroll your devices in your organization and to automatically enroll devices in your organization’s mobile management solution. -* **Mobile Device Management (such as Microsoft Intune)** – Required to remotely deploy applications, configure, and manage your enrolled devices. -* **Office 365 ProPlus** – Required to deploy Microsoft Office to your enrolled devices. 
- -These requirements are also met by the following solutions: -* Microsoft 365 E3 or E5 (includes Azure Active Directory Premium, Microsoft Intune, and Office 365 ProPlus) - -Or -* Enterprise Mobility + Security E3 or E5 (includes Azure Active Directory Premium and Microsoft Intune) -* Office 365 ProPlus, E3, or E5 (includes Office 365 ProPlus) - ->[!NOTE] ->Deployment of devices using Windows Autopilot to complete the Out-of-Box Experience (OOBE) is supported without these prerequisites, however will yield deployed devices without applications, configuration, or enrollment in a management solution and is highly discouraged. +In this article learn how to enroll your Surface devices in Windows Autopilot with a Surface partner and the options and considerations you will need to know along the way. This article focuses specifically on Surface devices, for more information about using Windows Autopilot with other devices, or to read more about Windows Autopilot and its capabilities, see [Overview of Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-10-autopilot) in the Windows Docs Library. For information about licensing and other prerequisites, see [Windows Autopilot requirements](https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-requirements). ### Windows version considerations -Support for broad deployments of Surface devices using Windows Autopilot, including enrollment performed by Surface partners at the time of purchase, requires devices manufactured with or otherwise installed with Windows 10 Version 1709 (Fall Creators Update). Windows 10 Version 1709 uses a secure 4096-bit (4k) hash value to uniquely identify devices for Windows Autopilot that is necessary for deployments at scale. 
- -### Surface device support -Surface devices with support for out-of-box deployment with Windows Autopilot, enrolled during the purchase process with a Surface partner, include the following devices, where the devices ship from the factory with Windows 10 Version 1709: - -* Surface Pro (5th gen) -* Surface Laptop(1st gen) -* Surface Studio (1st gen) -* Surface Pro 6 -* Surface Book 2 -* Surface Laptop 2 -* Surface Studio 2 -* Surface Go -* Surface Go with LTE Advanced +Support for broad deployments of Surface devices using Windows Autopilot, including enrollment performed by Surface partners at the time of purchase, requires devices manufactured with or otherwise installed with Windows 10 Version 1709 (Fall Creators Update) or later. These versions support a 4000-byte (4k) hash value to uniquely identify devices for Windows Autopilot that is necessary for deployments at scale. All new Surface devices ship with Windows 10 Version 1709 or above. ## Surface partners enabled for Windows Autopilot Enrolling Surface devices in Windows Autopilot at the time of purchase is a capability provided by select Surface partners that are enabled with the capability to identify individual Surface devices during the purchase process and perform enrollment on an organization’s behalf. Devices enrolled by a Surface partner at time of purchase can be shipped directly to users and configured entirely through the zero-touch process of Windows Autopilot, Azure Active Directory, and Mobile Device Management. @@ -63,4 +34,3 @@ When you purchase Surface devices from a Surface partner enabled for Windows Aut - [Insight](https://www.insight.com/en_US/buy/partner/microsoft/surface/windows-autopilot.html) - [SHI](https://www.shi.com/Surface) - diff --git a/education/index.md b/education/index.md index 8dfa606f42..2bd9d1a152 100644 --- a/education/index.md +++ b/education/index.md @@ -26,7 +26,7 @@ ms.prod: w10
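Review bot: The link added to the rewritten intro paragraph, `https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-requirements`, keeps the `/en-us/` locale segment that the rest of this commit is stripping from URLs; drop it for consistency so the page localizes like the other links: `https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot-requirements`. The replacement "Windows version considerations" paragraph now covers the removed per-model list with a blanket statement that all new Surface devices ship with 1709 or later, which is clearer and no longer needs updating per release.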
  • - +
    diff --git a/education/trial-in-a-box/educator-tib-get-started.md b/education/trial-in-a-box/educator-tib-get-started.md index f1d88dc8c8..7c079f414b 100644 --- a/education/trial-in-a-box/educator-tib-get-started.md +++ b/education/trial-in-a-box/educator-tib-get-started.md @@ -339,7 +339,7 @@ For more information about checking for updates, and how to optionally turn on a ## Get more info * Learn more at microsoft.com/education * Find out if your school is eligible for a device trial at aka.ms/EDUTrialInABox -* Buy Windows 10 devices +* Buy Windows 10 devices

    diff --git a/education/trial-in-a-box/itadmin-tib-get-started.md b/education/trial-in-a-box/itadmin-tib-get-started.md index b4cdaad1f4..04b239b53b 100644 --- a/education/trial-in-a-box/itadmin-tib-get-started.md +++ b/education/trial-in-a-box/itadmin-tib-get-started.md @@ -278,4 +278,4 @@ For more information about checking for updates, and how to optionally turn on a ## Get more info * Learn more at microsoft.com/education * Find out if your school is eligible for a device trial at aka.ms/EDUTrialInABox -* Buy Windows 10 devices +* Buy Windows 10 devices diff --git a/education/windows/change-to-pro-education.md b/education/windows/change-to-pro-education.md index da30be64ef..af1534d6a3 100644 --- a/education/windows/change-to-pro-education.md +++ b/education/windows/change-to-pro-education.md @@ -37,7 +37,7 @@ Before you change to Windows 10 Pro Education, make sure you meet these requirem - The user making the changes must be a member of the Azure AD global administrator group. ## Compare Windows 10 Pro and Pro Education editions -You can [compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare) to find out more about the features we support in other editions of Windows 10. +You can [compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare) to find out more about the features we support in other editions of Windows 10. For more info about Windows 10 default settings and recommendations for education customers, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md). 
@@ -314,6 +314,6 @@ For more information about integrating on-premises AD DS domains with Azure AD, [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) [Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md) -[Compare Windows 10 editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare) +[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare) [Windows 10 subscription activation](https://docs.microsoft.com/windows/deployment/windows-10-subscription-activation) diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md index bb621c32d8..027127211f 100644 --- a/education/windows/deploy-windows-10-in-a-school-district.md +++ b/education/windows/deploy-windows-10-in-a-school-district.md 
@@ -26,7 +26,7 @@ This guide shows you how to deploy the Windows 10 operating system in a school d Proper preparation is essential for a successful district deployment. To avoid common mistakes, your first step is to plan a typical district configuration. Just as with building a house, you need a blueprint for what your district and individual schools should look like when it’s finished. The second step in preparation is to learn how you will manage the users, apps, and devices in your district. Just as a builder needs to have the right tools to build a house, you need the right set of tools to deploy your district. ->**Note**  This guide focuses on Windows 10 deployment and management in a district. For management of other devices and operating systems in education environments, see [Manage BYOD and corporate-owned devices with MDM solutions](https://www.microsoft.com/en-us/cloud-platform/mobile-device-management). +>**Note**  This guide focuses on Windows 10 deployment and management in a district. For management of other devices and operating systems in education environments, see [Manage BYOD and corporate-owned devices with MDM solutions](https://www.microsoft.com/cloud-platform/mobile-device-management). ### Plan a typical district configuration 
@@ -115,7 +115,7 @@ The configuration process requires the following devices: * **Admin device.** This is the device you use for your day-to-day job functions. It’s also the one you use to create and manage the Windows 10 and app deployment process. You install the Windows ADK, MDT, and the System Center Configuration Manager Console on this device. * **Reference devices.** These are the devices that you will use as a template for the faculty and student devices. You install Windows 10 and Windows desktop apps on these devices, and then capture an image (.wim file) of the devices. - You will have a reference device for each type of device in your district. For example, if your district has Surface, HP Stream, Dell Inspiron, and Lenovo Yoga devices, then you would have a reference device for each model. For more information about approved Windows 10 devices, see [Explore devices](https://www.microsoft.com/en-us/windows/view-all). + You will have a reference device for each type of device in your district. For example, if your district has Surface, HP Stream, Dell Inspiron, and Lenovo Yoga devices, then you would have a reference device for each model. For more information about approved Windows 10 devices, see [Explore devices](https://www.microsoft.com/windows/view-all). * **Faculty and staff devices.** These are the devices that the teachers, faculty, and staff use for their day-to-day job functions. You use the admin device to deploy (or upgrade) Windows 10 and apps to these devices. * **Student devices.** The students will use these devices. You will use the admin device deploy (or upgrade) Windows 10 and apps to them. 
@@ -550,7 +550,7 @@ In this section, you installed the Windows ADK and MDT on the admin device. You
 Office 365 is one of the core components of your classroom environment. You create and manage student identities in Office 365, and students and teachers use the suite as their email, contacts, and calendar system. They also use Office 365 collaboration features such as SharePoint, OneNote, and OneDrive for Business.
-As a first step in deploying your classroom, create an Office 365 Education subscription, and then configure Office 365 for the classroom. For more information about Office 365 Education deployment, see [School deployment of Office 365 Education](https://www.microsoft.com/en-us/education/products/office-365-deployment-resources/default.aspx).
+As a first step in deploying your classroom, create an Office 365 Education subscription, and then configure Office 365 for the classroom. For more information about Office 365 Education deployment, see [School deployment of Office 365 Education](https://www.microsoft.com/education/products/office-365-deployment-resources/default.aspx).
 ### Select the appropriate Office 365 Education license plan
@@ -991,7 +991,7 @@ Depending on your school’s requirements, you may need any combination of the f
 >**Note**  Although you can use Windows 10 Home on institution-owned devices, Microsoft recommends that you use Windows 10 Pro or Windows 10 Education, instead. Windows 10 Pro and Windows 10 Education provide support for MDM, policy-based management, and Microsoft Store for Business—features not available in Windows 10 Home. For more information about how to upgrade Windows 10 Home to Windows 10 Pro or Windows 10 Education, see [Windows 10 edition upgrade](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades).
-For more information about the Windows 10 editions, see [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare).
+For more information about the Windows 10 editions, see [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare).
 One other consideration is the mix of processor architectures you will support. If you can, support only 64-bit versions of Windows 10. If you have devices that can run only 32-bit versions of Windows 10, you will need to import both 64-bit and 32-bit versions of the Windows 10 editions listed above.
diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md
index f1696a220d..ed3de28f37 100644
--- a/education/windows/deploy-windows-10-in-a-school.md
+++ b/education/windows/deploy-windows-10-in-a-school.md
@@ -164,7 +164,7 @@ In this section, you installed the Windows ADK and MDT on the admin device. You
 Office 365 is one of the core components of your classroom environment. You create and manage student identities in Office 365, and students and teachers use the suite as their email, contacts, and calendar system. Teachers and students use Office 365 collaboration features such as SharePoint, OneNote, and OneDrive for Business.
-As a first step in deploying your classroom, create an Office 365 Education subscription, and then configure Office 365 for the classroom. For more information about Office 365 Education deployment, see [School deployment of Office 365 Education](https://www.microsoft.com/en-us/education/products/office-365-deployment-resources/default.aspx).
+As a first step in deploying your classroom, create an Office 365 Education subscription, and then configure Office 365 for the classroom. For more information about Office 365 Education deployment, see [School deployment of Office 365 Education](https://www.microsoft.com/education/products/office-365-deployment-resources/default.aspx).
 ### Select the appropriate Office 365 Education license plan
diff --git a/education/windows/index.md b/education/windows/index.md
index 0f1dedb139..80684834ef 100644
--- a/education/windows/index.md
+++ b/education/windows/index.md
@@ -19,8 +19,8 @@ ms.date: 10/13/2017
 ## ![Learn more about Windows](images/education.png) Learn

    Windows 10 editions for education customers
    Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: Windows 10 Pro Education and Windows 10 Education. These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments.

    -

    Compare each Windows edition
    Find out more about the features and functionality we support in each edition of Windows.

    -

    Get Windows 10 Education or Windows 10 Pro Education
    When you've made your decision, find out how to buy Windows for your school.

    +

    Compare each Windows edition
    Find out more about the features and functionality we support in each edition of Windows.

    +

    Get Windows 10 Education or Windows 10 Pro Education
    When you've made your decision, find out how to buy Windows for your school.

    ## ![Plan for Windows 10 in your school](images/clipboard.png) Plan
diff --git a/education/windows/s-mode-switch-to-edu.md b/education/windows/s-mode-switch-to-edu.md
index 7c0eaafd0a..845f97f0c9 100644
--- a/education/windows/s-mode-switch-to-edu.md
+++ b/education/windows/s-mode-switch-to-edu.md
@@ -71,4 +71,4 @@ Tenant-wide Windows 10 Pro > Pro Education
 [FAQs](https://support.microsoft.com/help/4020089/windows-10-in-s-mode-faq)
    [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
    [Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
    -[Compare Windows 10 editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare)
+[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)
diff --git a/education/windows/test-windows10s-for-edu.md b/education/windows/test-windows10s-for-edu.md
index 8f8f6c6aa2..1ec8ad81a4 100644
--- a/education/windows/test-windows10s-for-edu.md
+++ b/education/windows/test-windows10s-for-edu.md
@@ -51,7 +51,7 @@ Due to these reasons, we recommend that you use the installation tool and avoid
 Before you install Windows 10 in S mode on your existing Windows 10 Pro, Windows 10 Pro Education, Windows 10 Education, or Windows 10 Enterprise device:
 * Make sure that you updated your existing device to Windows 10, version 1703 (Creators Update).
- See [Download Windows 10](https://www.microsoft.com/en-us/software-download/windows10) and follow the instructions to update your device to Windows 10, version 1703. You can verify your current version in **Settings > System > About**.
+ See [Download Windows 10](https://www.microsoft.com/software-download/windows10) and follow the instructions to update your device to Windows 10, version 1703. You can verify your current version in **Settings > System > About**.
 * Install the latest Windows Update.
@@ -184,7 +184,7 @@ If you see this message, follow these steps to stop receiving the message:
 To use an installation media to reinstall Windows 10, follow these steps.
-1. On a working PC, go to the [Microsoft software download website](https://www.microsoft.com/en-us/software-download/windows10).
+1. On a working PC, go to the [Microsoft software download website](https://www.microsoft.com/software-download/windows10).
 2. Download the Media Creation Tool and then run it.
 3. Select **Create installation media for another PC**.
 4. Choose a language, edition, and architecture (64-bit or 32-bit).
diff --git a/mdop/agpm/whats-new-in-agpm-40-sp3.md b/mdop/agpm/whats-new-in-agpm-40-sp3.md
index 4e65034c54..dbe0512e16 100644
--- a/mdop/agpm/whats-new-in-agpm-40-sp3.md
+++ b/mdop/agpm/whats-new-in-agpm-40-sp3.md
@@ -30,7 +30,7 @@ AGPM 4.0 SP3 adds support for the Windows 10 and Windows Server 2016 operating
 ### Support for PowerShell
-AGPM 4.0 SP3 adds support for PowerShell cmdlets. For a list of the cmdlets available in AGPM 4.0 SP3, including descriptions and syntax, see [Microsoft Desktop Optimization Pack Automation with Windows PowerShell](https://technet.microsoft.com/library/dn520245.aspx).
+AGPM 4.0 SP3 adds support for PowerShell cmdlets. For a list of the cmdlets available in AGPM 4.0 SP3, including descriptions and syntax, see [Microsoft Desktop Optimization Pack Automation with Windows PowerShell](https://docs.microsoft.com/powershell/mdop/get-started?view=win-mdop2-ps).
 ### Customer feedback and hotfix rollup
diff --git a/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md b/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md
index 3013d8a294..08d550209b 100644
--- a/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md
+++ b/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md
@@ -19,7 +19,7 @@ author: shortpatti
 This topic describes the process for applying the hotfixes for Microsoft BitLocker Administration and Monitoring (MBAM) Server 2.5 SP1
 ### Before you begin, download the latest hotfix of Microsoft BitLocker Administration and Monitoring (MBAM) Server 2.5 SP1
-[Desktop Optimization Pack](https://www.microsoft.com/en-us/download/details.aspx?id=58345)
+[Desktop Optimization Pack](https://www.microsoft.com/download/details.aspx?id=58345)
 #### Steps to update the MBAM Server for existing MBAM environment
 1. Remove MBAM server feature (do this by opening the MBAM Server Configuration Tool, then selecting Remove Features).
diff --git a/mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md b/mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md
index 185ace5f1b..166bfb30c5 100644
--- a/mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md
+++ b/mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md
@@ -26,7 +26,7 @@ MDOP Group Policy templates are available for download in a self-extracting, com
 **How to download and deploy the MDOP Group Policy templates**
-1. Download the MDOP Group Policy templates from [Microsoft Desktop Optimization Pack Group Policy Administrative Templates](https://www.microsoft.com/en-us/download/details.aspx?id=55531).
+1. Download the MDOP Group Policy templates from [Microsoft Desktop Optimization Pack Group Policy Administrative Templates](https://www.microsoft.com/download/details.aspx?id=55531).
 2. Run the downloaded file to extract the template folders.
diff --git a/mdop/mbam-v25/index.md b/mdop/mbam-v25/index.md
index e5988391c0..3f71f9edd8 100644
--- a/mdop/mbam-v25/index.md
+++ b/mdop/mbam-v25/index.md
@@ -14,7 +14,7 @@ ms.date: 04/19/2017
 Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 provides a simplified administrative interface that you can use to manage BitLocker Drive Encryption. You configure MBAM Group Policy Templates that enable you to set BitLocker Drive Encryption policy options that are appropriate for your enterprise, and then use them to monitor client compliance with those policies. You can also report on the encryption status of an individual computer and on the enterprise as a whole. In addition, you can access recovery key information when users forget their PIN or password or when their BIOS or boot record changes. For a more detailed description of MBAM, see [About MBAM 2.5](about-mbam-25.md).
-To obtain MBAM, see [How Do I Get MDOP](index.md#how-to-get-mdop).
+To obtain MBAM, see [How Do I Get MDOP](https://docs.microsoft.com/microsoft-desktop-optimization-pack/index#how-to-get-mdop).
 ## Outline
diff --git a/mdop/mbam-v25/mbam-25-supported-configurations.md b/mdop/mbam-v25/mbam-25-supported-configurations.md
index 970711d8a8..22f5eca17c 100644
--- a/mdop/mbam-v25/mbam-25-supported-configurations.md
+++ b/mdop/mbam-v25/mbam-25-supported-configurations.md
@@ -352,7 +352,7 @@ You must install SQL Server with the **SQL\_Latin1\_General\_CP1\_CI\_AS** colla

    Microsoft SQL Server 2016

    Standard, Enterprise, or Datacenter

    SP1

    -https://www.microsoft.com/en-us/download/details.aspx?id=54967

    64-bit

    +https://www.microsoft.com/download/details.aspx?id=54967

    64-bit

    Microsoft SQL Server 2014

    Standard, Enterprise, or Datacenter

    @@ -373,7 +373,7 @@ You must install SQL Server with the **SQL\_Latin1\_General\_CP1\_CI\_AS** colla
 **Note**
-In order to support SQL 2016 you must install the March 2017 Servicing Release for MDOP https://www.microsoft.com/en-us/download/details.aspx?id=54967 and to support SQL 2017 you must install the July 2018 Servicing Release for MDOP https://www.microsoft.com/en-us/download/details.aspx?id=57157. In general stay current by always using the most recent servicing update as it also includes all bugfixes and new features.
+In order to support SQL 2016 you must install the March 2017 Servicing Release for MDOP https://www.microsoft.com/download/details.aspx?id=54967 and to support SQL 2017 you must install the July 2018 Servicing Release for MDOP https://www.microsoft.com/download/details.aspx?id=57157. In general stay current by always using the most recent servicing update as it also includes all bugfixes and new features.
 ### SQL Server processor, RAM, and disk space requirements – Stand-alone topology
diff --git a/mdop/mbam-v25/upgrade-mbam2.5-sp1.md b/mdop/mbam-v25/upgrade-mbam2.5-sp1.md
new file mode 100644
index 0000000000..045cee4b55
--- /dev/null
+++ b/mdop/mbam-v25/upgrade-mbam2.5-sp1.md
@@ -0,0 +1,49 @@
+---
+title: Upgrading from MBAM 2.5 to MBAM 2.5 SP1 Servicing Release Update
+author: TobyTu
+ms.author: ksharma
+manager: dcscontentpm
+audience: ITPro
+ms.topic: article
+ms.prod: mbam
+localization_priority: Normal
+---
+
+# Upgrading from MBAM 2.5 to MBAM 2.5 SP1 Servicing Release Update
+
+This article provides step-by-step instructions for upgrading Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 to MBAM 2.5 SP1 along with Microsoft Desktop Optimization Pack (MDOP) July 2018 Servicing update in a stand-alone configuration. In this guide we will use a two-server configuration. One of the two servers will be a database server that's running Microsoft SQL Server 2016. This server will host the MBAM databases and reports. The additional server will be a Windows Server 2012 R2 web server and will host "Administration and Monitoring Server" and "Self-Service Portal."
+
+## Preparation steps before you upgrade MBAM 2.5 SP1 server
+
+### Know the MBAM Servers in your environment
+
+1. SQL Server Database Engine: Server Hosting the MBAM Databases.
+2. SQL Server Reporting Services: Server Hosting the MBAM Reports.
+3. Internet Information Services (IIS) Web Servers: Server Hosting MBAM Web Applications and Services.
+4. (Optional) Microsoft System Center Configuration Manager (SCCM) Primary Site Server: MBAM Configuration Application is run on this server to integrate MBAM Repots with SCCM which are then merged with existing SCCM reports on the SCCM’s SQL Server Reporting Services (SSRS) instance.
+
+### Identify Service Accounts, Groups, Server Name and Reports URL
+
+1. Identify the MBAM App Pool Svc Account used by IIS web servers to Read and Write Data to MBAM Databases.
+2. Identify the Groups used during MBAM Web Features Configuration and the Reports Web Service URL.
+3. Identify the SQL Server Name and Instance Name.
+ > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE3ANP1]
+4. 
Identify the SQL Server Reporting Services Account used for reading compliance data from Compliance and Audit Database.
+ > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE3ALdZ]
+
+## Upgrade the MBAM Infrastructure to the latest version available
+
+> [!NOTE]
+> We recommend that you take a full database backup of the MBAM Databases before performing upgrades.
+
+### Upgrade the MBAM SQL Server
+
+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE3ALew]
+
+### Upgrade MBAM Web Server
+
+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE3ALex]
+
+## More information
+
+For more about MBAM 2.5 SP1 known issues, please refer [Release Notes for MBAM 2.5 SP1](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/release-notes-for-mbam-25-sp1).
diff --git a/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md b/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md
index bd1795d759..7b4be1ac47 100644
--- a/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md
+++ b/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md
@@ -23,7 +23,7 @@ You can manage the feature settings of certain Microsoft Desktop Optimization Pa
 **How to download and deploy the MDOP Group Policy templates**
-1. Download the latest [MDOP Group Policy templates](https://www.microsoft.com/en-us/download/details.aspx?id=55531)
+1. Download the latest [MDOP Group Policy templates](https://www.microsoft.com/download/details.aspx?id=55531)
 2. Expand the downloaded .cab file by running `expand \MDOP_ADMX_Templates.cab -F:* `
diff --git a/mdop/uev-v1/installing-the-ue-v-group-policy-admx-templates.md b/mdop/uev-v1/installing-the-ue-v-group-policy-admx-templates.md
index cbdc80df01..2701e18c6d 100644
--- a/mdop/uev-v1/installing-the-ue-v-group-policy-admx-templates.md
+++ b/mdop/uev-v1/installing-the-ue-v-group-policy-admx-templates.md
@@ -31,7 +31,7 @@ ADMX files can be installed and tested locally on any computer that runs the Win
 **To download the UE-V ADMX templates**
-1. Download the UE-V ADMX template files: .
+1. Download the UE-V ADMX template files: .
 2. For more information about how to deploy the Group Policy templates, see .
diff --git a/mdop/uev-v2/get-started-with-ue-v-2x-new-uevv2.md b/mdop/uev-v2/get-started-with-ue-v-2x-new-uevv2.md
index d918fb1b54..111954ec45 100644
--- a/mdop/uev-v2/get-started-with-ue-v-2x-new-uevv2.md
+++ b/mdop/uev-v2/get-started-with-ue-v-2x-new-uevv2.md
@@ -114,7 +114,7 @@ Before you proceed, make sure your environment includes these requirements for r
-**Note:** Starting with Windows 10, version 1607, UE-V is included with [Windows 10 for Enterprise](https://www.microsoft.com/en-us/WindowsForBusiness/windows-for-enterprise) and is no longer part of the Microsoft Desktop Optimization Pack
+**Note:** Starting with Windows 10, version 1607, UE-V is included with [Windows 10 for Enterprise](https://www.microsoft.com/WindowsForBusiness/windows-for-enterprise) and is no longer part of the Microsoft Desktop Optimization Pack
 Also…
diff --git a/mdop/uev-v2/prepare-a-ue-v-2x-deployment-new-uevv2.md b/mdop/uev-v2/prepare-a-ue-v-2x-deployment-new-uevv2.md
index 9d9a9348ec..157d07c277 100644
--- a/mdop/uev-v2/prepare-a-ue-v-2x-deployment-new-uevv2.md
+++ b/mdop/uev-v2/prepare-a-ue-v-2x-deployment-new-uevv2.md
@@ -710,7 +710,7 @@ Also…
 **Note**
-- Starting with WIndows 10, version 1607, UE-V is included with [Windows 10 for Enterprise](https://www.microsoft.com/en-us/WindowsForBusiness/windows-for-enterprise) and is no longer part of the Microsoft Desktop Optimization Pack.
+- Starting with WIndows 10, version 1607, UE-V is included with [Windows 10 for Enterprise](https://www.microsoft.com/WindowsForBusiness/windows-for-enterprise) and is no longer part of the Microsoft Desktop Optimization Pack.
 - The UE-V Windows PowerShell feature of the UE-V Agent requires .NET Framework 4 or higher and Windows PowerShell 3.0 or higher to be enabled. Download Windows PowerShell 3.0 [here](https://go.microsoft.com/fwlink/?LinkId=309609).
diff --git a/store-for-business/add-profile-to-devices.md b/store-for-business/add-profile-to-devices.md
index de500f83cb..1215008fc9 100644
--- a/store-for-business/add-profile-to-devices.md
+++ b/store-for-business/add-profile-to-devices.md
@@ -23,7 +23,7 @@ Windows Autopilot simplifies device set up for IT Admins. For an overview of ben
 Watch this video to learn more about Windows Autopilot in Microsoft Store for Business.
    -> [!video https://www.microsoft.com/en-us/videoplayer/embed/3b30f2c2-a3e2-4778-aa92-f65dbc3ecf54?autoplay=false]
+> [!video https://www.microsoft.com/videoplayer/embed/3b30f2c2-a3e2-4778-aa92-f65dbc3ecf54?autoplay=false]
 ## What is Windows Autopilot?
 In Microsoft Store for Business, you can manage devices for your organization and apply an *Autopilot deployment profile* to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the Autopilot deployment profile you applied to the device.
diff --git a/windows/application-management/app-v/appv-about-appv.md b/windows/application-management/app-v/appv-about-appv.md
index 91926ff30c..910454c958 100644
--- a/windows/application-management/app-v/appv-about-appv.md
+++ b/windows/application-management/app-v/appv-about-appv.md
@@ -42,7 +42,7 @@ Previous versions of App-V have required you to manually remove your unpublished
 ### App-V is now a feature in Windows 10
-With Windows 10, version 1607 and later releases, App-V is now included with [Windows 10 for Enterprise and Windows 10 for Education](https://www.microsoft.com/en-us/WindowsForBusiness/windows-product-home) and is no longer part of the Microsoft Desktop Optimization Pack.
+With Windows 10, version 1607 and later releases, App-V is now included with [Windows 10 for Enterprise and Windows 10 for Education](https://www.microsoft.com/WindowsForBusiness/windows-product-home) and is no longer part of the Microsoft Desktop Optimization Pack.
 To learn more about earlier versions of App-V, see [MDOP Information Experience](https://docs.microsoft.com/microsoft-desktop-optimization-pack/index).
diff --git a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
index 3dbd5d0ae9..a913ce8a38 100644
--- a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
+++ b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
@@ -346,7 +346,7 @@ This process will recreate both the local and network locations for AppData and
 In an App-V Full Infrastructure, after applications are sequenced they are managed and published to users or computers through the App-V Management and Publishing servers. This section details the operations that occur during the common App-V application lifecycle operations (Add, publishing, launch, upgrade, and removal) and the file and registry locations that are changed and modified from the App-V Client perspective. The App-V Client operations are input as PowerShell commands on the computer running the App-V Client.
-This document focuses on App-V Full Infrastructure solutions. For specific information on App-V Integration with Configuration Manager 2012, see [Integrating Virtual Application Management with App-V 5 and Configuration Manager 2012 SP1](https://www.microsoft.com/en-us/download/details.aspx?id=38177).
+This document focuses on App-V Full Infrastructure solutions. For specific information on App-V Integration with Configuration Manager 2012, see [Integrating Virtual Application Management with App-V 5 and Configuration Manager 2012 SP1](https://www.microsoft.com/download/details.aspx?id=38177).
 The App-V application lifecycle tasks are triggered at user sign in (default), machine startup, or as background timed operations. The settings for the App-V Client operations, including Publishing Servers, refresh intervals, package script enablement, and others, are configured (after the client is enabled) with Windows PowerShell commands. See [App-V Client Configuration Settings: Windows PowerShell](appv-client-configuration-settings.md#app-v-client-configuration-settings-windows-powershell).
@@ -799,7 +799,7 @@ App-V packages contain the Manifest file inside of the App-V Package file, which
 ### Examples of dynamic configuration files
-The following example shows the combination of the Manifest, Deployment Configuration, and User Configuration files after publishing and during normal operation. These examples are abbreviated examples of each of the files. The purpose is show the combination of the files only, not to be a complete description of the specific categories available in each file. For more information, download the [App-V Sequencing Guide](https://www.microsoft.com/en-us/download/details.aspx?id=27760).
+The following example shows the combination of the Manifest, Deployment Configuration, and User Configuration files after publishing and during normal operation. These examples are abbreviated examples of each of the files. The purpose is show the combination of the files only, not to be a complete description of the specific categories available in each file. For more information, download the [App-V Sequencing Guide](https://www.microsoft.com/download/details.aspx?id=27760).
 #### Manifest
diff --git a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
index 5af97d8c38..6e88aa4a89 100644
--- a/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
+++ b/windows/application-management/app-v/appv-auto-clean-unpublished-packages.md
@@ -62,5 +62,5 @@ Using Group Policy, you can turn on the **Enable automatic cleanup of unused App
 ## Related topics
 - [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
-- [Download the Microsoft Application Virtualization 5.0 Client UI Application](https://www.microsoft.com/en-us/download/details.aspx?id=41186)
+- [Download the Microsoft Application Virtualization 5.0 Client UI Application](https://www.microsoft.com/download/details.aspx?id=41186)
 - [Using the App-V Client Management Console](appv-using-the-client-management-console.md)
diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server.md b/windows/application-management/app-v/appv-deploy-the-appv-server.md
index 79a0d77597..96b334816f 100644
--- a/windows/application-management/app-v/appv-deploy-the-appv-server.md
+++ b/windows/application-management/app-v/appv-deploy-the-appv-server.md
@@ -32,7 +32,7 @@ ms.topic: article
 1. Download the App-V server components. All five App-V server components are included in the Microsoft Desktop Optimization Pack (MDOP) 2015 ISO package, which can be downloaded from either of the following locations:
 * The [MSDN (Microsoft Developer Network) subscriptions site](https://msdn.microsoft.com/subscriptions/downloads/default.aspx#FileId=65215). You must have a MSDN subscription to download the MDOP ISO package from this site.
- * The [Volume Licensing Service Center](https://www.microsoft.com/en-us/licensing/default.aspx) if you're using [Windows 10 for Enterprise or Education](https://www.microsoft.com/en-us/WindowsForBusiness/windows-product-home).
+ * The [Volume Licensing Service Center](https://www.microsoft.com/licensing/default.aspx) if you're using [Windows 10 for Enterprise or Education](https://www.microsoft.com/WindowsForBusiness/windows-product-home).
 2. Copy the App-V server installation files to the computer on which you want to install it.
 3. Start the App-V server installation by right-clicking and running **appv\_server\_setup.exe** as an administrator, and then click **Install**.
 4. Review and accept the license terms, and choose whether to enable Microsoft updates.
diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
index 126da2945c..22c9ac4efb 100644
--- a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
+++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
@@ -86,7 +86,7 @@ The following table provides a full list of supported integration points for Off
 ### Office 2010 App-V Packages
-* [Microsoft Office 2010 Sequencing Kit for Microsoft Application Virtualization 5.0](https://www.microsoft.com/en-us/download/details.aspx?id=38399)
+* [Microsoft Office 2010 Sequencing Kit for Microsoft Application Virtualization 5.0](https://www.microsoft.com/download/details.aspx?id=38399)
 * [Known issues when you create or use an App-V 5.0 Office 2010 package](https://support.microsoft.com/kb/2828619)
 * [How To Sequence Microsoft Office 2010 in Microsoft Application Virtualization 5.0](https://support.microsoft.com/kb/2830069)
diff --git a/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md
index 0bc8d491a1..09ff627f45 100644
--- a/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md
+++ b/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md
@@ -30,7 +30,7 @@ To learn how to configure the App-V client to enable only administrators to publ
 ## Related topics
-- [App-V and Citrix integration](https://www.microsoft.com/en-us/download/details.aspx?id=40885)
+- [App-V and Citrix integration](https://www.microsoft.com/download/details.aspx?id=40885)
 - [Operations for App-V](appv-operations.md)
diff --git a/windows/application-management/app-v/appv-deploying-the-appv-server.md b/windows/application-management/app-v/appv-deploying-the-appv-server.md
index ae16a7025e..cb14cc7f5c 100644
--- a/windows/application-management/app-v/appv-deploying-the-appv-server.md
+++ b/windows/application-management/app-v/appv-deploying-the-appv-server.md
@@ -45,7 +45,7 @@ App-V offers the following five server components, each of which serves a specif
 All five App-V server components are included in the Microsoft Desktop Optimization Pack (MDOP) 2015 ISO package, which can be downloaded from either of the following locations:
 * The [MSDN (Microsoft Developer Network) subscriptions site](https://msdn.microsoft.com/subscriptions/downloads/default.aspx#FileId=65215). You must have a MSDN subscription to download the MDOP ISO package from this site.
-* The [Volume Licensing Service Center](https://www.microsoft.com/en-us/licensing/default.aspx) if you're using [Windows 10 for Enterprise or Education](https://www.microsoft.com/en-us/WindowsForBusiness/windows-product-home).
+* The [Volume Licensing Service Center](https://www.microsoft.com/licensing/default.aspx) if you're using [Windows 10 for Enterprise or Education](https://www.microsoft.com/WindowsForBusiness/windows-product-home).
 In large organizations, you might want to install more than one instance of the server components to get the following benefits.
diff --git a/windows/application-management/app-v/appv-getting-started.md b/windows/application-management/app-v/appv-getting-started.md
index a05b56167e..f39cd72041 100644
--- a/windows/application-management/app-v/appv-getting-started.md
+++ b/windows/application-management/app-v/appv-getting-started.md
@@ -18,7 +18,7 @@ ms.topic: article
 Microsoft Application Virtualization (App-V) for Windows 10 delivers Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service in real time and on an as-needed basis. Users launch virtual applications from familiar access points and interact with them as if they were installed locally.
-With the release of Windows 10, version 1607, App-V is included with the [Windows 10 for Enterprise edition](https://www.microsoft.com/en-us/WindowsForBusiness/windows-for-enterprise). If you're new to Windows 10 and App-V, you’ll need to download, activate, and install server- and client-side components to start delivering virtual applications to users. To learn what you need to know before getting started with App-V, see the [Application Virtualization (App-V) overview](appv-for-windows.md).
+With the release of Windows 10, version 1607, App-V is included with the [Windows 10 for Enterprise edition](https://www.microsoft.com/WindowsForBusiness/windows-for-enterprise). If you're new to Windows 10 and App-V, you’ll need to download, activate, and install server- and client-side components to start delivering virtual applications to users. To learn what you need to know before getting started with App-V, see the [Application Virtualization (App-V) overview](appv-for-windows.md).
 If you’re already using App-V, performing an in-place upgrade to Windows 10 on user devices automatically installs the App-V client and migrates users’ App-V applications and settings. For more information about how to configure an existing App-V installation after upgrading user devices to Windows 10, see [Upgrading to App-V for Windows 10 from an existing installation](appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md).
@@ -35,13 +35,13 @@ To start using App-V to deliver virtual applications to users, you’ll need to | Component | What it does | Where to find it | |------------|--|------| -| App-V server components | App-V offers five server components that work together to allow you to host and publish virtual applications, generate usage reports, and manage your App-V environment. For more details, see [Deploying the App-V Server](appv-deploying-the-appv-server.md).

    If you're already using App-V 5.x, you don't need to redeploy the App-V server components, as they haven't changed since App-V 5.0's release. | The App-V server components are included in the Microsoft Desktop Optimization Pack (MDOP) 2015 ISO package that can be downloaded from the following locations:

    If you have a Microsoft Developer Network (MSDN) subscription, use the [MSDN (Microsoft Developer Network) subscriptions site](https://msdn.microsoft.com/subscriptions/downloads/default.aspx#FileId=65215) to download the MDOP ISO package.

    If you're using [Windows 10 for Enterprise or Education](https://www.microsoft.com/en-us/WindowsForBusiness/windows-product-home), download it from the [Volume Licensing Service Center](https://www.microsoft.com/en-us/licensing/default.aspx).

    See [Deploying the App-V Server](appv-deploying-the-appv-server.md) for more information about installing and using the server components.| +| App-V server components | App-V offers five server components that work together to allow you to host and publish virtual applications, generate usage reports, and manage your App-V environment. For more details, see [Deploying the App-V Server](appv-deploying-the-appv-server.md).

    If you're already using App-V 5.x, you don't need to redeploy the App-V server components, as they haven't changed since App-V 5.0's release. | The App-V server components are included in the Microsoft Desktop Optimization Pack (MDOP) 2015 ISO package that can be downloaded from the following locations:

    If you have a Microsoft Developer Network (MSDN) subscription, use the [MSDN (Microsoft Developer Network) subscriptions site](https://msdn.microsoft.com/subscriptions/downloads/default.aspx#FileId=65215) to download the MDOP ISO package.

    If you're using [Windows 10 for Enterprise or Education](https://www.microsoft.com/WindowsForBusiness/windows-product-home), download it from the [Volume Licensing Service Center](https://www.microsoft.com/licensing/default.aspx).

    See [Deploying the App-V Server](appv-deploying-the-appv-server.md) for more information about installing and using the server components.| | App-V client and App-V Remote Desktop Services (RDS) client | The App-V client is the component that runs virtualized applications on user devices, allowing users to interact with icons and file names to start virtualized applications. | The App-V client is automatically installed with Windows 10, version 1607.

    To learn how to enable the client, see [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md). | | App-V sequencer | Use the App-V sequencer to convert Win32 applications into virtual packages for deployment to user devices. Devices must run the App-V client to allow users to interact with virtual applications. | Installed with the [Windows Assessment and Deployment kit (ADK) for Windows 10, version 1607](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). | For more information about these components, see [High Level Architecture for App-V](appv-high-level-architecture.md). -If you're new to App-V, it's a good idea to read the documentation thoroughly. Before deploying App-V in a production environment, you can ensure installation goes smoothly by validating your deployment plan in a test network environment. You might also consider taking a class about relevant technologies. To get started, see the [Microsoft Training Overview](https://www.microsoft.com/en-us/learning/default.aspx). +If you're new to App-V, it's a good idea to read the documentation thoroughly. Before deploying App-V in a production environment, you can ensure installation goes smoothly by validating your deployment plan in a test network environment. You might also consider taking a class about relevant technologies. To get started, see the [Microsoft Training Overview](https://www.microsoft.com/learning/default.aspx). ## Getting started with App-V diff --git a/windows/application-management/app-v/appv-performance-guidance.md b/windows/application-management/app-v/appv-performance-guidance.md index 40047a8bd9..155f59650e 100644 --- a/windows/application-management/app-v/appv-performance-guidance.md +++ b/windows/application-management/app-v/appv-performance-guidance.md 
@@ -31,7 +31,7 @@ You should read and understand the following information before reading this doc
 - [Application Publishing and Client Interaction](appv-application-publishing-and-client-interaction.md)
-- [App-V Sequencing Guide](https://www.microsoft.com/en-us/download/details.aspx?id=27760)
+- [App-V Sequencing Guide](https://www.microsoft.com/download/details.aspx?id=27760)
 **Note**   Some terms used in this document may have different meanings depending on external source and context. For more information about terms used in this document followed by an asterisk * review the [Application Virtualization Performance Guidance Terminology](#bkmk-terms1) section of this document.
diff --git a/windows/application-management/app-v/appv-reporting.md b/windows/application-management/app-v/appv-reporting.md
index 99a25f7fda..214bb3c9bd 100644
--- a/windows/application-management/app-v/appv-reporting.md
+++ b/windows/application-management/app-v/appv-reporting.md
@@ -30,7 +30,7 @@ The following list displays the end–to-end high-level workflow for reporting i
 To confirm SQL Server Reporting Services is running, enter in a web browser as administrator on the server that will host App-V Reporting. The SQL Server Reporting Services Home page should appear.
 2. Install the App-V reporting server and associated database. For more information about installing the reporting server see [How to install the Reporting Server on a standalone computer and connect it to the database](appv-install-the-reporting-server-on-a-standalone-computer.md). Configure the time when the computer running the App-V client should send data to the reporting server.
-3. If you are not using an electronic software distribution system such as Configuration Manager to view reports then you can define reports in SQL Server Reporting Service. Download predefined appvshort Reports from the Download Center at [Application Virtualization SSRS Reports](https://www.microsoft.com/en-us/download/details.aspx?id=42630).
+3. If you are not using an electronic software distribution system such as Configuration Manager to view reports then you can define reports in SQL Server Reporting Service. Download predefined appvshort Reports from the Download Center at [Application Virtualization SSRS Reports](https://www.microsoft.com/download/details.aspx?id=42630).
 > [!NOTE]
 >If you are using the Configuration Manager integration with App-V, most reports are generated from Configuration Manager rather than from App-V.
diff --git a/windows/application-management/app-v/appv-using-the-client-management-console.md b/windows/application-management/app-v/appv-using-the-client-management-console.md
index 83bfa11219..e075bff689 100644
--- a/windows/application-management/app-v/appv-using-the-client-management-console.md
+++ b/windows/application-management/app-v/appv-using-the-client-management-console.md
@@ -22,7 +22,7 @@ This topic provides information about using the Application Virtualization (App-
 ## Obtain the client management console
-The client management console is separate from the App-V client itself. You can download the client management console from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=41186).
+The client management console is separate from the App-V client itself. You can download the client management console from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=41186).
 > [!NOTE]
 > To perform all of the actions available using the client management console, you must have administrative access on the computer running the App-V client.
diff --git a/windows/application-management/per-user-services-in-windows.md b/windows/application-management/per-user-services-in-windows.md
index 53121c3c18..51a347d915 100644
--- a/windows/application-management/per-user-services-in-windows.md
+++ b/windows/application-management/per-user-services-in-windows.md
@@ -92,7 +92,7 @@ Revision=1
 If a per-user service can't be disabled using a the security template, you can disable it by using Group Policy preferences.
-1. On a Windows Server domain controller or Windows 10 PC that has the [Remote Server Administration Tools (RSAT)](https://www.microsoft.com/en-us/download/details.aspx?id=45520) installed, click **Start**, type GPMC.MSC, and then press **Enter** to open the **Group Policy Management Console**.
+1. On a Windows Server domain controller or Windows 10 PC that has the [Remote Server Administration Tools (RSAT)](https://www.microsoft.com/download/details.aspx?id=45520) installed, click **Start**, type GPMC.MSC, and then press **Enter** to open the **Group Policy Management Console**.
 2. Create a new Group Policy Object (GPO) or use an existing GPO.
diff --git a/windows/client-management/advanced-troubleshooting-boot-problems.md b/windows/client-management/advanced-troubleshooting-boot-problems.md
index e83a4bf8bd..5f1c4ea9c9 100644
--- a/windows/client-management/advanced-troubleshooting-boot-problems.md
+++ b/windows/client-management/advanced-troubleshooting-boot-problems.md
@@ -14,8 +14,8 @@ ms.topic: troubleshooting
 # Advanced troubleshooting for Windows boot problems
->[!NOTE]
->This article is intended for use by support agents and IT professionals. If you're looking for more general information about recovery options, see [Recovery options in Windows 10](https://support.microsoft.com/help/12415).
+> [!NOTE]
+> This article is intended for use by support agents and IT professionals. If you're looking for more general information about recovery options, see [Recovery options in Windows 10](https://support.microsoft.com/help/12415).
 ## Summary
@@ -58,14 +58,14 @@ Here is a summary of the boot sequence, what will be seen on the display, and ty
 Each phase has a different approach to troubleshooting. This article provides troubleshooting techniques for problems that occur during the first three phases.
->[!NOTE]
->If the computer repeatedly boots to the recovery options, run the following command at a command prompt to break the cycle:
+> [!NOTE]
+> If the computer repeatedly boots to the recovery options, run the following command at a command prompt to break the cycle:
 >
->`Bcdedit /set {default} recoveryenabled no`
+> `Bcdedit /set {default} recoveryenabled no`
 >
->If the F8 options don't work, run the following command:
+> If the F8 options don't work, run the following command:
 >
->`Bcdedit /set {default} bootmenupolicy legacy`
+> `Bcdedit /set {default} bootmenupolicy legacy`
 ## BIOS phase
@@ -98,11 +98,10 @@ The Startup Repair tool automatically fixes many common problems. The tool also To do this, follow these steps. ->[!NOTE] ->For additional methods to start WinRE, see [Entry points into WinRE](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#span-identrypointsintowinrespanspan-identrypointsintowinrespanspan-identrypointsintowinrespanentry-points-into-winre). +> [!NOTE] +> For additional methods to start WinRE, see [Windows Recovery Environment (Windows RE)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#span-identrypointsintowinrespanspan-identrypointsintowinrespanspan-identrypointsintowinrespanentry-points-into-winre). -1. Start the system to the installation media for the installed version of Windows. - **Note** For more information, see [Create installation media for Windows](https://support.microsoft.com/help/15088). +1. Start the system to the installation media for the installed version of Windows. For more information, see [Create installation media for Windows](https://support.microsoft.com/help/15088). 2. On the **Install Windows** screen, select **Next** > **Repair your computer**. @@ -132,8 +131,8 @@ To repair the boot sector, run the following command: BOOTREC /FIXBOOT ``` ->[!NOTE] ->Running **BOOTREC** together with **Fixmbr** overwrites only the master boot code. If the corruption in the MBR affects the partition table, running **Fixmbr** may not fix the problem. +> [!NOTE] +> Running **BOOTREC** together with **Fixmbr** overwrites only the master boot code. If the corruption in the MBR affects the partition table, running **Fixmbr** may not fix the problem. ### Method 3: Fix BCD errors 
@@ -152,20 +151,25 @@ If you receive BCD-related errors, follow these steps: ``` 4. You might receive one of the following outputs: - - - Scanning all disks for Windows installations. Please wait, since this may take a while...Successfully scanned Windows installations. Total identified Windows installations: 0 + ```dos + Scanning all disks for Windows installations. Please wait, since this may take a while ... + Successfully scanned Windows installations. Total identified Windows installations: 0 The operation completed successfully. + ``` - - Scanning all disks for Windows installations. Please wait, since this may take a while... Successfully scanned Windows installations. Total identified Windows installations: 1 + ```dos + Scanning all disks for Windows installations. Please wait, since this may take a while ... + Successfully scanned Windows installations. Total identified Windows installations: 1 D:\Windows Add installation to boot list? Yes/No/All: + ``` If the output shows **windows installation: 0**, run the following commands: ```dos bcdedit /export c:\bcdbackup -attrib c:\\boot\\bcd -h -r –s +attrib c:\\boot\\bcd -r –s -h ren c:\\boot\\bcd bcd.old 
@@ -174,39 +178,41 @@ bootrec /rebuildbcd After you run the command, you receive the following output: - Scanning all disks for Windows installations. Please wait, since this may take a while...Successfully scanned Windows installations. Total identified Windows installations: 1{D}:\Windows +```dos +Scanning all disks for Windows installations. Please wait, since this may take a while ... +Successfully scanned Windows installations. Total identified Windows installations: 1 +{D}:\Windows Add installation to boot list? Yes/No/All: Y +``` -5. Try again to start the system. +5. Try restarting the system. ### Method 4: Replace Bootmgr -If methods 1 and 2 do not fix the problem, replace the Bootmgr file from drive C to the System Reserved partition. To do this, follow these steps: +If methods 1, 2 and 3 do not fix the problem, replace the Bootmgr file from drive C to the System Reserved partition. To do this, follow these steps: 1. At a command prompt, change the directory to the System Reserved partition. 2. Run the **attrib** command to unhide the file: ```dos - attrib-s -h -r + attrib -r -s -h ``` 3. Run the same **attrib** command on the Windows (system drive): ```dos - attrib-s -h –r + attrib -r -s -h ``` 4. Rename the Bootmgr file as Bootmgr.old: ```dos - ren c:\\bootmgr bootmgr.old + ren c:\bootmgr bootmgr.old ``` -5. Start a text editor, such as Notepad. +5. Navigate to the system drive. -6. Navigate to the system drive. +6. Copy the Bootmgr file, and then paste it to the System Reserved partition. -7. Copy the Bootmgr file, and then paste it to the System Reserved partition. - -8. Restart the computer. +7. Restart the computer. ### Method 5: Restore System Hive 
@@ -267,16 +273,16 @@ For detailed instructions, see [How to perform a clean boot in Windows](https:// If the computer starts in Disable Driver Signature mode, start the computer in Disable Driver Signature Enforcement mode, and then follow the steps that are documented in the following article to determine which drivers or files require driver signature enforcement: [Troubleshooting boot problem caused by missing driver signature (x64)](https://blogs.technet.microsoft.com/askcore/2012/04/15/troubleshooting-boot-issues-due-to-missing-driver-signature-x64/) ->[!NOTE] ->If the computer is a domain controller, try Directory Services Restore mode (DSRM). +> [!NOTE] +> If the computer is a domain controller, try Directory Services Restore mode (DSRM). > ->This method is an important step if you encounter Stop error "0xC00002E1" or "0xC00002E2" +> This method is an important step if you encounter Stop error "0xC00002E1" or "0xC00002E2" **Examples** ->[!WARNING] ->Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these +> [!WARNING] +> Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk. *Error code INACCESSIBLE_BOOT_DEVICE (STOP 0x7B)* 
@@ -307,11 +313,11 @@ For additional troubleshooting steps, see the following articles:
 To fix problems that occur after you install Windows updates, check for pending updates by using these steps:
-1. Open a Command Prompt winodw in WinRE.
+1. Open a Command Prompt window in WinRE.
 2. Run the command:
 ```dos
- dism /image:C:\ /get-packages
+ DISM /image:C:\ /get-packages
 ```
 3. If there are any pending updates, uninstall them by running the following commands:
@@ -319,7 +325,7 @@ To fix problems that occur after you install Windows updates, check for pending
 DISM /image:C:\ /remove-package /packagename: name of the package
 ```
 ```dos
- Dism /Image:C:\ /Cleanup-Image /RevertPendingActions
+ DISM /Image:C:\ /Cleanup-Image /RevertPendingActions
 ```
 Try to start the computer.
diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
index 4a0423c1e7..c6fe7134c8 100644
--- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
+++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
@@ -98,7 +98,7 @@ As you review the roles in your organization, you can use the following generali
 Your configuration requirements are defined by multiple factors, including the level of management needed, the devices and data managed, and your industry requirements. Meanwhile, employees are frequently concerned about IT applying strict policies to their personal devices, but they still want access to corporate email and documents. With Windows 10, you can create a consistent set of configurations across PCs, tablets, and phones through the common MDM layer. 
-**MDM**: [MDM](https://www.microsoft.com/en-us/cloud-platform/mobile-device-management) gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, Group Policy exposes fine-grained settings that you control individually.) One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also allows you to target Internet-connected devices to manage policies without using GP that requires on-premises domain-joined devices. This makes MDM the best choice for devices that are constantly on the go.
+**MDM**: [MDM](https://www.microsoft.com/cloud-platform/mobile-device-management) gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, Group Policy exposes fine-grained settings that you control individually.) One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also allows you to target Internet-connected devices to manage policies without using GP that requires on-premises domain-joined devices. This makes MDM the best choice for devices that are constantly on the go.
**Group Policy** and **System Center Configuration Manager**: Your organization might still need to manage domain joined computers at a granular level such as Internet Explorer’s 1,500 configurable Group Policy settings. If so, Group Policy and System Center Configuration Manager continue to be excellent management choices:
diff --git a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md
index 85de08a137..5c2dcefdc4 100644
--- a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md
+++ b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md
@@ -114,7 +114,7 @@ Example: Export the Debug logs
 ## Collect logs from Windows 10 Mobile devices
-Since there is no Event Viewer in Windows 10 Mobile, you can use the [Field Medic](https://www.microsoft.com/en-us/p/field-medic/9wzdncrfjb82?activetab=pivot%3aoverviewtab) app to collect logs.
+Since there is no Event Viewer in Windows 10 Mobile, you can use the [Field Medic](https://www.microsoft.com/p/field-medic/9wzdncrfjb82?activetab=pivot%3aoverviewtab) app to collect logs.
 **To collect logs manually**
diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md
index 44c558fde0..6b3a628eb7 100644
--- a/windows/client-management/mdm/diagnosticlog-csp.md
+++ b/windows/client-management/mdm/diagnosticlog-csp.md
@@ -9,18 +9,22 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: manikadhiman
-ms.date: 06/26/2017
+ms.date: 08/05/2019
 ---
 # DiagnosticLog CSP
+The DiagnosticLog configuration service provider (CSP) is used in the following scenarios:
+- [Controlling ETW trace sessions](#diagnosticlog-csp-for-controlling-etw-trace-sessions)
+- [Triggering devices to upload existing event logs, log files, and registry values to cloud storage](#diagnosticlog-csp-for-triggering-devices-to-upload-files-to-cloud)
-The DiagnosticLog configuration service provider (CSP) is used for generating and collecting diagnostic information from the device: Event Tracing for Windows (ETW) log files and current MDM configured state of the device.
+## DiagnosticLog CSP for controlling ETW trace sessions
+The DiagnosticLog CSP is used for generating and collecting diagnostic information from the device: Event Tracing for Windows (ETW) log files and current MDM configured state of the device.
 DiagnosticLog CSP supports the following type of event tracing:
-- Collector-based tracing
-- Channel-based tracing
+- Collector-based tracing
+- Channel-based tracing
 ### Collector-based tracing
@@ -49,11 +53,10 @@ For each registered provider in this collector, the user can: The changes on **State**, **Keywords** and **TraceLevel** takes effect immediately while trace session is in progress. -> **Note**  Microsoft-WindowsPhone-Enterprise-Diagnostics-Provider (GUID - 3da494e4-0fe2-415C-b895-fb5265c5c83b) has the required debug resource files built into Windows OS, which will allow the logs files to be decoded on the remote machine. Any other logs may not have the debug resources required to decode. +> [!Note] +> Microsoft-WindowsPhone-Enterprise-Diagnostics-Provider (GUID - 3da494e4-0fe2-415C-b895-fb5265c5c83b) has the required debug resource files built into Windows OS, which will allow the logs files to be decoded on the remote machine. Any other logs may not have the debug resources required to decode. - - -### Channel-based tracing + ### Channel-based tracing The type of event tracing exports event data from a specific channel. This is only supported on the desktop. 
@@ -73,36 +76,31 @@ Here are the links to the DDFs: - [DiagnosticLog CSP version 1.2](diagnosticlog-ddf.md#version-1-2) - [DiagnosticLog CSP version 1.3](diagnosticlog-ddf.md#version-1-3) +- [DiagnosticLog CSP version 1.4](diagnosticlog-ddf.md#version-1-4) -The following diagram shows the DiagnosticLog configuration service provider in tree format. +The following diagram shows the DiagnosticLog CSP in tree format. ![diagnosticlog csp diagram](images/provisioning-csp-diagnosticlog.png) **./Vendor/MSFT/DiagnosticLog** -The root node for the DiagnosticLog configuration service provider. +The root node for the DiagnosticLog CSP. -The following steps describe the process for gathering diagnostics using this CSP. +To gather diagnostics using this CSP: 1. Specify a *CollectorName* for the container of the target ETW providers. 2. (Optional) Set logging and log file parameters using the following options: - - **TraceLogFileMode** - - **LogFileSizeLimitMB** - - Each of these are described later in this topic. + - TraceLogFileMode + - LogFileSizeLimitMB 3. Indicate one or more target ETW providers by supplying its *ProviderGUID* to the Add operation of EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*. 4. (Optional) Set logging and log file parameters using the following options: - - - **TraceLevel** - - **Keywords** - - Each of these are described later in this topic. - -5. Start logging using **TraceControl** EXECUTE command “START” + - TraceLevel + - Keywords +5. Start logging using **TraceControl** EXECUTE command “START”. 6. Perform actions on the target device that will generate activity in the log files. -7. Stop logging using **TraceControl** EXECUTE command “STOP” -8. Collect the log file located in the `%temp%` folder using the method described in [Reading a log file](#reading-a-log-file) +7. Stop logging using **TraceControl** EXECUTE command “STOP”. +8. 
Collect the log file located in the `%temp%` folder using the method described in [Reading a log file](#reading-a-log-file). **EtwLog** Node to contain the Error Tracing for Windows log. @@ -174,8 +172,6 @@ The following table represents the possible values: | 0 | Stopped | | 1 | Started | - - **EtwLog/Collectors/*CollectorName*/TraceLogFileMode** Specifies the log file logging mode. @@ -185,30 +181,10 @@ Supported operations are Get and Replace. The following table lists the possible values: - ---- - - - - - - - - - - - - - - - - -
    ValueDescription

    EVENT_TRACE_FILE_MODE_SEQUENTIAL (0x00000001)

    Writes events to a log file sequentially; stops when the file reaches its maximum size.

    EVENT_TRACE_FILE_MODE_CIRCULAR (0x00000002)

    Writes events to a log file. After the file reaches the maximum size, the oldest events are replaced with incoming events.

    - - +| Value | Description | +|-------|--------------------| +| EVENT_TRACE_FILE_MODE_SEQUENTIAL (0x00000001) | Writes events to a log file sequentially; stops when the file reaches its maximum size. | +| EVENT_TRACE_FILE_MODE_CIRCULAR (0x00000002) | Writes events to a log file. After the file reaches the maximum size, the oldest events are replaced with incoming events. | **EtwLog/Collectors/*CollectorName*/TraceControl** Specifies the logging and report action state. @@ -222,8 +198,6 @@ The following table lists the possible values: | START | Start log tracing. | | STOP | Stop log tracing | - - The supported operation is Execute. After you have added a logging task, you can start a trace by running an Execute command on this node with the value START. @@ -295,8 +269,6 @@ Dynamic nodes to represent active provider configuration per provider GUID. > **Note**  Microsoft-WindowsPhone-Enterprise-Diagnostics-Provider (GUID - 3da494e4-0fe2-415C-b895-fb5265c5c83b) has the required debug resource files built into Windows OS, which will allow the logs files to be decoded on the remote machine. Any other logs may not have the debug resources required to decode. - - Supported operations are Add, Delete, and Get. Add a provider @@ -347,44 +319,15 @@ The data type is an integer. Supported operations are Get and Replace. -The following table lists the possible values. +The following table lists the possible values: - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ValueDescription

    1 – TRACE_LEVEL_CRITICAL

    Abnormal exit or termination events

    2 – TRACE_LEVEL_ERROR

    Severe error events

    3 – TRACE_LEVEL_WARNING

    Warning events such as allocation failures

    4 – TRACE_LEVEL_INFORMATION

    Non-error events, such as entry or exit events

    5 – TRACE_LEVEL_VERBOSE

    Detailed information

    - - +| Value | Description | +|-------|--------------------| +| 1 – TRACE_LEVEL_CRITICAL | Abnormal exit or termination events | +| 2 – TRACE_LEVEL_ERROR | Severe error events | +| 3 – TRACE_LEVEL_WARNING | Warning events such as allocation failures | +| 4 – TRACE_LEVEL_INFORMATION | Non-error events, such as entry or exit events | +| 5 – TRACE_LEVEL_VERBOSE | Detailed information | Set provider **TraceLevel** @@ -412,7 +355,7 @@ Set provider **TraceLevel** **EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*/Keywords** Specifies the provider keywords to be used as MatchAnyKeyword for this provider. -the data type is a string. +The data type is a string. Supported operations are Get and Replace. @@ -470,32 +413,11 @@ The data type is a boolean. Supported operations are Get and Replace. This change will be effective during active trace session. -The following table lists the possible values. Default value is TRUE. - - ---- - - - - - - - - - - - - - - - - -
    ValueDescription

    TRUE

    Provider is enabled in the trace session.

    FALSE

    Provider is disables in the trace session.

    - - +The following table lists the possible values: +| Value | Description | +|-------|--------------------| +| TRUE | Provider is enabled in the trace session. This is the default. | +| FALSE | Provider is disabled in the trace session. | Set provider **State** @@ -630,32 +552,12 @@ The data type is a boolean. Supported operations are Get and Replace. -The following table lists the possible values. +The following table lists the possible values: - ---- - - - - - - - - - - - - - - - - -
    ValueDescription

    TRUE

    Channel is enabled.

    FALSE

    Channel is disabled.

    - - +| Value | Description | +|-------|--------------------| +| TRUE | Channel is enabled. | +| FALSE | Channel is disabled. | Get channel **State** 
@@ -897,26 +799,585 @@ Node to transfer the selected log file block to the DM server. **FileDownload/DMChannel/*FileContext*/DataBlocks/***BlockNumber* The data type is Base64. -The only supported operation is Get. +The supported operation is Get. + +**Policy** +Added in version 1.4 of the CSP in Windows 10, version 1903. Root node to control settings for channels in Event Log. + +The supported operation is Get. + +**Policy/Channels** +Added in version 1.4 of the CSP in Windows 10, version 1903. Node that contains Event Log channel settings. + +The supported operation is Get. + +**Policy/Channels/_ChannelName_** +Added in version 1.4 of the CSP in Windows 10, version 1903. Dynamic node to represent a registered channel. The node name must be a valid Windows event log channel name, such as ``Microsoft-Client-Licensing-Platform%2FAdmin``. When specifying the name in the LocURI, it must be URL encoded, otherwise it may unexpectedly translate into a different URI. + +Supported operations are Add, Delete, and Get. + +Add **Channel** +``` xml + + ​ + ​ + 2​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName​ + ​ + ​ + ​ + node​ + ​ + ​ + ​ + ​ + ​ + ​ + +``` +Delete **Channel** +``` xml + + ​ + ​ + 3​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName​ + ​ + ​ + ​ + ​ + ​ + ​ + +``` +Get **Channel** +``` xml + + ​ + ​ + 4​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName​ + ​ + ​ + ​ + ​ + ​ + ​ + +``` +**Policy/Channels/_ChannelName_/MaximumFileSize** +Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting specifies the maximum size of the log file in megabytes. + +If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte and 2 terabytes in megabyte increments. + +If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. 
This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 1 megabyte. + +Supported operations are Add, Delete, Get, and Replace. + +The data type is integer. + +Add **MaximumFileSize** +``` xml + + ​ + ​ + 6​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/MaximumFileSize​ + ​ + ​ + ​ + int​ + text/plain​ + ​ + 3​ + ​ + ​ + ​ + ​ + +``` + +Delete **MaximumFileSize** +``` xml + + ​ + ​ + 7​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/MaximumFileSize​ + ​ + ​ + ​ + ​ + ​ + ​ + +``` +Get **MaximumFileSize** +``` xml + + ​ + ​ + 5​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/MaximumFileSize​ + ​ + ​ + ​ + ​ + ​ + ​ + +``` + +Replace **MaximumFileSize** +``` xml + + ​ + ​ + 8​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/MaximumFileSize​ + ​ + ​ + ​ + int​ + text/plain​ + ​ + 5​ + ​ + ​ + ​ + ​ + +``` + +**Policy/Channels/_ChannelName_/SDDL** +Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting represents SDDL string controlling access to the channel. + +Supported operations are Add, Delete, Get, and Replace. + +The data type is string. + +Default string is as follows: + +https://docs.microsoft.com/en-us/windows/desktop/WES/eventmanifestschema-channeltype-complextype. 
+ +Add **SDDL** +``` xml + + ​ + ​ + 10​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/SDDL​ + ​ + ​ + ​ + chr​ + text/plain​ + ​ + YourSDDL​ + ​ + ​ + ​ + ​ + +``` + +Delete **SDDL** +``` xml + + + ​ + ​ + 11​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/SDDL​ + ​ + ​ + ​ + ​ + ​ + ​ + +``` + +Get **SDDL** +``` xml + + ​ + ​ + 9​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/SDDL​ + ​ + ​ + ​ + ​ + ​ + ​ + +``` + +Replace **SDDL** +``` xml + + ​ + ​ + 12​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/SDDL​ + ​ + ​ + ​ + chr​ + text/plain​ + ​ + YourNewSDDL​ + ​ + ​ + ​ + ​ + +``` + +**Policy/Channels/_ChannelName_/ActionWhenFull** +Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting controls Event Log behavior when the log file reaches its maximum size. + +Supported operations are Add, Delete, Get, and Replace. + +The data type is string. + +The following are the possible values: +- Truncate — When the log file reaches its maximum file size, new events are not written to the log and are lost. +- Overwrite — When the log file reaches its maximum file size, new events overwrite old events. +- Archive — When the log file reaches its maximum size, the log file is saved to the location specified by the "Archive Location" policy setting. If archive location value is not set, the new file is saved in the same directory as current log file. + +If you disable or do not configure this policy setting, the locally configured value will be used as default. Every channel that is installed, whether inbox or by ISVs, is responsible for defining its own local configuration, and that configuration can be changed by any administrator. Values set via this policy override but do not replace local configuration. 
+ + +Add **ActionWhenFull** +``` xml + + ​ + ​ + 14​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/ActionWhenFull​ + ​ + ​ + ​ + chr​ + text/plain​ + ​ + Archive​ + ​ + ​ + ​ + ​ + +``` + +Delete **ActionWhenFull** +``` xml + + ​ + ​ + 15​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/ActionWhenFull​ + ​ + ​ + ​ + ​ + ​ + ​ + +``` + +Get **ActionWhenFull** +``` xml + + ​ + ​ + 13​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/ActionWhenFull​ + ​ + ​ + ​ + ​ + ​ + ​ + +``` + +Replace **ActionWhenFull** +``` xml + + ​ + ​ + 16​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/ActionWhenFull​ + ​ + ​ + ​ + chr​ + text/plain​ + ​ + Truncate​ + ​ + ​ + ​ + ​ + +``` + +**Policy/Channels/_ChannelName_/Enabled** +Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting specifies whether the channel should be enabled or disabled. + +Supported operations are Add, Delete, Get, and Replace. + +The data type is boolean. + +The following are the possible values: +- TRUE — Enables the channel. +- FALSE — Disables the channel. + +If you disable or do not configure this policy setting, the locally configured value is used as default. 
+ +Get **Enabled** +``` xml + + ​ + ​ + 17​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/Enabled​ + ​ + ​ + ​ + ​ + ​ + ​ + +``` + +Add **Enabled** +``` xml + + ​ + ​ + 18​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/Enabled​ + ​ + ​ + ​ + bool​ + text/plain​ + ​ + TRUE​ + ​ + ​ + ​ + ​ + +``` + +Delete **Enabled** +``` xml + + ​ + ​ + 19​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/Enabled​ + ​ + ​ + ​ + ​ + ​ + ​ + +``` + +Replace **Enabled** +``` xml + + ​ + ​ + 20​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/Enabled​ + ​ + ​ + ​ + bool​ + text/plain​ + ​ + FALSE​ + ​ + ​ + ​ + ​ + +``` + +## DiagnosticLog CSP for triggering devices to upload files to cloud +The DiagnosticLog CSP is used for triggering devices to upload existing event logs, log files, and registry values to cloud storage. The following section describes the nodes for the DiagnosticArchive functionality. + +**DiagnosticArchive** +Added in version 1.4 of the CSP in Windows 10, version 1903. Root note for the DiagnosticArchive functionality. + +The supported operation is Get. + +**DiagnosticArchive/ArchiveDefinition** +Added in version 1.4 of the CSP in Windows 10, version 1903. + +The supported operations are Add and Execute. + +The data type is string. + +Expected value: +Set and Execute are functionality equivalent, and each accepts an XML snippet (as a string) describing what data to gather and where to upload it when done. This XML defines what should be collected and compressed into a zip file to be uploaded to Azure blog storage. + +The following is an example of the XML. This example instructs that a zip file be created containing the output from a dump of the specified registry key, all the files in a folder, the output of two commands, all the files in another folder, the output of a command, all the Application events, two sets of files, and another command output. 
All of this will be uploaded to the blob storage URL as specified in the tags and must be in the noted format with the container and the key in the URL. The administrator can retrieve this URL from Azure. The file uploaded will be in the format DiagLogs-{ComputerName}-YYYYMMDDTHHMMSSZ.zip. + +``` xml + + f1e20cb4-9789-4f6b-8f6a-766989764c6d + {web address}/{container}{key} + HKLM\Software\Policies + C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\*.etl + %windir%\system32\ipconfig.exe /all + %windir%\system32\mdmdiagnosticstool.exe -out c:\ProgramData\temp\ + c:\ProgramData\temp\*.* + %windir%\system32\ping.exe -n 50 localhost + Application + %ProgramData%\Microsoft\DiagnosticLogCSP\Collectors\*.etl + %SystemRoot%\System32\LogFiles\wmi\*.etl.* + + %windir%\system32\pnputil.exe /enum-drivers + + +``` +Where: + +- ID is a unique GUID value that defines this particular run of the DiagnosticLog CSP. +- There can be multiple RegistryKey, FolderFiles, Command, and Events elements, which extract or execute and collect the output from the action specified. +- SasUrl is generated from the Azure Blob Storage UX in Azure such that it will allow write access to the blob to upload the zip file created by all the actions specified. + +**DiagnosticArchive/ArchiveResults** +Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting displays the results of the last archive run. + +The supported operation is Get. + +The data type is string. + +A Get to the above URI will return the results of the gathering of data for the last diagnostics request. 
For the example above it returns: + +``` xml + + + + + 1 + 1 + 0 + SyncHdr + 200 + + + 2 + 1 + 1 + Get + 200 + + + 3 + 1 + 1 + + + ./Vendor/MSFT/DiagnosticLog/DiagnosticArchive/ArchiveResults + + + + f1e20cb4-9789-4f6b-8f6a-766989764c6d + HKLM\Software\Policies + C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\*.etl + %windir%\system32\ipconfig.exe /all + %windir%\system32\mdmdiagnosticstool.exe -out c:\ProgramData\temp\ + c:\ProgramData\temp\*.* + %windir%\system32\ping.exe -n 50 localhost + Application + %ProgramData%\Microsoft\DiagnosticLogCSP\Collectors\*.etl + %SystemRoot%\System32\LogFiles\wmi\*.etl.* + %windir%\system32\pnputil.exe /enum-drivers + + + + + + + +``` +> [!Note] +> Each data gathering node is annotated with the HRESULT of the option and the collection is also annotated with an HRESULT. In this example, note that the mdmdiagnosticstool.exe command failed. ## Reading a log file - - -1. Enumerate log file under **./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel** -2. Select a log file in the Enumeration result -3. Set **BlockSizeKB** per DM server payload limitation -4. Get **BlockCount** to determine total read request -5. Set **BlockIndexToRead** to initialize read start point -6. Get **BlockData** for upload log block -7. Increase **BlockIndexToRead** -8. Repeat step 5 to 7 until **BlockIndexToRead == (BlockIndexToRead – 1)** - - - - - - - - - - +To read a log file: +1. Enumerate log file under **./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel**. +2. Select a log file in the Enumeration result. +3. Set **BlockSizeKB** per DM server payload limitation. +4. Get **BlockCount** to determine total read request. +5. Set **BlockIndexToRead** to initialize read start point. +6. Get **BlockData** for upload log block. +7. Increase **BlockIndexToRead**. +8. Repeat step 5 to 7 until **BlockIndexToRead == (BlockIndexToRead – 1)**. \ No newline at end of file 
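Review bot: Step 8 of "Reading a log file" on the new side still ends with `**BlockIndexToRead == (BlockIndexToRead – 1)**`, which compares a value with itself and can never hold; the bound presumably should be `**BlockCount – 1**`, since step 4 reads BlockCount to size the loop, and the commit only added a trailing period to that line. The ArchiveDefinition text also contradicts itself: it states `The supported operations are Add and Execute.` and then `Set and Execute are functionality equivalent`, so one of the two should be corrected (and `Azure blog storage` should read `Azure blob storage`, `Root note` should read `Root node`). Because a single ArchiveDefinition string carries both arbitrary `Command` elements that the device runs and a write-capable `SasUrl` that acts as a bearer credential, I would add one sentence after the "Where:" list such as `The SasUrl grants write access to anyone who holds it; generate it with only the permissions and lifetime the upload needs, and restrict which management roles may Add or Execute this node, since it runs the listed commands on the device.` The privilege under which the commands run is not stated in this hunk and should be documented if known.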
diff --git a/windows/client-management/mdm/diagnosticlog-ddf.md b/windows/client-management/mdm/diagnosticlog-ddf.md index dc23032029..ec63a3f303 100644 --- a/windows/client-management/mdm/diagnosticlog-ddf.md +++ b/windows/client-management/mdm/diagnosticlog-ddf.md @@ -23,6 +23,7 @@ The content below are the latest versions of the DDF files: - [DiagnosticLog CSP version 1.2](#version-1-2) - [DiagnosticLog CSP version 1.3](#version-1-3) +- [DiagnosticLog CSP version 1.4](#version-1-4) ## DiagnosticLog CSP version 1.2 
@@ -1284,6 +1285,893 @@ The content below are the latest versions of the DDF files: ``` +## DiagnosticLog CSP version 1.4 +```xml + + +]> + + 1.2 + + DiagnosticLog + ./Vendor/MSFT + + + + + + + + + + + + + + + com.microsoft/1.4/MDM/DiagnosticLog + + + + EtwLog + + + + + Root node of all types of event logging nodes that CSP manages. + + + + + + + + + + + + + + + Collectors + + + + + Root node of registered "Collector" nodes. + + + + + + + + + + + + + + + + + + + + + + Each dynamic node represents a registered 'Collector' node. CSP will maintain an ETW trace session for this collector with its name used as a unique identifier. In a collector, a valid ETW provider can be registered and unregistered. The collector's associated trace session will enable the registered providers in it if the provider's state is 'Enabled'. Each provider's state, trace level and keywords can be controlled separately. The name of this node must not be a valid Windows event channel name. It can be a etw provider guid as long as it is not equal to an already registered 'Provider' node name. + + + + + + + + + + CollectorName + + + + + + TraceStatus + + + + + This node is used for getting the status of this collector node's associated trace session. 1 means "in progress"; 0 means "not started or stopped". + + + + + + + + + + + text/plain + + + + + TraceLogFileMode + + + + + + 1 + This node is used for setting or getting the trace log file mode of this collector node's associated trace session. The only two allowed values are 1 and 2, which are EVENT_TRACE_FILE_MODE_SEQUENTIAL and EVENT_TRACE_FILE_MODE_CIRCULAR. Default value is 1. + + + + + + + + + + + text/plain + + + + + TraceControl + + + + + + This node is to trigger "start" and "stop" of this collector node's associated trace session. "Get" returns the name of this node. 
+ + + + + + + + + + + text/plain + + + + + LogFileSizeLimitMB + + + + + + 4 + This node is used for setting or getting the trace log file size limit(in Megabytes) of this collector node's associated trace session. The value range is 1~2048. Default value is 4. + + + + + + + + + + + text/plain + + + + + Providers + + + + + Root node of all providers registered in this collector node. + + + + + + + + + + + + + + + + + + + + + + Each dynamic node represents an ETW provider registered in this collector node. The node name must be a valid provider GUID. + + + + + + + + + + ProviderGuid + + + + + + Keywords + + + + + + "0" + This node is used for setting or getting the keywords of the event provider in this collector node's associated trace session. The string is in the form of hexadecimal digits and 16 chars wide. It'll be internally converted into ULONGLONG data type in the CSP. Default value is "0", which means all events from this provider are included. If the associated trace session is in progress, new keywords setting is applied immediately; if not, it'll be applied next time that session is started. + + + + + + + + + + + text/plain + + + + + TraceLevel + + + + + + 5 + This node is used for setting or getting the trace level of this event provider in this collector node's associated trace session. Default value is 5, which is TRACE_LEVEL_VERBOSE. If the associated trace session is in progress, new trace level setting is applied immediately;if not, it'll be applied next time that session is started. + + + + + + + + + + + text/plain + + + + + State + + + + + + true + This node is used for setting or getting the state of the event provider in this collector node's associated trace session. If the trace session isn't started, changing the value controls whether to enable the provider or not when session is started; if trace session is already started, changing its value causes enabling or disabling the provider in the live trace session. Default value is true. 
+ + + + + + + + + + + text/plain + + + + + + + + + Channels + + + + + Root node of registered "Channel" nodes. + + + + + + + + + + + + + + + + + + + + + + Each dynamic node represents a registered 'Channel' node. The node name must be a valid Windows event log channel name, e.g. "Microsoft-Client-Licensing-Platform%2FAdmin". When specifying the name in the LocURI, it must be url encoded or it'll be translated into a different URI unexpectedly. + + + + + + + + + + ChannelName + + + + + + Export + + + + + + This node is to trigger exporting events into a log file from this node's associated Windows event channel. The log file's extension is .evtx, which is the standard extension of windows event channel log. The "Get" command returns the name of this node. + + + + + + + + + + + text/plain + + + + + State + + + + + + This node is used for setting or getting the 'Enabled' state of this node's associated windows event channel in the system. Setting it to "TRUE" enables the channel; setting it to "FALSE" disables the channel. + + + + + + + + + + + text/plain + + + + + Filter + + + + + + "" + This node is used for setting or getting the xpath query string to filter the events when exporting the log file from the channel. Default value is empty string. + + + + + + + + + + + text/plain + + + + + + + + DeviceStateData + + + + + Root node of all types of device state data that CSP exposes. + + + + + + + + + + + + + + + MdmConfiguration + + + + + This node is to trigger snapping of the Device Management state data with "SNAP". + + + + + + + + + + + text/plain + + + + + + FileDownload + + + + + Root node of all csp nodes that are related to log file download in csp. + + + + + + + + + + + + + + + DMChannel + + + + + Root node of all csp nodes that are used for controlling file download for their associated log file generated by logging csp nodes. 
+ + + + + + + + + + + + + + + + + + + + Each dynamic node represents a 'FileContext' node corresponding to a log file generated by one of the logging CSP nodes(underneath 'EtwLog' node). The node name must be the name of a registered 'Provider', 'Collector' or 'Channel' node. The log file and its location will be determined by CSP based on the node name. File download is done by dividing the log file into multiple blocks of configured block size and then sending the blocks as requested by MDM server. + + + + + + + + + + FileContext + + + + + + BlockSizeKB + + + + + + 4 + This node is used for setting or getting the block size (in Kilobytes) for the download of assoicated log file. The value range is 1~16. Default value is 4. + + + + + + + + + + + text/plain + + + + + BlockCount + + + + + This node is used for getting the total number of blocks for the associated log file. If the log file isn't generated yet, the value returned is -1; if the trace session is in progress, the value returned is -2. + + + + + + + + + + + text/plain + + + + + BlockIndexToRead + + + + + + This node is used for setting and getting the block index that points to the data block for 'BlockData' node. The value range is 0~(BlockCount-1). + + + + + + + + + + + text/plain + + + + + BlockData + + + + + This node is used to get the binary data of the block that 'BlockIndexToRead' node is pointing to. + + + + + + + + + + + + + + + + DataBlocks + + + + + Root node of all 'BlockNumber' nodes for the associated log file. The number of its children should be the total block count of the log file. No children nodes exist if 'BlockCount' node's value is less than 0. + + + + + + + + + + + + + + + + + + + + Each dynamic node represents a 'BlockNumber' node. The node name is an integer equal to the index of the block which this node stands for. Therefore the node name should be ranging from 0 to (BlockCount -1). It returns the binary data of the block which this node is referring to. 
+ + + + + + + + + + BlockNumber + + + + + + + + + + + Policy + + + + + Contains policy for diagnostic settings. + + + + + + + + + + + + + + + + + + Channels + + + + + Contains policy for Event Log channel settings. + + + + + + + + + + + + + + + + + + + + + + Each dynamic node represents a registered 'Channel' node. The node name must be a valid Windows event log channel name, e.g. "Microsoft-Client-Licensing-Platform%2FAdmin". When specifying the name in the LocURI, it must be url encoded or it'll be translated into a different URI unexpectedly. + + + + + + + + + + ChannelName + + + + + + MaximumFileSize + + + + + + + + Maximum size of the channel log file in MB. + + + + + + + + + + + text/plain + + + + + SDDL + + + + + + + + SDDL String controlling access to the channel. Default: https://docs.microsoft.com/en-us/windows/desktop/WES/eventmanifestschema-channeltype-complextype + + + + + + + + + + + + + + text/plain + + + + + ActionWhenFull + + + + + + + + Action to take when the log file reaches maximum size. "Truncate", "Overwrite", "Archive". + + + + + + + + + + + + + + text/plain + + + + + Enabled + + + + + + + + This policy setting specifies whether the channel should be enabled or disabled. Set value to TRUE to enable and FALSE to disable. + + + + + + + + + + + text/plain + + + + + + + + DiagnosticArchive + + + + + Root note for archive definition and collection. + + + + + + + + + + + + + + + ArchiveDefinition + + + + + + + + + + + + + + + + text/plain + + + + + ArchiveResults + + + + + Pull up the results of the last archive run. + + + + + + + + + + + + + + text/plain + + + + + + +``` + ## Related topics diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index 9f3f924a14..6360bcb775 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md 
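Review bot: In the new 1.4 DDF the `ArchiveDefinition` node appears to carry no description text, while every sibling node (`ArchiveResults`: `Pull up the results of the last archive run.`) does; as rendered here the XML tags are stripped, so verify against the source, but a description along the lines of `XML string defining the data to gather and the SAS URL to upload the archive to.` would match the CSP topic. Two typos on the new side are worth fixing in the same pass: `Root note for archive definition and collection.` should read `Root node …`, and `for the download of assoicated log file` should read `associated`. The `SDDL` description gives a URL as its `Default:`; since readers expect an SDDL string there, phrase it as `Default: see <URL>` so the URL is not mistaken for the value.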
+++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -22,6 +22,7 @@ Requirements: - The enterprise has configured a mobile device management (MDM) service - The enterprise AD must be [registered with Azure Active Directory (Azure AD)](azure-active-directory-integration-with-mdm.md) - The device should not already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with `error 0x80180026`) +- The minimum Windows Server version requirement is based on the Hybrid AAD join requirement. See [How to plan your hybrid Azure Active Directory join implementation](https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan) for more information. > [!TIP] > For additional information, see the following topics: @@ -155,8 +156,8 @@ Requirements: >[!IMPORTANT] >If you do not see the policy, it may be because you don’t have the ADMX installed for Windows 10, version 1803 or version 1809. To fix the issue, follow these steps: > 1. Download: -> 1803 -->[Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/en-us/download/details.aspx?id=56880) or -> 1809 --> [Administrative Templates for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/en-us/download/details.aspx?id=57576). +> 1803 -->[Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880) or +> 1809 --> [Administrative Templates for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576). > 2. Install the package on the Primary Domain Controller (PDC). > 3. Navigate, depending on the version to the folder: > 1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2**, or 
diff --git a/windows/client-management/mdm/federated-authentication-device-enrollment.md b/windows/client-management/mdm/federated-authentication-device-enrollment.md index dff91fd372..12af80dacf 100644 --- a/windows/client-management/mdm/federated-authentication-device-enrollment.md +++ b/windows/client-management/mdm/federated-authentication-device-enrollment.md @@ -167,6 +167,9 @@ AuthenticationServiceUrl?appru=&login_hint= After authentication is complete, the auth server should return an HTML form document with a POST method action of appid identified in the query string parameter. +> [!NOTE] +> To make an application compatible with strict Content Security Policy, it is usually necessary to make some changes to HTML templates and client-side code, add the policy header, and test that everything works properly once the policy is deployed. + ``` HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 diff --git a/windows/client-management/mdm/images/provisioning-csp-diagnosticlog.png b/windows/client-management/mdm/images/provisioning-csp-diagnosticlog.png index 44449d7e6f..9829586338 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-diagnosticlog.png and b/windows/client-management/mdm/images/provisioning-csp-diagnosticlog.png differ diff --git a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md index 98f5020545..f1f4f5b05f 100644 --- a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md +++ b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md 
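Review bot: The added `> [!NOTE]` about strict Content Security Policy is generic advice about templates and testing and does not say what in this enrollment flow it applies to, so a reader cannot act on it. I would tie it to the response described in the preceding sentence, for example `The HTML form document returned here, including any script that submits it, is what a strict Content-Security-Policy on the auth server must allow.` Whether the returned form relies on script to submit is not shown in this hunk, so that wording should be confirmed against the full example, which continues outside the hunk.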
@@ -81,43 +81,7 @@ For code samples, see [Microsoft Azure Active Directory Samples and Documentatio ## Configure your Azure AD application -Here are the steps to configure your Azure AD app. For additional information, see [Integrating Applications with Azure Active Directory](https://go.microsoft.com/fwlink/p/?LinkId=623021): - -1. Log into Microsoft Azure Management Portal (https:manage.windowsazure.com) -2. Go to the Active Directory module. -3. Select your directory. -4. Click the **Applications** tab. - - ![business store management tool](images/businessstoreportalservices8.png) - -5. Click **Add**. - - ![business store management tool](images/businessstoreportalservices9.png) - -6. Select **Add an application that my organization is developing**. - - ![business store management tool](images/businessstoreportalservices10.png) - -7. Specify a name and then select **WEB APPLICATION AND/OR WEB API**. - - ![business store management tool](images/businessstoreportalservices11.png) - -8. Specify the **SIGN-ON URL** to your application. - - ![business store management tool](images/businessstoreportalservices12.png) - -9. Specify whether your app is multi-tenant or single tenant. For more information, see [Integrating Applications with Azure Active Directory](https://go.microsoft.com/fwlink/p/?LinkId=623021). - - ![business store management tool](images/businessstoreportalservices13.png) - -10. Create a client key. - - ![business store management tool](images/businessstoreportalservices14.png) - - > **Note** In the prior version of the tool, an update to the app manifest was required to authorize the application. This is no longer necessary. - -11. Login to Store for Business and enable your application. For step-by-step guide, see [Configure an MDM provider](https://technet.microsoft.com/library/mt606939.aspx). 
- +See [Quickstart: Register an application with the Microsoft identity platform](https://docs.microsoft.com/azure/active-directory/develop/quickstart-register-app) for the steps to configure your Azure AD app. ## Azure AD Authentication for MTS diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index f12fe88286..0e6b603e24 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -144,6 +144,13 @@ For details about Microsoft mobile device management protocols for Windows 10 s

    Added new CSP in Windows 10, version 1903.

    +DiagnosticLog CSP
    +DiagnosticLog DDF +

    Added version 1.4 of the CSP in Windows 10, version 1903. Added the new 1.4 version of the DDF. Added the following new nodes:
    +Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelName/MaximumFileSize, Policy/Channels/ChannelName/SDDL, Policy/Channels/ChannelName/ActionWhenFull, Policy/Channels/ChannelName/Enabled, DiagnosticArchive, DiagnosticArchive/ArchiveDefinition, DiagnosticArchive/ArchiveResults. +

    + + EnrollmentStatusTracking CSP

    Added new CSP in Windows 10, version 1903.

    @@ -1896,6 +1903,7 @@ How do I turn if off? | The service can be stopped from the "Services" console o |New or updated topic | Description| |--- | ---| +|[DiagnosticLog CSP](diagnosticlog-csp.md)
    [DiagnosticLog DDF](diagnosticlog-ddf.md)|Added version 1.4 of the CSP in Windows 10, version 1903. Added the new 1.4 version of the DDF. Added the following new nodes:
    Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelName/MaximumFileSize, Policy/Channels/ChannelName/SDDL, Policy/Channels/ChannelName/ActionWhenFull, Policy/Channels/ChannelName/Enabled, DiagnosticArchive, DiagnosticArchive/ArchiveDefinition, DiagnosticArchive/ArchiveResults.| |[Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md)|Enhanced the article to include additional reference links and the following two topics:
    Verify auto-enrollment requirements and settings, Troubleshoot auto-enrollment of devices.| ### July 2019 diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index f796a9ae53..ca0dbef0a2 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: manikadhiman -ms.date: 01/26/2019 +ms.date: 08/26/2019 ms.reviewer: manager: dansimp --- @@ -205,8 +205,8 @@ ADMX Info: The following list shows the supported values: -- 0 – Not allowed. -- 1 (default) – Allowed. +- 0 – Not allowed. Turns off scanning on archived files. +- 1 (default) – Allowed. Scans the archive files. @@ -267,8 +267,8 @@ ADMX Info: The following list shows the supported values: -- 0 – Not allowed. -- 1 (default) – Allowed. +- 0 – Not allowed. Turns off behavior monitoring. +- 1 (default) – Allowed. Turns on real-time behavior monitoring. @@ -330,8 +330,8 @@ ADMX Info: The following list shows the supported values: -- 0 – Not allowed. -- 1 (default) – Allowed. +- 0 – Not allowed. Turns off the Microsoft Active Protection Service. +- 1 (default) – Allowed. Turns on the Microsoft Active Protection Service. @@ -392,8 +392,8 @@ ADMX Info: The following list shows the supported values: -- 0 (default) – Not allowed. -- 1 – Allowed. +- 0 (default) – Not allowed. Turns off email scanning. +- 1 – Allowed. Turns on email scanning. @@ -454,8 +454,8 @@ ADMX Info: The following list shows the supported values: -- 0 (default) – Not allowed. -- 1 – Allowed. +- 0 (default) – Not allowed. Disables scanning on mapped network drives. +- 1 – Allowed. Scans mapped network drives. 
@@ -502,7 +502,7 @@ The following list shows the supported values: > This policy is only enforced in Windows 10 for desktop. -Allows or disallows a full scan of removable drives. +Allows or disallows a full scan of removable drives. During a quick scan, removable drives may still be scanned. @@ -516,8 +516,8 @@ ADMX Info: The following list shows the supported values: -- 0 – Not allowed. -- 1 (default) – Allowed. +- 0 – Not allowed. Turns off scanning on removable drives. +- 1 (default) – Allowed. Scans removable drives. @@ -756,8 +756,8 @@ ADMX Info: The following list shows the supported values: -- 0 – Not allowed. -- 1 (default) – Allowed. +- 0 – Not allowed. Turns off the real-time monitoring service. +- 1 (default) – Allowed. Turns on and runs the real-time monitoring service. @@ -818,8 +818,8 @@ ADMX Info: The following list shows the supported values: -- 0 – Not allowed. -- 1 (default) – Allowed. +- 0 – Not allowed. Turns off scanning of network files. +- 1 (default) – Allowed. Scans network files. @@ -934,8 +934,8 @@ ADMX Info: The following list shows the supported values: -- 0 – Not allowed. -- 1 (default) – Allowed. +- 0 – Not allowed. Prevents users from accessing UI. +- 1 (default) – Allowed. Lets users access UI. 
@@ -1821,7 +1821,7 @@ ADMX Info: > [!NOTE] > This policy is only enforced in Windows 10 for desktop. -Added in Windows 10, version 1709. This policy allows you to turn network protection on (block/audit) or off in Windows Defender Exploit Guard. Network protection is a feature of Windows Defender Exploit Guard that protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites. Value type is integer. +Added in Windows 10, version 1709. This policy allows you to turn network protection on (block/audit) or off. Network protection protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites. Value type is integer. If you enable this setting, network protection is turned on and employees can't turn it off. Its behavior can be controlled by the following options: Block and Audit. If you enable this policy with the ""Block"" option, users/apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Windows Defender Security Center. @@ -2815,4 +2815,3 @@ Footnote: - [Defender/SubmitSamplesConsent](#defender-submitsamplesconsent) - [Defender/ThreatSeverityDefaultAction](#defender-threatseveritydefaultaction) - diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md index 8e0abebf9d..b1150dc1b9 100644 --- a/windows/client-management/mdm/policy-csp-exploitguard.md +++ b/windows/client-management/mdm/policy-csp-exploitguard.md 
@@ -65,7 +65,7 @@ manager: dansimp -Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML. For more information Exploit Protection, see [Protect devices from exploits with Windows Defender Exploit Guard](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard) and [Import, export, and deploy Exploit Protection configurations](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml). +Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML. For more information Exploit Protection, see [Protect devices from exploits](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/exploit-protection) and [Import, export, and deploy Exploit Protection configurations](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml). The system settings require a reboot; the application settings do not require a reboot. diff --git a/windows/client-management/mdm/vpnv2-profile-xsd.md b/windows/client-management/mdm/vpnv2-profile-xsd.md index fbb8abae88..dd82298d1b 100644 --- a/windows/client-management/mdm/vpnv2-profile-xsd.md +++ b/windows/client-management/mdm/vpnv2-profile-xsd.md @@ -23,7 +23,7 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro ```xml - + diff --git a/windows/client-management/windows-10-mobile-and-mdm.md b/windows/client-management/windows-10-mobile-and-mdm.md index 9790bdb770..da7f583966 100644 --- a/windows/client-management/windows-10-mobile-and-mdm.md +++ b/windows/client-management/windows-10-mobile-and-mdm.md 
@@ -108,7 +108,7 @@ MDM enrollment can also be initiated with a provisioning package. This option en Employees can use only one account to initialize a device so it’s imperative that your organization controls which account is enabled first. The account chosen will determine who controls the device and influence your management capabilities. ->**Note:** Why must the user add an account to the device in OOBE? Windows 10 Mobile are single user devices and the user accounts give access to a number of default cloud services that enhance the productivity and entertainment value of the phone for the user. Such services are: Store for downloading apps, Groove for music and entertainment, Xbox for gaming, etc. Both an [MSA](https://www.microsoft.com/en-us/account/) and an [Azure AD account](https://www.microsoft.com/en-us/server-cloud/products/azure-active-directory/?WT.srch=1&WT.mc_id=SEM_%5B_uniqid%5D&utm_source=Bing&utm_medium=CPC&utm_term=azure%20ad&utm_campaign=Enterprise_Mobility_Suite) give access to these services. +>**Note:** Why must the user add an account to the device in OOBE? Windows 10 Mobile are single user devices and the user accounts give access to a number of default cloud services that enhance the productivity and entertainment value of the phone for the user. Such services are: Store for downloading apps, Groove for music and entertainment, Xbox for gaming, etc. Both an [MSA](https://www.microsoft.com/account/) and an [Azure AD account](https://www.microsoft.com/server-cloud/products/azure-active-directory/?WT.srch=1&WT.mc_id=SEM_%5B_uniqid%5D&utm_source=Bing&utm_medium=CPC&utm_term=azure%20ad&utm_campaign=Enterprise_Mobility_Suite) give access to these services. The following table describes the impact of identity choice on device management characteristics of the personal and corporate device scenarios. 
@@ -186,7 +186,7 @@ For both personal and corporate deployment scenarios, an MDM system is the essen Azure AD is a cloud-based directory service that provides identity and access management. You can integrate it with existing on-premises directories to create a hybrid identity solution. Organizations that use Microsoft Office 365 or Intune are already using Azure AD, which has three editions: Free Basic, and Premium (see [Azure Active Directory editions](https://azure.microsoft.com/documentation/articles/active-directory-editions/)). All editions support Azure AD device registration, but the Premium edition is required to enable MDM auto-enrollment and conditional access based on device state. **Mobile Device Management** -Microsoft [Intune](https://www.microsoft.com/en-us/server-cloud/products/microsoft-intune/overview.aspx), part of the Enterprise Mobility + Security, is a cloud-based MDM system that manages devices off premises. Like Office 365, Intune uses Azure AD for identity management so employees use the same credentials to enroll devices in Intune that they use to sign into Office 365. Intune supports devices that run other operating systems, such as iOS and Android, to provide a complete MDM solution. +Microsoft [Intune](https://www.microsoft.com/server-cloud/products/microsoft-intune/overview.aspx), part of the Enterprise Mobility + Security, is a cloud-based MDM system that manages devices off premises. Like Office 365, Intune uses Azure AD for identity management so employees use the same credentials to enroll devices in Intune that they use to sign into Office 365. Intune supports devices that run other operating systems, such as iOS and Android, to provide a complete MDM solution. You can also integrate Intune with Configuration Manager to gain a single console for managing all devices in the cloud and on premises, mobile or PC. 
For more information, see [Manage Mobile Devices with Configuration Manager and Microsoft Intune](https://technet.microsoft.com/library/jj884158.aspx). For guidance on choosing between a stand-alone Intune installation and Intune integrated with System Center Configuration Manager, see Choose between Intune by itself or integrating Intune with System Center Configuration Manager. Multiple MDM systems support Windows 10 and most support personal and corporate device deployment scenarios. MDM providers that support Windows 10 Mobile currently include: AirWatch, Citrix, MobileIron, SOTI, Blackberry and others. Most industry-leading MDM vendors already support integration with Azure AD. You can find the MDM vendors that support Azure AD in [Azure Marketplace](https://azure.microsoft.com/marketplace/). If your organization doesn’t use Azure AD, the user must use an MSA during OOBE before enrolling the device in your MDM using a corporate account. diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md index b3077aeaf7..cca8151178 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md 
@@ -53,7 +53,7 @@ Your organization must have an Azure AD tenant and your employees’ devices mus ## Cortana and privacy We understand that there are some questions about Cortana and your organization’s privacy, including concerns about what info is collected by Cortana, where the info is saved, how to manage what data is collected, how to turn Cortana off, how to opt completely out of data collection, and what info is shared with other Microsoft apps and services. For more details about these concerns, see the [Cortana, Search, and privacy: FAQ](https://windows.microsoft.com/windows-10/cortana-privacy-faq) topic. -Cortana is covered under the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and [Microsoft Services Agreement](https://www.microsoft.com/en-us/servicesagreement). +Cortana is covered under the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and [Microsoft Services Agreement](https://www.microsoft.com/servicesagreement). ## See also - [What is Cortana?](https://go.microsoft.com/fwlink/p/?LinkId=746818) diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md index f731e345d8..7d96f06030 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md 
@@ -18,7 +18,7 @@ manager: dansimp - Windows 10 Mobile, version 1703 >[!IMPORTANT] ->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. For more info, see the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Microsoft Services Agreement](https://www.microsoft.com/en-us/servicesagreement). +>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. For more info, see the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Microsoft Services Agreement](https://www.microsoft.com/servicesagreement). Cortana automatically finds patterns in your email, suggesting reminders based things that you said you would do so you don’t forget about them. For example, Cortana recognizes that if you include the text, _I’ll get this to you by the end of the week_ in an email, you're making a commitment to provide something by a specific date. Cortana can now suggest that you be reminded about this event, letting you decide whether to keep it or to cancel it. diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md index c3491784d7..af5a26163b 100644 --- a/windows/configuration/kiosk-prepare.md +++ b/windows/configuration/kiosk-prepare.md 
@@ -21,15 +21,15 @@ ms.topic: article - Windows 10 Pro, Enterprise, and Education ->[!WARNING] ->For kiosks in public-facing environments with auto sign-in enabled, you should use a user account with least privilege, such as a local standard user account. +> [!WARNING] +> For kiosks in public-facing environments with auto sign-in enabled, you should use a user account with the least privileges, such as a local standard user account. > ->Assigned access can be configured via Windows Management Instrumentation (WMI) or configuration service provider (CSP) to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so. +> Assigned access can be configured via Windows Management Instrumentation (WMI) or configuration service provider (CSP) to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that might allow an attacker subverting the assigned access application to gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so. ->[!IMPORTANT] ->[User account control (UAC)](https://docs.microsoft.com/windows/security/identity-protection/user-account-control/user-account-control-overview) must be turned on to enable kiosk mode. 
+> [!IMPORTANT] +> [User account control (UAC)](https://docs.microsoft.com/windows/security/identity-protection/user-account-control/user-account-control-overview) must be turned on to enable kiosk mode. > ->Kiosk mode is not supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk. +> Kiosk mode is not supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk. ## Configuration recommendations 
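Review bot: The reworded warning names the exposure of domain accounts (resources "inadvertently left accessible to any domain account") but still gives no concrete mitigation, so "proceed with caution" is the only guidance a practitioner gets. I would add, directly after that sentence, `> If a domain account is unavoidable, use a dedicated account that belongs to no groups beyond Domain Users, deny it interactive and network logon everywhere except the kiosk, and review what is reachable by Authenticated Users or Domain Users before deploying.` It is also worth stating that with auto sign-in the account's credential lives on a physically exposed device, so the account should be treated as compromised if the kiosk is; I am inferring the on-device storage from the autologon procedure later in this file rather than from this hunk.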
@@ -60,19 +60,19 @@ Logs can help you [troubleshoot issues](multi-app-kiosk-troubleshoot.md) kiosk i In addition to the settings in the table, you may want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, whether from an update or power outage, you can sign in the assigned access account manually or you can configure the device to sign in to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic sign in. ->[!NOTE] ->If you are using a Windows 10 and later device restriction CSP to set "Preferred Azure AD tenant domain", this will break the "User logon type" auto-login feature of the Kiosk profile. +> [!NOTE] +> If you are using a Windows 10 and later device restriction CSP to set "Preferred Azure AD tenant domain", this will break the "User logon type" auto-login feature of the Kiosk profile. ->[!TIP] ->If you use the [kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) or [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) to configure your kiosk, you can set an account to sign in automatically in the wizard or XML. +> [!TIP] +> If you use the [kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) or [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) to configure your kiosk, you can set an account to sign in automatically in the wizard or XML. **How to edit the registry to have an account sign in automatically** 1. Open Registry Editor (regedit.exe). - >[!NOTE] - >If you are not familiar with Registry Editor, [learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002). + > [!NOTE] + > If you are not familiar with Registry Editor, [learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002). 2. Go to 
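Review bot: The registry-based auto sign-in procedure gained reformatted notes but still carries no warning about how the credential is stored: as far as I recall, a password written under the Winlogon key for automatic logon is kept in clear text and is readable by any local user who can read that key, which on a public-facing kiosk is a realistic attacker. I would add, right after step 1, `> [!WARNING]` / `> A password stored this way is kept in clear text in the registry. Prefer the Sysinternals Autologon tool, which stores the password as an LSA secret, and in any case use an account that has no access beyond the kiosk.` The remaining steps of the procedure (the key path and value names) fall outside this hunk, so I cannot confirm exactly which values it writes.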
@@ -94,8 +94,8 @@ In addition to the settings in the table, you may want to set up **automatic log 4. Close Registry Editor. The next time the computer restarts, the account will sign in automatically. ->[!TIP] ->You can also configure automatic sign-in [using the Autologon tool from Sysinternals](https://docs.microsoft.com/sysinternals/downloads/autologon). +> [!TIP] +> You can also configure automatic sign-in [using the Autologon tool from Sysinternals](https://docs.microsoft.com/sysinternals/downloads/autologon). ## Interactions and interoperability @@ -245,13 +245,13 @@ The following table describes some features that have interoperability issues we + - ## Testing your kiosk in a virtual machine (VM) Customers sometimes use virtual machines (VMs) to test configurations before deploying those configurations to physical devices. If you use a VM to test your single-app kiosk configuration, you need to know how to connect to the VM properly. -A single-app kiosk configuration runs an app above the lockscreen. It doesn't work when it's accessed remotely, which includes *enhanced* sessions in Hyper-V. +A single-app kiosk configuration runs an app above the lock screen. It doesn't work when it's accessed remotely, which includes *enhanced* sessions in Hyper-V. When you connect to a VM configured as a single-app kiosk, you need a *basic* session rather than an enhanced session. In the following image, notice that **Enhanced session** is not selected in the **View** menu; that means it's a basic session. 
@@ -259,4 +259,4 @@ When you connect to a VM configured as a single-app kiosk, you need a *basic* se To connect to a VM in a basic session, do not select **Connect** in the connection dialog, as shown in the following image, but instead, select the **X** button in the upper-right corner to cancel the dialog. -![Do not select connect button, use close X in corner](images/vm-kiosk-connect.png) +![Do not select the connect button, use "close X" in the top corner](images/vm-kiosk-connect.png) diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md index fec62e33fd..92c0f753d1 100644 --- a/windows/configuration/kiosk-single-app.md +++ b/windows/configuration/kiosk-single-app.md @@ -51,6 +51,7 @@ Method | Description + ## Set up a kiosk in local Settings >App type: UWP @@ -122,6 +123,7 @@ To remove assigned access, choose **Turn off assigned access and sign out of the + ## Set up a kiosk using Windows PowerShell @@ -182,6 +184,7 @@ Clear-AssignedAccess + ## Set up a kiosk using the kiosk wizard in Windows Configuration Designer >App type: UWP or Windows desktop application @@ -234,6 +237,7 @@ When you use the **Provision kiosk devices** wizard in Windows Configuration Des + ## Set up a kiosk or digital sign using Microsoft Intune or other MDM service >App type: UWP diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index 2b237f1092..b88f801492 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md @@ -591,6 +591,7 @@ To create a multi-app kiosk that can run mixed reality apps, you must include th + ``` These are in addition to any mixed reality apps that you allow. 
diff --git a/windows/configuration/provisioning-packages/provisioning-powershell.md b/windows/configuration/provisioning-packages/provisioning-powershell.md index ad7c341563..02c28c2b6d 100644 --- a/windows/configuration/provisioning-packages/provisioning-powershell.md +++ b/windows/configuration/provisioning-packages/provisioning-powershell.md @@ -26,7 +26,7 @@ Windows 10, version 1703, ships with Windows Provisioning PowerShell cmdlets. Th - + diff --git a/windows/configuration/start-secondary-tiles.md b/windows/configuration/start-secondary-tiles.md index fd49af9302..2cdfa8a68e 100644 --- a/windows/configuration/start-secondary-tiles.md +++ b/windows/configuration/start-secondary-tiles.md @@ -76,10 +76,7 @@ In Windows 10, version 1703, by using the PowerShell cmdlet `export-StartLayoutE 3. If you’d like to change the image for a secondary tile to your own custom image, open the layout.xml file, and look for the images that the tile references. - For example, your layout.xml contains `Square150x150LogoUri="ms-appdata:///local/PinnedTiles/21581260870/hires.png" Wide310x150LogoUri="ms-appx:///"` - - Open `C:\Users\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\21581260870\` and replace those images with your customized images. - - >[!TIP] - >A quick method for getting appropriately sized images for each tile size is to upload your image at [BuildMyPinnedSite](http://www.buildmypinnedsite.com/) and then download the resized tile images. + - Open `C:\Users\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\21581260870\` and replace those images with your customized images. 4. In Windows PowerShell, enter the following command: 
@@ -112,11 +109,8 @@ In Microsoft Intune, you create a device restrictions policy to apply to device >[!NOTE] >The device restrictions in Microsoft Intune include [other Start settings](https://docs.microsoft.com/intune/device-restrictions-windows-10#start) that you can also configure in your profile. - - ### Using a provisioning package - #### Prepare the Start layout and Edge assets XML files The **export-StartLayout** and **export-StartLayoutEdgeAssets** cmdlets produce XML files. Because Windows Configuration Designer produces a customizations.xml file that contains the configuration settings, adding the Start layout and Edge assets sections to the customizations.xml file directly would result in an XML file embedded in an XML file. Before you add the Start layout and Edge assets sections to the customizations.xml file, you must replace the markup characters in your layout.xml with escape characters. @@ -128,7 +122,7 @@ The **export-StartLayout** and **export-StartLayoutEdgeAssets** cmdlets produce 3. During the procedure to create a provisioning package, you will copy the text with the escape characters and paste it in the customizations.xml file for your project. -#### Create a provisioning package that contains a customized Start layout +#### Create a provisioning package that contains a customized Start layout Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](provisioning-packages/provisioning-install-icd.md) diff --git a/windows/configuration/stop-employees-from-using-microsoft-store.md b/windows/configuration/stop-employees-from-using-microsoft-store.md index 643ebbc93e..15ac23506b 100644 --- a/windows/configuration/stop-employees-from-using-microsoft-store.md +++ b/windows/configuration/stop-employees-from-using-microsoft-store.md 
@@ -23,7 +23,7 @@ ms.date: 4/16/2018 - Windows 10 - Windows 10 Mobile ->For more info about the features and functionality that are supported in each edition of Windows, see [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare). +>For more info about the features and functionality that are supported in each edition of Windows, see [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). IT pros can configure access to Microsoft Store for client computers in their organization. For some organizations, business policies require blocking access to Microsoft Store. diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md index 049e9cff9f..0d078ba82b 100644 --- a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md +++ b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md @@ -228,7 +228,7 @@ To distribute a new Notepad template, you would perform these steps: ## Get the UE-V Configuration Pack -You can download the [System Center 2012 Configuration Pack for Microsoft User Experience Virtualization 2.0](https://www.microsoft.com/en-us/download/details.aspx?id=40913) from the Microsoft Download Center. +You can download the [System Center 2012 Configuration Pack for Microsoft User Experience Virtualization 2.0](https://www.microsoft.com/download/details.aspx?id=40913) from the Microsoft Download Center. diff --git a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md index 3a799a5027..3bf783b488 100644 --- a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md +++ b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md 
@@ -139,7 +139,7 @@ You can deploy UE-V settings location template with the following methods: - **Registering template with Template Catalog Path**. If you use the Settings Template Catalog Path to manage templates on users’ computers, copy the Office template into the folder defined in the UE-V service. The next time the Template Auto Update (ApplySettingsCatalog.exe) scheduled task runs, the settings location template will be registered on the device. For more information, see [Deploy a settings template catalog](uev-deploy-uev-for-custom-applications.md). -- **Registering template with Configuration Manager**. If you use Configuration Manager to manage your UE-V settings storage templates, recreate the Template Baseline CAB, import it into Configuration Manager, and then deploy the baseline to user devices. For more information, see the guidance provided in the documentation for the [System Center 2012 Configuration Pack for Microsoft User Experience Virtualization 2.0](https://www.microsoft.com/en-us/download/details.aspx?id=40913). +- **Registering template with Configuration Manager**. If you use Configuration Manager to manage your UE-V settings storage templates, recreate the Template Baseline CAB, import it into Configuration Manager, and then deploy the baseline to user devices. For more information, see the guidance provided in the documentation for the [System Center 2012 Configuration Pack for Microsoft User Experience Virtualization 2.0](https://www.microsoft.com/download/details.aspx?id=40913). diff --git a/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md b/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md index e44d1c33a7..c17b9cedb8 100644 --- a/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md +++ b/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md 
@@ -22,7 +22,7 @@ User Experience Virtualization (UE-V) for Windows 10, version 1607, includes the ## UE-V is now a feature in Windows 10 -With Windows 10, version 1607 and later releases, UE-V is included with [Windows 10 for Enterprise](https://www.microsoft.com/en-us/WindowsForBusiness/windows-for-enterprise) and is no longer part of the Microsoft Desktop Optimization Pack. +With Windows 10, version 1607 and later releases, UE-V is included with [Windows 10 for Enterprise](https://www.microsoft.com/WindowsForBusiness/windows-for-enterprise) and is no longer part of the Microsoft Desktop Optimization Pack. The changes in UE-V for Windows 10, version 1607 impact already existing implementations of UE-V in the following ways: diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index 55c9e3dfac..c4c52097cc 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md 
@@ -63,7 +63,7 @@ You probably have on-premises Active Directory Domain Services (AD DS) domains. You might ask why you need to synchronize these identities. The answer is so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Enterprise E3 or E5). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them. -**Figure 1** illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](https://www.microsoft.com/en-us/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure. +**Figure 1** illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](https://www.microsoft.com/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure. ![Illustration of Azure Active Directory Connect](images/enterprise-e3-ad-connect.png) 
@@ -194,7 +194,7 @@ If there are any problems with the Windows 10 Enterprise E3 or E5 license or th ## Virtual Desktop Access (VDA) -Subscriptions to Windows 10 Enterprise are also available for virtualized clients. Windows 10 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx). +Subscriptions to Windows 10 Enterprise are also available for virtualized clients. Windows 10 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://www.microsoft.com/CloudandHosting/licensing_sca.aspx). Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Enterprise Subscription Activation](vda-subscription-activation.md). diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index e32aae1631..e512fb6f51 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -29,7 +29,7 @@ This topic provides an overview of new solutions and online content related to d ## Recent additions to this page -[SetupDiag](#setupdiag) 1.6.0 is released.
    +[SetupDiag](#setupdiag) 1.6 is released.
    The [Windows ADK for Windows 10, version 1903](https://docs.microsoft.com/windows-hardware/get-started/adk-install) is available.
    New [Windows Autopilot](#windows-autopilot) content is available.
    [Windows 10 Subscription Activation](#windows-10-subscription-activation) now supports Windows 10 Education. @@ -95,7 +95,7 @@ With Windows 10, version 1903, you can step-up from Windows 10 Pro Education to [SetupDiag](upgrade/setupdiag.md) is a standalone diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful. -SetupDiag version 1.4.1 was released on 5/17/2019. +SetupDiag version 1.6.0.42 was released on 08/08/2019. ### Upgrade Readiness @@ -180,6 +180,6 @@ The following topics provide a change history for Windows 10 ITPro TechNet libra [Overview of Windows as a service](update/waas-overview.md)
    [Windows 10 deployment considerations](planning/windows-10-deployment-considerations.md)
    [Windows 10 release information](https://docs.microsoft.com/windows/windows-10/release-information) -
    [Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/en-us/windows/windows-10-specifications) +
    [Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/windows/windows-10-specifications)
    [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md)
    [Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md) diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md index 7f2c14085a..b4ff72ee14 100644 --- a/windows/deployment/mbr-to-gpt.md +++ b/windows/deployment/mbr-to-gpt.md @@ -452,5 +452,5 @@ To fix this issue, mount the Windows PE image (WIM), copy the missing file from ## Related topics [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) -
    [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications) +
    [Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)
    [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) diff --git a/windows/deployment/planning/compatibility-administrator-users-guide.md b/windows/deployment/planning/compatibility-administrator-users-guide.md index d19359cc40..afbb20379c 100644 --- a/windows/deployment/planning/compatibility-administrator-users-guide.md +++ b/windows/deployment/planning/compatibility-administrator-users-guide.md 
@@ -1,85 +1,71 @@
----
-title: Compatibility Administrator User's Guide (Windows 10)
-ms.assetid: 0ce05f66-9009-4739-a789-60f3ce380e76
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-description:
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-audience: itpro author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Compatibility Administrator User's Guide
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-The Compatibility Administrator tool helps you resolve potential application-compatibility issues before deploying a new version of Windows to your organization. Compatibility Administrator provides the following:
-
-- Compatibility fixes, compatibility modes, and AppHelp messages that you can use to resolve specific compatibility issues.
-
-- Tools for creating customized compatibility fixes, compatibility modes, AppHelp messages, and compatibility databases.
-
-- A query tool that you can use to search for installed compatibility fixes on your local computers.
-
-The following flowchart shows the steps for using the Compatibility Administrator tool to create your compatibility fixes, compatibility modes, and AppHelp messages.
-
-![act compatibility admin flowchart](images/dep-win8-l-act-compatadminflowchart.jpg)
-
-**Important**   
-Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to create and work with custom databases for 32-bit applications, and the 64-bit version to create and work with custom databases for 64-bit applications.
-
-
-
-## In this section
-
-
-
    CmdletUse this cmdlet toSyntax
    Add-ProvisioningPackage Apply a provisioning packageAdd-ProvisioningPackage [-Path] <string> [-ForceInstall] [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]
    Add-ProvisioningPackage Apply a provisioning packageAdd-ProvisioningPackage [-Path] <string> [-ForceInstall] [-LogsFolder <string>] [-QuietInstall] [-WprpFile <string>] [<CommonParameters>]
    Remove-ProvisioningPackageRemove a provisioning package Remove-ProvisioningPackage -PackageId <string> [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]
    Remove-ProvisioningPackage -Path <string> [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]
    Remove-ProvisioningPackage -AllInstalledPackages [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]
    Get-ProvisioningPackage Get information about an installed provisioning package Get-ProvisioningPackage -PackageId <string> [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]
    Get-ProvisioningPackage -Path <string> [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]
    Get-ProvisioningPackage -AllInstalledPackages [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]
    Export-ProvisioningPackage Extract the contents of a provisioning package Export-ProvisioningPackage -PackageId <string> -OutputFolder <string> [-Overwrite] [-AnswerFileOnly] [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]
    Export-ProvisioningPackage -Path <string> -OutputFolder <string> [-Overwrite] [-AnswerFileOnly] [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]
    ---- - - - - - - - - - - - - - - - - - - - - -
    TopicDescription

    Using the Compatibility Administrator Tool

    This section provides information about using the Compatibility Administrator tool.

    Managing Application-Compatibility Fixes and Custom Fix Databases

    This section provides information about managing your application-compatibility fixes and custom-compatibility fix databases. This section explains the reasons for using compatibility fixes and how to deploy custom-compatibility fix databases.

    Using the Sdbinst.exe Command-Line Tool

    You must deploy your customized database (.sdb) files to other computers in your organization before your compatibility fixes, compatibility modes, and AppHelp messages are applied. You can deploy your customized database files in several ways, including by using a logon script, by using Group Policy, or by performing file copy operations.

    - - - - - - - - - - - +--- +title: Compatibility Administrator User's Guide (Windows 10) +ms.assetid: 0ce05f66-9009-4739-a789-60f3ce380e76 +ms.reviewer: +manager: laurawi +ms.author: greglin +description: +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.topic: article +--- + +# Compatibility Administrator User's Guide + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +The Compatibility Administrator tool helps you resolve potential application-compatibility issues before deploying a new version of Windows to your organization. Compatibility Administrator provides the following: + +- Compatibility fixes, compatibility modes, and AppHelp messages that you can use to resolve specific compatibility issues. + +- Tools for creating customized compatibility fixes, compatibility modes, AppHelp messages, and compatibility databases. + +- A query tool that you can use to search for installed compatibility fixes on your local computers. + +The following flowchart shows the steps for using the Compatibility Administrator tool to create your compatibility fixes, compatibility modes, and AppHelp messages. + +![act compatibility admin flowchart](images/dep-win8-l-act-compatadminflowchart.jpg) + +> [!IMPORTANT] +> Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to create and work with custom databases for 32-bit applications, and the 64-bit version to create and work with custom databases for 64-bit applications. + +## In this section + + ++++ + + + + + + + + + + + + + + + + + + + + +
    TopicDescription

    Using the Compatibility Administrator Tool

    This section provides information about using the Compatibility Administrator tool.

    Managing Application-Compatibility Fixes and Custom Fix Databases

    This section provides information about managing your application-compatibility fixes and custom-compatibility fix databases. This section explains the reasons for using compatibility fixes and how to deploy custom-compatibility fix databases.

    Using the Sdbinst.exe Command-Line Tool

    You must deploy your customized database (.sdb) files to other computers in your organization before your compatibility fixes, compatibility modes, and AppHelp messages are applied. You can deploy your customized database files in several ways, including by using a logon script, by using Group Policy, or by performing file copy operations.

    diff --git a/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md b/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md
index c7052c8a15..162ad2c153 100644
--- a/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md
+++ b/windows/deployment/planning/compatibility-fix-database-management-strategies-and-deployment.md
@@ -102,8 +102,8 @@ If you decide to use the centralized compatibility-fix database deployment strat
 5. The team that manages the centralized database opens Custom DB1 and uses the Compatibility Administrator to include the new compatibility fixes that were included in Custom DB2.
- **Note**
- Custom DB1 contains a unique GUID that makes updating the database easier. For example, if you install a new version of the custom compatibility-fix database that uses the same GUID as the previous version, the computer will automatically uninstall the old version.
+ > [!NOTE]
+ > Custom DB1 contains a unique GUID that makes updating the database easier. For example, if you install a new version of the custom compatibility-fix database that uses the same GUID as the previous version, the computer will automatically uninstall the old version.
@@ -123,23 +123,17 @@ In order to meet the two requirements above, we recommend that you use one of th
 You can package your .sdb file and a custom deployment script into an .msi file, and then deploy the .msi file into your organization.
- **Important**
- You must ensure that you mark your custom script so that it does not impersonate the calling user. For example, if you use Microsoft® Visual Basic® Scripting Edition (VBScript), the custom action type would be:
+ > [!IMPORTANT]
+ > You must ensure that you mark your custom script so that it does not impersonate the calling user. For example, if you use Microsoft® Visual Basic® Scripting Edition (VBScript), the custom action type would be:
+ >`msidbCustomActionTypeVBScript + msidbCustomActionTypeInScript + msidbCustomActionTypeNoImpersonate = 0x0006 + 0x0400 + 0x0800 = 0x0C06 = 3078 decimal)`
-
-~~~
-```
-msidbCustomActionTypeVBScript + msidbCustomActionTypeInScript + msidbCustomActionTypeNoImpersonate = 0x0006 + 0x0400 + 0x0800 = 0x0C06 = 3078 decimal)
-```
-~~~
-
-
 **Using a network share and a custom script**
 You can store your .sdb file on your network share and then call to a script that resides on your specified computers.
-**Important**
-You must ensure that you call the script at a time when it will receive elevated rights. For example, you should call the script by using computer startup scripts instead of a user logon script. You must also ensure that the installation of the custom compatibility-fix database occurs with Administrator rights.
+> [!IMPORTANT]
+> You must ensure that you call the script at a time when it will receive elevated rights. For example, you should call the script by using computer startup scripts instead of a user logon script. You must also ensure that the installation of the custom compatibility-fix database occurs with Administrator rights.
diff --git a/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md b/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md
index 2ea1929b51..bc1991c752 100644
--- a/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md
+++ b/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md
@@ -1,972 +1,973 @@
----
-title: Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista (Windows 10)
-description: You can fix some compatibility issues that are due to the changes made between Windows operating system versions. These issues can include User Account Control (UAC) restrictions.
-ms.assetid: cd51c824-557f-462a-83bb-54b0771b7dff
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-audience: itpro author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-You can fix some compatibility issues that are due to the changes made between Windows operating system versions. These issues can include User Account Control (UAC) restrictions.
-
-**Important**
-The Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator. You must use the 32-bit version for 32-bit applications and the 64-bit version to work for 64-bit applications. You will receive an error message if you try to use the wrong version.
-
-If you start the Compatibility Administrator as an Administrator (with elevated privileges), all repaired applications can run successfully; however, virtualization and redirection might not occur as expected. To verify that a compatibility fix addresses an issue, you must test the repaired application by running it under the destination user account.
-
-
-
-## Compatibility Fixes
-
-
-The following table lists the known compatibility fixes for all Windows operating systems that have been released from Windows Vista through Windows 10. The fixes are listed in alphabetical order.
- - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FixFix Description

    8And16BitAggregateBlts

    Applications that are mitigated by 8/16-bit mitigation can exhibit performance issues. This layer aggregates all the blt operations and improves performance.

    8And16BitDXMaxWinMode

    Applications that use DX8/9 and are mitigated by the 8/16-bit mitigation are run in a maximized windowed mode. This layer mitigates applications that exhibit graphical corruption in full screen mode.

    8And16BitGDIRedraw

    This fix repairs applications that use GDI and that work in 8-bit color mode. The application is forced to repaint its window on RealizePalette.

    AccelGdipFlush

    This fix increases the speed of GdipFlush, which has perf issues in DWM.

    AoaMp4Converter

    This fix resolves a display issue for the AoA Mp4 Converter.

    BIOSRead

    This problem is indicated when an application cannot access the Device\PhysicalMemory object beyond the kernel-mode drivers, on any of the Windows Server® 2003 operating systems.

    -

    The fix enables OEM executable (.exe) files to use the GetSystemFirmwareTable function instead of the NtOpenSection function when the BIOS is queried for the \Device\Physical memory information..

    BlockRunasInteractiveUser

    This problem occurs when InstallShield creates installers and uninstallers that fail to complete and that generate error messages or warnings.

    -

    The fix blocks InstallShield from setting the value of RunAs registry keys to InteractiveUser Because InteractiveUser no longer has Administrator rights.

    -
    -Note

    For more detailed information about this application fix, see Using the BlockRunAsInteractiveUser Fix.

    -
    -
    - -

    ChangeFolderPathToXPStyle

    This fix is required when an application cannot return shell folder paths when it uses the SHGetFolder API.

    -

    The fix intercepts the SHGetFolder path request to the common appdata file path and returns the Windows® XP-style file path instead of the Windows Vista-style file path.

    ClearLastErrorStatusonIntializeCriticalSection

    This fix is indicated when an application fails to start.

    -

    The fix modifies the InitializeCriticalSection function call so that it checks the NTSTATUS error code, and then sets the last error to ERROR_SUCCESS.

    CopyHKCUSettingsFromOtherUsers

    This problem occurs when an application's installer must run in elevated mode and depends on the HKCU settings that are provided for other users.

    -

    The fix scans the existing user profiles and tries to copy the specified keys into the HKEY_CURRENT_USER registry area.

    -

    You can control this fix further by entering the relevant registry keys as parameters that are separated by the ^ Symbol; for example: Software\MyCompany\Key1^Software\MyCompany\Key2.

    -
    -Note

    For more detailed information about this application fix, see Using the CopyHKCUSettingsFromOtherUsers Fix.

    -
    -
    - -

    CorrectCreateBrushIndirectHatch

    The problem is indicated by an access violation error message that displays and when the application fails when you select or crop an image.

    -

    The fix corrects the brush style hatch value, which is passed to the CreateBrushIndirect() function and enables the information to be correctly interpreted.

    CorrectFilePaths

    The problem is indicated when an application tries to write files to the hard disk and is denied access or receives a file not found or path not found error message.

    -

    The fix modifies the file path names to point to a new location on the hard disk.

    -
    -Note

    For more detailed information about the CorrectFilePaths application fix, see Using the CorrectFilePaths Fix. We recommend that you use this fix together with the CorrectFilePathsUninstall fix if you are applying it to a setup installation file.

    -
    -
    - -

    CorrectFilePathsUninstall

    This problem occurs when an uninstalled application leaves behind files, directories, and links.

    -

    The fix corrects the file paths that are used by the uninstallation process of an application.

    -
    -Note

    For more detailed information about this fix, see Using the CorrectFilePathsUninstall Fix. We recommend that you use this fix together with the CorrectFilePaths fix if you are applying it to a setup installation file.

    -
    -
    - -

    CorrectShellExecuteHWND

    This problem occurs when you start an executable (.exe) and a taskbar item blinks instead of an elevation prompt being opened, or when the application does not provide a valid HWND value when it calls the ShellExecute(Ex) function.

    -

    The fix intercepts the ShellExecute(Ex) calls, and then inspects the HWND value. If the value is invalid, this fix enables the call to use the currently active HWND value.

    -
    -Note

    For more detailed information about the CorrectShellExecuteHWND application fix, see Using the CorrectShellExecuteHWND Fix.

    -
    -
    - -

    CustomNCRender

    This fix instructs DWM to not render the non-client area, thereby forcing the application to do its own NC rendering. This often gives windows an XP look.

    DelayApplyFlag

    This fix applies a KERNEL, USER, or PROCESS flag if the specified DLL is loaded.

    -

    You can control this fix further by typing the following command at the command prompt:

    -

    DLL_Name;Flag_Type;Hexidecimal_Value

    -

    Where the DLL_Name is the name of the specific DLL, including the file extension. Flag_Type is KERNEL, USER, or PROCESS, and a Hexidecimal_Value, starting with 0x and up to 64-bits long.

    -
    -Note

    The PROCESS flag type can have a 32-bit length only. You can separate multiple entries with a backslash ().

    -
    -
    - -

    DeprecatedServiceShim

    The problem is indicated when an application tries to install a service that has a dependency on a deprecated service. An error message displays.

    -

    The fix intercepts the CreateService function calls and removes the deprecated dependency service from the lpDependencies parameter.

    -

    You can control this fix further by typing the following command at the command prompt:

    -

    Deprecated_Service\App_Service/Deprecated_Service2 \App_Service2

    -

    Where Deprecated_Service is the name of the service that has been deprecated and App_Service is the name of the specific application service that is to be modified; for example, NtLmSsp\WMI.

    -
    -Note

    If you do not provide an App_Service name, the deprecated service will be removed from all newly created services.

    -
    -
    - -
    -
    -Note

    You can separate multiple entries with a forward slash (/).

    -
    -
    - -

    DirectXVersionLie

    This problem occurs when an application fails because it does not find the correct version number for DirectX®.

    -

    The fix modifies the DXDIAGN GetProp function call to return the correct DirectX version.

    -

    You can control this fix further by typing the following command at the command prompt:

    -

    MAJORVERSION.MINORVERSION.LETTER

    -

    For example, 9.0.c.

    DetectorDWM8And16Bit

    This fix offeres mitigation for applications that work in 8/16-bit display color mode because these legacy color modes are not supported in Windows 8 .

    Disable8And16BitD3D

    This fix improves performance of 8/16-bit color applications that render using D3D and do not mix directdraw.

    Disable8And16BitModes

    This fix disables 8/16-bit color mitigation and enumeration of 8/16-bit color modes.

    DisableDWM

    The problem occurs when some objects are not drawn or object artifacts remain on the screen in an application.

    -

    The fix temporarily disables the Windows Aero menu theme functionality for unsupported applications.

    -
    -Note

    For more detailed information about this application fix, see Using the DisableDWM Fix.

    -
    -
    - -

    DisableFadeAnimations

    The problem is indicated when an application fade animations, buttons, or other controls do not function properly.

    -

    The fix disables the fade animations functionality for unsupported applications.

    DisableThemeMenus

    The problem is indicated by an application that behaves unpredictably when it tries to detect and use the correct Windows settings.

    -

    The fix temporarily disables the Windows Aero menu theme functionality for unsupported applications.

    DisableWindowsDefender

    The fix disables Windows Defender for security applications that do not work with Windows Defender.

    DWM8And16BitMitigation

    The fix offers mitigation for applications that work in 8/16-bit display color mode because these legacy color modes are not supported in Windows 8.

    DXGICompat

    The fix allows application-specific compatibility instructions to be passed to the DirectX engine.

    DXMaximizedWindowedMode

    Applications that use DX8/9 are run in a maximized windowed mode. This is required for applications that use GDI/DirectDraw in addition to Direct3D.

    ElevateCreateProcess

    The problem is indicated when installations, de-installations, or updates fail because the host process calls the CreateProcess function and it returns an ERROR_ELEVATION_REQUIRED error message.

    -

    The fix handles the error code and attempts to recall the CreateProcess function together with requested elevation. If the fixed application already has a UAC manifest, the error code will be returned unchanged.

    -
    -Note

    For more detailed information about this application fix, see Using the ElevateCreateProcess Fix.

    -
    -
    - -

    EmulateOldPathIsUNC

    The problem occurs when an application fails because of an incorrect UNC path.

    -

    The fix changes the PathIsUNC function to return a value of True for UNC paths in Windows.

    EmulateGetDiskFreeSpace

    The problem is indicated when an application fails to install or to run, and it generates an error message that there is not enough free disk space to install or use the application, even though there is enough free disk space to meet the application requirements.

    -

    The fix determines the amount of free space, so that if the amount of free space is larger than 2 GB, the compatibility fix returns a value of 2 GB, but if the amount of free space is smaller than 2 GB, the compatibility fix returns the actual free space amount.

    -
    -Note

    For more detailed information about this application fix, see Using the EmulateGetDiskFreeSpace Fix.

    -
    -
    - -

    EmulateSorting

    The problem occurs when an application experiences search functionality issues.

    -

    The fix forces applications that use the CompareStringW/LCMapString sorting table to use an older version of the table.

    -
    -Note

    For more detailed information about this e application fix, see Using the EmulateSorting Fix.

    -
    -
    - -

    EmulateSortingWindows61

    The fix emulates the sorting order of Windows 7 and Windows Server 2008 R2 for various APIs.

    EnableRestarts

    The problem is indicated when an application and computer appear to hang because processes cannot end to allow the computer to complete its restart processes.

    -

    The fix enables the computer to restart and finish the installation process by verifying and enabling that the SeShutdownPrivilege service privilege exists.

    -
    -Note

    For more detailed information about this application fix, see Using the EnableRestarts Fix.

    -
    -
    - -

    ExtraAddRefDesktopFolder

    The problem occurs when an application invokes the Release() method too many times and causes an object to be prematurely destroyed.

    -

    The fix counteracts the application's tries to obtain the shell desktop folder by invoking the AddRef() method on the Desktop folder, which is returned by the SHGetDesktopFolder function.

    FailObsoleteShellAPIs

    The problem occurs when an application fails because it generated deprecated API calls.

    -

    The fix either fully implements the obsolete functions or implements the obsolete functions with stubs that fail.

    -
    -Note

    You can type FailAll=1 at the command prompt to suppress the function implementation and force all functions to fail.

    -
    -
    - -

    FailRemoveDirectory

    The problem occurs when an application uninstallation process does not remove all of the application files and folders.

    -

    This fix fails calls to RemoveDirectory() when called with a path matching the one specified in the shim command-line. Only a single path is supported. The path can contain environment variables, but must be an exact path – no partial paths are supported.

    -

    The fix can resolve an issue where an application expects RemoveDirectory() to delete a folder immediately even though a handle is open to it.

    FakeLunaTheme

    The problem occurs when a theme application does not properly display: the colors are washed out or the user interface is not detailed.

    -

    The fix intercepts the GetCurrentThemeName API and returns the value for the Windows XP default theme, (Luna).

    -
    -Note

    For more detailed information about the FakeLunaTheme application fix, see Using the FakeLunaTheme Fix.

    -
    -
    - -

    FlushFile

    This problem is indicated when a file is updated and changes do not immediately appear on the hard disk. Applications cannot see the file changes.

    -

    The fix enables the WriteFile function to call to the FlushFileBuffers APIs, which flush the file cache onto the hard disk.

    FontMigration

    The fix replaces an application-requested font with a better font selection, to avoid text truncation.

    ForceAdminAccess

    The problem occurs when an application fails to function during an explicit administrator check.

    -

    The fix allows the user to temporarily imitate being a part of the Administrators group by returning a value of True during the administrator check.

    -
    -Note

    For more detailed information about this application fix, see Using the ForceAdminAccess Fix.

    -
    -
    - -

    ForceInvalidateOnClose

    The fix invalidates any windows that exist under a closing or hiding window for applications that rely on the invalidation messages.

    ForceLoadMirrorDrvMitigation

    The fix loads the Windows 8 mirror driver mitigation for applications where the mitigation is not automatically applied.

    FreestyleBMX

    The fix resolves an application race condition that is related to window message order.

    GetDriveTypeWHook

    The application presents unusual behavior during installation; for example, the setup program states that it cannot install to a user-specified location.

    -

    The fix changes GetDriveType() so that only the root information appears for the file path. This is required when an application passes an incomplete or badly-formed file path when it tries to retrieve the drive type on which the file path exists.

    GlobalMemoryStatusLie

    The problem is indicated by a Computer memory full error message that displays when you start an application.

    -

    The fix modifies the memory status structure, so that it reports a swap file that is 400 MB, regardless of the true swap file size.

    HandleBadPtr

    The problem is indicated by an access violation error message that displays because an API is performing pointer validation before it uses a parameter.

    -

    The fix supports using lpBuffer validation from the InternetSetOptionA and InternetSetOptionW functions to perform the additional parameter validation.

    HandleMarkedContentNotIndexed

    The problem is indicated by an application that fails when it changes an attribute on a file or directory.

    -

    The fix intercepts any API calls that return file attributes and directories that are invoked from the %TEMP% directory, and resets the FILE_ATTRIBUTE_NOT_CONTENT_INDEXED attribute to its original state.

    HeapClearAllocation

    The problem is indicated when the allocation process shuts down unexpectedly.

    -

    The fix uses zeros to clear out the heap allocation for an application.

    IgnoreAltTab

    The problem occurs when an application fails to function when special key combinations are used.

    -

    The fix intercepts the RegisterRawInputDevices API and prevents the delivery of the WM_INPUT messages. This delivery failure forces the included hooks to be ignored and forces DInput to use Windows-specific hooks.

    -
    -Note

    For more detailed information about this application fix, see Using the IgnoreAltTab Fix.

    -
    -
    - -

    IgnoreChromeSandbox

    The fix allows Google Chrome to run on systems that have ntdll loaded above 4GB.

    IgnoreDirectoryJunction

    The problem is indicated by a read or access violation error message that displays when an application tries to find or open files.

    -

    The fix links the FindNextFileW, FindNextFileA, FindFirstFileExW, FindFirstFileExA, FindFirstFileW and FindFirstFileA APIs to prevent them from returning directory junctions.

    -
    -Note

    Symbolic links appear starting in Windows Vista.

    -
    -
    - -

    IgnoreException

    The problem is indicated when an application stops functioning immediately after it starts, or the application starts with only a cursor appearing on the screen.

    -

    The fix enables the application to ignore specified exceptions. By default, this fix ignores privileged-mode exceptions; however, it can be configured to ignore any exception.

    -

    You can control this fix further by typing the following command at the command prompt:

    -

    Exception1;Exception2

    -

    Where Exception1 and Exception2 are specific exceptions to be ignored. For example: ACCESS_VIOLATION_READ:1;ACCESS_VIOLATION_WRITE:1.

    -
    -Important

    You should use this compatibility fix only if you are certain that it is acceptable to ignore the exception. You might experience additional compatibility issues if you choose to incorrectly ignore an exception.

    -
    -
    - -
    -
    -Note

    For more detailed information about this application fix, see Using the IgnoreException Fix.

    -
    -
    - -

    IgnoreFloatingPointRoundingControl

    This fix enables an application to ignore the rounding control request and to behave as expected in previous versions of the application.

    -

    Before floating point SSE2 support in the C runtime library, the rounding control request was being ignored which would use round to nearest option by default. This shim ignores the rounding control request to support applications relying on old behavior.

    IgnoreFontQuality

    The problem occurs when application text appears to be distorted.

    -

    The fix enables color-keyed fonts to properly work with anti-aliasing.

    IgnoreMessageBox

    The problem is indicated by a message box that displays with debugging or extraneous content when the application runs on an unexpected operating system.

    -

    The fix intercepts the MessageBox* APIs and inspects them for specific message text. If matching text is found, the application continues without showing the message box.

    -
    -Note

    For more detailed information about this application fix, see Using the IgnoreMessageBox Fix.

    -
    -
    - -

    IgnoreMSOXMLMF

    The problem is indicated by an error message that states that the operating system cannot locate the MSVCR80D.DLL file.

    -

    The fix ignores the registered MSOXMLMF.DLL object, which Microsoft® Office 2007 loads into the operating system any time that you load an XML file, and then it fails the CoGetClassObject for its CLSID. This compatibility fix will just ignore the registered MSOXMLMF and fail the CoGetClassObject for its CLSID.

    IgnoreSetROP2

    The fix ignores read-modify-write operations on the desktop to avoid performance issues.

    InstallComponent

    The fix prompts the user to install.Net 3.5 or .Net 2.0 because .Net is not included with Windows 8.

    LoadLibraryRedirect

    The fix forces an application to load system versions of libraries instead of loading redistributable versions that shipped with the application.

    LocalMappedObject

    The problem occurs when an application unsuccessfully tries to create an object in the Global namespace.

    -

    The fix intercepts the function call to create the object and replaces the word Global with Local.

    -
    -Note

    For more detailed information about this application fix, see Using the LocalMappedObject Fix.

    -
    -
    - -

    MakeShortcutRunas

    The problem is indicated when an application fails to uninstall because of access-related errors.

    -

    The fix locates any RunDLL.exe-based uninstallers and forces them to run with different credentials during the application installation. After it applies this fix, the installer will create a shortcut that specifies a matching string to run during the application installation, thereby enabling the uninstallation to occur later.

    -
    -Note

    For more detailed information about this application fix, see Using the MakeShortcutRunas Fix

    -
    -
    - -

    ManageLinks

    The fix intercepts common APIs that are going to a directory or to an executable (.exe) file, and then converts any symbolic or directory junctions before passing it back to the original APIs.

    MirrorDriverWithComposition

    The fix allows mirror drivers to work properly with acceptable performance with desktop composition.

    MoveToCopyFileShim

    The problem occurs when an application experiences security access issues during setup.

    -

    The fix forces the CopyFile APIs to run instead of the MoveFile APIs. CopyFile APIs avoid moving the security descriptor, which enables the application files to get the default descriptor of the destination folder and prevents the security access issue.

    OpenDirectoryAcl

    The problem is indicated by an error message that states that you do not have the appropriate permissions to access the application.

    -

    The fix reduces the security privilege levels on a specified set of files and folders.

    -
    -Note

    For more detailed information about this application fix, see Using the OpenDirectoryACL Fix.

    -
    -
    - -

    PopCapGamesForceResPerf

    The fix resolves the performance issues in PopCap games like Bejeweled2. The performance issues are visible in certain low-end cards at certain resolutions where the 1024x768 buffer is scaled to fit the display resolution.

    PreInstallDriver

    The fix preinstalls drivers for applications that would otherwise try to install or start drivers during the initial start process.

    PreInstallSmarteSECURE

    The fix preinstalls computer-wide CLSIDs for applications that use SmartSECURE copy protection, which would otherwise try to install the CLSIDs during the initial start process.

    ProcessPerfData

    The problem is indicated by an Unhandled Exception error message because the application tried to read the process performance data registry value to determine if another instance of the application is running.

    -

    The fix handles the failure case by passing a fake process performance data registry key, so that the application perceives that it is the only instance running.

    -
    -Note

    This issue seems to occur most frequently with .NET applications.

    -
    -
    - -

    PromoteDAM

    The fix registers an application for power state change notifications.

    PropagateProcessHistory

    The problem occurs when an application incorrectly fails to apply an application fix.

    -

    The fix sets the _PROCESS_HISTORY environment variable so that child processes can look in the parent directory for matching information while searching for application fixes.

    ProtectedAdminCheck

    The problem occurs when an application fails to run because of incorrect Protected Administrator permissions.

    -

    The fix addresses the issues that occur when applications use non-standard Administrator checks, thereby generating false positives for user accounts that are being run as Protected Administrators. In this case, the associated SID exists, but it is set as deny-only.

    RedirectCRTTempFile

    The fix intercepts failing CRT calls that try to create a temporary file at the root of the volume, thereby redirecting the calls to a temporary file in the user's temporary directory.

    RedirectHKCUKeys

    The problem occurs when an application cannot be accessed because of User Account Control (UAC) restrictions.

    -

    The fix duplicates any newly created HKCU keys to other users' HKCU accounts. This fix is generic for UAC restrictions, whereby the HKCU keys are required, but are unavailable to an application at runtime.

    RedirectMP3Codec

    This problem occurs when you cannot play MP3 files.

    -

    The fix intercepts the CoCreateInstance call for the missing filter and then redirects it to a supported version.

    RedirectShortcut

    The problem occurs when an application cannot be accessed by its shortcut, or application shortcuts are not removed during the application uninstallation process.

    -

    The fix redirects all of the shortcuts created during the application setup to appear according to a specified path.

    -
      -
    • Start Menu shortcuts: Appear in the \ProgramData\Microsoft\Windows\Start Menu directory for all users.

    • -
    • Desktop or Quick Launch shortcuts:You must manually place the shortcuts on the individual user's desktop or Quick Launch bar.

    • -
    -

    This issue occurs because of UAC restrictions: specifically, when an application setup runs by using elevated privileges and stores the shortcuts according to the elevated user's context. In this situation, a restricted user cannot access the shortcuts.

    -

    You cannot apply this fix to an .exe file that includes a manifest and provides a runlevel.

    RelaunchElevated

    The problem occurs when installers, uninstallers, or updaters fail when they are started from a host application.

    -

    The fix enables a child .exe file to run with elevated privileges when it is difficult to determine the parent process with either the ElevateCreateProcess fix or by marking the .exe files to RunAsAdmin.

    -
    -Note

    For more detailed information about this application fix, see Using the RelaunchElevated Fix.

    -
    -
    - -

    RetryOpenSCManagerWithReadAccess

    The problem occurs when an application tries to open the Service Control Manager (SCM) and receives an Access Denied error message.

    -

    The fix retries the call and requests a more restricted set of rights that include the following:

    -

    RetryOpenServiceWithReadAccess

    The problem occurs when an Unable to open service due to your application using the OpenService() API to test for the existence of a particular service error message displays.

    -

    The fix retries the OpenService() API call and verifies that the user has Administrator rights, is not a Protected Administrator, and by using read-only access. Applications can test for the existence of a service by calling the OpenService() API but some applications ask for all access when making this check. This fix retries the call but only asking for read-only access. The user needs to be an administrator for this to work

    -
    -Note

    For more detailed information about this application fix, see Using the RetryOpenServiceWithReadAccess Fix.

    -
    -
    - -

    RunAsAdmin

    The problem occurs when an application fails to function by using the Standard User or Protected Administrator account.

    -

    The fix enables the application to run by using elevated privileges. The fix is the equivalent of specifying requireAdministrator in an application manifest.

    -
    -Note

    For more detailed information about this application fix, see Using the RunAsAdmin Fix.

    -
    -
    - -

    RunAsHighest

    The problem occurs when administrators cannot view the read/write version of an application that presents a read-only view to standard users.

    -

    The fix enables the application to run by using the highest available permissions. This is the equivalent of specifying highestAvailable in an application manifest.

    -
    -Note

    For more detailed information about this application fix, see Using the RunAsHighest Fix.

    -
    -
    - -

    RunAsInvoker

    The problem occurs when an application is not detected as requiring elevation.

    -

    The fix enables the application to run by using the privileges that are associated with the creation process, without requiring elevation. This is the equivalent of specifying asInvoker in an application manifest.

    -
    -Note

    For more detailed information about this application fix, see Using the RunAsInvoker Fix.

    -
    -
    - -

    SecuROM7

    The fix repairs applications by using SecuROM7 for copy protection.

    SessionShim

    The fix intercepts API calls from applications that are trying to interact with services that are running in another session, by using the terminal service name prefix (Global or Local) as the parameter.

    -

    At the command prompt, you can supply a list of objects to modify, separating the values by a double backslash (). Or, you can choose not to include any parameters, so that all of the objects are modified.

    -
    -Important

    Users cannot log in as Session 0 (Global Session) in Windows Vista and later. Therefore, applications that require access to Session 0 automatically fail.

    -
    -
    - -
    -
    -Note

    For more detailed information about this application fix, see Using the SessionShim Fix.

    -
    -
    - -

    SetProtocolHandler

    The fix registers an application as a protocol handler.

    -

    You can control this fix further by typing the following command at the command prompt:

    -

    Client;Protocol;App

    -

    Where the Client is the name of the email protocol, Protocol is mailto, and App is the name of the application.

    -
    -Note

    Only the mail client and the mailto protocol are supported. You can separate multiple clients by using a backslash ().

    -
    -
    - -

    SetupCommitFileQueueIgnoreWow

    The problem occurs when a 32-bit setup program fails to install because it requires 64-bit drivers.

    -

    The fix disables the Wow64 file system that is used by the 64-bit editions of Windows, to prevent 32-bit applications from accessing 64-bit file systems during the application setup.

    SharePointDesigner2007

    The fix resolves an application bug that severely slows the application when it runs in DWM.

    ShimViaEAT

    The problem occurs when an application fails, even after applying acompatibility fix that is known to fix an issue. Applications that use unicows.dll or copy protection often present this issue.

    -

    The fix applies the specified compatibility fixes by modifying the export table and by nullifying the use of module inclusion and exclusion.

    -
    -Note

    For more information about this application fix, see Using the ShimViaEAT Fix.

    -
    -
    - -

    ShowWindowIE

    The problem occurs when a web application experiences navigation and display issues because of the tabbing feature.

    -

    The fix intercepts the ShowWindow API call to address the issues that can occur when a web application determines that it is in a child window. This fix calls the real ShowWindow API on the top-level parent window.

    SierraWirelessHideCDROM

    The fix repairs the Sierra Wireless Driver installation, thereby preventing bugcheck.

    Sonique2

    The application uses an invalid window style, which breaks in DWM. This fix replaces the window style with a valid value.

    SpecificInstaller

    The problem occurs when an application installation file fails to be picked up by the GenericInstaller function.

    -

    The fix flags the application as being an installer file (for example, setup.exe), and then prompts for elevation.

    -
    -Note

    For more detailed information about this application fix, see Using the SpecificInstaller Fix.

    -
    -
    - -

    SpecificNonInstaller

    The problem occurs when an application that is not an installer (and has sufficient privileges) generates a false positive from the GenericInstaller function.

    -

    The fix flags the application to exclude it from detection by the GenericInstaller function.

    -
    -Note

    For more detailed information about this application fix, see Using the SpecificNonInstaller Fix.

    -
    -
    - -

    SystemMetricsLie

    The fix replaces SystemMetrics values and SystemParametersInfo values with the values of previous Windows versions.

    TextArt

    The application receives different mouse coordinates with DWM ON versus DWM OFF, which causes the application to hang. This fix resolves the issue.

    TrimDisplayDeviceNames

    The fix trims the names of the display devices that are returned by the EnumDisplayDevices API.

    UIPICompatLogging

    The fix enables the logging of Windows messages from Internet Explorer and other processes.

    UIPIEnableCustomMsgs

    The problem occurs when an application does not properly communicate with other processes because customized Windows messages are not delivered.

    -

    The fix enables customized Windows messages to pass through to the current process from a lower Desktop integrity level. This fix is the equivalent of calling the RegisterWindowMessage function, followed by the ChangeWindowMessageFilter function in the code.

    -

    You can control this fix further by typing the following command at the command prompt:

    -

    MessageString1 MessageString2

    -

    Where MessageString1 and MessageString2 reflect the message strings that can pass.

    -
    -Note

    Multiple message strings must be separated by spaces. For more detailed information about this application fix, see Using the UIPIEnableCustomMsgs Fix.

    -
    -
    - -

    UIPIEnableStandardMsgs

    The problem occurs when an application does not communicate properly with other processes because standard Windows messages are not delivered.

    -

    The fix enables standard Windows messages to pass through to the current process from a lower Desktop integrity level. This fix is the equivalent of calling the ChangeWindowMessageFilter function in the code.

    -

    You can control this fix further by typing the following command at the command prompt:

    -

    1055 1056 1069

    -

    Where 1055 reflects the first message ID, 1056 reflects the second message ID, and 1069 reflects the third message ID that can pass.

    -
    -Note

    Multiple messages can be separated by spaces. For more detailed information about this application fix, see Using the UIPIEnableStandardMsgs Fix [act].

    -
    -
    - -

    VirtualizeDeleteFileLayer

    The fix virtualizes DeleteFile operations for applications that try to delete protected files.

    VirtualizeDesktopPainting

    This fix improves the performance of a number of operations on the Desktop DC while using DWM.

    VirtualRegistry

    The problem is indicated when a Component failed to be located error message displays when an application is started.

    -

    The fix enables the registry functions to allow for virtualization, redirection, expansion values, version spoofing, the simulation of performance data counters, and so on.

    -

    For more detailed information about this application fix, see Using the VirtualRegistry Fix.

    VirtualizeDeleteFile

    The problem occurs when several error messages display and the application cannot delete files.

    -

    The fix makes the application's DeleteFile function call a virtual call in an effort to remedy the UAC and file virtualization issues that were introduced with Windows Vista. This fix also links other file APIs (for example, GetFileAttributes) to ensure that the virtualization of the file is deleted.

    -
    -Note

    For more detailed information about this application fix, see Using the VirtualizeDeleteFile Fix.

    -
    -
    - -

    VirtualizeHKCRLite

    The problem occurs when an application fails to register COM components at runtime.

    -

    The fix redirects the HKCR write calls (HKLM) to the HKCU hive for a per-user COM registration. This operates much like the VirtualRegistry fix when you use the VirtualizeHKCR parameter; however, VirtualizeHKCRLite provides better performance.

    -

    HKCR is a virtual merge of the HKCU\Software\Classes and HKLM\Software\Classes directories. The use of HKCU is preferred if an application is not elevated and is ignored if the application is elevated.

    -

    You typically will use this compatibility fix in conjunction with the VirtualizeRegisterTypeLib fix.

    -

    For more detailed information about this application fix, see Using the VirtualizeHKCRLite Fix.

    VirtualizeRegisterTypeLib

    The fix, when it is used with the VirtualizeHKCRLite fix, ensures that the type library and the COM class registration happen simultaneously. This functions much like the RegistryTypeLib fix when the RegisterTypeLibForUser parameter is used.

    -
    -Note

    For more detailed information about this application fix, see Using the VirtualizeRegisterTypelib Fix.

    -
    -
    - -

    WaveOutIgnoreBadFormat

    This problem is indicated by an error message that states: Unable to initialize sound device from your audio driver; the application then closes.

    -

    The fix enables the application to ignore the format error and continue to function properly.

    WerDisableReportException

    The fix turns off the silent reporting of exceptions to the Windows Error Reporting tool, including those that are reported by Object Linking and Embedding-Database (OLE DB). The fix intercepts the RtlReportException API and returns a STATUS_NOT_SUPPORTED error message.

    Win7RTM/Win8RTM

    The layer provides the application with Windows 7/Windows 8 compatibility mode.

    WinxxRTMVersionLie

    The problem occurs when an application fails because it does not find the correct version number for the required Windows operating system.

    -

    All version lie compatibility fixes address the issue whereby an application fails to function because it is checking for, but not finding, a specific version of the operating system. The version lie fix returns the appropriate operating system version information. For example, the VistaRTMVersionLie returns the Windows Vista version information to the application, regardless of the actual operating system version that is running on the computer.

    Wing32SystoSys32

    The problem is indicated by an error message that states that the WinG library was not properly installed.

    -

    The fix detects whether the WinG32 library exists in the correct directory. If the library is located in the wrong location, this fix copies the information (typically during the runtime of the application) into the %WINDIR% \system32 directory.

    -
    -Important

    The application must have Administrator privileges for this fix to work.

    -
    -
    - -

    WinSrv08R2RTM

    WinXPSP2VersionLie

    The problem occurs when an application experiences issues because of a VB runtime DLL.

    -

    The fix forces the application to follow these steps:

    -
      -
    1. Open the Compatibility Administrator, and then select None for Operating System Mode.

    2. -
    3. On the Compatibility Fixes page, click WinXPSP2VersionLie, and then click Parameters.

      -

      The Options for <fix_name> dialog box appears.

    4. -
    5. Type vbrun60.dll into the Module Name box, click Include, and then click Add.

    6. -
    7. Save the custom database.

      -
      -Note

      For more information about the WinXPSP2VersionLie application fix, see Using the WinXPSP2VersionLie Fix.

      -
      -
      - -
    8. -

    WRPDllRegister

    The application fails when it tries to register a COM component that is released together with Windows Vista and later.

    -

    The fix skips the processes of registering and unregistering WRP-protected COM components when calling the DLLRegisterServer and DLLUnregisterServer functions.

    -

    You can control this fix further by typing the following command at the command prompt:

    -

    Component1.dll;Component2.dll

    -

    Where Component1.dll and Component2.dll reflect the components to be skipped.

    -
    -Note

    For more detailed information about this application fix, see Using the WRPDllRegister Fix.

    -
    -
    - -

    WRPMitigation

    The problem is indicated when an access denied error message displays when the application tries to access a protected operating system resource by using more than read-only access.

    -

    The fix emulates the successful authentication and modification of file and registry APIs, so that the application can continue.

    -
    -Note

    For more detailed information about WRPMitigation, see Using the WRPMitigation Fix.

    -
    -
    - -

    WRPRegDeleteKey

    The problem is indicated by an access denied error message that displays when the application tries to delete a registry key.

    -

    The fix verifies whether the registry key is WRP-protected. If the key is protected, this fix emulates the deletion process.

    XPAfxIsValidAddress

    The fix emulates the behavior of Windows XP for MFC42!AfxIsValidAddress.

    - - - -## Compatibility Modes - - -The following table lists the known compatibility modes. - - ----- - - - - - - - - - - - - - - - - - - - -
    Compatibility Mode NameDescriptionIncluded Compatibility Fixes

    WinSrv03

    Emulates the Windows Server 2003 operating system.

      -
    • Win2k3RTMVersionLie

    • -
    • VirtualRegistry

    • -
    • ElevateCreateProcess

    • -
    • EmulateSorting

    • -
    • FailObsoleteShellAPIs

    • -
    • LoadLibraryCWD

    • -
    • HandleBadPtr

    • -
    • GlobalMemoryStatus2GB

    • -
    • RedirectMP3Codec

    • -
    • EnableLegacyExceptionHandlinginOLE

    • -
    • NoGhost

    • -
    • HardwareAudioMixer

    • -

    WinSrv03Sp1

    Emulates the Windows Server 2003 with Service Pack 1 (SP1) operating system.

      -
    • Win2K3SP1VersionLie

    • -
    • VirtualRegistry

    • -
    • ElevateCreateProcess

    • -
    • EmulateSorting

    • -
    • FailObsoleteShellAPIs

    • -
    • LoadLibraryCWD

    • -
    • HandleBadPtr

    • -
    • EnableLegacyExceptionHandlinginOLE

    • -
    • RedirectMP3Codec

    • -
    • HardwareAudioMixer

    • -
    +--- +title: Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista (Windows 10) +description: You can fix some compatibility issues that are due to the changes made between Windows operating system versions. These issues can include User Account Control (UAC) restrictions. +ms.assetid: cd51c824-557f-462a-83bb-54b0771b7dff +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +You can fix some compatibility issues that are due to the changes made between Windows operating system versions. These issues can include User Account Control (UAC) restrictions. + +> [!IMPORTANT] +> The Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator. You must use the 32-bit version for 32-bit applications and the 64-bit version to work for 64-bit applications. You will receive an error message if you try to use the wrong version. + +If you start the Compatibility Administrator as an Administrator (with elevated privileges), all repaired applications can run successfully; however, virtualization and redirection might not occur as expected. To verify that a compatibility fix addresses an issue, you must test the repaired application by running it under the destination user account. + + + +## Compatibility Fixes + + +The following table lists the known compatibility fixes for all Windows operating systems that have been released from Windows Vista through Windows 10. The fixes are listed in alphabetical order. 
+ + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FixFix Description

    8And16BitAggregateBlts

    Applications that are mitigated by 8/16-bit mitigation can exhibit performance issues. This layer aggregates all the blt operations and improves performance.

    8And16BitDXMaxWinMode

    Applications that use DX8/9 and are mitigated by the 8/16-bit mitigation are run in a maximized windowed mode. This layer mitigates applications that exhibit graphical corruption in full screen mode.

    8And16BitGDIRedraw

    This fix repairs applications that use GDI and that work in 8-bit color mode. The application is forced to repaint its window on RealizePalette.

    AccelGdipFlush

    This fix increases the speed of GdipFlush, which has perf issues in DWM.

    AoaMp4Converter

    This fix resolves a display issue for the AoA Mp4 Converter.

    BIOSRead

    This problem is indicated when an application cannot access the Device\PhysicalMemory object beyond the kernel-mode drivers, on any of the Windows Server® 2003 operating systems.

    +

    The fix enables OEM executable (.exe) files to use the GetSystemFirmwareTable function instead of the NtOpenSection function when the BIOS is queried for the \Device\Physical memory information..

    BlockRunasInteractiveUser

    This problem occurs when InstallShield creates installers and uninstallers that fail to complete and that generate error messages or warnings.

    +

    The fix blocks InstallShield from setting the value of RunAs registry keys to InteractiveUser Because InteractiveUser no longer has Administrator rights.

    +
    +Note

    For more detailed information about this application fix, see Using the BlockRunAsInteractiveUser Fix.

    +
    +
    + +

    ChangeFolderPathToXPStyle

    This fix is required when an application cannot return shell folder paths when it uses the SHGetFolder API.

    +

    The fix intercepts the SHGetFolder path request to the common appdata file path and returns the Windows® XP-style file path instead of the Windows Vista-style file path.

    ClearLastErrorStatusonIntializeCriticalSection

    This fix is indicated when an application fails to start.

    +

    The fix modifies the InitializeCriticalSection function call so that it checks the NTSTATUS error code, and then sets the last error to ERROR_SUCCESS.

    CopyHKCUSettingsFromOtherUsers

    This problem occurs when an application's installer must run in elevated mode and depends on the HKCU settings that are provided for other users.

    +

    The fix scans the existing user profiles and tries to copy the specified keys into the HKEY_CURRENT_USER registry area.

    +

    You can control this fix further by entering the relevant registry keys as parameters that are separated by the ^ Symbol; for example: Software\MyCompany\Key1^Software\MyCompany\Key2.

    +
    +Note

    For more detailed information about this application fix, see Using the CopyHKCUSettingsFromOtherUsers Fix.

    +
    +
    + +

    CorrectCreateBrushIndirectHatch

    The problem is indicated by an access violation error message that displays and when the application fails when you select or crop an image.

    +

    The fix corrects the brush style hatch value, which is passed to the CreateBrushIndirect() function and enables the information to be correctly interpreted.

    CorrectFilePaths

    The problem is indicated when an application tries to write files to the hard disk and is denied access or receives a file not found or path not found error message.

    +

    The fix modifies the file path names to point to a new location on the hard disk.

    +
    +Note

    For more detailed information about the CorrectFilePaths application fix, see Using the CorrectFilePaths Fix. We recommend that you use this fix together with the CorrectFilePathsUninstall fix if you are applying it to a setup installation file.

    +
    +
    + +

    CorrectFilePathsUninstall

    This problem occurs when an uninstalled application leaves behind files, directories, and links.

    +

    The fix corrects the file paths that are used by the uninstallation process of an application.

    +
    +Note

    For more detailed information about this fix, see Using the CorrectFilePathsUninstall Fix. We recommend that you use this fix together with the CorrectFilePaths fix if you are applying it to a setup installation file.

    +
    +
    + +

    CorrectShellExecuteHWND

    This problem occurs when you start an executable (.exe) and a taskbar item blinks instead of an elevation prompt being opened, or when the application does not provide a valid HWND value when it calls the ShellExecute(Ex) function.

    +

    The fix intercepts the ShellExecute(Ex) calls, and then inspects the HWND value. If the value is invalid, this fix enables the call to use the currently active HWND value.

    +
    +Note

    For more detailed information about the CorrectShellExecuteHWND application fix, see Using the CorrectShellExecuteHWND Fix.

    +
    +
    + +

    CustomNCRender

    This fix instructs DWM to not render the non-client area, thereby forcing the application to do its own NC rendering. This often gives windows an XP look.

    DelayApplyFlag

    This fix applies a KERNEL, USER, or PROCESS flag if the specified DLL is loaded.

    +

    You can control this fix further by typing the following command at the command prompt:

    +

    DLL_Name;Flag_Type;Hexadecimal_Value

    +

    Where DLL_Name is the name of the specific DLL, including the file extension; Flag_Type is KERNEL, USER, or PROCESS; and Hexadecimal_Value is a hexadecimal value that starts with 0x and is up to 64 bits long.

    +
    +Note

    The PROCESS flag type can have a 32-bit length only. You can separate multiple entries with a backslash (\).

    +
    +
    + +

    DeprecatedServiceShim

    The problem is indicated when an application tries to install a service that has a dependency on a deprecated service. An error message displays.

    +

    The fix intercepts the CreateService function calls and removes the deprecated dependency service from the lpDependencies parameter. Because the new service is then registered without that dependency, confirm that it does not actually rely on the deprecated service at run time before applying this fix.

    +

    You can control this fix further by typing the following command at the command prompt:

    +

    Deprecated_Service\App_Service/Deprecated_Service2 \App_Service2

    +

    Where Deprecated_Service is the name of the service that has been deprecated and App_Service is the name of the specific application service that is to be modified; for example, NtLmSsp\WMI.

    +
    +Note

    If you do not provide an App_Service name, the deprecated service will be removed from all newly created services.

    +
    +
    + +
    +
    +Note

    You can separate multiple entries with a forward slash (/).

    +
    +
    + +

    DirectXVersionLie

    This problem occurs when an application fails because it does not find the correct version number for DirectX®.

    +

    The fix modifies the DXDIAGN GetProp function call to return the correct DirectX version.

    +

    You can control this fix further by typing the following command at the command prompt:

    +

    MAJORVERSION.MINORVERSION.LETTER

    +

    For example, 9.0.c.

    DetectorDWM8And16Bit

    This fix offers mitigation for applications that work in 8/16-bit display color mode because these legacy color modes are not supported in Windows 8.

    Disable8And16BitD3D

    This fix improves performance of 8/16-bit color applications that render using D3D and do not mix directdraw.

    Disable8And16BitModes

    This fix disables 8/16-bit color mitigation and enumeration of 8/16-bit color modes.

    DisableDWM

    The problem occurs when some objects are not drawn or object artifacts remain on the screen in an application.

    +

    The fix temporarily disables the Windows Aero menu theme functionality for unsupported applications.

    +
    +Note

    For more detailed information about this application fix, see Using the DisableDWM Fix.

    +
    +
    + +

    DisableFadeAnimations

    The problem is indicated when an application's fade animations, buttons, or other controls do not function properly.

    +

    The fix disables the fade animations functionality for unsupported applications.

    DisableThemeMenus

    The problem is indicated by an application that behaves unpredictably when it tries to detect and use the correct Windows settings.

    +

    The fix temporarily disables the Windows Aero menu theme functionality for unsupported applications.

    DisableWindowsDefender

    The fix disables Windows Defender for security applications that do not work with Windows Defender. Because this turns off Windows Defender rather than adding an exclusion for the application, apply it only to the specific security product that requires it and confirm that the replacement product is providing antimalware coverage.

    DWM8And16BitMitigation

    The fix offers mitigation for applications that work in 8/16-bit display color mode because these legacy color modes are not supported in Windows 8.

    DXGICompat

    The fix allows application-specific compatibility instructions to be passed to the DirectX engine.

    DXMaximizedWindowedMode

    Applications that use DX8/9 are run in a maximized windowed mode. This is required for applications that use GDI/DirectDraw in addition to Direct3D.

    ElevateCreateProcess

    The problem is indicated when installations, de-installations, or updates fail because the host process calls the CreateProcess function and it returns an ERROR_ELEVATION_REQUIRED error message.

    +

    The fix handles the error code and attempts to call the CreateProcess function again, this time requesting elevation (which may trigger a UAC prompt). If the fixed application already has a UAC manifest, the error code will be returned unchanged.

    +
    +Note

    For more detailed information about this application fix, see Using the ElevateCreateProcess Fix.

    +
    +
    + +

    EmulateOldPathIsUNC

    The problem occurs when an application fails because of an incorrect UNC path.

    +

    The fix changes the PathIsUNC function to return a value of True for UNC paths in Windows.

    EmulateGetDiskFreeSpace

    The problem is indicated when an application fails to install or to run, and it generates an error message that there is not enough free disk space to install or use the application, even though there is enough free disk space to meet the application requirements.

    +

    The fix determines the amount of free space, so that if the amount of free space is larger than 2 GB, the compatibility fix returns a value of 2 GB, but if the amount of free space is smaller than 2 GB, the compatibility fix returns the actual free space amount.

    +
    +Note

    For more detailed information about this application fix, see Using the EmulateGetDiskFreeSpace Fix.

    +
    +
    + +

    EmulateSorting

    The problem occurs when an application experiences search functionality issues.

    +

    The fix forces applications that use the CompareStringW/LCMapString sorting table to use an older version of the table.

    +
    +Note

    For more detailed information about this application fix, see Using the EmulateSorting Fix.

    +
    +
    + +

    EmulateSortingWindows61

    The fix emulates the sorting order of Windows 7 and Windows Server 2008 R2 for various APIs.

    EnableRestarts

    The problem is indicated when an application and computer appear to hang because processes cannot end to allow the computer to complete its restart processes.

    +

    The fix enables the computer to restart and finish the installation process by verifying that the SeShutdownPrivilege privilege exists and enabling it.

    +
    +Note

    For more detailed information about this application fix, see Using the EnableRestarts Fix.

    +
    +
    + +

    ExtraAddRefDesktopFolder

    The problem occurs when an application invokes the Release() method too many times and causes an object to be prematurely destroyed.

    +

    The fix counteracts the application's attempts to obtain the shell desktop folder by invoking the AddRef() method on the Desktop folder, which is returned by the SHGetDesktopFolder function.

    FailObsoleteShellAPIs

    The problem occurs when an application fails because it generated deprecated API calls.

    +

    The fix either fully implements the obsolete functions or implements the obsolete functions with stubs that fail.

    +
    +Note

    You can type FailAll=1 at the command prompt to suppress the function implementation and force all functions to fail.

    +
    +
    + +

    FailRemoveDirectory

    The problem occurs when an application uninstallation process does not remove all of the application files and folders.

    +

    This fix fails calls to RemoveDirectory() when called with a path matching the one specified in the shim command-line. Only a single path is supported. The path can contain environment variables, but must be an exact path – no partial paths are supported.

    +

    The fix can resolve an issue where an application expects RemoveDirectory() to delete a folder immediately even though a handle is open to it.

    FakeLunaTheme

    The problem occurs when a theme application does not properly display: the colors are washed out or the user interface is not detailed.

    +

    The fix intercepts the GetCurrentThemeName API and returns the value for the Windows XP default theme, (Luna).

    +
    +Note

    For more detailed information about the FakeLunaTheme application fix, see Using the FakeLunaTheme Fix.

    +
    +
    + +

    FlushFile

    This problem is indicated when a file is updated and changes do not immediately appear on the hard disk. Applications cannot see the file changes.

    +

    The fix makes the WriteFile function call the FlushFileBuffers API, which flushes the file cache to the hard disk.

    FontMigration

    The fix replaces an application-requested font with a better font selection, to avoid text truncation.

    ForceAdminAccess

    The problem occurs when an application fails to function during an explicit administrator check.

    +

    The fix allows the user to temporarily imitate being a member of the Administrators group by returning a value of True during the administrator check. This changes only the answer the application receives from its own check; it does not grant the user any additional rights, so operations that genuinely require administrator access will still fail.

    +
    +Note

    For more detailed information about this application fix, see Using the ForceAdminAccess Fix.

    +
    +
    + +

    ForceInvalidateOnClose

    The fix invalidates any windows that exist under a closing or hiding window for applications that rely on the invalidation messages.

    ForceLoadMirrorDrvMitigation

    The fix loads the Windows 8 mirror driver mitigation for applications where the mitigation is not automatically applied.

    FreestyleBMX

    The fix resolves an application race condition that is related to window message order.

    GetDriveTypeWHook

    The application presents unusual behavior during installation; for example, the setup program states that it cannot install to a user-specified location.

    +

    The fix changes GetDriveType() so that only the root information appears for the file path. This is required when an application passes an incomplete or badly-formed file path when it tries to retrieve the drive type on which the file path exists.

    GlobalMemoryStatusLie

    The problem is indicated by a Computer memory full error message that displays when you start an application.

    +

    The fix modifies the memory status structure, so that it reports a swap file that is 400 MB, regardless of the true swap file size.

    HandleBadPtr

    The problem is indicated by an access violation error message that displays because an API is performing pointer validation before it uses a parameter.

    +

    The fix supports using lpBuffer validation from the InternetSetOptionA and InternetSetOptionW functions to perform the additional parameter validation.

    HandleMarkedContentNotIndexed

    The problem is indicated by an application that fails when it changes an attribute on a file or directory.

    +

    The fix intercepts any API calls that return file attributes and directories that are invoked from the %TEMP% directory, and resets the FILE_ATTRIBUTE_NOT_CONTENT_INDEXED attribute to its original state.

    HeapClearAllocation

    The problem is indicated when the allocation process shuts down unexpectedly.

    +

    The fix uses zeros to clear out the heap allocation for an application.

    IgnoreAltTab

    The problem occurs when an application fails to function when special key combinations are used.

    +

    The fix intercepts the RegisterRawInputDevices API and prevents the delivery of the WM_INPUT messages. This delivery failure forces the included hooks to be ignored and forces DInput to use Windows-specific hooks.

    +
    +Note

    For more detailed information about this application fix, see Using the IgnoreAltTab Fix.

    +
    +
    + +

    IgnoreChromeSandbox

    The fix allows Google Chrome to run on systems that have ntdll loaded above 4GB.

    IgnoreDirectoryJunction

    The problem is indicated by a read or access violation error message that displays when an application tries to find or open files.

    +

    The fix hooks the FindNextFileW, FindNextFileA, FindFirstFileExW, FindFirstFileExA, FindFirstFileW and FindFirstFileA APIs to prevent them from returning directory junctions.

    +
    +Note

    Symbolic links appear starting in Windows Vista.

    +
    +
    + +

    IgnoreException

    The problem is indicated when an application stops functioning immediately after it starts, or the application starts with only a cursor appearing on the screen.

    +

    The fix enables the application to ignore specified exceptions. By default, this fix ignores privileged-mode exceptions; however, it can be configured to ignore any exception.

    +

    You can control this fix further by typing the following command at the command prompt:

    +

    Exception1;Exception2

    +

    Where Exception1 and Exception2 are specific exceptions to be ignored. For example: ACCESS_VIOLATION_READ:1;ACCESS_VIOLATION_WRITE:1.

    +
    +Important

    You should use this compatibility fix only if you are certain that it is acceptable to ignore the exception. Ignoring an exception such as an access violation can leave the application running in a corrupted state, and you might experience additional compatibility issues if you choose to incorrectly ignore an exception.

    +
    +
    + +
    +
    +Note

    For more detailed information about this application fix, see Using the IgnoreException Fix.

    +
    +
    + +

    IgnoreFloatingPointRoundingControl

    This fix enables an application to ignore the rounding control request and to behave as expected in previous versions of the application.

    +

    Before floating point SSE2 support in the C runtime library, the rounding control request was being ignored which would use round to nearest option by default. This shim ignores the rounding control request to support applications relying on old behavior.

    IgnoreFontQuality

    The problem occurs when application text appears to be distorted.

    +

    The fix enables color-keyed fonts to properly work with anti-aliasing.

    IgnoreMessageBox

    The problem is indicated by a message box that displays with debugging or extraneous content when the application runs on an unexpected operating system.

    +

    The fix intercepts the MessageBox* APIs and inspects them for specific message text. If matching text is found, the application continues without showing the message box.

    +
    +Note

    For more detailed information about this application fix, see Using the IgnoreMessageBox Fix.

    +
    +
    + +

    IgnoreMSOXMLMF

    The problem is indicated by an error message that states that the operating system cannot locate the MSVCR80D.DLL file.

    +

    The fix ignores the registered MSOXMLMF.DLL object, which Microsoft® Office 2007 loads into the operating system any time that you load an XML file, and then fails the CoGetClassObject call for its CLSID.

    IgnoreSetROP2

    The fix ignores read-modify-write operations on the desktop to avoid performance issues.

    InstallComponent

    The fix prompts the user to install .NET Framework 3.5 or .NET Framework 2.0 because these .NET Framework versions are not included with Windows 8.

    LoadLibraryRedirect

    The fix forces an application to load system versions of libraries instead of loading redistributable versions that shipped with the application.

    LocalMappedObject

    The problem occurs when an application unsuccessfully tries to create an object in the Global namespace.

    +

    The fix intercepts the function call to create the object and replaces the word Global with Local.

    +
    +Note

    For more detailed information about this application fix, see Using the LocalMappedObject Fix.

    +
    +
    + +

    MakeShortcutRunas

    The problem is indicated when an application fails to uninstall because of access-related errors.

    +

    The fix locates any RunDLL.exe-based uninstallers and forces them to run with different credentials during the application installation. After it applies this fix, the installer will create a shortcut that specifies a matching string to run during the application installation, thereby enabling the uninstallation to occur later.

    +
    +Note

    For more detailed information about this application fix, see Using the MakeShortcutRunas Fix

    +
    +
    + +

    ManageLinks

    The fix intercepts common APIs that are going to a directory or to an executable (.exe) file, and then converts any symbolic or directory junctions before passing it back to the original APIs.

    MirrorDriverWithComposition

    The fix allows mirror drivers to work properly with acceptable performance with desktop composition.

    MoveToCopyFileShim

    The problem occurs when an application experiences security access issues during setup.

    +

    The fix forces the CopyFile APIs to run instead of the MoveFile APIs. CopyFile APIs avoid moving the security descriptor, which enables the application files to get the default descriptor of the destination folder and prevents the security access issue.

    OpenDirectoryAcl

    The problem is indicated by an error message that states that you do not have the appropriate permissions to access the application.

    +

    The fix loosens the access control on a specified set of files and folders so that the application can access them. Because this weakens the permissions on those objects, scope the set of paths as narrowly as possible and avoid applying it to system directories.

    +
    +Note

    For more detailed information about this application fix, see Using the OpenDirectoryACL Fix.

    +
    +
    + +

    PopCapGamesForceResPerf

    The fix resolves the performance issues in PopCap games like Bejeweled2. The performance issues are visible in certain low-end cards at certain resolutions where the 1024x768 buffer is scaled to fit the display resolution.

    PreInstallDriver

    The fix preinstalls drivers for applications that would otherwise try to install or start drivers during the initial start process.

    PreInstallSmarteSECURE

    The fix preinstalls computer-wide CLSIDs for applications that use SmartSECURE copy protection, which would otherwise try to install the CLSIDs during the initial start process.

    ProcessPerfData

    The problem is indicated by an Unhandled Exception error message because the application tried to read the process performance data registry value to determine if another instance of the application is running.

    +

    The fix handles the failure case by passing a fake process performance data registry key, so that the application perceives that it is the only instance running.

    +
    +Note

    This issue seems to occur most frequently with .NET applications.

    +
    +
    + +

    PromoteDAM

    The fix registers an application for power state change notifications.

    PropagateProcessHistory

    The problem occurs when an application incorrectly fails to apply an application fix.

    +

    The fix sets the _PROCESS_HISTORY environment variable so that child processes can look in the parent directory for matching information while searching for application fixes.

    ProtectedAdminCheck

    The problem occurs when an application fails to run because of incorrect Protected Administrator permissions.

    +

    The fix addresses the issues that occur when applications use non-standard Administrator checks, thereby generating false positives for user accounts that are being run as Protected Administrators. In this case, the associated SID exists in the user's access token, but it is marked as deny-only.

    RedirectCRTTempFile

    The fix intercepts failing CRT calls that try to create a temporary file at the root of the volume, thereby redirecting the calls to a temporary file in the user's temporary directory.

    RedirectHKCUKeys

    The problem occurs when an application cannot be accessed because of User Account Control (UAC) restrictions.

    +

    The fix duplicates any newly created HKCU keys into the HKCU hives of the other users on the computer; any data the application writes under HKCU is therefore also visible to those users. This fix is generic for UAC restrictions, whereby the HKCU keys are required, but are unavailable to an application at runtime.

    RedirectMP3Codec

    This problem occurs when you cannot play MP3 files.

    +

    The fix intercepts the CoCreateInstance call for the missing filter and then redirects it to a supported version.

    RedirectShortcut

    The problem occurs when an application cannot be accessed by its shortcut, or application shortcuts are not removed during the application uninstallation process.

    +

    The fix redirects all of the shortcuts created during the application setup to appear according to a specified path.

    +
      +
    • Start Menu shortcuts: Appear in the \ProgramData\Microsoft\Windows\Start Menu directory for all users.

    • +
    • Desktop or Quick Launch shortcuts: You must manually place the shortcuts on the individual user's desktop or Quick Launch bar.

    • +
    +

    This issue occurs because of UAC restrictions: specifically, when an application setup runs by using elevated privileges and stores the shortcuts according to the elevated user's context. In this situation, a restricted user cannot access the shortcuts.

    +

    You cannot apply this fix to an .exe file that includes a manifest and provides a runlevel.

    RelaunchElevated

    The problem occurs when installers, uninstallers, or updaters fail when they are started from a host application.

    +

    The fix enables a child .exe file to run with elevated privileges when it is difficult to determine the parent process with either the ElevateCreateProcess fix or by marking the .exe files to RunAsAdmin.

    +
    +Note

    For more detailed information about this application fix, see Using the RelaunchElevated Fix.

    +
    +
    + +

    RetryOpenSCManagerWithReadAccess

    The problem occurs when an application tries to open the Service Control Manager (SCM) and receives an Access Denied error message.

    +

    The fix retries the call and requests a more restricted set of rights. (The specific access rights this fix requests are not listed on this page; as the fix name indicates, they are read access rights.)

    +

    RetryOpenServiceWithReadAccess

    The problem occurs when an "Unable to open service" error message displays because the application uses the OpenService() API to test for the existence of a particular service.

    +

    The fix retries the OpenService() API call by using read-only access. Applications can test for the existence of a service by calling the OpenService() API, but some applications request all access when making this check; this fix retries the call and requests only read-only access. The fix verifies that the user has Administrator rights and is not a Protected Administrator; the user needs to be an administrator for this to work.

    +
    +Note

    For more detailed information about this application fix, see Using the RetryOpenServiceWithReadAccess Fix.

    +
    +
    + +

    RunAsAdmin

    The problem occurs when an application fails to function by using the Standard User or Protected Administrator account.

    +

    The fix enables the application to run by using elevated privileges. The fix is the equivalent of specifying requireAdministrator in an application manifest, so the whole application runs with a full administrator token; prefer a narrower fix (for example RetryOpenServiceWithReadAccess or RunAsHighest) where one resolves the issue.

    +
    +Note

    For more detailed information about this application fix, see Using the RunAsAdmin Fix.

    +
    +
    + +

    RunAsHighest

    The problem occurs when administrators cannot view the read/write version of an application that presents a read-only view to standard users.

    +

    The fix enables the application to run by using the highest available permissions. This is the equivalent of specifying highestAvailable in an application manifest.

    +
    +Note

    For more detailed information about this application fix, see Using the RunAsHighest Fix.

    +
    +
    + +

    RunAsInvoker

    The problem occurs when an application is not detected as requiring elevation.

    +

    The fix enables the application to run by using the privileges of the process that created it, without requiring elevation. This is the equivalent of specifying asInvoker in an application manifest.

    +
    +Note

    For more detailed information about this application fix, see Using the RunAsInvoker Fix.

    +
    +
    + +

    SecuROM7

    The fix repairs applications by using SecuROM7 for copy protection.

    SessionShim

    The fix intercepts API calls from applications that are trying to interact with services that are running in another session, by using the terminal service name prefix (Global or Local) as the parameter.

    +

    At the command prompt, you can supply a list of objects to modify, separating the values by a double backslash (\\). Or, you can choose not to include any parameters, so that all of the objects are modified.

    +
    +Important

    Users cannot log on to Session 0 (the global session) in Windows Vista and later. Therefore, applications that require access to Session 0 automatically fail.

    +
    +
    + +
    +
    +Note

    For more detailed information about this application fix, see Using the SessionShim Fix.

    +
    +
    + +

    SetProtocolHandler

    The fix registers an application as a protocol handler.

    +

    You can control this fix further by typing the following command at the command prompt:

    +

    Client;Protocol;App

    +

    Where the Client is the name of the email protocol, Protocol is mailto, and App is the name of the application.

    +
    +Note

    Only the mail client and the mailto protocol are supported. You can separate multiple clients by using a backslash (\).

    +
    +
    + +

    SetupCommitFileQueueIgnoreWow

    The problem occurs when a 32-bit setup program fails to install because it requires 64-bit drivers.

    +

    The fix disables the WOW64 file system redirection that the 64-bit editions of Windows apply to 32-bit applications, so that the 32-bit setup program is not redirected away from the native 64-bit file system locations during the application setup.

    SharePointDesigner2007

    The fix resolves an application bug that severely slows the application when it runs in DWM.

    ShimViaEAT

    The problem occurs when an application fails, even after applying a compatibility fix that is known to fix an issue. Applications that use unicows.dll or copy protection often present this issue.

    +

    The fix applies the specified compatibility fixes by modifying the export table and by nullifying the use of module inclusion and exclusion.

    +
    +Note

    For more information about this application fix, see Using the ShimViaEAT Fix.

    +
    +
    + +

    ShowWindowIE

    The problem occurs when a web application experiences navigation and display issues because of the tabbing feature.

    +

    The fix intercepts the ShowWindow API call to address the issues that can occur when a web application determines that it is in a child window. This fix calls the real ShowWindow API on the top-level parent window.

    SierraWirelessHideCDROM

    The fix repairs the Sierra Wireless Driver installation, thereby preventing bugcheck.

    Sonique2

    The application uses an invalid window style, which breaks in DWM. This fix replaces the window style with a valid value.

    SpecificInstaller

    The problem occurs when an application installation file fails to be picked up by the GenericInstaller function.

    +

    The fix flags the application as being an installer file (for example, setup.exe), and then prompts for elevation.

    +
    +Note

    For more detailed information about this application fix, see Using the SpecificInstaller Fix.

    +
    +
    + +

    SpecificNonInstaller

    The problem occurs when an application that is not an installer (and has sufficient privileges) generates a false positive from the GenericInstaller function.

    +

    The fix flags the application to exclude it from detection by the GenericInstaller function.

    +
    +Note

    For more detailed information about this application fix, see Using the SpecificNonInstaller Fix.

    +
    +
    + +

    SystemMetricsLie

    The fix replaces SystemMetrics values and SystemParametersInfo values with the values of previous Windows versions.

    TextArt

    The application receives different mouse coordinates with DWM ON versus DWM OFF, which causes the application to hang. This fix resolves the issue.

    TrimDisplayDeviceNames

    The fix trims the names of the display devices that are returned by the EnumDisplayDevices API.

    UIPICompatLogging

    The fix enables the logging of Windows messages from Internet Explorer and other processes.

    UIPIEnableCustomMsgs

    The problem occurs when an application does not properly communicate with other processes because customized Windows messages are not delivered.

    +

    The fix enables customized Windows messages to pass through to the current process from a lower Desktop integrity level. This fix is the equivalent of calling the RegisterWindowMessage function, followed by the ChangeWindowMessageFilter function in the code. Because this lowers the User Interface Privilege Isolation (UIPI) barrier for the listed messages, list only the messages the application actually needs.

    +

    You can control this fix further by typing the following command at the command prompt:

    +

    MessageString1 MessageString2

    +

    Where MessageString1 and MessageString2 reflect the message strings that can pass.

    +
    +Note

    Multiple message strings must be separated by spaces. For more detailed information about this application fix, see Using the UIPIEnableCustomMsgs Fix.

    +
    +
    + +

    UIPIEnableStandardMsgs

    The problem occurs when an application does not communicate properly with other processes because standard Windows messages are not delivered.

    +

    The fix enables standard Windows messages to pass through to the current process from a lower Desktop integrity level. This fix is the equivalent of calling the ChangeWindowMessageFilter function in the code. Because this lowers the User Interface Privilege Isolation (UIPI) barrier for the listed messages, list only the message IDs the application actually needs.

    +

    You can control this fix further by typing the following command at the command prompt:

    +

    1055 1056 1069

    +

    Where 1055 reflects the first message ID, 1056 reflects the second message ID, and 1069 reflects the third message ID that can pass.

    +
    +Note

    Multiple messages can be separated by spaces. For more detailed information about this application fix, see Using the UIPIEnableStandardMsgs Fix [act].

    +
    +
    + +

    VirtualizeDeleteFileLayer

    The fix virtualizes DeleteFile operations for applications that try to delete protected files.

    VirtualizeDesktopPainting

    This fix improves the performance of a number of operations on the Desktop DC while using DWM.

    VirtualRegistry

    The problem is indicated when a Component failed to be located error message displays when an application is started.

    +

    The fix enables the registry functions to allow for virtualization, redirection, expansion values, version spoofing, the simulation of performance data counters, and so on.

    +

    For more detailed information about this application fix, see Using the VirtualRegistry Fix.

    VirtualizeDeleteFile

    The problem occurs when several error messages display and the application cannot delete files.

    +

    The fix makes the application's DeleteFile function call a virtual call in an effort to remedy the UAC and file virtualization issues that were introduced with Windows Vista. This fix also links other file APIs (for example, GetFileAttributes) to ensure that the virtualization of the file is deleted.

    +
    +Note

    For more detailed information about this application fix, see Using the VirtualizeDeleteFile Fix.

    +
    +
    + +

    VirtualizeHKCRLite

    The problem occurs when an application fails to register COM components at runtime.

    +

    The fix redirects the HKCR write calls (HKLM) to the HKCU hive for a per-user COM registration. This operates much like the VirtualRegistry fix when you use the VirtualizeHKCR parameter; however, VirtualizeHKCRLite provides better performance.

    +

    HKCR is a virtual merge of the HKCU\Software\Classes and HKLM\Software\Classes keys. The HKCU entry is preferred if an application is not elevated and is ignored if the application is elevated.

    +

    You typically will use this compatibility fix in conjunction with the VirtualizeRegisterTypeLib fix.

    +

    For more detailed information about this application fix, see Using the VirtualizeHKCRLite Fix.

    VirtualizeRegisterTypeLib

    The fix, when it is used with the VirtualizeHKCRLite fix, ensures that the type library and the COM class registration happen simultaneously. This functions much like the RegistryTypeLib fix when the RegisterTypeLibForUser parameter is used.

    +
    +Note

    For more detailed information about this application fix, see Using the VirtualizeRegisterTypelib Fix.

    +
    +
    + +

    WaveOutIgnoreBadFormat

    This problem is indicated by an error message that states: Unable to initialize sound device from your audio driver; the application then closes.

    +

    The fix enables the application to ignore the format error and continue to function properly.

    WerDisableReportException

    The fix turns off the silent reporting of exceptions to the Windows Error Reporting tool, including those that are reported by Object Linking and Embedding-Database (OLE DB). The fix intercepts the RtlReportException API and returns a STATUS_NOT_SUPPORTED error message.

    Win7RTM/Win8RTM

    The layer provides the application with Windows 7/Windows 8 compatibility mode.

    WinxxRTMVersionLie

    The problem occurs when an application fails because it does not find the correct version number for the required Windows operating system.

    +

    All version lie compatibility fixes address the issue whereby an application fails to function because it is checking for, but not finding, a specific version of the operating system. The version lie fix returns the appropriate operating system version information. For example, the VistaRTMVersionLie returns the Windows Vista version information to the application, regardless of the actual operating system version that is running on the computer.

    Wing32SystoSys32

    The problem is indicated by an error message that states that the WinG library was not properly installed.

    +

    The fix detects whether the WinG32 library exists in the correct directory. If the library is located in the wrong location, this fix copies the information (typically during the runtime of the application) into the %WINDIR% \system32 directory.

    +
    +Important

    The application must have Administrator privileges for this fix to work.

    +
    +
    + +

    WinSrv08R2RTM

    WinXPSP2VersionLie

    The problem occurs when an application experiences issues because of a VB runtime DLL.

    +

    The fix forces the application to follow these steps:

    +
      +
    1. Open the Compatibility Administrator, and then select None for Operating System Mode.

    2. +
    3. On the Compatibility Fixes page, click WinXPSP2VersionLie, and then click Parameters.

      +

      The Options for <fix_name> dialog box appears.

    4. +
    5. Type vbrun60.dll into the Module Name box, click Include, and then click Add.

    6. +
    7. Save the custom database.

      +
      +Note

      For more information about the WinXPSP2VersionLie application fix, see Using the WinXPSP2VersionLie Fix.

      +
      +
      + +
    8. +

    WRPDllRegister

    The application fails when it tries to register a COM component that is released together with Windows Vista and later.

    +

    The fix skips the processes of registering and unregistering WRP-protected COM components when calling the DLLRegisterServer and DLLUnregisterServer functions.

    +

    You can control this fix further by typing the following command at the command prompt:

    +

    Component1.dll;Component2.dll

    +

    Where Component1.dll and Component2.dll reflect the components to be skipped.

    +
    +Note

    For more detailed information about this application fix, see Using the WRPDllRegister Fix.

    +
    +
    + +

    WRPMitigation

    The problem is indicated when an access denied error message displays when the application tries to access a protected operating system resource by using more than read-only access.

    +

    The fix emulates the successful authentication and modification of file and registry APIs, so that the application can continue.

    +
    +Note

    For more detailed information about WRPMitigation, see Using the WRPMitigation Fix.

    +
    +
    + +

    WRPRegDeleteKey

    The problem is indicated by an access denied error message that displays when the application tries to delete a registry key.

    +

    The fix verifies whether the registry key is WRP-protected. If the key is protected, this fix emulates the deletion process.

    XPAfxIsValidAddress

    The fix emulates the behavior of Windows XP for MFC42!AfxIsValidAddress.

    + + + +## Compatibility Modes + + +The following table lists the known compatibility modes. + + +++++ + + + + + + + + + + + + + + + + + + + +
    Compatibility Mode NameDescriptionIncluded Compatibility Fixes

    WinSrv03

    Emulates the Windows Server 2003 operating system.

      +
    • Win2k3RTMVersionLie

    • +
    • VirtualRegistry

    • +
    • ElevateCreateProcess

    • +
    • EmulateSorting

    • +
    • FailObsoleteShellAPIs

    • +
    • LoadLibraryCWD

    • +
    • HandleBadPtr

    • +
    • GlobalMemoryStatus2GB

    • +
    • RedirectMP3Codec

    • +
    • EnableLegacyExceptionHandlinginOLE

    • +
    • NoGhost

    • +
    • HardwareAudioMixer

    • +

    WinSrv03Sp1

    Emulates the Windows Server 2003 with Service Pack 1 (SP1) operating system.

      +
    • Win2K3SP1VersionLie

    • +
    • VirtualRegistry

    • +
    • ElevateCreateProcess

    • +
    • EmulateSorting

    • +
    • FailObsoleteShellAPIs

    • +
    • LoadLibraryCWD

    • +
    • HandleBadPtr

    • +
    • EnableLegacyExceptionHandlinginOLE

    • +
    • RedirectMP3Codec

    • +
    • HardwareAudioMixer

    • +
    diff --git a/windows/deployment/planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md b/windows/deployment/planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md index 0be29f8a0c..9a86786070 100644 --- a/windows/deployment/planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md +++ b/windows/deployment/planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md 
@@ -1,86 +1,67 @@ ---- -title: Creating a Custom Compatibility Fix in Compatibility Administrator (Windows 10) -description: The Compatibility Administrator tool uses the term fix to describe the combination of compatibility information added to a customized database for a specific application. -ms.assetid: e4f2853a-0e46-49c5-afd7-0ed12f1fe0c2 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Creating a Custom Compatibility Fix in Compatibility Administrator - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -The Compatibility Administrator tool uses the term *fix* to describe the combination of compatibility information added to a customized database for a specific application. This combination can include single application fixes, groups of fixes that work together as a compatibility mode, and blocking and non-blocking AppHelp messages. - -**Important**   -Fixes apply to a single application only; therefore, you must create multiple fixes if you need to fix the same issue in multiple applications. - - - -## What is a Compatibility Fix? - - -A compatibility fix, previously known as a shim, is a small piece of code that intercepts API calls from applications. The fix transforms the API calls so that the current version of the operating system supports the application in the same way as previous versions of the operating system. This can mean anything from disabling a new feature in the current version of the operating system to emulating a particular behavior of an older version of the Windows API. - -## Searching for Existing Compatibility Fixes - - -The Compatibility Administrator tool has preloaded fixes for many common applications, including known compatibility fixes, compatibility modes, and AppHelp messages. 
Before you create a new compatibility fix, you can search for an existing application and then copy and paste the known fixes into your customized database. - -**Important**   -Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to create custom databases for 32-bit applications and the 64-bit version to create custom databases for 64-bit applications. - - - -**To search for an existing application** - -1. In the left-side pane of Compatibility Administrator, expand the **Applications** folder and search for your application name. - -2. Click the application name to view the preloaded compatibility fixes, compatibility modes, or AppHelp messages. - -## Creating a New Compatibility Fix - - -If you are unable to find a preloaded compatibility fix for your application, you can create a new one for use by your customized database. - -**To create a new compatibility fix** - -1. In the left-side pane of Compatibility Administrator underneath the **Custom Databases** heading, right-click the name of the database to which you want to apply the compatibility fix, click **Create New**, and then click **Application Fix**. - -2. Type the name of the application to which the compatibility fix applies, type the name of the application vendor, browse to the location of the application file (.exe) on your computer, and then click **Next**. - -3. Select the operating system for which your compatibility fix applies, click any applicable compatibility modes to apply to your compatibility fix, and then click **Next**. - -4. Select any additional compatibility fixes to apply to your compatibility fix, and then click **Next**. - -5. Select any additional criteria to use to match your applications to the AppHelp message, and then click **Finish**. - - By default, Compatibility Administrator selects the basic matching criteria for your application. 
As a best practice, use a limited set of matching information to represent your application, because it reduces the size of the database. However, make sure you have enough information to correctly identify your application. - -## Related topics -[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) - - - - - - - - - +--- +title: Creating a Custom Compatibility Fix in Compatibility Administrator (Windows 10) +description: The Compatibility Administrator tool uses the term fix to describe the combination of compatibility information added to a customized database for a specific application. +ms.assetid: e4f2853a-0e46-49c5-afd7-0ed12f1fe0c2 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.topic: article +--- + +# Creating a Custom Compatibility Fix in Compatibility Administrator + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +The Compatibility Administrator tool uses the term *fix* to describe the combination of compatibility information added to a customized database for a specific application. This combination can include single application fixes, groups of fixes that work together as a compatibility mode, and blocking and non-blocking AppHelp messages. + +> [!IMPORTANT] +> Fixes apply to a single application only; therefore, you must create multiple fixes if you need to fix the same issue in multiple applications. + +## What is a Compatibility Fix? + +A compatibility fix, previously known as a shim, is a small piece of code that intercepts API calls from applications. The fix transforms the API calls so that the current version of the operating system supports the application in the same way as previous versions of the operating system. 
This can mean anything from disabling a new feature in the current version of the operating system to emulating a particular behavior of an older version of the Windows API. + +## Searching for Existing Compatibility Fixes + +The Compatibility Administrator tool has preloaded fixes for many common applications, including known compatibility fixes, compatibility modes, and AppHelp messages. Before you create a new compatibility fix, you can search for an existing application and then copy and paste the known fixes into your customized database. + +> [!IMPORTANT] +> Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to create custom databases for 32-bit applications and the 64-bit version to create custom databases for 64-bit applications. + +**To search for an existing application** + +1. In the left-side pane of Compatibility Administrator, expand the **Applications** folder and search for your application name. +2. Click the application name to view the preloaded compatibility fixes, compatibility modes, or AppHelp messages. + +## Creating a New Compatibility Fix + + +If you are unable to find a preloaded compatibility fix for your application, you can create a new one for use by your customized database. + +**To create a new compatibility fix** + +1. In the left-side pane of Compatibility Administrator underneath the **Custom Databases** heading, right-click the name of the database to which you want to apply the compatibility fix, click **Create New**, and then click **Application Fix**. +2. Type the name of the application to which the compatibility fix applies, type the name of the application vendor, browse to the location of the application file (.exe) on your computer, and then click **Next**. +3. 
Select the operating system for which your compatibility fix applies, click any applicable compatibility modes to apply to your compatibility fix, and then click **Next**. +4. Select any additional compatibility fixes to apply to your compatibility fix, and then click **Next**. +5. Select any additional criteria to use to match your applications to the AppHelp message, and then click **Finish**. + + By default, Compatibility Administrator selects the basic matching criteria for your application. As a best practice, use a limited set of matching information to represent your application, because it reduces the size of the database. However, make sure you have enough information to correctly identify your application. + +## Related topics + +[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) diff --git a/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md b/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md index a34c87220b..c434f06486 100644 --- a/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md +++ b/windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md 
@@ -39,8 +39,8 @@ A compatibility mode is a group of compatibility fixes. A compatibility fix, pre The Compatibility Administrator tool has preloaded fixes for many common applications, including known compatibility fixes, compatibility modes, and AppHelp messages. Before you create a new compatibility mode, you can search for an existing application and then copy and paste the known fixes into your custom database. -**Important** -Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to create custom databases for 32-bit applications and the 64-bit version to create custom databases for 64-bit applications. +> [!IMPORTANT] +> Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to create custom databases for 32-bit applications and the 64-bit version to create custom databases for 64-bit applications. @@ -55,8 +55,8 @@ Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version o If you are unable to find a preloaded compatibility mode for your application, you can create a new one for use by your custom database. -**Important** -A compatibility mode includes a set of compatibility fixes and must be deployed as a group. Therefore, you should include only fixes that you intend to deploy together to the database. +> [!IMPORTANT] +> A compatibility mode includes a set of compatibility fixes and must be deployed as a group. Therefore, you should include only fixes that you intend to deploy together to the database. diff --git a/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md b/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md index 14270c5d3c..e4ebfef4e3 100644 --- a/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md 
+++ b/windows/deployment/planning/creating-an-apphelp-message-in-compatibility-administrator.md 
@@ -1,97 +1,98 @@ ---- -title: Creating an AppHelp Message in Compatibility Administrator (Windows 10) -description: The Compatibility Administrator tool enables you to create an AppHelp text message. This is a blocking or non-blocking message that appears when a user starts an application that you know has major functionality issues on the Windows® operating system. -ms.assetid: 5c6e89f5-1942-4aa4-8439-ccf0ecd02848 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Creating an AppHelp Message in Compatibility Administrator - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -The Compatibility Administrator tool enables you to create an AppHelp text message. This is a blocking or non-blocking message that appears when a user starts an application that you know has major functionality issues on the Windows® operating system. - -## Blocking Versus Non-Blocking AppHelp Messages - - -A blocking AppHelp message prevents the application from starting and displays a message to the user. You can define a specific URL where the user can download an updated driver or other fix to resolve the issue. When using a blocking AppHelp message, you must also define the file-matching information to identify the version of the application and enable the corrected version to continue. - -A non-blocking AppHelp message does not prevent the application from starting, but provides a message to the user including information such as security issues, updates to the application, or changes to the location of network resources. - -## Searching for Existing Compatibility Fixes - - -The Compatibility Administrator tool has preloaded fixes for many common applications, including known compatibility fixes, compatibility modes, and AppHelp messages. 
Before you create a new AppHelp message, you can search for an existing application and then copy and paste the known fixes into your custom database. - -**Important**   -Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to create custom databases for 32-bit applications and the 64-bit version to create custom databases for 64-bit applications. - - - -**To search for an existing application** - -1. In the left-side pane of Compatibility Administrator, expand the **Applications** folder and search for your application name. - -2. Click the application name to view the preloaded AppHelp messages, compatibility fixes, and compatibility modes. - -## Creating a New AppHelp Message - - -If you are unable to find a preloaded AppHelp message for your application, you can create a new one for use by your custom database. - -**To create a new AppHelp message** - -1. In the left-side pane of Compatibility Administrator, below the **Custom Databases** heading, right-click the name of the database to which you will apply the AppHelp message, click **Create New**, and then click **AppHelp Message**. - -2. Type the name of the application to which this AppHelp message applies, type the name of the application vendor, browse to the location of the application file (.exe) on your computer, and then click **Next**. - - The wizard shows the known **Matching Information**, which is used for program identification. - -3. Select any additional criteria to use to match your applications to the AppHelp message, and then click **Next**. - - By default, Compatibility Administrator selects the basic matching criteria for your application. - - The wizard shows the **Enter Message Type** options. - -4. Click one of the following options: - - - **Display a message and allow this program to run**. 
This is a non-blocking message, which means that you can alert the user that there might be a problem, but the application is not prevented from starting. - - - **Display a message and do not allow this program to run**. This is a blocking message, which means that the application will not start. Instead, this message points the user to a location that provides more information about fixing the issue. - -5. Click **Next**. - - The wizard then shows the **Enter Message Information** fields. - -6. Type the website URL and the message text to appear when the user starts the application, and then click **Finish**. - -## Issues with AppHelp Messages and Computers Running Windows 2000 - - -The following issues might occur with computers running Windows 2000: - -- You might be unable to create a custom AppHelp message. - -- The AppHelp message text used for system database entries might not appear. - -- Copying an AppHelp entry for a system database or a custom-compatibility fix from a system database might cause Compatibility Administrator to hide the descriptive text. - -## Related topics -[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) +--- +title: Creating an AppHelp Message in Compatibility Administrator (Windows 10) +description: The Compatibility Administrator tool enables you to create an AppHelp text message. This is a blocking or non-blocking message that appears when a user starts an application that you know has major functionality issues on the Windows® operating system. 
+ms.assetid: 5c6e89f5-1942-4aa4-8439-ccf0ecd02848 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Creating an AppHelp Message in Compatibility Administrator + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +The Compatibility Administrator tool enables you to create an AppHelp text message. This is a blocking or non-blocking message that appears when a user starts an application that you know has major functionality issues on the Windows® operating system. + +## Blocking Versus Non-Blocking AppHelp Messages + + +A blocking AppHelp message prevents the application from starting and displays a message to the user. You can define a specific URL where the user can download an updated driver or other fix to resolve the issue. When using a blocking AppHelp message, you must also define the file-matching information to identify the version of the application and enable the corrected version to continue. + +A non-blocking AppHelp message does not prevent the application from starting, but provides a message to the user including information such as security issues, updates to the application, or changes to the location of network resources. + +## Searching for Existing Compatibility Fixes + + +The Compatibility Administrator tool has preloaded fixes for many common applications, including known compatibility fixes, compatibility modes, and AppHelp messages. Before you create a new AppHelp message, you can search for an existing application and then copy and paste the known fixes into your custom database. + +> [!IMPORTANT] +> Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. 
You must use the 32-bit version to create custom databases for 32-bit applications and the 64-bit version to create custom databases for 64-bit applications. + + + +**To search for an existing application** + +1. In the left-side pane of Compatibility Administrator, expand the **Applications** folder and search for your application name. + +2. Click the application name to view the preloaded AppHelp messages, compatibility fixes, and compatibility modes. + +## Creating a New AppHelp Message + + +If you are unable to find a preloaded AppHelp message for your application, you can create a new one for use by your custom database. + +**To create a new AppHelp message** + +1. In the left-side pane of Compatibility Administrator, below the **Custom Databases** heading, right-click the name of the database to which you will apply the AppHelp message, click **Create New**, and then click **AppHelp Message**. + +2. Type the name of the application to which this AppHelp message applies, type the name of the application vendor, browse to the location of the application file (.exe) on your computer, and then click **Next**. + + The wizard shows the known **Matching Information**, which is used for program identification. + +3. Select any additional criteria to use to match your applications to the AppHelp message, and then click **Next**. + + By default, Compatibility Administrator selects the basic matching criteria for your application. + + The wizard shows the **Enter Message Type** options. + +4. Click one of the following options: + + - **Display a message and allow this program to run**. This is a non-blocking message, which means that you can alert the user that there might be a problem, but the application is not prevented from starting. + + - **Display a message and do not allow this program to run**. This is a blocking message, which means that the application will not start. 
Instead, this message points the user to a location that provides more information about fixing the issue. + +5. Click **Next**. + + The wizard then shows the **Enter Message Information** fields. + +6. Type the website URL and the message text to appear when the user starts the application, and then click **Finish**. + +## Issues with AppHelp Messages and Computers Running Windows 2000 + + +The following issues might occur with computers running Windows 2000: + +- You might be unable to create a custom AppHelp message. + +- The AppHelp message text used for system database entries might not appear. + +- Copying an AppHelp entry for a system database or a custom-compatibility fix from a system database might cause Compatibility Administrator to hide the descriptive text. + +## Related topics +[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) diff --git a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md index decac6d28e..022ac067c8 100644 --- a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md +++ b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md 
@@ -1,340 +1,304 @@
----
-title: Deployment considerations for Windows To Go (Windows 10)
-description: Deployment considerations for Windows To Go
-ms.assetid: dcfc5d96-b96b-44cd-ab65-416b5611c65e
-ms.reviewer: 
-manager: laurawi
-ms.author: greglin
-keywords: deploy, mobile, device, USB, boot, image, workspace, driver
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: mobility
-ms.sitesec: library
-audience: itpro author: greg-lindsay
-ms.topic: article
----
-
-# Deployment considerations for Windows To Go
-
-
-**Applies to**
-
-- Windows 10
-
->[!IMPORTANT]
->Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
-
-From the start, Windows To Go was designed to minimize differences between the user experience of working on a laptop and Windows To Go booted from a USB drive. Given that Windows To Go was designed as an enterprise solution, extra consideration was given to the deployment workflows that enterprises already have in place. Additionally, there has been a focus on minimizing the number of differences in deployment between Windows To Go workspaces and laptop PCs.
-
-**Note**   
-Windows To Go does not support operating system upgrades. Windows To Go is designed as a feature that is managed centrally. IT departments that plan to transition from one operating system version to a later version will need to incorporate re-imaging their existing Windows To Go drives as part of their upgrade deployment process.
-
-
-
-The following sections discuss the boot experience, deployment methods, and tools that you can use with Windows To Go.
-
-- [Initial boot experiences](#wtg-initboot)
-
-- [Image deployment and drive provisioning considerations](#wtg-imagedep)
-
-- [Application installation and domain join](#wtg-appinstall)
-
-- [Management of Windows To Go using Group Policy](#bkmk-wtggp)
-
-- [Supporting booting from USB](#wtg-bootusb)
-
-- [Updating firmware](#stg-firmware)
-
-- [Configure Windows To Go startup options](#wtg-startup)
-
-- [Change firmware settings](#wtg-changefirmware)
-
-## Initial boot experiences
-
-
-The following diagrams illustrate the two different methods you could use to provide Windows To Go drives to your users. The experiences differ depending on whether the user will be booting the device initially on-premises or off-premises:
-
-![initial boot on-premises](images/wtg-first-boot-work.gif)
-
-When a Windows To Go workspace is first used at the workplace, the Windows To Go workspace can be joined to the domain through the normal procedures that occur when a new computer is introduced. It obtains a lease, applicable policies are applied and set, and user account tokens are placed appropriately. BitLocker protection can be applied and the BitLocker recovery key automatically stored in Active Directory Domain Services. The user can access network resources to install software and get access to data sources. When the workspace is subsequently booted at a different location either on or off premises, the configuration required for it to connect back to the work network using either DirectAccess or a virtual private network connection can be configured. It is not necessary to configure the workspace for offline domain join. DirectAccess can make connecting to organizational resources easier, but is not required.
-
-![initial boot off-premises](images/wtg-first-boot-home.gif)
-
-When the Windows To Go workspace is going to be used first on an off-premises computer, such as one at the employee’s home, then the IT professional preparing the Windows To Go drives should configure the drive to be able to connect to organizational resources and to maintain the security of the workspace. In this situation, the Windows To Go workspace needs to be configured for offline domain join and BitLocker needs to be enabled before the workspace has been initialized.
-
-**Tip**   
-Applying BitLocker Drive Encryption to the drives before provisioning is a much faster process than encrypting the drives after data has already been stored on them due to a new feature called used-disk space only encryption. For more information, see [What's New in BitLocker](https://go.microsoft.com/fwlink/p/?LinkId=619076).
-
-
-
-DirectAccess can be used to ensure that the user can login with their domain credentials without needing a local account. For instructions on setting up a DirectAccess solution, for a small pilot deployment see [Deploy a Single Remote Access Server using the Getting Started Wizard](https://go.microsoft.com/fwlink/p/?LinkId=619077) for a larger scale deployment, see [Deploy Remote Access in an Enterprise](https://go.microsoft.com/fwlink/p/?LinkId=619078). If you do not want to use DirectAccess as an alternative users could log on using a local user account on the Windows To Go workspace and then use a virtual private network for remote access to your organizational network.
-
-### Image deployment and drive provisioning considerations
-
-The Image Deployment process can be accomplished either by a centralized IT process for your organization or by individual users creating their own Windows To Go workspaces.
You must have local Administrator access and access to a Windows 10 Enterprise or Windows 10 Education image to create a Windows To Go workspace, or you must be using System Center Configuration Manager 2012 Service Pack 1 or later to distribute Windows To Go workspaces to users. The image deployment process takes a blank USB drive and a Windows 10 Enterprise image (WIM) and turns it into a Windows To Go drive.
-
-![windows to go image deployment](images/wtg-image-deployment.gif)
-
-The simplest way to provision a Windows To Go drive is to use the Windows To Go Creator. After a single Windows To Go workspace has been created, it can be duplicated as many times as necessary using widely available USB duplicator products as long as the device has not been booted. After the Windows To Go drive is initialized, it should not be duplicated. Alternatively, Windows To Go Workspace Creator can be run multiple times to create multiple Windows To Go drives.
-
-**Tip**   
-When you create your Windows To Go image use sysprep /generalize, just as you do when you deploy Windows 10 to a standard PC. In fact, if appropriate, use the same image for both deployments.
-
-
-
-**Driver considerations**
-
-Windows includes most of the drivers that you will need to support a wide variety of host computers. However, you will occasionally need to download drivers from Windows Update to take advantage of the full functionality of a device. If you are using Windows To Go on a set of known host computers, you can add any additional drivers to the image used on Windows To Go to make Windows To Go drives more quickly usable by your employees. Especially ensure that network drivers are available so that the user can connect to Windows Update to get additional drivers if necessary.
-
-Wi-Fi network adapter drivers are one of the most important drivers to make sure that you include in your standard image so that users can easily connect to the internet for any additional updates.
IT administrators that are attempting to build Windows 10 images for use with Windows To Go should consider adding additional Wi-Fi drivers to their image to ensure that their users have the best chance of still having basic network connectivity when roaming between systems. - -The following list of commonly used Wi-Fi network adapters that are not supported by the default drivers provided with Windows 10 is provided to help you ascertain whether or not you need to add drivers to your image. - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Vendor name

    Product description

    HWID

    Windows Update availability

    Broadcom

    802.11abgn Wireless SDIO adapter

    sd\vid_02d0&pid_4330&fn_1

    Contact the system OEM or Broadcom for driver availability.

    Broadcom

    802.11n Network Adapter

    pci\ven_14e4&dev_4331&subsys_00d6106b&rev_02

    Contact the system OEM or Broadcom for driver availability.

    Broadcom

    802.11n Network Adapter

    pci\ven_14e4&dev_4331&subsys_00f5106b&rev_02

    Contact the system OEM or Broadcom for driver availability.

    Broadcom

    802.11n Network Adapter

    pci\ven_14e4&dev_4331&subsys_00ef106b&rev_02

    Contact the system OEM or Broadcom for driver availability.

    Broadcom

    802.11n Network Adapter

    pci\ven_14e4&dev_4331&subsys_00f4106b&rev_02

    Contact the system OEM or Broadcom for driver availability.

    Broadcom

    802.11n Network Adapter

    pci\ven_14e4&dev_4331&subsys_010e106b&rev_02

    Contact the system OEM or Broadcom for driver availability.

    Broadcom

    802.11n Network Adapter

    pci\ven_14e4&dev_4331&subsys_00e4106b&rev_02

    Contact the system OEM or Broadcom for driver availability.

    Broadcom

    802.11n Network Adapter

    pci\ven_14e4&dev_4331&subsys_433114e4&rev_02

    Contact the system OEM or Broadcom for driver availability.

    Broadcom

    802.11n Network Adapter

    pci\ven_14e4&dev_4331&subsys_010f106b&rev_02

    Contact the system OEM or Broadcom for driver availability.

    Marvell

    Yukon 88E8001/8003/8010 PCI Gigabit Ethernet

    pci\ven_11ab&dev_4320&subsys_811a1043

    32-bit driver

    -

    64-bit driver

    Marvell

    Libertas 802.11b/g Wireless

    pci\ven_11ab&dev_1faa&subsys_6b001385&rev_03

    32-bit driver

    -

    64-bit driver

    Qualcomm

    Atheros AR6004 Wireless LAN Adapter

    sd\vid_0271&pid_0401

    32-bit driver

    -

    64-bit driver not available

    Qualcomm

    Atheros AR5BWB222 Wireless Network Adapter

    pci\ven_168c&dev_0034&subsys_20031a56

    32-bit driver

    -

    64-bit driver not available

    Qualcomm

    Atheros AR5BWB222 Wireless Network Adapter

    pci\ven_168c&dev_0034&subsys_020a1028&rev_01

    Contact the system OEM or Qualcom for driver availability.

    Qualcomm

    Atheros AR5005G Wireless Network Adapter

    pci\ven_168c&dev_001a&subsys_04181468&rev_01

    32-bit driver

    -

    64-bit driver

    Ralink

    Wireless-G PCI Adapter

    pci\ven_1814&dev_0301&subsys_00551737&rev_00

    32-bit driver

    -

    64-bit driver

    Ralink

    Turbo Wireless LAN Card

    pci\ven_1814&dev_0301&subsys_25611814&rev_00

    32-bit driver

    -

    64-bit driver

    Ralink

    Wireless LAN Card V1

    pci\ven_1814&dev_0302&subsys_3a711186&rev_00

    32-bit driver

    -

    64-bit driver

    Ralink

    D-Link AirPlus G DWL-G510 Wireless PCI Adapter(rev.C)

    pci\ven_1814&dev_0302&subsys_3c091186&rev_00

    32-bit driver

    -

    64-bit driver

    -
-
-
-IT administrators that want to target Windows To Go images for specific systems should test their images to ensure that the necessary system drivers are in the image, especially for critical functionality like Wi-Fi that is not supported by class drivers. Some consumer devices require OEM specific driver packages, which may not be available on Windows Update. For more information on how to add a driver to a Windows Image, please refer to the [Basic Windows Deployment Step-by-Step Guide](https://go.microsoft.com/fwlink/p/?LinkId=619079).
-
-### Application installation and domain join
-
-Unless you are using a customized Windows image that includes unattended installation settings, the initial Windows To Go workspace will not be domain joined and will not contain applications. This is exactly like a new installation of Windows on a desktop or laptop computer. When planning your deployment, you should develop methods to join Windows to Go drives to the domain and install the standard applications that users in your organization require. These methods probably will be similar to the ones used for setting up desktop and laptop computers with domain privileges and applications
-
-### Management of Windows To Go using Group Policy
-
-In general, management of Windows To Go workspaces is same as that for desktop and laptop computers. There are Windows To Go specific Group Policy settings that should be considered as part of Windows To Go deployment. Windows To Go Group Policy settings are located at `\\Computer Configuration\Administrative Templates\Windows Components\Portable Operating System\` in the Local Group Policy Editor.
-
-The use of the Store on Windows To Go workspaces that are running Windows 8 can also be controlled by Group Policy. This policy setting is located at `\\Computer Configuration\Administrative Templates\Windows Components\Store\` in the Local Group Policy Editor.
The policy settings have specific implications for Windows To Go that you should be aware of when planning your deployment:
-
-**Settings for workspaces**
-
-- **Allow hibernate (S4) when started from a Windows To Go workspace**
-
- This policy setting specifies whether the PC can use the hibernation sleep state (S4) when started from a Windows To Go workspace. By default, hibernation is disabled when using Windows To Go workspace, so enabling this setting explicitly turns this ability back on. When a computer enters hibernation, the contents of memory are written to disk. When the disk is resumed, it is important that the hardware attached to the system, as well as the disk itself, are unchanged. This is inherently incompatible with roaming between PC hosts. Hibernation should only be used when the Windows To Go workspace is not being used to roam between host PCs.
-
- **Important**   
- For the host-PC to resume correctly when hibernation is enabled the Windows To Go workspace must continue to use the same USB port.
-
-
-
-- **Disallow standby sleep states (S1-S3) when starting from a Windows To Go workspace**
-
- This policy setting specifies whether the PC can use standby sleep states (S1–S3) when started from a Windows To Go workspace. The Sleep state also presents a unique challenge to Windows To Go users. When a computer goes to sleep, it appears as if it is shut down. It could be very easy for a user to think that a Windows To Go workspace in sleep mode was actually shut down and they could remove the Windows To Go drive and take it home. Removing the Windows To Go drive in this scenario is equivalent to an unclean shutdown which may result in the loss of unsaved user data or the corruption on the drive. Moreover, if the user now boots the drive on another PC and brings it back to the first PC which still happens to be in the sleep state, it will lead to an arbitrary crash and eventually corruption of the drive and result in the workspace becoming unusable.
If you enable this policy setting, the Windows To Go workspace cannot use the standby states to cause the PC to enter sleep mode. If you disable or do not configure this policy setting, the Windows To Go workspace can place the PC in sleep mode.
-
-**Settings for host PCs**
-
-- **Windows To Go Default Startup Options**
-
- This policy setting controls whether the host computer will boot to Windows To Go if a USB device containing a Windows To Go workspace is connected, and controls whether users can make changes using the **Windows To Go Startup Options** settings dialog. If you enable this policy setting, booting to Windows To Go when a USB device is connected will be enabled and users will not be able to make changes using the **Windows To Go Startup Options** settings dialog. If you disable this policy setting, booting to Windows To Go when a USB device is connected will not be enabled unless a user configures the option manually in the firmware. If you do not configure this policy setting, users who are members of the local Administrators group can enable or disable booting from USB using the **Windows To Go Startup Options** settings dialog.
-
- **Important**   
- Enabling this policy setting will cause PCs running Windows to attempt to boot from any USB device that is inserted into the PC before it is started.
-
-
-
-## Supporting booting from USB
-
-
-The biggest hurdle for a user wanting to use Windows To Go is configuring their computer to boot from USB. This is traditionally done by entering the firmware and configuring the appropriate boot order options. To ease the process of making the firmware modifications required for Windows To Go, Windows includes a feature named **Windows To Go Startup Options** that allows a user to configure their computer to boot from USB from within Windows—without ever entering their firmware, as long as their firmware supports booting from USB.
-
-**Note**   
-Enabling a system to always boot from USB first has implications that you should consider. For example, a USB device that includes malware could be booted inadvertently to compromise the system, or multiple USB drives could be plugged in to cause a boot conflict. For this reason, the Windows To Go startup options are disabled by default. In addition, administrator privileges are required to configure Windows To Go startup options.
-
-
-
-If you are going to be using a Windows 7 computer as a host-PC, see the wiki article [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkID=618951).
-
-### Roaming between different firmware types
-
-Windows supports two types of PC firmware: Unified Extensible Firmware Interface (UEFI), which is the new standard, and legacy BIOS firmware, which was used in most PCs shipping with Windows 7 or earlier version of Windows. Each firmware type has completely different Windows boot components that are incompatible with each other. Beyond the different boot components, Windows supports different partition styles and layout requirements for each type of firmware as shown in the following diagrams.
-
-![bios layout](images/wtg-mbr-bios.gif)![uefi layout](images/wtg-gpt-uefi.gif)
-
-This presented a unique challenge for Windows To Go because the firmware type is not easily determined by end-users—a UEFI computer looks just like a legacy BIOS computer and Windows To Go must boot on both types of firmware.
-
-To enable booting Windows To Go on both types of firmware, a new disk layout is provided for Windows 8 or later that contains both sets of boot components on a FAT32 system partition and a new command-line option was added to bcdboot.exe to support this configuration. The **/f** option is used with the **bcdboot /s** command to specify the firmware type of the target system partition by appending either **UEFI**, **BIOS** or **ALL**.
When creating Windows To Go drives manually you must use the **ALL** parameter to provide the Windows To Go drive the ability to boot on both types of firmware. For example, on volume H: (your Windows To Go USB drive letter), you would use the command **bcdboot C:\\windows /s H: /f ALL**. The following diagram illustrates the disk layout that results from that command:
-
-![firmware roaming disk layout](images/wtg-mbr-firmware-roaming.gif)
-
-This is the only supported disk configuration for Windows To Go. With this disk configuration, a single Windows To Go drive can be booted on computers with UEFI and legacy BIOS firmware.
-
-### Configure Windows To Go startup options
-
-Windows To Go Startup Options is a setting available on Windows 10-based PCs that enables the computer to be booted from a USB without manually changing the firmware settings of the PC. To configure Windows To Go Startup Options you must have administrative rights on the computer and the **Windows To Go Default Startup Options** Group Policy setting must not be configured.
-
-**To configure Windows To Go startup options**
-
-1. On the Start screen, type, type **Windows To Go Startup Options**, click **Settings** and then press Enter.
-
- ![windows to go startup options](images/wtg-startup-options.gif)
-
-2. Select **Yes** to enable the startup options.
-
- **Tip**   
- If your computer is part of a domain, the Group Policy setting can be used to enable the startup options instead of the dialog.
-
-
-
-3. Click **Save Changes**. If the User Account Control dialog box is displayed, confirm that the action it displays is what you want, and then click **Yes**.
-
-### Change firmware settings
-
-If you choose to not use the Windows To Go startup options or are using a PC running Windows 7 as your host computer you will need to manually configure the firmware settings. The process used to accomplish this will depend on the firmware type and manufacturer.
If your host computer is protected by BitLocker and running Windows 7 you should suspend BitLocker before making the change to the firmware settings. After the firmware settings have been successfully reconfigured, resume BitLocker protection. If you do not suspend BitLocker first, BitLocker will assume that the computer has been tampered with and will boot into BitLocker recovery mode.
-
-## Related topics
-
-
-[Windows To Go: feature overview](windows-to-go-overview.md)
-
-[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
-
-[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
-
-[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md)
-
-
-
-
-
-
-
-
-
+---
+title: Deployment considerations for Windows To Go (Windows 10)
+description: Deployment considerations for Windows To Go
+ms.assetid: dcfc5d96-b96b-44cd-ab65-416b5611c65e
+ms.reviewer: 
+manager: laurawi
+ms.author: greglin
+keywords: deploy, mobile, device, USB, boot, image, workspace, driver
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.pagetype: mobility
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Deployment considerations for Windows To Go
+
+
+**Applies to**
+
+- Windows 10
+
+> [!IMPORTANT]
+> Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
+
+From the start, Windows To Go was designed to minimize differences between the user experience of working on a laptop and Windows To Go booted from a USB drive. Given that Windows To Go was designed as an enterprise solution, extra consideration was given to the deployment workflows that enterprises already have in place.
Additionally, there has been a focus on minimizing the number of differences in deployment between Windows To Go workspaces and laptop PCs.
+
+> [!NOTE]
+> Windows To Go does not support operating system upgrades. Windows To Go is designed as a feature that is managed centrally. IT departments that plan to transition from one operating system version to a later version will need to incorporate re-imaging their existing Windows To Go drives as part of their upgrade deployment process.
+
+The following sections discuss the boot experience, deployment methods, and tools that you can use with Windows To Go.
+
+- [Initial boot experiences](#wtg-initboot)
+- [Image deployment and drive provisioning considerations](#wtg-imagedep)
+- [Application installation and domain join](#wtg-appinstall)
+- [Management of Windows To Go using Group Policy](#bkmk-wtggp)
+- [Supporting booting from USB](#wtg-bootusb)
+- [Updating firmware](#stg-firmware)
+- [Configure Windows To Go startup options](#wtg-startup)
+- [Change firmware settings](#wtg-changefirmware)
+
+## Initial boot experiences
+
+The following diagrams illustrate the two different methods you could use to provide Windows To Go drives to your users. The experiences differ depending on whether the user will be booting the device initially on-premises or off-premises:
+
+![initial boot on-premises](images/wtg-first-boot-work.gif)
+
+When a Windows To Go workspace is first used at the workplace, the Windows To Go workspace can be joined to the domain through the normal procedures that occur when a new computer is introduced. It obtains a lease, applicable policies are applied and set, and user account tokens are placed appropriately. BitLocker protection can be applied and the BitLocker recovery key automatically stored in Active Directory Domain Services. The user can access network resources to install software and get access to data sources.
When the workspace is subsequently booted at a different location either on or off premises, the configuration required for it to connect back to the work network using either DirectAccess or a virtual private network connection can be configured. It is not necessary to configure the workspace for offline domain join. DirectAccess can make connecting to organizational resources easier, but is not required.
+
+![initial boot off-premises](images/wtg-first-boot-home.gif)
+
+When the Windows To Go workspace is going to be used first on an off-premises computer, such as one at the employee’s home, then the IT professional preparing the Windows To Go drives should configure the drive to be able to connect to organizational resources and to maintain the security of the workspace. In this situation, the Windows To Go workspace needs to be configured for offline domain join and BitLocker needs to be enabled before the workspace has been initialized.
+
+> [!TIP]
+> Applying BitLocker Drive Encryption to the drives before provisioning is a much faster process than encrypting the drives after data has already been stored on them due to a new feature called used-disk space only encryption. For more information, see [What's New in BitLocker](https://go.microsoft.com/fwlink/p/?LinkId=619076).
+
+DirectAccess can be used to ensure that the user can login with their domain credentials without needing a local account. For instructions on setting up a DirectAccess solution, for a small pilot deployment see [Deploy a Single Remote Access Server using the Getting Started Wizard](https://go.microsoft.com/fwlink/p/?LinkId=619077) for a larger scale deployment, see [Deploy Remote Access in an Enterprise](https://go.microsoft.com/fwlink/p/?LinkId=619078). If you do not want to use DirectAccess as an alternative users could log on using a local user account on the Windows To Go workspace and then use a virtual private network for remote access to your organizational network.
+
+### Image deployment and drive provisioning considerations
+
+The Image Deployment process can be accomplished either by a centralized IT process for your organization or by individual users creating their own Windows To Go workspaces. You must have local Administrator access and access to a Windows 10 Enterprise or Windows 10 Education image to create a Windows To Go workspace, or you must be using System Center Configuration Manager 2012 Service Pack 1 or later to distribute Windows To Go workspaces to users. The image deployment process takes a blank USB drive and a Windows 10 Enterprise image (WIM) and turns it into a Windows To Go drive.
+
+![windows to go image deployment](images/wtg-image-deployment.gif)
+
+The simplest way to provision a Windows To Go drive is to use the Windows To Go Creator. After a single Windows To Go workspace has been created, it can be duplicated as many times as necessary using widely available USB duplicator products as long as the device has not been booted. After the Windows To Go drive is initialized, it should not be duplicated. Alternatively, Windows To Go Workspace Creator can be run multiple times to create multiple Windows To Go drives.
+
+> [!TIP]
+> When you create your Windows To Go image use sysprep /generalize, just as you do when you deploy Windows 10 to a standard PC. In fact, if appropriate, use the same image for both deployments.
+
+**Driver considerations**
+
+Windows includes most of the drivers that you will need to support a wide variety of host computers. However, you will occasionally need to download drivers from Windows Update to take advantage of the full functionality of a device. If you are using Windows To Go on a set of known host computers, you can add any additional drivers to the image used on Windows To Go to make Windows To Go drives more quickly usable by your employees.
Especially ensure that network drivers are available so that the user can connect to Windows Update to get additional drivers if necessary. + +Wi-Fi network adapter drivers are one of the most important drivers to make sure that you include in your standard image so that users can easily connect to the internet for any additional updates. IT administrators that are attempting to build Windows 10 images for use with Windows To Go should consider adding additional Wi-Fi drivers to their image to ensure that their users have the best chance of still having basic network connectivity when roaming between systems. + +The following list of commonly used Wi-Fi network adapters that are not supported by the default drivers provided with Windows 10 is provided to help you ascertain whether or not you need to add drivers to your image. + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    Vendor name

    Product description

    HWID

    Windows Update availability

    Broadcom

    802.11abgn Wireless SDIO adapter

    sd\vid_02d0&pid_4330&fn_1

    Contact the system OEM or Broadcom for driver availability.

    Broadcom

    802.11n Network Adapter

    pci\ven_14e4&dev_4331&subsys_00d6106b&rev_02

    Contact the system OEM or Broadcom for driver availability.

    Broadcom

    802.11n Network Adapter

    pci\ven_14e4&dev_4331&subsys_00f5106b&rev_02

    Contact the system OEM or Broadcom for driver availability.

    Broadcom

    802.11n Network Adapter

    pci\ven_14e4&dev_4331&subsys_00ef106b&rev_02

    Contact the system OEM or Broadcom for driver availability.

    Broadcom

    802.11n Network Adapter

    pci\ven_14e4&dev_4331&subsys_00f4106b&rev_02

    Contact the system OEM or Broadcom for driver availability.

    Broadcom

    802.11n Network Adapter

    pci\ven_14e4&dev_4331&subsys_010e106b&rev_02

    Contact the system OEM or Broadcom for driver availability.

    Broadcom

    802.11n Network Adapter

    pci\ven_14e4&dev_4331&subsys_00e4106b&rev_02

    Contact the system OEM or Broadcom for driver availability.

    Broadcom

    802.11n Network Adapter

    pci\ven_14e4&dev_4331&subsys_433114e4&rev_02

    Contact the system OEM or Broadcom for driver availability.

    Broadcom

    802.11n Network Adapter

    pci\ven_14e4&dev_4331&subsys_010f106b&rev_02

    Contact the system OEM or Broadcom for driver availability.

    Marvell

    Yukon 88E8001/8003/8010 PCI Gigabit Ethernet

    pci\ven_11ab&dev_4320&subsys_811a1043

    32-bit driver

    +

    64-bit driver

    Marvell

    Libertas 802.11b/g Wireless

    pci\ven_11ab&dev_1faa&subsys_6b001385&rev_03

    32-bit driver

    +

    64-bit driver

    Qualcomm

    Atheros AR6004 Wireless LAN Adapter

    sd\vid_0271&pid_0401

    32-bit driver

    +

    64-bit driver not available

    Qualcomm

    Atheros AR5BWB222 Wireless Network Adapter

    pci\ven_168c&dev_0034&subsys_20031a56

    32-bit driver

    +

    64-bit driver not available

    Qualcomm

    Atheros AR5BWB222 Wireless Network Adapter

    pci\ven_168c&dev_0034&subsys_020a1028&rev_01

    Contact the system OEM or Qualcom for driver availability.

    Qualcomm

    Atheros AR5005G Wireless Network Adapter

    pci\ven_168c&dev_001a&subsys_04181468&rev_01

    32-bit driver

    +

    64-bit driver

    Ralink

    Wireless-G PCI Adapter

    pci\ven_1814&dev_0301&subsys_00551737&rev_00

    32-bit driver

    +

    64-bit driver

    Ralink

    Turbo Wireless LAN Card

    pci\ven_1814&dev_0301&subsys_25611814&rev_00

    32-bit driver

    +

    64-bit driver

    Ralink

    Wireless LAN Card V1

    pci\ven_1814&dev_0302&subsys_3a711186&rev_00

    32-bit driver

    +

    64-bit driver

    Ralink

    D-Link AirPlus G DWL-G510 Wireless PCI Adapter(rev.C)

    pci\ven_1814&dev_0302&subsys_3c091186&rev_00

    32-bit driver

    +

    64-bit driver

+
+IT administrators that want to target Windows To Go images for specific systems should test their images to ensure that the necessary system drivers are in the image, especially for critical functionality like Wi-Fi that is not supported by class drivers. Some consumer devices require OEM specific driver packages, which may not be available on Windows Update. For more information on how to add a driver to a Windows Image, please refer to the [Basic Windows Deployment Step-by-Step Guide](https://go.microsoft.com/fwlink/p/?LinkId=619079).
+
+### Application installation and domain join
+
+Unless you are using a customized Windows image that includes unattended installation settings, the initial Windows To Go workspace will not be domain joined and will not contain applications. This is exactly like a new installation of Windows on a desktop or laptop computer. When planning your deployment, you should develop methods to join Windows to Go drives to the domain and install the standard applications that users in your organization require. These methods probably will be similar to the ones used for setting up desktop and laptop computers with domain privileges and applications
+
+### Management of Windows To Go using Group Policy
+
+In general, management of Windows To Go workspaces is same as that for desktop and laptop computers. There are Windows To Go specific Group Policy settings that should be considered as part of Windows To Go deployment. Windows To Go Group Policy settings are located at `\\Computer Configuration\Administrative Templates\Windows Components\Portable Operating System\` in the Local Group Policy Editor.
+
+The use of the Store on Windows To Go workspaces that are running Windows 8 can also be controlled by Group Policy. This policy setting is located at `\\Computer Configuration\Administrative Templates\Windows Components\Store\` in the Local Group Policy Editor. The policy settings have specific implications for Windows To Go that you should be aware of when planning your deployment:
+
+**Settings for workspaces**
+
+- **Allow hibernate (S4) when started from a Windows To Go workspace**
+
+ This policy setting specifies whether the PC can use the hibernation sleep state (S4) when started from a Windows To Go workspace. By default, hibernation is disabled when using Windows To Go workspace, so enabling this setting explicitly turns this ability back on. When a computer enters hibernation, the contents of memory are written to disk. When the disk is resumed, it is important that the hardware attached to the system, as well as the disk itself, are unchanged. This is inherently incompatible with roaming between PC hosts. Hibernation should only be used when the Windows To Go workspace is not being used to roam between host PCs.
+
+ > [!IMPORTANT]
+ > For the host-PC to resume correctly when hibernation is enabled the Windows To Go workspace must continue to use the same USB port.
+
+- **Disallow standby sleep states (S1-S3) when starting from a Windows To Go workspace**
+
+ This policy setting specifies whether the PC can use standby sleep states (S1–S3) when started from a Windows To Go workspace. The Sleep state also presents a unique challenge to Windows To Go users. When a computer goes to sleep, it appears as if it is shut down. It could be very easy for a user to think that a Windows To Go workspace in sleep mode was actually shut down and they could remove the Windows To Go drive and take it home. Removing the Windows To Go drive in this scenario is equivalent to an unclean shutdown which may result in the loss of unsaved user data or the corruption on the drive. Moreover, if the user now boots the drive on another PC and brings it back to the first PC which still happens to be in the sleep state, it will lead to an arbitrary crash and eventually corruption of the drive and result in the workspace becoming unusable. If you enable this policy setting, the Windows To Go workspace cannot use the standby states to cause the PC to enter sleep mode. If you disable or do not configure this policy setting, the Windows To Go workspace can place the PC in sleep mode.
+
+**Settings for host PCs**
+
+- **Windows To Go Default Startup Options**
+
+ This policy setting controls whether the host computer will boot to Windows To Go if a USB device containing a Windows To Go workspace is connected, and controls whether users can make changes using the **Windows To Go Startup Options** settings dialog. If you enable this policy setting, booting to Windows To Go when a USB device is connected will be enabled and users will not be able to make changes using the **Windows To Go Startup Options** settings dialog. If you disable this policy setting, booting to Windows To Go when a USB device is connected will not be enabled unless a user configures the option manually in the firmware. If you do not configure this policy setting, users who are members of the local Administrators group can enable or disable booting from USB using the **Windows To Go Startup Options** settings dialog.
+
+ > [!IMPORTANT]
+ > Enabling this policy setting will cause PCs running Windows to attempt to boot from any USB device that is inserted into the PC before it is started.
+
+## Supporting booting from USB
+
+The biggest hurdle for a user wanting to use Windows To Go is configuring their computer to boot from USB. This is traditionally done by entering the firmware and configuring the appropriate boot order options. To ease the process of making the firmware modifications required for Windows To Go, Windows includes a feature named **Windows To Go Startup Options** that allows a user to configure their computer to boot from USB from within Windows—without ever entering their firmware, as long as their firmware supports booting from USB.
+
+> [!NOTE]
+> Enabling a system to always boot from USB first has implications that you should consider. For example, a USB device that includes malware could be booted inadvertently to compromise the system, or multiple USB drives could be plugged in to cause a boot conflict. For this reason, the Windows To Go startup options are disabled by default. In addition, administrator privileges are required to configure Windows To Go startup options.
+
+If you are going to be using a Windows 7 computer as a host-PC, see the wiki article [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkID=618951).
+
+### Roaming between different firmware types
+
+Windows supports two types of PC firmware: Unified Extensible Firmware Interface (UEFI), which is the new standard, and legacy BIOS firmware, which was used in most PCs shipping with Windows 7 or earlier version of Windows. Each firmware type has completely different Windows boot components that are incompatible with each other. Beyond the different boot components, Windows supports different partition styles and layout requirements for each type of firmware as shown in the following diagrams.
+
+![bios layout](images/wtg-mbr-bios.gif)![uefi layout](images/wtg-gpt-uefi.gif)
+
+This presented a unique challenge for Windows To Go because the firmware type is not easily determined by end-users—a UEFI computer looks just like a legacy BIOS computer and Windows To Go must boot on both types of firmware.
+
+To enable booting Windows To Go on both types of firmware, a new disk layout is provided for Windows 8 or later that contains both sets of boot components on a FAT32 system partition and a new command-line option was added to bcdboot.exe to support this configuration. The **/f** option is used with the **bcdboot /s** command to specify the firmware type of the target system partition by appending either **UEFI**, **BIOS** or **ALL**. When creating Windows To Go drives manually you must use the **ALL** parameter to provide the Windows To Go drive the ability to boot on both types of firmware. For example, on volume H: (your Windows To Go USB drive letter), you would use the command **bcdboot C:\\windows /s H: /f ALL**. The following diagram illustrates the disk layout that results from that command:
+
+![firmware roaming disk layout](images/wtg-mbr-firmware-roaming.gif)
+
+This is the only supported disk configuration for Windows To Go. With this disk configuration, a single Windows To Go drive can be booted on computers with UEFI and legacy BIOS firmware.
+
+### Configure Windows To Go startup options
+
+Windows To Go Startup Options is a setting available on Windows 10-based PCs that enables the computer to be booted from a USB without manually changing the firmware settings of the PC. To configure Windows To Go Startup Options you must have administrative rights on the computer and the **Windows To Go Default Startup Options** Group Policy setting must not be configured.
+
+**To configure Windows To Go startup options**
+
+1. On the Start screen, type, type **Windows To Go Startup Options**, click **Settings** and then press Enter.
+
+ ![windows to go startup options](images/wtg-startup-options.gif)
+
+2. Select **Yes** to enable the startup options.
+
+ > [!TIP]
+ > If your computer is part of a domain, the Group Policy setting can be used to enable the startup options instead of the dialog.
+
+
+3. Click **Save Changes**. If the User Account Control dialog box is displayed, confirm that the action it displays is what you want, and then click **Yes**.
+
+### Change firmware settings
+
+If you choose to not use the Windows To Go startup options or are using a PC running Windows 7 as your host computer you will need to manually configure the firmware settings. The process used to accomplish this will depend on the firmware type and manufacturer. If your host computer is protected by BitLocker and running Windows 7 you should suspend BitLocker before making the change to the firmware settings. After the firmware settings have been successfully reconfigured, resume BitLocker protection. If you do not suspend BitLocker first, BitLocker will assume that the computer has been tampered with and will boot into BitLocker recovery mode.
+
+## Related topics
+
+[Windows To Go: feature overview](windows-to-go-overview.md)
+[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
+[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
+[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md)
diff --git a/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md b/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md
index efa2cac236..565b9b6833 100644
--- a/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md
+++ b/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md
@@ -1,68 +1,68 @@
----
-title: Enabling and Disabling Compatibility Fixes in Compatibility Administrator (Windows 10)
-description: You can disable and enable individual compatibility fixes in your customized databases for testing and troubleshooting purposes.
-ms.assetid: 6bd4a7c5-0ed9-4a35-948c-c438aa4d6cb6
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-audience: itpro author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Enabling and Disabling Compatibility Fixes in Compatibility Administrator
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-You can disable and enable individual compatibility fixes in your customized databases for testing and troubleshooting purposes.
-
-## Disabling Compatibility Fixes
-
-
-Customized compatibility databases can become quite complex as you add your fixes for the multiple applications found in your organization. Over time, you may find you need to disable a particular fix in your customized database. For example, if a software vendor releases a fix for an issue addressed in one of your compatibility fixes, you must validate that the vendor's fix is correct and that it resolves your issue. To do this, you must temporarily disable the compatibility fix and then test your application.
-
-**Important**   
-Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to work with custom databases for 32-bit applications and the 64-bit version to work with custom databases for 64-bit applications.
-
-
-
-**To disable a compatibility fix within a database**
-
-1. In the left-sde pane of Compatibility Administrator, expand the custom database that includes the compatibility fix that you want to disable, and then select the specific compatibility fix.
-
- The compatibility fix details appear in the right-hand pane.
-
-2. On the **Database** menu, click **Disable Entry**.
-
- **Important**   
- When you disable an entry, it will remain disabled even if you do not save the database file.
-
-
-
-## Enabling Compatibility Fixes
-
-
-You can enable your disabled compatibility fixes at any time.
-
-**To enable a compatibility fix within a database**
-
-1. In the left-side pane of Compatibility Administrator, expand the custom database that includes the compatibility fix that you want to enable, and then select the specific compatibility fix.
-
- The compatibility fix details appear in the right-side pane.
-
-2. On the **Database** menu, click **Enable Entry**.
-
-## Related topics
-[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
+---
+title: Enabling and Disabling Compatibility Fixes in Compatibility Administrator (Windows 10)
+description: You can disable and enable individual compatibility fixes in your customized databases for testing and troubleshooting purposes.
+ms.assetid: 6bd4a7c5-0ed9-4a35-948c-c438aa4d6cb6
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.pagetype: appcompat
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Enabling and Disabling Compatibility Fixes in Compatibility Administrator
+
+
+**Applies to**
+
+- Windows 10
+- Windows 8.1
+- Windows 8
+- Windows 7
+- Windows Server 2012
+- Windows Server 2008 R2
+
+You can disable and enable individual compatibility fixes in your customized databases for testing and troubleshooting purposes.
+
+## Disabling Compatibility Fixes
+
+Customized compatibility databases can become quite complex as you add your fixes for the multiple applications found in your organization. Over time, you may find you need to disable a particular fix in your customized database. For example, if a software vendor releases a fix for an issue addressed in one of your compatibility fixes, you must validate that the vendor's fix is correct and that it resolves your issue. To do this, you must temporarily disable the compatibility fix and then test your application.
+
+>[!IMPORTANT]
+>Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to work with custom databases for 32-bit applications and the 64-bit version to work with custom databases for 64-bit applications.
+
+
+
+**To disable a compatibility fix within a database**
+
+1. In the left-sde pane of Compatibility Administrator, expand the custom database that includes the compatibility fix that you want to disable, and then select the specific compatibility fix.
+
+ The compatibility fix details appear in the right-hand pane.
+
+2. On the **Database** menu, click **Disable Entry**.
+
+ **Important**   
+ When you disable an entry, it will remain disabled even if you do not save the database file.
+
+
+
+## Enabling Compatibility Fixes
+
+
+You can enable your disabled compatibility fixes at any time.
+
+**To enable a compatibility fix within a database**
+
+1. In the left-side pane of Compatibility Administrator, expand the custom database that includes the compatibility fix that you want to enable, and then select the specific compatibility fix.
+
+ The compatibility fix details appear in the right-side pane.
+
+2. On the **Database** menu, click **Enable Entry**.
+
+## Related topics
+
+[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
diff --git a/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md b/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md
index 6159fe34e5..f8f502fe93 100644
--- a/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md
+++ b/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md
@@ -1,67 +1,68 @@
----
-title: Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator (Windows 10)
-description: The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases.
-ms.assetid: 659c9d62-5f32-433d-94aa-12141c01368f
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-audience: itpro author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases. Both the custom databases and the standard databases store the known compatibility fixes, compatibility modes, and AppHelp messages. They also store the required application-matching information for installation on your local computers.
-
-By default, the Windows® operating system installs a System Application Fix database for use with the Compatibility Administrator. This database can be updated through Windows Update, and is stored in the %WINDIR% \\AppPatch directory. Your custom databases are automatically stored in the %WINDIR% \\AppPatch\\Custom directory and are installed by using the Sdbinst.exe tool provided with the Compatibility Administrator.
-
-**Important**   
-Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to work with custom databases for 32-bit applications and the 64-bit version to work with custom databases for 64-bit applications.
-
-In addition, you must deploy your databases to your organization’s computers before the included fixes will have any effect on the application issue. For more information about deploying your database, see [Using the Sdbinst.exe Command-Line Tool](using-the-sdbinstexe-command-line-tool.md).
-
-
-
-## Installing a Custom Database
-
-
-Installing your custom-compatibility database enables you to fix issues with your installed applications.
-
-**To install a custom database**
-
-1. In the left-side pane of Compatibility Administrator, click the custom database to install to your local computers.
-
-2. On the **File** menu, click **Install**.
-
- The Compatibility Administrator installs the database, which appears in the **Installed Databases** list.
-
- The relationship between your database file and an included application occurs in the registry. Every time you start an application, the operating system checks the registry for compatibility-fix information and, if found, retrieves the information from your customized database file.
-
-## Uninstalling a Custom Database
-
-
-When a custom database is no longer necessary, either because the applications are no longer used or because the vendor has provided a fix that resolves the compatibility issues, you can uninstall the custom database.
-
-**To uninstall a custom database**
-
-1. In the **Installed Databases** list, which appears in the left-side pane of Compatibility Administrator, click the database to uninstall from your local computers.
-
-2. On the **File** menu, click **Uninstall**.
-
-## Related topics
-[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
+---
+title: Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator (Windows 10)
+description: The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases.
+ms.assetid: 659c9d62-5f32-433d-94aa-12141c01368f
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.pagetype: appcompat
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.date: 04/19/2017
+ms.topic: article
+---
+
+# Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator
+
+
+**Applies to**
+
+- Windows 10
+- Windows 8.1
+- Windows 8
+- Windows 7
+- Windows Server 2012
+- Windows Server 2008 R2
+
+The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases. Both the custom databases and the standard databases store the known compatibility fixes, compatibility modes, and AppHelp messages. They also store the required application-matching information for installation on your local computers.
+
+By default, the Windows® operating system installs a System Application Fix database for use with the Compatibility Administrator. This database can be updated through Windows Update, and is stored in the %WINDIR% \\AppPatch directory. Your custom databases are automatically stored in the %WINDIR% \\AppPatch\\Custom directory and are installed by using the Sdbinst.exe tool provided with the Compatibility Administrator.
+
+> [!IMPORTANT]
+> Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to work with custom databases for 32-bit applications and the 64-bit version to work with custom databases for 64-bit applications.
+
+In addition, you must deploy your databases to your organization’s computers before the included fixes will have any effect on the application issue. For more information about deploying your database, see [Using the Sdbinst.exe Command-Line Tool](using-the-sdbinstexe-command-line-tool.md).
+
+
+
+## Installing a Custom Database
+
+
+Installing your custom-compatibility database enables you to fix issues with your installed applications.
+
+**To install a custom database**
+
+1. In the left-side pane of Compatibility Administrator, click the custom database to install to your local computers.
+
+2. On the **File** menu, click **Install**.
+
+ The Compatibility Administrator installs the database, which appears in the **Installed Databases** list.
+
+ The relationship between your database file and an included application occurs in the registry. Every time you start an application, the operating system checks the registry for compatibility-fix information and, if found, retrieves the information from your customized database file.
+
+## Uninstalling a Custom Database
+
+
+When a custom database is no longer necessary, either because the applications are no longer used or because the vendor has provided a fix that resolves the compatibility issues, you can uninstall the custom database.
+
+**To uninstall a custom database**
+
+1. In the **Installed Databases** list, which appears in the left-side pane of Compatibility Administrator, click the database to uninstall from your local computers.
+
+2. On the **File** menu, click **Uninstall**.
+
+## Related topics
+[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
diff --git a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md
index 6dca43c7ac..6c41d9922c 100644
--- a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md
+++ b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md
@@ -1,131 +1,132 @@ ---- -title: Prepare your organization for Windows To Go (Windows 10) -description: Prepare your organization for Windows To Go -ms.assetid: f3f3c160-90ad-40a8-aeba-2aedee18f7ff -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: ["mobile, device, USB, deploy"] -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: mobility -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.topic: article ---- - -# Prepare your organization for Windows To Go - - -**Applies to** - -- Windows 10 - ->[!IMPORTANT] ->Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. - -The following information is provided to help you plan and design a new deployment of a Windows To Go in your production environment. It provides answers to the “what”, “why”, and “when” questions an IT professional might have when planning to deploy Windows To Go. - -## What is Windows To Go? - - -Windows To Go is a feature of Windows 10 Enterprise and Windows 10 Education that enables users to boot Windows from a USB-connected external drive. Windows To Go drives can use the same image that enterprises use for their desktops and laptops, and can be managed the same way. Offering a new mobility option, a Windows To Go workspace is not intended to replace desktops or laptops, or supplant other mobility offerings. - -Enterprise customers utilizing Volume Activation Windows licensing will be able to deploy USB drives provisioned with Windows To Go workspace. These drives will be bootable on multiple compatible host computers. Compatible host computers are computers that are: - -- USB boot capable -- Have USB boot enabled in the firmware -- Meet Windows 7 minimum system requirements -- Have compatible processor architectures (for example, x86 or AMD64) as the image used to create the Windows To Go workspace. 
ARM is not a supported processor for Windows To Go. -- Have firmware architecture that is compatible with the architecture of the image used for the Windows To Go workspace - -Booting a Windows To Go workspace requires no specific software on the host computer. PCs certified for Windows 7 and later can host Windows To Go. - -The following topics will familiarize you with how you can use a Windows To Go workspace and give you an overview of some of the things you should consider in your design. - -## Usage scenarios - - -The following scenarios are examples of situations in which Windows To Go workspaces provide a solution for an IT implementer: - -- **Continuance of operations (COO).** In this scenario, selected employees receive a USB drive with a Windows To Go workspace, which includes all of the applications that the employees use at work. The employees can keep the device at home, in a briefcase, or wherever they want to store it until needed. When the users boot their home computer from the USB drive, it will create a corporate desktop experience so that they can quickly start working. On the very first boot, the employee sees that Windows is installing devices; after that one time, the Windows To Go drive boots like a normal computer. If they have enterprise network access, employees can use a virtual private network (VPN) connection or DirectAccess to access corporate resources. If the enterprise network is available, the Windows To Go workspace will automatically be updated using your standard client management processes. - -- **Contractors and temporary workers.** In this situation, an enterprise IT pro or manager would distribute the Windows To Go drive directly to the worker where they can be assisted with any necessary additional user education needs or address any possible compatibility issues. 
While the worker is on assignment, they can boot their computer exclusively from the Windows To Go drive and run all applications in that environment until the end of the assignment when the device is returned. No installation of software is required on the worker’s personal computer. - -- **Managed free seating.** The employee is issued a Windows To Go drive that is then used with the host computer assigned to that employee for a given session (this could be a vehicle, workspace, or standalone laptop). When the employee leaves the session, the next time they return they use the same USB flash drive but use a different host computer. - -- **Work from home.** In this situation, the Windows To Go drive can be provisioned for employees using various methods including System Center Configuration Manager or other deployment tools and then distributed to employees. The employee is instructed to boot the Windows To Go drive initially at work, which caches the employee’s credentials on the Windows To Go workspace and allows the initial data synchronization between the enterprise network and the Windows To Go workspace. The user can then bring the Windows To Go drive home where it can be used with their home computer, with or without enterprise network connectivity. - -- **Travel lightly.** In this situation you have employees who are moving from site to site, but who always will have access to a compatible host computer on site. Using Windows To Go workspaces allows them to travel without the need to pack their PC. - -**Note**   -If the employee wants to work offline for the majority of the time, but still maintain the ability to use the drive on the enterprise network, they should be informed of how often the Windows To Go workspace needs to be connected to the enterprise network. Doing so will ensure that the drive retains its access privileges and the workspace’s computer object is not potentially deleted from Active Directory Domain Services (AD DS). 
- - - -## Infrastructure considerations - - -Because Windows To Go requires no additional software and minimal configuration, the same tools used to deploy images to other PCs can be used by an enterprise to install Windows To Go on a large group of USB devices. Moreover, because Windows To Go is compatible with connectivity and synchronization solutions already in use—such as Remote Desktop, DirectAccess and Folder Redirection—no additional infrastructure or management is necessary for this deployment. A Windows To Go image can be created on a USB drive that is identical to the hard drive inside a desktop. However, you may wish to consider making some modifications to your infrastructure to help make management of Windows To Go drives easier and to be able to identify them as a distinct device group. - -## Activation considerations - - -Windows To Go uses volume activation. You can use either Active Directory-based activation or KMS activation with Windows To Go. The Windows To Go workspace counts as another installation when assessing compliance with application licensing agreements. - -Microsoft software, such as Microsoft Office, distributed to a Windows To Go workspace must also be activated. Office deployment is fully supported on Windows To Go. Please note, due to the retail subscription activation method associated with Office 365 ProPlus, Office 365 ProPlus subscribers are provided volume licensing activation rights for Office Professional Plus 2013 MSI for local installation on the Windows To Go drive. This is available to organizations who purchase Office 365 ProPlus or Office 365 Enterprise SKUs containing Office 365 ProPlus via volume licensing channels. For more information about activating Microsoft Office, see [Volume activation methods in Office 2013](https://go.microsoft.com/fwlink/p/?LinkId=618922). 
- -You should investigate other software manufacturer’s licensing requirements to ensure they are compatible with roaming usage before deploying them to a Windows To Go workspace. - -**Note**   -Using Multiple Activation Key (MAK) activation is not a supported activation method for Windows To Go as each different PC-host would require separate activation. MAK activation should not be used for activating Windows, Office, or any other application on a Windows To Go drive. - - - -See [Plan for Volume Activation](https://go.microsoft.com/fwlink/p/?LinkId=618923) for more information about these activation methods and how they can be used in your organization. - -## Organizational unit structure and use of Group Policy Objects - - -You may find it beneficial to create additional Active Directory organizational unit (OU) structures to support your Windows To Go deployment; one for host computer accounts and one for Windows To Go workspace computer accounts. Creating an organizational unit for host computers allows you to enable the Windows To Go Startup Options using Group Policy for only the computers that will be used as Windows To Go hosts. Setting this policy helps to prevent computers from being accidentally configured to automatically boot from USB devices and allows closer monitoring and control of those computers which have the ability to boot from a USB device. The organizational unit for Windows To Go workspaces allows you to apply specific policy controls to them, such as the ability to use the Store application, power state controls, and line-of-business application installation. - -If you are deploying Windows To Go workspaces for a scenario in which they are not going to be roaming, but are instead being used on the same host computer, such as with temporary or contract employees, you might wish to enable hibernation or the Windows Store. 
- -For more information about Group Policy settings that can be used with Windows To Go, see [Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md) - -## Computer account management - - -If you configure Windows To Go drives for scenarios where drives may remain unused for extended period of time such as use in continuance of operations scenarios, the AD DS computer account objects that correspond to Windows To Go drives have the potential to become stale and be pruned during maintenance operations. To address this issue, you should either have users log on regularly according to a schedule or modify any maintenance scripts to not clean up computer accounts in the Windows To Go device organizational unit. - -## User account and data management - - -People use computers to work with data and consume content - that is their core function. The data must be stored and retrievable for it to be useful. When users are working in a Windows To Go workspace, they need to have the ability to get to the data that they work with and to keep it accessible when the workspace is not being used. For this reason we recommend that you use folder redirection and offline files to redirect the path of local folders (such as the Documents folder) to a network location, while caching the contents locally for increased speed and availability. We also recommend that you use roaming user profiles to synchronize user specific settings so that users receive the same operating system and application settings when using their Windows To Go workspace and their desktop computer. When a user signs in using a domain account that is set up with a file share as the profile path, the user’s profile is downloaded to the local computer and merged with the local profile (if present). When the user logs off the computer, the local copy of their profile, including any changes, is merged with the server copy of the profile. 
For more information, see [Folder Redirection, Offline Files, and Roaming User Profiles overview](https://go.microsoft.com/fwlink/p/?LinkId=618924). - -Windows To Go is fully integrated with your Microsoft account. Setting synchronization is accomplished by connecting a Microsoft account to a user account. Windows To Go devices fully support this feature and can be managed by Group Policy so that the customization and configurations you prefer will be applied to your Windows To Go workspace. - -## Remote connectivity - - -If you want Windows To Go to be able to connect back to organizational resources when it is being used off-premises a remote connectivity solution must be enabled. Windows Server 2012 DirectAccess can be used as can a virtual private network (VPN) solution. For more information about configuring a remote access solution, see the [Remote Access (DirectAccess, Routing and Remote Access) Overview](https://go.microsoft.com/fwlink/p/?LinkId=618925). - -## Related topics - - -[Windows To Go: feature overview](windows-to-go-overview.md) - -[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md) - -[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md) - -[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md) - - - - - - - - - +--- +title: Prepare your organization for Windows To Go (Windows 10) +description: Prepare your organization for Windows To Go +ms.assetid: f3f3c160-90ad-40a8-aeba-2aedee18f7ff +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: ["mobile, device, USB, deploy"] +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: mobility +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.topic: article +--- + +# Prepare your organization for Windows To Go + + +**Applies to** + +- Windows 10 + +>[!IMPORTANT] +>Windows To Go is no longer being developed. 
The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. + +The following information is provided to help you plan and design a new deployment of a Windows To Go in your production environment. It provides answers to the “what”, “why”, and “when” questions an IT professional might have when planning to deploy Windows To Go. + +## What is Windows To Go? + + +Windows To Go is a feature of Windows 10 Enterprise and Windows 10 Education that enables users to boot Windows from a USB-connected external drive. Windows To Go drives can use the same image that enterprises use for their desktops and laptops, and can be managed the same way. Offering a new mobility option, a Windows To Go workspace is not intended to replace desktops or laptops, or supplant other mobility offerings. + +Enterprise customers utilizing Volume Activation Windows licensing will be able to deploy USB drives provisioned with Windows To Go workspace. These drives will be bootable on multiple compatible host computers. Compatible host computers are computers that are: + +- USB boot capable +- Have USB boot enabled in the firmware +- Meet Windows 7 minimum system requirements +- Have compatible processor architectures (for example, x86 or AMD64) as the image used to create the Windows To Go workspace. ARM is not a supported processor for Windows To Go. +- Have firmware architecture that is compatible with the architecture of the image used for the Windows To Go workspace + +Booting a Windows To Go workspace requires no specific software on the host computer. PCs certified for Windows 7 and later can host Windows To Go. + +The following topics will familiarize you with how you can use a Windows To Go workspace and give you an overview of some of the things you should consider in your design. 
+ +## Usage scenarios + + +The following scenarios are examples of situations in which Windows To Go workspaces provide a solution for an IT implementer: + +- **Continuance of operations (COO).** In this scenario, selected employees receive a USB drive with a Windows To Go workspace, which includes all of the applications that the employees use at work. The employees can keep the device at home, in a briefcase, or wherever they want to store it until needed. When the users boot their home computer from the USB drive, it will create a corporate desktop experience so that they can quickly start working. On the very first boot, the employee sees that Windows is installing devices; after that one time, the Windows To Go drive boots like a normal computer. If they have enterprise network access, employees can use a virtual private network (VPN) connection or DirectAccess to access corporate resources. If the enterprise network is available, the Windows To Go workspace will automatically be updated using your standard client management processes. + +- **Contractors and temporary workers.** In this situation, an enterprise IT pro or manager would distribute the Windows To Go drive directly to the worker where they can be assisted with any necessary additional user education needs or address any possible compatibility issues. While the worker is on assignment, they can boot their computer exclusively from the Windows To Go drive and run all applications in that environment until the end of the assignment when the device is returned. No installation of software is required on the worker’s personal computer. + +- **Managed free seating.** The employee is issued a Windows To Go drive that is then used with the host computer assigned to that employee for a given session (this could be a vehicle, workspace, or standalone laptop). When the employee leaves the session, the next time they return they use the same USB flash drive but use a different host computer. 
+ +- **Work from home.** In this situation, the Windows To Go drive can be provisioned for employees using various methods including System Center Configuration Manager or other deployment tools and then distributed to employees. The employee is instructed to boot the Windows To Go drive initially at work, which caches the employee’s credentials on the Windows To Go workspace and allows the initial data synchronization between the enterprise network and the Windows To Go workspace. The user can then bring the Windows To Go drive home where it can be used with their home computer, with or without enterprise network connectivity. + +- **Travel lightly.** In this situation you have employees who are moving from site to site, but who always will have access to a compatible host computer on site. Using Windows To Go workspaces allows them to travel without the need to pack their PC. + +> [!NOTE] +> If the employee wants to work offline for the majority of the time, but still maintain the ability to use the drive on the enterprise network, they should be informed of how often the Windows To Go workspace needs to be connected to the enterprise network. Doing so will ensure that the drive retains its access privileges and the workspace’s computer object is not potentially deleted from Active Directory Domain Services (AD DS). + + + +## Infrastructure considerations + + +Because Windows To Go requires no additional software and minimal configuration, the same tools used to deploy images to other PCs can be used by an enterprise to install Windows To Go on a large group of USB devices. Moreover, because Windows To Go is compatible with connectivity and synchronization solutions already in use—such as Remote Desktop, DirectAccess and Folder Redirection—no additional infrastructure or management is necessary for this deployment. A Windows To Go image can be created on a USB drive that is identical to the hard drive inside a desktop. 
However, you may wish to consider making some modifications to your infrastructure to help make management of Windows To Go drives easier and to be able to identify them as a distinct device group. + +## Activation considerations + + +Windows To Go uses volume activation. You can use either Active Directory-based activation or KMS activation with Windows To Go. The Windows To Go workspace counts as another installation when assessing compliance with application licensing agreements. + +Microsoft software, such as Microsoft Office, distributed to a Windows To Go workspace must also be activated. Office deployment is fully supported on Windows To Go. Please note, due to the retail subscription activation method associated with Office 365 ProPlus, Office 365 ProPlus subscribers are provided volume licensing activation rights for Office Professional Plus 2013 MSI for local installation on the Windows To Go drive. This is available to organizations who purchase Office 365 ProPlus or Office 365 Enterprise SKUs containing Office 365 ProPlus via volume licensing channels. For more information about activating Microsoft Office, see [Volume activation methods in Office 2013](https://go.microsoft.com/fwlink/p/?LinkId=618922). + +You should investigate other software manufacturer’s licensing requirements to ensure they are compatible with roaming usage before deploying them to a Windows To Go workspace. + +> [!NOTE] +> Using Multiple Activation Key (MAK) activation is not a supported activation method for Windows To Go as each different PC-host would require separate activation. MAK activation should not be used for activating Windows, Office, or any other application on a Windows To Go drive. + + + +See [Plan for Volume Activation](https://go.microsoft.com/fwlink/p/?LinkId=618923) for more information about these activation methods and how they can be used in your organization. 
+ +## Organizational unit structure and use of Group Policy Objects + + +You may find it beneficial to create additional Active Directory organizational unit (OU) structures to support your Windows To Go deployment; one for host computer accounts and one for Windows To Go workspace computer accounts. Creating an organizational unit for host computers allows you to enable the Windows To Go Startup Options using Group Policy for only the computers that will be used as Windows To Go hosts. Setting this policy helps to prevent computers from being accidentally configured to automatically boot from USB devices and allows closer monitoring and control of those computers which have the ability to boot from a USB device. The organizational unit for Windows To Go workspaces allows you to apply specific policy controls to them, such as the ability to use the Store application, power state controls, and line-of-business application installation. + +If you are deploying Windows To Go workspaces for a scenario in which they are not going to be roaming, but are instead being used on the same host computer, such as with temporary or contract employees, you might wish to enable hibernation or the Windows Store. + +For more information about Group Policy settings that can be used with Windows To Go, see [Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md) + +## Computer account management + + +If you configure Windows To Go drives for scenarios where drives may remain unused for extended period of time such as use in continuance of operations scenarios, the AD DS computer account objects that correspond to Windows To Go drives have the potential to become stale and be pruned during maintenance operations. To address this issue, you should either have users log on regularly according to a schedule or modify any maintenance scripts to not clean up computer accounts in the Windows To Go device organizational unit. 
+ +## User account and data management + + +People use computers to work with data and consume content - that is their core function. The data must be stored and retrievable for it to be useful. When users are working in a Windows To Go workspace, they need to have the ability to get to the data that they work with and to keep it accessible when the workspace is not being used. For this reason we recommend that you use folder redirection and offline files to redirect the path of local folders (such as the Documents folder) to a network location, while caching the contents locally for increased speed and availability. We also recommend that you use roaming user profiles to synchronize user specific settings so that users receive the same operating system and application settings when using their Windows To Go workspace and their desktop computer. When a user signs in using a domain account that is set up with a file share as the profile path, the user’s profile is downloaded to the local computer and merged with the local profile (if present). When the user logs off the computer, the local copy of their profile, including any changes, is merged with the server copy of the profile. For more information, see [Folder Redirection, Offline Files, and Roaming User Profiles overview](https://go.microsoft.com/fwlink/p/?LinkId=618924). + +Windows To Go is fully integrated with your Microsoft account. Setting synchronization is accomplished by connecting a Microsoft account to a user account. Windows To Go devices fully support this feature and can be managed by Group Policy so that the customization and configurations you prefer will be applied to your Windows To Go workspace. + +## Remote connectivity + + +If you want Windows To Go to be able to connect back to organizational resources when it is being used off-premises a remote connectivity solution must be enabled. Windows Server 2012 DirectAccess can be used as can a virtual private network (VPN) solution. 
For more information about configuring a remote access solution, see the [Remote Access (DirectAccess, Routing and Remote Access) Overview](https://go.microsoft.com/fwlink/p/?LinkId=618925). + +## Related topics + + +[Windows To Go: feature overview](windows-to-go-overview.md) + +[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md) + +[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md) + +[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md) + + + + + + + + + diff --git a/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md b/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md index 66a530280c..955117dcd6 100644 --- a/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md +++ b/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md 
@@ -1,79 +1,79 @@ ---- -title: Searching for Fixed Applications in Compatibility Administrator (Windows 10) -description: With the search functionality in Compatibility Administrator, you can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages. -ms.assetid: 1051a2dc-0362-43a4-8ae8-07dae39b1cb8 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Searching for Fixed Applications in Compatibility Administrator - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -With the search functionality in Compatibility Administrator, you can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages. This is particularly useful if you are trying to identify applications with a specific compatibility fix or identifying which fixes are applied to a specific application. - -The **Query Compatibility Databases** tool provides additional search options. For more information, see [Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator](searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md). - -## Searching for Previously Applied Compatibility Fixes - - -**Important**   -You must perform your search with the correct version of the Compatibility Administrator tool. If you are searching for a 32-bit custom database, you must use the 32-bit version of Compatibility Administrator. If you are searching for a 64-bit custom database, you must use the 64-bit version of Compatibility Administrator. - - - -**To search for previous fixes** - -1. On the Compatibility Administrator toolbar, click **Search**. - -2. 
Click **Browse** to locate the directory location to search for .exe files. - -3. Select at least one check box from **Entries with Compatibility Fixes**, **Entries with Compatibility Modes**, or **Entries with AppHelp**. - -4. Click **Find Now**. - - The query runs, returning your results in the lower pane. - -## Viewing Your Query Results - - -Your query results display the affected files, the application location, the application name, the type of compatibility fix, and the custom database that provided the fix. - -## Exporting Your Query Results - - -You can export your search results to a text (.txt) file for later review or archival. - -**To export your search results** - -1. In the **Search for Fixes** dialog box, click **Export**. - -2. Browse to the location where you want to store your search result file, and then click **Save**. - -## Related topics -[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) - - - - - - - - - +--- +title: Searching for Fixed Applications in Compatibility Administrator (Windows 10) +description: With the search functionality in Compatibility Administrator, you can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages. +ms.assetid: 1051a2dc-0362-43a4-8ae8-07dae39b1cb8 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Searching for Fixed Applications in Compatibility Administrator + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +With the search functionality in Compatibility Administrator, you can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages. 
This is particularly useful if you are trying to identify applications with a specific compatibility fix or identifying which fixes are applied to a specific application. + +The **Query Compatibility Databases** tool provides additional search options. For more information, see [Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator](searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md). + +## Searching for Previously Applied Compatibility Fixes + +> [!IMPORTANT] +> You must perform your search with the correct version of the Compatibility Administrator tool. If you are searching for a 32-bit custom database, you must use the 32-bit version of Compatibility Administrator. If you are searching for a 64-bit custom database, you must use the 64-bit version of Compatibility Administrator. + + + +**To search for previous fixes** + +1. On the Compatibility Administrator toolbar, click **Search**. + +2. Click **Browse** to locate the directory location to search for .exe files. + +3. Select at least one check box from **Entries with Compatibility Fixes**, **Entries with Compatibility Modes**, or **Entries with AppHelp**. + +4. Click **Find Now**. + + The query runs, returning your results in the lower pane. + +## Viewing Your Query Results + + +Your query results display the affected files, the application location, the application name, the type of compatibility fix, and the custom database that provided the fix. + +## Exporting Your Query Results + + +You can export your search results to a text (.txt) file for later review or archival. + +**To export your search results** + +1. In the **Search for Fixes** dialog box, click **Export**. + +2. Browse to the location where you want to store your search result file, and then click **Save**. + +## Related topics +[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) + + + + + + + + + 
diff --git a/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md b/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md
index 08b12d19fc..5bc84062d1 100644
--- a/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md
+++ b/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md
@@ -1,183 +1,154 @@ ---- -title: Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator (Windows 10) -description: You can access the Query tool from within Compatibility Administrator. The Query tool provides the same functionality as using the Search feature. -ms.assetid: dd213b55-c71c-407a-ad49-33db54f82f22 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -You can access the Query tool from within Compatibility Administrator. The Query tool provides the same functionality as using the Search feature. - -For information about the Search feature, see [Searching for Fixed Applications in Compatibility Administrator](searching-for-fixed-applications-in-compatibility-administrator.md). However, the Query tool provides more detailed search criteria, including tabs that enable you to search the program properties, the compatibility fix properties, and the fix description. You can perform a search by using SQL SELECT and WHERE clauses, in addition to searching specific types of databases. - -**Important**   -You must perform your search with the correct version of the Compatibility Administrator tool. To use the Query tool to search for a 32-bit custom database, you must use the 32-bit version of Compatibility Administrator. To use the Query tool to search for a 64-bit custom database, you must use the 64-bit version of Compatibility Administrator. 
- - - -## Querying by Using the Program Properties Tab - - -You can use the **Program Properties** tab of the Query tool to search for any compatibility fix, compatibility mode, or AppHelp for a specific application. - -**To query by using the Program Properties tab** - -1. On the Compatibility Administrator toolbar, click **Query**. - -2. In the **Look in** drop-down list, select the appropriate database type to search. - -3. Type the location of the application you are searching for into the **Search for the Application** field. - - This name should be the same as the name in the **Applications** area (left pane) of Compatibility Administrator. - -4. Type the application executable (.exe) file name into the **Search for the File** box. If you leave this box blank, the percent (%) sign appears as a wildcard to search for any file. - - You must designate the executable name that was given when the compatibility fix was added to the database. - -5. Optionally, select the check box for one of the following types of compatibility fix: - - - **Compatibility Modes** - - - **Compatibility Fixes** - - - **Application Helps** - - **Important**   - If you do not select any of the check boxes, the search will look for all types of compatibility fixes. Do not select multiple check boxes because only applications that match all of the requirements will appear. - - - -6. Click **Find Now**. - - The query runs and the results of the query are displayed in the lower pane. - -## Querying by Using the Fix Properties Tab - - -You can use the **Fix Properties** tab of the Query tool to search for any application affected by a specific compatibility fix or a compatibility mode. For example, you can search for any application affected by the ProfilesSetup compatibility mode. - -**To query by using the Fix Properties tab** - -1. On the Compatibility Administrator toolbar, click **Query**. - -2. Click the **Fix Properties** tab. - -3. 
In the **Look in** drop-down list, select the appropriate database type to search. - -4. Type the name of the compatibility fix or compatibility mode into the **Search for programs fixed using** field. - - **Note**   - You can use the percent (%) symbol as a wildcard in your fix-properties query, as a substitute for any string of zero or more characters. - - - -5. Select the check box for either **Search in Compatibility Fixes** or **Search in Compatibility Modes**. - - **Important**   - Your text must match the type of compatibility fix or mode for which you are performing the query. For example, entering the name of a compatibility fix and selecting the compatibility mode check box will not return any results. Additionally, if you select both check boxes, the query will search for the fix by compatibility mode and compatibility fix. Only applications that match both requirements appear. - - - -6. Click **Find Now**. - - The query runs and the results of the query are displayed in the lower pane. - -## Querying by Using the Fix Description Tab - - -You can use the **Fix Description** tab of the Query tool to add parameters that enable you to search your compatibility databases by application title or solution description text. - -**To query by using the Fix Description tab** - -1. On the Compatibility Administrator toolbar, click **Query**. - -2. Click the **Fix Description** tab. - -3. In the **Look in** drop-down list, select the appropriate database type to search. - -4. Type your search keywords into the box **Words to look for**. Use commas to separate multiple keywords. - - **Important**   - You cannot use wildcards as part of the Fix Description search query because the default behavior is to search for any entry that meets your search criteria. - - - -5. Refine your search by selecting **Match any word** or **Match all words** from the drop-down list. - -6. Click **Find Now**. - - The query runs and the results of the query are displayed in the lower pane. 
- -## Querying by Using the Fix Description Tab - - -You can use the **Fix Description** tab of the Query tool to add additional SQL Server SELECT and WHERE clauses to your search criteria. - -**To query by using the Advanced tab** - -1. On the Compatibility Administrator toolbar, click **Query**. - -2. Click the **Advanced** tab. - -3. In the **Look in** drop-down list, select the appropriate database type to search. - -4. Select the appropriate SELECT clause for your search from the **Select clauses** box. For example, **APP\_NAME**. - - The **APP\_NAME** clause appears in the **SELECT** field. You can add as many additional clauses as you require. They will appear as columns in your search results. - -5. Select the appropriate WHERE clause for your search from the **Where clauses** box. For example, **DATABASE\_NAME**. - - The **DATABASE\_NAME =** clause appears in the **WHERE** box. - -6. Type the appropriate clause criteria after the equal (=) sign in the **WHERE** box. For example, **DATABASE\_NAME = "Custom\_Database"**. - - You must surround your clause criteria text with quotation marks (") for the clause to function properly. - -7. Click **Find Now**. - - The query runs and the results of the query are displayed in the lower pane. - -## Exporting Your Search Results - - -You can export any of your search results into a tab-delimited text (.txt) file for later review or for archival purposes. - -**To export your results** - -1. After you have completed your search by using the Query tool, click **Export**. - - The **Save results to a file** dialog box appears. - -2. Browse to the location where you intend to store the search results file, and then click **Save**. 
- -## Related topics -[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) - - - - - - - - - +--- +title: Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator (Windows 10) +description: You can access the Query tool from within Compatibility Administrator. The Query tool provides the same functionality as using the Search feature. +ms.assetid: dd213b55-c71c-407a-ad49-33db54f82f22 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.topic: article +--- + +# Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +You can access the Query tool from within Compatibility Administrator. The Query tool provides the same functionality as using the Search feature. + +For information about the Search feature, see [Searching for Fixed Applications in Compatibility Administrator](searching-for-fixed-applications-in-compatibility-administrator.md). However, the Query tool provides more detailed search criteria, including tabs that enable you to search the program properties, the compatibility fix properties, and the fix description. You can perform a search by using SQL SELECT and WHERE clauses, in addition to searching specific types of databases. + +<<<<<<< HEAD +> [!IMPORTANT] +> You must perform your search with the correct version of the Compatibility Administrator tool. To use the Query tool to search for a 32-bit custom database, you must use the 32-bit version of Compatibility Administrator. To use the Query tool to search for a 64-bit custom database, you must use the 64-bit version of Compatibility Administrator. 
+======= +>[!IMPORTANT] +>You must perform your search with the correct version of the Compatibility Administrator tool. To use the Query tool to search for a 32-bit custom database, you must use the 32-bit version of Compatibility Administrator. To use the Query tool to search for a 64-bit custom database, you must use the 64-bit version of Compatibility Administrator. +>>>>>>> bfaab3359a63dde24e6d0dca11b841e045c481f6 + +## Querying by Using the Program Properties Tab + +You can use the **Program Properties** tab of the Query tool to search for any compatibility fix, compatibility mode, or AppHelp for a specific application. + +**To query by using the Program Properties tab** + +1. On the Compatibility Administrator toolbar, click **Query**. +2. In the **Look in** drop-down list, select the appropriate database type to search. +3. Type the location of the application you are searching for into the **Search for the Application** field. + + This name should be the same as the name in the **Applications** area (left pane) of Compatibility Administrator. + +4. Type the application executable (.exe) file name into the **Search for the File** box. If you leave this box blank, the percent (%) sign appears as a wildcard to search for any file. + + You must designate the executable name that was given when the compatibility fix was added to the database. + +5. Optionally, select the check box for one of the following types of compatibility fix: + + - **Compatibility Modes** + - **Compatibility Fixes** + - **Application Helps** + + > [!IMPORTANT] + > If you do not select any of the check boxes, the search will look for all types of compatibility fixes. Do not select multiple check boxes because only applications that match all of the requirements will appear. + +6. Click **Find Now**. + + The query runs and the results of the query are displayed in the lower pane. 
+ +## Querying by Using the Fix Properties Tab + + +You can use the **Fix Properties** tab of the Query tool to search for any application affected by a specific compatibility fix or a compatibility mode. For example, you can search for any application affected by the ProfilesSetup compatibility mode. + +**To query by using the Fix Properties tab** + +1. On the Compatibility Administrator toolbar, click **Query**. +2. Click the **Fix Properties** tab. +3. In the **Look in** drop-down list, select the appropriate database type to search. +4. Type the name of the compatibility fix or compatibility mode into the **Search for programs fixed using** field. + + >[!NOTE] + >You can use the percent (%) symbol as a wildcard in your fix-properties query, as a substitute for any string of zero or more characters + +5. Select the check box for either **Search in Compatibility Fixes** or **Search in Compatibility Modes**. + + >[!IMPORTANT] + >Your text must match the type of compatibility fix or mode for which you are performing the query. For example, entering the name of a compatibility fix and selecting the compatibility mode check box will not return any results. Additionally, if you select both check boxes, the query will search for the fix by compatibility mode and compatibility fix. Only applications that match both requirements appear. + +6. Click **Find Now**. + + The query runs and the results of the query are displayed in the lower pane. + +## Querying by Using the Fix Description Tab + +You can use the **Fix Description** tab of the Query tool to add parameters that enable you to search your compatibility databases by application title or solution description text. + +**To query by using the Fix Description tab** + +1. On the Compatibility Administrator toolbar, click **Query**. +2. Click the **Fix Description** tab. +3. In the **Look in** drop-down list, select the appropriate database type to search. +4. 
Type your search keywords into the box **Words to look for**. Use commas to separate multiple keywords. + + >[!IMPORTANT] + >You cannot use wildcards as part of the Fix Description search query because the default behavior is to search for any entry that meets your search criteria. + +5. Refine your search by selecting **Match any word** or **Match all words** from the drop-down list. +6. Click **Find Now**. + + The query runs and the results of the query are displayed in the lower pane. + +## Querying by Using the Fix Description Tab + + +You can use the **Fix Description** tab of the Query tool to add additional SQL Server SELECT and WHERE clauses to your search criteria. + +**To query by using the Advanced tab** + +1. On the Compatibility Administrator toolbar, click **Query**. +2. Click the **Advanced** tab. +3. In the **Look in** drop-down list, select the appropriate database type to search. +4. Select the appropriate SELECT clause for your search from the **Select clauses** box. For example, **APP\_NAME**. + + The **APP\_NAME** clause appears in the **SELECT** field. You can add as many additional clauses as you require. They will appear as columns in your search results. + +5. Select the appropriate WHERE clause for your search from the **Where clauses** box. For example, **DATABASE\_NAME**. + + The **DATABASE\_NAME =** clause appears in the **WHERE** box. + +6. Type the appropriate clause criteria after the equal (=) sign in the **WHERE** box. For example, **DATABASE\_NAME = "Custom\_Database"**. + + You must surround your clause criteria text with quotation marks (") for the clause to function properly. + +7. Click **Find Now**. + + The query runs and the results of the query are displayed in the lower pane. + +## Exporting Your Search Results + + +You can export any of your search results into a tab-delimited text (.txt) file for later review or for archival purposes. + +**To export your results** + +1. 
After you have completed your search by using the Query tool, click **Export**. + + The **Save results to a file** dialog box appears. + +2. Browse to the location where you intend to store the search results file, and then click **Save**. + +## Related topics + +[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) \ No newline at end of file diff --git a/windows/deployment/planning/testing-your-application-mitigation-packages.md b/windows/deployment/planning/testing-your-application-mitigation-packages.md index 180b884748..6782e5861f 100644 --- a/windows/deployment/planning/testing-your-application-mitigation-packages.md +++ b/windows/deployment/planning/testing-your-application-mitigation-packages.md 
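Review bot: The new side of this hunk commits an unresolved merge conflict — the `<<<<<<< HEAD`, `=======` and `>>>>>>> bfaab3359a63dde24e6d0dca11b841e045c481f6` markers around the IMPORTANT callout will render literally on the published page, and the callout appears twice. Keep one copy (the `> [!IMPORTANT]` / `> You must perform your search …` form matches the other callouts introduced in this hunk) and delete the three marker lines. The rewritten front matter also drops `ms.date: 04/19/2017`, which the sibling file rewritten in this commit keeps, so the omission looks accidental rather than a deliberate policy change. The Advanced-tab section is still headed `## Querying by Using the Fix Description Tab`, duplicating the heading of the section above it; `## Querying by Using the Advanced Tab` would match its own procedure title. The file is also left without a trailing newline, which the other files in this commit retain.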
@@ -1,92 +1,93 @@ ---- -title: Testing Your Application Mitigation Packages (Windows 10) -description: This topic provides details about testing your application-mitigation packages, including recommendations about how to report your information and how to resolve any outstanding issues. -ms.assetid: ae946f27-d377-4db9-b179-e8875d454ccf -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Testing Your Application Mitigation Packages - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -This topic provides details about testing your application-mitigation packages, including recommendations about how to report your information and how to resolve any outstanding issues. - -## Testing Your Application Mitigation Packages - - -Testing your application mitigation package strategies is an iterative process, whereby the mitigation strategies that prove unsuccessful will need to be revised and retested. The testing process includes a series of tests in the test environment and one or more pilot deployments in the production environment. - -**To test your mitigation strategies** - -1. Perform the following steps for each of the applications for which you have developed mitigations. - - 1. Test the mitigation strategy in your test environment. - - 2. If the mitigation strategy is unsuccessful, revise the mitigation strategy and perform step 1 again. - - At the end of this step, you will have successfully tested all of your mitigation strategies in your test environment and can move to your pilot deployment environment. - -2. Perform the following steps in the pilot deployments for each of the applications for which you have developed mitigations. - - 1. Test the mitigation strategy in your pilot deployment. - - 2. 
If the mitigation strategy is unsuccessful, revise the mitigation strategy and perform Step 2 again. - - At the end of this step, you will have successfully tested all of your mitigation strategies in your pilot environment. - -## Reporting the Compatibility Mitigation Status to Stakeholders - - -After testing your application mitigation package, you must communicate your status to the appropriate stakeholders before deployment begins. We recommend that you perform this communication by using the following status ratings. - -- **Resolved application compatibility issues**. This status indicates that the application compatibility issues are resolved and that these applications represent no risk to your environment. - -- **Unresolved application compatibility issues**. This status indicates that there are unresolved issues for the specifically defined applications. Because these applications are a risk to your environment, more discussion is required before you can resolve the compatibility issues. - -- **Changes to user experience**. This status indicates that the fix will change the user experience for the defined applications, possibly requiring your staff to receive further training. More investigation is required before you can resolve the compatibility issues. - -- **Changes in help desk procedures and processes**. This status indicates that the fix will require changes to your help desk's procedures and processes, possibly requiring your support staff to receive further training. More investigation is required before you can resolve the compatibility issues. - -## Resolving Outstanding Compatibility Issues - - -At this point, you probably cannot resolve any unresolved application compatibility issues by automated mitigation methods or by modifying the application. Resolve any outstanding application compatibility issues by using one of the following methods. 
- -- Apply specific compatibility modes, or run the program as an Administrator, by using the Compatibility Administrator tool. - - **Note**   - For more information about using Compatibility Administrator to apply compatibility fixes and compatibility modes, see [Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md). - - - -- Run the application in a virtual environment. - - Run the application in a version of Windows supported by the application in a virtualized environment. This method ensures application compatibility, because the application is running on a supported operating system. - -- Resolve application compatibility by using non-Microsoft tools. - - If the application was developed in an environment other than Microsoft Visual Studio®, you must use non-Microsoft debugging and analysis tools to help resolve the remaining application compatibility issues. - -- Outsource the application compatibility mitigation. - - If your developers have insufficient resources to resolve the application compatibility issues, outsource the mitigation effort to another organization within your company. - -## Related topics -[Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md) +--- +title: Testing Your Application Mitigation Packages (Windows 10) +description: This topic provides details about testing your application-mitigation packages, including recommendations about how to report your information and how to resolve any outstanding issues. 
+ms.assetid: ae946f27-d377-4db9-b179-e8875d454ccf +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Testing Your Application Mitigation Packages + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +This topic provides details about testing your application-mitigation packages, including recommendations about how to report your information and how to resolve any outstanding issues. + +## Testing Your Application Mitigation Packages + + +Testing your application mitigation package strategies is an iterative process, whereby the mitigation strategies that prove unsuccessful will need to be revised and retested. The testing process includes a series of tests in the test environment and one or more pilot deployments in the production environment. + +**To test your mitigation strategies** + +1. Perform the following steps for each of the applications for which you have developed mitigations. + + 1. Test the mitigation strategy in your test environment. + + 2. If the mitigation strategy is unsuccessful, revise the mitigation strategy and perform step 1 again. + + At the end of this step, you will have successfully tested all of your mitigation strategies in your test environment and can move to your pilot deployment environment. + +2. Perform the following steps in the pilot deployments for each of the applications for which you have developed mitigations. + + 1. Test the mitigation strategy in your pilot deployment. + + 2. If the mitigation strategy is unsuccessful, revise the mitigation strategy and perform Step 2 again. + + At the end of this step, you will have successfully tested all of your mitigation strategies in your pilot environment. 
+ +## Reporting the Compatibility Mitigation Status to Stakeholders + + +After testing your application mitigation package, you must communicate your status to the appropriate stakeholders before deployment begins. We recommend that you perform this communication by using the following status ratings. + +- **Resolved application compatibility issues**. This status indicates that the application compatibility issues are resolved and that these applications represent no risk to your environment. + +- **Unresolved application compatibility issues**. This status indicates that there are unresolved issues for the specifically defined applications. Because these applications are a risk to your environment, more discussion is required before you can resolve the compatibility issues. + +- **Changes to user experience**. This status indicates that the fix will change the user experience for the defined applications, possibly requiring your staff to receive further training. More investigation is required before you can resolve the compatibility issues. + +- **Changes in help desk procedures and processes**. This status indicates that the fix will require changes to your help desk's procedures and processes, possibly requiring your support staff to receive further training. More investigation is required before you can resolve the compatibility issues. + +## Resolving Outstanding Compatibility Issues + + +At this point, you probably cannot resolve any unresolved application compatibility issues by automated mitigation methods or by modifying the application. Resolve any outstanding application compatibility issues by using one of the following methods. + +- Apply specific compatibility modes, or run the program as an Administrator, by using the Compatibility Administrator tool. 
+ + > [!NOTE] + > For more information about using Compatibility Administrator to apply compatibility fixes and compatibility modes, see [Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md). + + + +- Run the application in a virtual environment. + + Run the application in a version of Windows supported by the application in a virtualized environment. This method ensures application compatibility, because the application is running on a supported operating system. + +- Resolve application compatibility by using non-Microsoft tools. + + If the application was developed in an environment other than Microsoft Visual Studio®, you must use non-Microsoft debugging and analysis tools to help resolve the remaining application compatibility issues. + +- Outsource the application compatibility mitigation. + + If your developers have insufficient resources to resolve the application compatibility issues, outsource the mitigation effort to another organization within your company. + +## Related topics +[Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md) diff --git a/windows/deployment/planning/understanding-and-using-compatibility-fixes.md b/windows/deployment/planning/understanding-and-using-compatibility-fixes.md index 42f2b0f0dc..fe43dd8983 100644 --- a/windows/deployment/planning/understanding-and-using-compatibility-fixes.md +++ b/windows/deployment/planning/understanding-and-using-compatibility-fixes.md 
@@ -1,101 +1,94 @@
----
-title: Understanding and Using Compatibility Fixes (Windows 10)
-description: As the Windows operating system evolves to support new technology and functionality, the implementations of some functions may change.
-ms.assetid: 84bf663d-3e0b-4168-99d6-a26e054821b7
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-audience: itpro author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Understanding and Using Compatibility Fixes
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-As the Windows operating system evolves to support new technology and functionality, the implementations of some functions may change. This can cause problems for applications that relied upon the original implementation. You can avoid compatibility issues by using the Microsoft Windows Application Compatibility (Compatibility Fix) infrastructure to create a specific application fix for a particular version of an application.
-
-## How the Compatibility Fix Infrastructure Works
-
-
-The Compatibility Fix infrastructure uses the linking ability of APIs to redirect an application from Windows code directly to alternative code that implements the compatibility fix.
-
-The Windows Portable Executable File Format includes headers that contain the data directories that are used to provide a layer of indirection between the application and the linked file. API calls to the external binary files take place through the Import Address Table (IAT), which then directly calls the Windows operating system, as shown in the following figure.
-
-![act app calls operating system through iat](images/dep-win8-l-act-appcallosthroughiat.jpg)
-
-Specifically, the process modifies the address of the affected Windows function in the IAT to point to the compatibility fix code, as shown in the following figure.
-
-![act app redirect with compatibility fix](images/dep-win8-l-act-appredirectwithcompatfix.jpg)
-
-**Note**  
-For statically linked DLLs, the code redirection occurs as the application loads. You can also fix dynamically linked DLLs by hooking into the GetProcAddress API.
-
-
-
-## Design Implications of the Compatibility Fix Infrastructure
-
-
-There are important considerations to keep in mind when determining your application fix strategy, due to certain characteristics of the Compatibility Fix infrastructure.
-
-- The compatibility fix is not part of the Windows operating system (as shown in the previous figure). Therefore, the same security restrictions apply to the compatibility fix as apply to the application code, which means that you cannot use compatibility fixes to bypass any of the security mechanisms of the operating system. Therefore, compatibility fixes do not increase your security exposure, nor do you need to lower your security settings to accommodate compatibility fixes.
-
-- The Compatibility Fix infrastructure injects additional code into the application before it calls the operating system. This means that any remedy that can be accomplished by a compatibility fix can also be addressed by fixing the application code.
-
-- The compatibility fixes run as user-mode code inside of a user-mode application process. This means that you cannot use a compatibility fix to fix kernel-mode code issues. For example, you cannot use a compatibility fix to resolve device-driver issues.
-
- **Note**  
- Some antivirus, firewall, and anti-spyware code runs in kernel mode.
-
-
-
-## Determining When to Use a Compatibility Fix
-
-
-The decision to use compatibility fixes to remedy your compatibility issues may involve more than just technical issues. The following scenarios reflect other common reasons for using a compatibility fix.
-
-### Scenario 1
-
-**The compatibility issue exists on an application which is no longer supported by the vendor.**
-
-As in many companies, you may run applications for which the vendor has ended support. In this situation, you cannot have the vendor make the fix, nor can you access the source code to modify the issue yourself. However, it is possible that the use of a compatibility fix might resolve the compatibility issue.
-
-### Scenario 2
-
-**The compatibility issue exists on an internally created application.**
-
-While it is preferable to fix the application code to resolve the issue, this is not always possible. Your internal team might not be able to fix all of the issues prior to the deployment of the new operating system. Instead, they might choose to employ a compatibility fix anywhere that it is possible. They can then fix the code only for issues that cannot be resolved in this manner. Through this method, your team can modify the application as time permits, without delaying the deployment of the new operating system into your environment.
-
-### Scenario 3
-
-**The compatibility issue exists on an application for which a compatible version is to be released in the near future, or an application that is not critical to the organization, regardless of its version.**
-
-In the situation where an application is either unimportant to your organization, or for which a newer, compatible version is to be released shortly, you can use a compatibility fix as a temporary solution. This means that you can continue to use the application without delaying the deployment of a new operating system, with the intention of updating your configuration as soon as the new version is released.
-
-## Determining Which Version of an Application to Fix
-
-
-You can apply a compatibility fix to a particular version of an application, either by using the "up to or including" clause or by selecting that specific version.
This means that the next version of the application will not have the compatibility fix automatically applied. This is important, because it allows you to continue to use your application, but it also encourages the vendor to fix the application.
-
-## Support for Compatibility Fixes
-
-
-Compatibility fixes are shipped as part of the Windows operating system and are updated by using Windows Update. Therefore, they receive the same level of support as Windows itself.
-
-You can apply the compatibility fixes to any of your applications. However, Microsoft does not provide the tools to use the Compatibility Fix infrastructure to create your own custom fixes.
-
-## Related topics
-[Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md)
+---
+title: Understanding and Using Compatibility Fixes (Windows 10)
+description: As the Windows operating system evolves to support new technology and functionality, the implementations of some functions may change.
+ms.assetid: 84bf663d-3e0b-4168-99d6-a26e054821b7
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.pagetype: appcompat
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Understanding and Using Compatibility Fixes
+
+**Applies to**
+
+- Windows 10
+- Windows 8.1
+- Windows 8
+- Windows 7
+- Windows Server 2012
+- Windows Server 2008 R2
+
+As the Windows operating system evolves to support new technology and functionality, the implementations of some functions may change. This can cause problems for applications that relied upon the original implementation. You can avoid compatibility issues by using the Microsoft Windows Application Compatibility (Compatibility Fix) infrastructure to create a specific application fix for a particular version of an application.
+
+## How the Compatibility Fix Infrastructure Works
+
+The Compatibility Fix infrastructure uses the linking ability of APIs to redirect an application from Windows code directly to alternative code that implements the compatibility fix.
+
+The Windows Portable Executable File Format includes headers that contain the data directories that are used to provide a layer of indirection between the application and the linked file. API calls to the external binary files take place through the Import Address Table (IAT), which then directly calls the Windows operating system, as shown in the following figure.
+
+![act app calls operating system through iat](images/dep-win8-l-act-appcallosthroughiat.jpg)
+
+Specifically, the process modifies the address of the affected Windows function in the IAT to point to the compatibility fix code, as shown in the following figure.
+
+![act app redirect with compatibility fix](images/dep-win8-l-act-appredirectwithcompatfix.jpg)
+
+>[!NOTE]
+>For statically linked DLLs, the code redirection occurs as the application loads. You can also fix dynamically linked DLLs by hooking into the GetProcAddress API.
+
+
+
+## Design Implications of the Compatibility Fix Infrastructure
+
+There are important considerations to keep in mind when determining your application fix strategy, due to certain characteristics of the Compatibility Fix infrastructure.
+
+- The compatibility fix is not part of the Windows operating system (as shown in the previous figure). Therefore, the same security restrictions apply to the compatibility fix as apply to the application code, which means that you cannot use compatibility fixes to bypass any of the security mechanisms of the operating system. Therefore, compatibility fixes do not increase your security exposure, nor do you need to lower your security settings to accommodate compatibility fixes.
+
+- The Compatibility Fix infrastructure injects additional code into the application before it calls the operating system. This means that any remedy that can be accomplished by a compatibility fix can also be addressed by fixing the application code.
+
+- The compatibility fixes run as user-mode code inside of a user-mode application process. This means that you cannot use a compatibility fix to fix kernel-mode code issues. For example, you cannot use a compatibility fix to resolve device-driver issues.
+
+ > [!NOTE]
+ > Some antivirus, firewall, and anti-spyware code runs in kernel mode.
+
+## Determining When to Use a Compatibility Fix
+
+The decision to use compatibility fixes to remedy your compatibility issues may involve more than just technical issues. The following scenarios reflect other common reasons for using a compatibility fix.
+
+### Scenario 1
+
+**The compatibility issue exists on an application which is no longer supported by the vendor.**
+
+As in many companies, you may run applications for which the vendor has ended support. In this situation, you cannot have the vendor make the fix, nor can you access the source code to modify the issue yourself. However, it is possible that the use of a compatibility fix might resolve the compatibility issue.
+
+### Scenario 2
+
+**The compatibility issue exists on an internally created application.**
+
+While it is preferable to fix the application code to resolve the issue, this is not always possible. Your internal team might not be able to fix all of the issues prior to the deployment of the new operating system. Instead, they might choose to employ a compatibility fix anywhere that it is possible. They can then fix the code only for issues that cannot be resolved in this manner. Through this method, your team can modify the application as time permits, without delaying the deployment of the new operating system into your environment.
+
+### Scenario 3
+
+**The compatibility issue exists on an application for which a compatible version is to be released in the near future, or an application that is not critical to the organization, regardless of its version.**
+
+In the situation where an application is either unimportant to your organization, or for which a newer, compatible version is to be released shortly, you can use a compatibility fix as a temporary solution. This means that you can continue to use the application without delaying the deployment of a new operating system, with the intention of updating your configuration as soon as the new version is released.
+
+## Determining Which Version of an Application to Fix
+
+You can apply a compatibility fix to a particular version of an application, either by using the "up to or including" clause or by selecting that specific version. This means that the next version of the application will not have the compatibility fix automatically applied. This is important, because it allows you to continue to use your application, but it also encourages the vendor to fix the application.
+
+## Support for Compatibility Fixes
+
+Compatibility fixes are shipped as part of the Windows operating system and are updated by using Windows Update. Therefore, they receive the same level of support as Windows itself.
+
+You can apply the compatibility fixes to any of your applications. However, Microsoft does not provide the tools to use the Compatibility Fix infrastructure to create your own custom fixes.
+
+## Related topics
+
+[Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md)
diff --git a/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md b/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md
index f5419526ab..579f4b8bfa 100644
--- a/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md
+++ b/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md
@@ -1,59 +1,49 @@
----
-title: Viewing the Events Screen in Compatibility Administrator (Windows 10)
-description: The Events screen enables you to record and to view your activities in the Compatibility Administrator tool, provided that the screen is open while you perform the activities.
-ms.assetid: f2b2ada4-1b7b-4558-989d-5b52b40454b3
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-audience: itpro author: greg-lindsay
-ms.date: 04/19/2017
-ms.topic: article
----
-
-# Viewing the Events Screen in Compatibility Administrator
-
-
-**Applies to**
-
-- Windows 10
-- Windows 8.1
-- Windows 8
-- Windows 7
-- Windows Server 2012
-- Windows Server 2008 R2
-
-The **Events** screen enables you to record and to view your activities in the Compatibility Administrator tool, provided that the screen is open while you perform the activities.
-
-**Important**  
-The **Events** screen only records your activities when the screen is open. If you perform an action before opening the **Events** screen, the action will not appear in the list.
-
-
-
-**To open the Events screen**
-
-- On the **View** menu, click **Events**.
-
-## Handling Multiple Copies of Compatibility Fixes
-
-
-Compatibility Administrator enables you to copy your compatibility fixes from one database to another, which can become confusing after adding multiple fixes, compatibility modes, and databases. For example, you can copy a fix called MyFix from Database 1 to Database 2. However, if there is already a fix called MyFix in Database 2, Compatibility Administrator renames the fix as MyFix (1) to avoid duplicate names.
-
-If you open the **Events** screen and then perform the copy operation, you can see a description of the action, along with the time stamp, which enables you to view your fix information without confusion.
-
-## Related topics
-[Creating a Custom Compatibility Mode in Compatibility Administrator](creating-a-custom-compatibility-mode-in-compatibility-administrator.md)
-
-[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
-
-
-
-
-
-
-
-
-
+---
+title: Viewing the Events Screen in Compatibility Administrator (Windows 10)
+description: The Events screen enables you to record and to view your activities in the Compatibility Administrator tool, provided that the screen is open while you perform the activities.
+ms.assetid: f2b2ada4-1b7b-4558-989d-5b52b40454b3
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.pagetype: appcompat
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Viewing the Events Screen in Compatibility Administrator
+
+
+**Applies to**
+
+- Windows 10
+- Windows 8.1
+- Windows 8
+- Windows 7
+- Windows Server 2012
+- Windows Server 2008 R2
+
+The **Events** screen enables you to record and to view your activities in the Compatibility Administrator tool, provided that the screen is open while you perform the activities.
+
+>[!IMPORTANT]
+>The **Events** screen only records your activities when the screen is open. If you perform an action before opening the **Events** screen, the action will not appear in the list.
+
+
+
+**To open the Events screen**
+
+- On the **View** menu, click **Events**.
+
+## Handling Multiple Copies of Compatibility Fixes
+
+
+Compatibility Administrator enables you to copy your compatibility fixes from one database to another, which can become confusing after adding multiple fixes, compatibility modes, and databases. For example, you can copy a fix called MyFix from Database 1 to Database 2. However, if there is already a fix called MyFix in Database 2, Compatibility Administrator renames the fix as MyFix (1) to avoid duplicate names.
+
+If you open the **Events** screen and then perform the copy operation, you can see a description of the action, along with the time stamp, which enables you to view your fix information without confusion.
+
+## Related topics
+[Creating a Custom Compatibility Mode in Compatibility Administrator](creating-a-custom-compatibility-mode-in-compatibility-administrator.md)
+[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
diff --git a/windows/deployment/planning/windows-10-1709-removed-features.md b/windows/deployment/planning/windows-10-1709-removed-features.md
index 6126b5272f..5a745277d5 100644
--- a/windows/deployment/planning/windows-10-1709-removed-features.md
+++ b/windows/deployment/planning/windows-10-1709-removed-features.md
@@ -1,46 +1,47 @@
----
-title: Windows 10, version 1709 removed features
-description: Learn about features that will be removed in Windows 10, version 1709
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro author: greg-lindsay
-manager: laurawi
-ms.topic: article
----
-# Features that are removed or deprecated in Windows 10, version 1709
-
-> Applies to: Windows 10, version 1709
-
-The following features and functionalities in the Windows 10, version 1709 are either removed from the product in the current release (*Removed*) or are not in active development and might be removed in future releases.
-
-This list is intended to help customers consider these removals and deprecations for their own planning. The list is subject to change and may not include every deprecated feature or functionality.
-
-For more information about a listed feature or functionality and its replacement, see the documentation for that feature. You can also follow the provided links in this table to see additional resources. 
-
-| Feature | Removed | Not actively developed |
-|----------|---------|------------|
-|**3D Builder app**
    No longer installed by default. Consider using Print 3D and Paint 3D in its place. However, 3D Builder is still available for download from the Windows Store. | X | | -|**Apndatabase.xml**
    For more information about the replacement database, see the following Hardware Dev Center articles:
    [MO Process to update COSA](/windows-hardware/drivers/mobilebroadband/planning-your-apn-database-submission)
    [COSA FAQ](/windows-hardware/drivers/mobilebroadband/cosa---faq) | X | | -|**Enhanced Mitigation Experience Toolkit (EMET)**
    Use will be blocked. Consider using the [Exploit Protection](https://blogs.windows.com/windowsexperience/2017/06/28/announcing-windows-10-insider-preview-build-16232-pc-build-15228-mobile/#fMH3bUDAb5HEstZ5.97) feature of Windows Defender Exploit Guard as a replacement.| X | | -|**IIS 6 Management Compatibility**
    We recommend that users use alternative scripting tools and a newer management console. | | X | -|**IIS Digest Authentication**
    We recommend that users use alternative authentication methods.| | X | -|**Microsoft Paint**
    Will be available through the Windows Store. Functionality integrated into Paint 3D.| | X | -|**Outlook Express**
    Removing this non-functional legacy code.| X | | -|**Reader app**
    Functionality to be integrated into Microsoft Edge.| X | | -|**Reading List**
    Functionality to be integrated into Microsoft Edge.| X | | -|**Resilient File System (ReFS)**
    Creation ability will be available in the following editions only: Windows 10 Enterprise and Windows 10 Pro for Workstations. Creation ability will be removed from all other editions. All other editions will have Read and Write ability.
    (added: August 17, 2017)| | X | -|**RSA/AES Encryption for IIS**
    We recommend that users use CNG encryption provider.| | X | -|**Screen saver functionality in Themes**
    Disabled in Themes (classified as **Removed** in this table). Screen saver functionality in Group Policies, Control Panel, and Sysprep continues to be functional. Lockscreen features and policies are preferred. | X | X | -|**Sync your settings**
    Back-end changes: In future releases, the back-end storage for the current sync process will change. A single cloud storage system will be used for Enterprise State Roaming and all other users. The "Sync your settings" options and the Enterprise State Roaming feature will continue to work.
    (updated: August 17, 2017) | | X | -|**Syskey.exe**
    Removing this nonsecure security feature. We recommend that users use BitLocker instead. For more information, see the following Knowledge Base article: [4025993 Syskey.exe utility is no longer supported in Windows 10 RS3 and Windows Server 2016 RS3](https://support.microsoft.com/help/4025993/syskey-exe-utility-is-no-longer-supported-in-windows-10-rs3-and-window)| X | | -|**System Image Backup (SIB) Solution**
    We recommend that users use full-disk backup solutions from other vendors.| | X | -|**TCP Offload Engine**
    Removing this legacy code. This functionality was previously transitioned to the Stack TCP Engine. For more information, see the following PFE Platform Blog article: [Why Are We Deprecating Network Performance Features?](https://blogs.technet.microsoft.com/askpfeplat/2017/06/13/why-are-we-deprecating-network-performance-features-kb4014193)| X || -|**Tile Data Layer**
    To be replaced by the Tile Store.| X || -|**TLS RC4 Ciphers**
    To be disabled by default. For more information, see the following Windows IT Center topic: [TLS (Schannel SSP) changes in Windows 10 and Windows Server 2016](/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server)|| X| -|**Trusted Platform Module (TPM) Owner Password Management**
    This legacy code to be removed.|| X | -|**Trusted Platform Module (TPM): TPM.msc and TPM Remote Management**
    To be replaced by a new user interface in a future release.| | X | -|**Trusted Platform Module (TPM) Remote Management**
    This legacy code to be removed in a future release.|| X | -|**Windows Hello for Business deployment that uses System Center Configuration Manager**
    Windows Server 2016 Active Directory Federation Services – Registration Authority (ADFS RA) deployment is simpler and provides a better user experience and a more deterministic certificate enrollment experience.|| X | -|**Windows PowerShell 2.0**
    Applications and components should be migrated to PowerShell 5.0+.| | X |
+---
+title: Windows 10, version 1709 removed features
+description: Learn about features that will be removed in Windows 10, version 1709
+ms.prod: w10
+ms.mktglfcycl: plan
+ms.localizationpriority: medium
+ms.sitesec: library
+audience: ITPro
+author: greg-lindsay
+manager: laurawi
+ms.topic: article
+---
+# Features that are removed or deprecated in Windows 10, version 1709
+
+> Applies to: Windows 10, version 1709
+
+The following features and functionalities in the Windows 10, version 1709 are either removed from the product in the current release (*Removed*) or are not in active development and might be removed in future releases.
+
+This list is intended to help customers consider these removals and deprecations for their own planning. The list is subject to change and may not include every deprecated feature or functionality.
+
+For more information about a listed feature or functionality and its replacement, see the documentation for that feature. You can also follow the provided links in this table to see additional resources. 
+
+| Feature | Removed | Not actively developed |
+-|-|-
+|**3D Builder app**
    No longer installed by default. Consider using Print 3D and Paint 3D in its place. However, 3D Builder is still available for download from the Windows Store. | X | | +|**Apndatabase.xml**
    For more information about the replacement database, see the following Hardware Dev Center articles:
    [MO Process to update COSA](/windows-hardware/drivers/mobilebroadband/planning-your-apn-database-submission)
    [COSA FAQ](/windows-hardware/drivers/mobilebroadband/cosa---faq) | X | | +|**Enhanced Mitigation Experience Toolkit (EMET)**
    Use will be blocked. Consider using [Exploit Protection](https://blogs.windows.com/windowsexperience/2017/06/28/announcing-windows-10-insider-preview-build-16232-pc-build-15228-mobile/#fMH3bUDAb5HEstZ5.97) as a replacement.| X | | +|**IIS 6 Management Compatibility**
    We recommend that users use alternative scripting tools and a newer management console. | | X | +|**IIS Digest Authentication**
    We recommend that users use alternative authentication methods.| | X | +|**Microsoft Paint**
    Will be available through the Windows Store. Functionality integrated into Paint 3D.| | X | +|**Outlook Express**
    Removing this non-functional legacy code.| X | | +|**Reader app**
    Functionality to be integrated into Microsoft Edge.| X | | +|**Reading List**
    Functionality to be integrated into Microsoft Edge.| X | | +|**Resilient File System (ReFS)**
    Creation ability will be available in the following editions only: Windows 10 Enterprise and Windows 10 Pro for Workstations. Creation ability will be removed from all other editions. All other editions will have Read and Write ability.
    (added: August 17, 2017)| | X | +|**RSA/AES Encryption for IIS**
    We recommend that users use CNG encryption provider.| | X | +|**Screen saver functionality in Themes**
    Disabled in Themes (classified as **Removed** in this table). Screen saver functionality in Group Policies, Control Panel, and Sysprep continues to be functional. Lockscreen features and policies are preferred. | X | X | +|**Sync your settings**
    Back-end changes: In future releases, the back-end storage for the current sync process will change. A single cloud storage system will be used for Enterprise State Roaming and all other users. The "Sync your settings" options and the Enterprise State Roaming feature will continue to work.
    (updated: August 17, 2017) | | X | +|**Syskey.exe**
    Removing this nonsecure security feature. We recommend that users use BitLocker instead. For more information, see the following Knowledge Base article: [4025993 Syskey.exe utility is no longer supported in Windows 10 RS3 and Windows Server 2016 RS3](https://support.microsoft.com/help/4025993/syskey-exe-utility-is-no-longer-supported-in-windows-10-rs3-and-window)| X | | +|**System Image Backup (SIB) Solution**
    We recommend that users use full-disk backup solutions from other vendors.| | X | +|**TCP Offload Engine**
    Removing this legacy code. This functionality was previously transitioned to the Stack TCP Engine. For more information, see the following PFE Platform Blog article: [Why Are We Deprecating Network Performance Features?](https://blogs.technet.microsoft.com/askpfeplat/2017/06/13/why-are-we-deprecating-network-performance-features-kb4014193)| X || +|**Tile Data Layer**
    To be replaced by the Tile Store.| X || +|**TLS RC4 Ciphers**
    To be disabled by default. For more information, see the following Windows IT Center topic: [TLS (Schannel SSP) changes in Windows 10 and Windows Server 2016](/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server)|| X| +|**Trusted Platform Module (TPM) Owner Password Management**
    This legacy code to be removed.|| X | +|**Trusted Platform Module (TPM): TPM.msc and TPM Remote Management**
    To be replaced by a new user interface in a future release.| | X | +|**Trusted Platform Module (TPM) Remote Management**
    This legacy code to be removed in a future release.|| X | +|**Windows Hello for Business deployment that uses System Center Configuration Manager**
    Windows Server 2016 Active Directory Federation Services – Registration Authority (ADFS RA) deployment is simpler and provides a better user experience and a more deterministic certificate enrollment experience.|| X | +|**Windows PowerShell 2.0**
    Applications and components should be migrated to PowerShell 5.0+.| | X |
diff --git a/windows/deployment/planning/windows-10-1903-removed-features.md b/windows/deployment/planning/windows-10-1903-removed-features.md
index 2c73c4bc18..7d8e437274 100644
--- a/windows/deployment/planning/windows-10-1903-removed-features.md
+++ b/windows/deployment/planning/windows-10-1903-removed-features.md
@@ -1,43 +1,45 @@ ---- -title: Windows 10, version 1903 - Features that have been removed -description: Learn about features that will be removed or deprecated in Windows 10, version 1903, or a future release -ms.prod: w10 -ms.mktglfcycl: plan -ms.localizationpriority: medium -ms.sitesec: library -audience: itpro author: greg-lindsay -manager: laurawi -ms.author: greglin -ms.topic: article ---- -# Features removed or planned for replacement starting with Windows 10, version 1903 - -> Applies to: Windows 10, version 1903 - -Each version of Windows 10 adds new features and functionality; occasionally we also remove features and functionality, often because we've added a better option. Below are the details about the features and functionalities that we removed in Windows 10, version 1903. **The list below is subject to change and might not include every affected feature or functionality.** - -**Note**: Join the [Windows Insider program](https://insider.windows.com) to get early access to new Windows 10 builds and test these changes yourself. - -## Features we removed or will remove soon - -The following features and functionalities are removed from the installed product image for Windows 10, version 1903, or are planned for removal in an upcoming release. Applications or code that depend on these features won't function in this release unless you use another method. 
- - -| Feature | Details | -|---------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| XDDM-based remote display driver | Starting with this release the Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release. Independent Software Vendors that use XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information on implementing remote indirect display driver ISVs can reach out to [rdsdev@microsoft.com](mailto:rdsdev@microsoft.com). | -| Desktop messaging app doesn't offer messages sync | The messaging app on Desktop has a sync feature that can be used to sync SMS text messages received from Windows Mobile and keep a copy of them on the Desktop. The sync feature has been removed from all devices. Due to this change, you will only be able to access messages from the device that received the message. | - -## Features we’re no longer developing - -We're no longer actively developing these features and may remove them from a future update. Some features have been replaced with other features or functionality, while others are now available from different sources. 
- -If you have feedback about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app). - -|Feature |Details| -|-----------|---------------------| -| Taskbar settings roaming| Roaming of taskbar settings is no longer being developed and we plan to disable this capability in a future release| -|Wi-Fi WEP and TKIP|In this release a warning message will appear when connecting to Wi-Fi networks secured with WEP or TKIP, which are not as secure as those using WPA2 or WPA3. In a future release, any connection to a Wi-Fi network using these old ciphers will be disallowed. Wi-Fi routers should be updated to use AES ciphers, available with WPA2 or WPA3. | -|Windows To Go|Windows To Go is no longer being developed.

    The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.| -|Print 3D app|Going forward, 3D Builder is the recommended 3D printing app. To 3D print objects on new Windows devices, customers must first install 3D Builder from the Store.| - +--- +title: Windows 10, version 1903 - Features that have been removed +description: Learn about features that will be removed or deprecated in Windows 10, version 1903, or a future release +ms.prod: w10 +ms.mktglfcycl: plan +ms.localizationpriority: medium +ms.sitesec: library +audience: itpro +author: greg-lindsay +manager: laurawi +ms.author: greglin +ms.topic: article +--- +# Features removed or planned for replacement starting with Windows 10, version 1903 + +> Applies to: Windows 10, version 1903 + +Each version of Windows 10 adds new features and functionality; occasionally we also remove features and functionality, often because we've added a better option. Below are the details about the features and functionalities that we removed in Windows 10, version 1903. **The list below is subject to change and might not include every affected feature or functionality.** + +> [!NOTE] +> Join the [Windows Insider program](https://insider.windows.com) to get early access to new Windows 10 builds and test these changes yourself. + +## Features we removed or will remove soon + +The following features and functionalities are removed from the installed product image for Windows 10, version 1903, or are planned for removal in an upcoming release. Applications or code that depend on these features won't function in this release unless you use another method. 
+ + +| Feature | Details | +|---------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| XDDM-based remote display driver | Starting with this release the Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release. Independent Software Vendors that use XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information on implementing remote indirect display driver ISVs can reach out to [rdsdev@microsoft.com](mailto:rdsdev@microsoft.com). | +| Desktop messaging app doesn't offer messages sync | The messaging app on Desktop has a sync feature that can be used to sync SMS text messages received from Windows Mobile and keep a copy of them on the Desktop. The sync feature has been removed from all devices. Due to this change, you will only be able to access messages from the device that received the message. | + +## Features we’re no longer developing + +We're no longer actively developing these features and may remove them from a future update. Some features have been replaced with other features or functionality, while others are now available from different sources. 
+ +If you have feedback about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app). + +|Feature |Details| +|-----------|---------------------| +| Taskbar settings roaming| Roaming of taskbar settings is no longer being developed and we plan to disable this capability in a future release| +|Wi-Fi WEP and TKIP|In this release a warning message will appear when connecting to Wi-Fi networks secured with WEP or TKIP, which are not as secure as those using WPA2 or WPA3. In a future release, any connection to a Wi-Fi network using these old ciphers will be disallowed. Wi-Fi routers should be updated to use AES ciphers, available with WPA2 or WPA3. | +|Windows To Go|Windows To Go is no longer being developed.

    The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.| +|Print 3D app|Going forward, 3D Builder is the recommended 3D printing app. To 3D print objects on new Windows devices, customers must first install 3D Builder from the Store.| + diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md index 2900db198c..8716d1b086 100644 --- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md +++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md 
@@ -23,7 +23,7 @@ Get answers to common questions around compatibility, installation, and support ### Where can I download Windows 10 Enterprise? -If you have Windows volume licenses with Software Assurance, or if you have purchased licenses for Windows 10 Enterprise volume licenses, you can download 32-bit and 64-bit versions of Windows 10 Enterprise from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). If you do not have current Software Assurance for Windows and would like to purchase volume licenses for Windows 10 Enterprise, contact your preferred Microsoft Reseller or see [How to purchase through Volume Licensing](https://www.microsoft.com/en-us/Licensing/how-to-buy/how-to-buy.aspx). +If you have Windows volume licenses with Software Assurance, or if you have purchased licenses for Windows 10 Enterprise volume licenses, you can download 32-bit and 64-bit versions of Windows 10 Enterprise from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). If you do not have current Software Assurance for Windows and would like to purchase volume licenses for Windows 10 Enterprise, contact your preferred Microsoft Reseller or see [How to purchase through Volume Licensing](https://www.microsoft.com/Licensing/how-to-buy/how-to-buy.aspx). ### What are the system requirements? 
@@ -35,7 +35,7 @@ Most computers that are compatible with Windows 8.1 will be compatible with Wind ### Can I evaluate Windows 10 Enterprise? -Yes, a 90-day evaluation of Windows 10 Enterprise is available through the [TechNet Evaluation Center](https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise). The evaluation is available in Chinese (Simplified), Chinese (Traditional), French, German, Italian, Japanese, Korean, Portuguese (Brazil), and Spanish (Spain, International Sort). We highly recommend that organizations make use of the Windows 10 Enterprise 90-day Evaluation to try out deployment and management scenarios, test compatibility with hardware and applications, and to get hands on experience with Windows 10 Enterprise features. +Yes, a 90-day evaluation of Windows 10 Enterprise is available through the [TechNet Evaluation Center](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise). The evaluation is available in Chinese (Simplified), Chinese (Traditional), French, German, Italian, Japanese, Korean, Portuguese (Brazil), and Spanish (Spain, International Sort). We highly recommend that organizations make use of the Windows 10 Enterprise 90-day Evaluation to try out deployment and management scenarios, test compatibility with hardware and applications, and to get hands on experience with Windows 10 Enterprise features. ## Drivers and compatibility 
@@ -56,7 +56,7 @@ Many existing Win32 and Win64 applications already run reliably on Windows 10 wi ### Is there an easy way to assess if my organization’s devices are ready to upgrade to Windows 10? -[Windows Analytics Upgrade Readiness](https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics) (formerly known as Upgrade Analytics) provides powerful insights and recommendations about the computers, applications, and drivers in your organization, at no extra cost and without additional infrastructure requirements. This new service guides you through your upgrade and feature update projects using a workflow based on Microsoft recommended practices. Up-to-date inventory data allows you to balance cost and risk in your upgrade projects. You can find additional product information at [Windows Analytics](https://www.microsoft.com/en-us/WindowsForBusiness/Windows-Analytics). +[Windows Analytics Upgrade Readiness](https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics) (formerly known as Upgrade Analytics) provides powerful insights and recommendations about the computers, applications, and drivers in your organization, at no extra cost and without additional infrastructure requirements. This new service guides you through your upgrade and feature update projects using a workflow based on Microsoft recommended practices. Up-to-date inventory data allows you to balance cost and risk in your upgrade projects. You can find additional product information at [Windows Analytics](https://www.microsoft.com/WindowsForBusiness/Windows-Analytics). ## Administration and deployment diff --git a/windows/deployment/planning/windows-10-fall-creators-removed-features.md b/windows/deployment/planning/windows-10-fall-creators-removed-features.md index bec34fa0f2..9c2f192856 100644 --- a/windows/deployment/planning/windows-10-fall-creators-removed-features.md 
+++ b/windows/deployment/planning/windows-10-fall-creators-removed-features.md 
@@ -1,87 +1,107 @@ ---- -title: Windows 10 Fall Creators Update - Features removed or planned for removal -description: Which features were removed in Windows 10 Fall Creators Update (version 1709)? Which features are we thinking of removing in the future? -ms.prod: w10 -ms.mktglfcycl: plan -ms.localizationpriority: medium -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 10/09/2017 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.topic: article ---- -# Features removed or planned for replacement starting with Windows 10 Fall Creators Update (version 1709) - -> Applies to: Windows 10, version 1709 - -Each release of Windows 10 adds new features and functionality; we also occasionally remove features and functionality, usually because we've added a better option. Read on for details about the features and functionalities that we removed in Windows 10 Fall Creators Update (version 1709). This list also includes information about features and functionality that we're considering removing in a future release of Windows 10. This list is intended to make you aware of current and future changes and inform your planning. **The list is subject to change and might not include every affected feature or functionality.** - -## Features removed from Windows 10 Fall Creators Update -We've removed the following features and functionalities from the installed product image in Windows 10, version 1709. Applications, code, or usage that depend on these features won't function in this release unless you employ an alternate method. - -### 3D Builder -No longer installed by default, [3D Builder](https://www.microsoft.com/store/p/3d-builder/9wzdncrfj3t6) is still available for download from the Microsoft Store. You can also consider using Print 3D and Paint 3D in its place. - -### APN database (Apndatabase.xml) -Replaced by the Country and Operator Settings Asset (COSA) database. 
For more information, see the following Hardware Dev Center articles: -- [Planning your COSA/APN database submission](/windows-hardware/drivers/mobilebroadband/planning-your-apn-database-submission) -- [COSA – FAQ](/windows-hardware/drivers/mobilebroadband/cosa---faq) - -### Enhanced Mitigation Experience Toolkit (EMET) -Removed from the image, and you're blocked from using it. Consider using the [Exploit Protection feature of Windows Defender Exploit Guard](/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard) as a replacement. See the [Announcing Windows 10 Insider Preview Build 16232 for PC + Build 15228 for Mobile](https://blogs.windows.com/windowsexperience/2017/06/28/announcing-windows-10-insider-preview-build-16232-pc-build-15228-mobile/) for details. - -### Outlook Express -Removed this non-functional code. - -### Reader app -Integrated the Reader functionality into Microsoft Edge. - -### Reading list -Integrated the Reading list functionality into Microsoft Edge. - -### Resilient File System (ReFS) -We changed the way that ReFS works, based on the edition of Windows 10 you have. We didn't **remove** ReFS, but how you can use ReFS depends on your edition. - -If you have Windows 10 Enterprise or Windows 10 Pro for Workstations: You can create, read, and write volumes. - -If you have any other edition of Windows 10: You can read and write volumes, but you can't create volumes. If you need to create volumes, upgrade to the Enterprise or Pro for Workstations edition. - -### Syskey.exe -Removed this security feature. Instead, we recommend using [BitLocker](/device-security/bitlocker/bitlocker-overview). For more information, see [4025993 Syskey.exe utility is no longer supported in Windows 10 RS3 and Windows Server 2016 RS3](https://support.microsoft.com/help/4025993/syskey-exe-utility-is-no-longer-supported-in-windows-10-rs3-and-window). - -### TCP Offload Engine -Removed this code. 
The TCP Offload Engine functionality is now available in the Stack TCP Engine. For more information, see [Why Are We Deprecating Network Performance Features (KB4014193)?](https://blogs.technet.microsoft.com/askpfeplat/2017/06/13/why-are-we-deprecating-network-performance-features-kb4014193/) - -### TPM Owner Password Management -Removed this code. - -## Features being considered for replacement starting after Windows Fall Creators Update -We are considering removing the following features and functionalities from the installed product image, starting with releases after Windows 10, version 1709. Eventually, we might completely remove them and replace them with other features or functionality (or, in some instances, make them available from different sources). These features and functionalities are *still available* in this release, but **you should begin planning now to either use alternate methods or to replace any applications, code, or usage that depend on these features.** - -If you have feedback to share about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app). - -### IIS 6 Management Compatibility -We're considering replacing the following specific DISM features: - -- IIS 6 Metabase Compatibility (Web-Metabase) -- IIS 6 Management Console (Web-Lgcy-Mgmt-Console) -- IIS 6 Scripting Tools (Web-Lgcy-Scripting) -- IIS 6 WMI Compatibility (Web-WMI) - -Instead of IIS 6 Metabase Compatibility (which acts as an emulation layer between IIS 6-based metabase scripts and the file-based configuration used by IIS 7 or newer versions) you should start migrating management scripts to target IIS file-based configuration directly, by using tools such as the Microsoft.Web.Administration namespace. 
- -You should also start migration from IIS 6.0 or earlier versions, and move to the [latest version of IIS](/iis/get-started/whats-new-in-iis-10/new-features-introduced-in-iis-10). - -### IIS Digest Authentication -We're considering removing the IIS Digest Authentication method. Instead, you should start using other authentication methods, such as [Client Certificate Mapping](/iis/manage/configuring-security/configuring-one-to-one-client-certificate-mappings) or [Windows Authentication](/iis/configuration/system.webServer/security/authentication/windowsAuthentication/). - -### Microsoft Paint -We're considering removing MS Paint from the basic installed product image - that means it won't be installed by default. **You'll still be able to get the app separately from the [Microsoft Store](https://www.microsoft.com/store/b/home) for free.** Alternately, you can get [Paint 3D](https://www.microsoft.com/store/p/paint-3d/9nblggh5fv99) and [3D Builder](https://www.microsoft.com/store/p/3d-builder/9wzdncrfj3t6) from the Microsoft Store today; both of these offer the same functionality as Microsoft Paint, plus additional features. - -### RSA/AES Encryption for IIS -We're considering removing RSA/AES encryption because the superior [Cryptography API: Next Generation (CNG)](https://msdn.microsoft.com/library/windows/desktop/bb931354(v=vs.85).aspx) method is already available. - -### Sync your settings -We're considering making changes to the back-end storage that will affect the sync process: [Enterprise State Roaming](/azure/active-directory/active-directory-windows-enterprise-state-roaming-overview) and all other users will use a single cloud storage system. Both the "Sync your settings" options and the Enterprise State Roaming feature will continue to work. +--- +title: Windows 10 Fall Creators Update - Features removed or planned for removal +description: Which features were removed in Windows 10 Fall Creators Update (version 1709)? 
Which features are we thinking of removing in the future? +ms.prod: w10 +ms.mktglfcycl: plan +ms.localizationpriority: medium +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 10/09/2017 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.topic: article +--- + +# Features removed or planned for replacement starting with Windows 10 Fall Creators Update (version 1709) + +> Applies to: Windows 10, version 1709 + +Each release of Windows 10 adds new features and functionality; we also occasionally remove features and functionality, usually because we've added a better option. Read on for details about the features and functionalities that we removed in Windows 10 Fall Creators Update (version 1709). This list also includes information about features and functionality that we're considering removing in a future release of Windows 10. This list is intended to make you aware of current and future changes and inform your planning. **The list is subject to change and might not include every affected feature or functionality.** + +## Features removed from Windows 10 Fall Creators Update + +We've removed the following features and functionalities from the installed product image in Windows 10, version 1709. Applications, code, or usage that depend on these features won't function in this release unless you employ an alternate method. + +### 3D Builder + +No longer installed by default, [3D Builder](https://www.microsoft.com/store/p/3d-builder/9wzdncrfj3t6) is still available for download from the Microsoft Store. You can also consider using Print 3D and Paint 3D in its place. + +### APN database (Apndatabase.xml) + +Replaced by the Country and Operator Settings Asset (COSA) database. 
For more information, see the following Hardware Dev Center articles: + +- [Planning your COSA/APN database submission](/windows-hardware/drivers/mobilebroadband/planning-your-apn-database-submission) +- [COSA – FAQ](/windows-hardware/drivers/mobilebroadband/cosa---faq) + +### Enhanced Mitigation Experience Toolkit (EMET) + +Removed from the image, and you're blocked from using it. Consider using the [Exploit Protection feature](/windows/threat-protection/windows-defender-exploit-guard/exploit-protection) as a replacement. See the [Announcing Windows 10 Insider Preview Build 16232 for PC + Build 15228 for Mobile](https://blogs.windows.com/windowsexperience/2017/06/28/announcing-windows-10-insider-preview-build-16232-pc-build-15228-mobile/) for details. + +### Outlook Express + +Removed this non-functional code. + +### Reader app + +Integrated the Reader functionality into Microsoft Edge. + +### Reading list + +Integrated the Reading list functionality into Microsoft Edge. + +### Resilient File System (ReFS) + +We changed the way that ReFS works, based on the edition of Windows 10 you have. We didn't **remove** ReFS, but how you can use ReFS depends on your edition. + +If you have Windows 10 Enterprise or Windows 10 Pro for Workstations: You can create, read, and write volumes. + +If you have any other edition of Windows 10: You can read and write volumes, but you can't create volumes. If you need to create volumes, upgrade to the Enterprise or Pro for Workstations edition. + +### Syskey.exe + +Removed this security feature. Instead, we recommend using [BitLocker](/device-security/bitlocker/bitlocker-overview). For more information, see [4025993 Syskey.exe utility is no longer supported in Windows 10 RS3 and Windows Server 2016 RS3](https://support.microsoft.com/help/4025993/syskey-exe-utility-is-no-longer-supported-in-windows-10-rs3-and-window). + +### TCP Offload Engine + +Removed this code. 
The TCP Offload Engine functionality is now available in the Stack TCP Engine. For more information, see [Why Are We Deprecating Network Performance Features (KB4014193)?](https://blogs.technet.microsoft.com/askpfeplat/2017/06/13/why-are-we-deprecating-network-performance-features-kb4014193/) + +### TPM Owner Password Management + +Removed this code. + +## Features being considered for replacement starting after Windows Fall Creators Update + +We are considering removing the following features and functionalities from the installed product image, starting with releases after Windows 10, version 1709. Eventually, we might completely remove them and replace them with other features or functionality (or, in some instances, make them available from different sources). These features and functionalities are *still available* in this release, but **you should begin planning now to either use alternate methods or to replace any applications, code, or usage that depend on these features.** + +If you have feedback to share about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app). + +### IIS 6 Management Compatibility + +We're considering replacing the following specific DISM features: + +- IIS 6 Metabase Compatibility (Web-Metabase) +- IIS 6 Management Console (Web-Lgcy-Mgmt-Console) +- IIS 6 Scripting Tools (Web-Lgcy-Scripting) +- IIS 6 WMI Compatibility (Web-WMI) + +Instead of IIS 6 Metabase Compatibility (which acts as an emulation layer between IIS 6-based metabase scripts and the file-based configuration used by IIS 7 or newer versions) you should start migrating management scripts to target IIS file-based configuration directly, by using tools such as the Microsoft.Web.Administration namespace. 
+ +You should also start migration from IIS 6.0 or earlier versions, and move to the [latest version of IIS](/iis/get-started/whats-new-in-iis-10/new-features-introduced-in-iis-10). + +### IIS Digest Authentication + +We're considering removing the IIS Digest Authentication method. Instead, you should start using other authentication methods, such as [Client Certificate Mapping](/iis/manage/configuring-security/configuring-one-to-one-client-certificate-mappings) or [Windows Authentication](/iis/configuration/system.webServer/security/authentication/windowsAuthentication/). + +### Microsoft Paint + +We're considering removing MS Paint from the basic installed product image - that means it won't be installed by default. **You'll still be able to get the app separately from the [Microsoft Store](https://www.microsoft.com/store/b/home) for free.** Alternately, you can get [Paint 3D](https://www.microsoft.com/store/p/paint-3d/9nblggh5fv99) and [3D Builder](https://www.microsoft.com/store/p/3d-builder/9wzdncrfj3t6) from the Microsoft Store today; both of these offer the same functionality as Microsoft Paint, plus additional features. + +### RSA/AES Encryption for IIS + +We're considering removing RSA/AES encryption because the superior [Cryptography API: Next Generation (CNG)](https://msdn.microsoft.com/library/windows/desktop/bb931354(v=vs.85).aspx) method is already available. + +### Sync your settings + +We're considering making changes to the back-end storage that will affect the sync process: [Enterprise State Roaming](/azure/active-directory/active-directory-windows-enterprise-state-roaming-overview) and all other users will use a single cloud storage system. Both the "Sync your settings" options and the Enterprise State Roaming feature will continue to work. diff --git a/windows/deployment/planning/windows-10-infrastructure-requirements.md b/windows/deployment/planning/windows-10-infrastructure-requirements.md index 36c030bdcf..03fd161f35 100644 
--- a/windows/deployment/planning/windows-10-infrastructure-requirements.md +++ b/windows/deployment/planning/windows-10-infrastructure-requirements.md 
@@ -1,133 +1,135 @@ ---- -title: Windows 10 infrastructure requirements (Windows 10) -description: There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization. -ms.assetid: B0FA27D9-A206-4E35-9AE6-74E70748BE64 -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: deploy, upgrade, update, hardware -ms.prod: w10 -ms.mktglfcycl: plan -ms.localizationpriority: medium -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.topic: article ---- - -# Windows 10 infrastructure requirements - - -**Applies to** - -- Windows 10 - -There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization. - -## High-level requirements - - -For initial Windows 10 deployments, as well as subsequent Windows 10 upgrades, ensure that sufficient disk space is available for distribution of the Windows 10 installation files (about 3 GB for Windows 10 x64 images, slightly smaller for x86). Also, be sure to take into account the network impact of moving these large images to each PC; you may need to leverage local server storage. - -For persistent VDI environments, carefully consider the I/O impact from upgrading large numbers of PCs in a short period of time. Ensure that upgrades are performed in smaller numbers, or during off-peak time periods. (For pooled VDI environments, a better approach is to replace the base image with a new version.) - -## Deployment tools - - -A new version of the Assessment and Deployment Toolkit (ADK) has been released to support Windows 10. This new version, available for download [here](https://go.microsoft.com/fwlink/p/?LinkId=526740), is required for Windows 10; you should not use earlier versions of the ADK to deploy Windows 10. It also supports the deployment of Windows 7, Windows 8, and Windows 8.1. 
- -Significant enhancements in the ADK for Windows 10 include new runtime provisioning capabilities, which leverage the Windows Imaging and Configuration Designer (Windows ICD), as well as updated versions of existing deployment tools (DISM, USMT, Windows PE, and more). - -Microsoft Deployment Toolkit 2013 Update 1, available for download [here](https://go.microsoft.com/fwlink/p/?LinkId=625079), has also been updated to support Windows 10 and the new ADK; older versions do not support Windows 10. New in this release is task sequence support for Windows 10 in-place upgrades. - -For System Center Configuration Manager, Windows 10 support is offered with various releases: - -| Release | Windows 10 management? | Windows 10 deployment? | -|---------------------------------------------|------------------------|------------------------------------------------| -| System Center Configuration Manager 2007 | Yes, with a hotfix | No | -| System Center Configuration Manager 2012 | Yes, with SP2 and CU1 | Yes, with SP2, CU1, and the ADK for Windows 10 | -| System Center Configuration Manager 2012 R2 | Yes, with SP1 and CU1 | Yes, with SP1, CU1, and the ADK for Windows 10 | - - ->Note: Configuration Manager 2012 supports Windows 10 version 1507 (build 10.0.10240) and 1511 (build 10.0.10586) for the lifecycle of these builds. Future releases of Windows 10 CB/CBB are not supported With Configuration Manager 2012, and will require System Center Configuration Manager current branch for supported management. -  - -For more details about System Center Configuration Manager support for Windows 10, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](../deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md). - -## Management tools - - -In addition to System Center Configuration Manager, Windows 10 also leverages other tools for management. 
For Windows Server and Active Directory, existing supported versions are fully supported for Windows 10. New Group Policy templates will be needed to configure new settings available in Windows 10; these templates are available in the Windows 10 media images, and are available as a separate download [here](https://go.microsoft.com/fwlink/p/?LinkId=625081). See [Group Policy settings reference](https://go.microsoft.com/fwlink/p/?LinkId=625082) for a list of the new and modified policy settings. If you are using a central policy store, follow the steps outlined [here](https://go.microsoft.com/fwlink/p/?LinkId=625083) to update the ADMX files stored in that central store. - -No new Active Directory schema updates or specific functional levels are currently required for core Windows 10 product functionality, although subsequent upgrades could require these to support new features. - -Microsoft Desktop Optimization Pack (MDOP) has been updated to support Windows 10. The minimum versions required to support Windows 10 are as follows: - -| Product | Required version | -|----------------------------------------------------------|--------------------------| -| Advanced Group Policy Management (AGPM) | AGPM 4.0 Service Pack 3 | -| Application Virtualization (App-V) | App-V 5.1 | -| Diagnostics and Recovery Toolkit (DaRT) | DaRT 10 | -| Microsoft BitLocker Administration and Monitoring (MBAM) | MBAM 2.5 SP1 (2.5 is OK) | -| User Experience Virtualization (UE-V) | UE-V 2.1 SP1 | - -  - -For more information, see the [MDOP TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=625090). - -For devices you manage with mobile device management (MDM) solutions such as Microsoft Intune, existing capabilities (provided initially in Windows 8.1) are fully supported in Windows 10; new Windows 10 MDM settings and capabilities will require updates to the MDM services. See [Mobile device management](https://go.microsoft.com/fwlink/p/?LinkId=625084) for more information. 
- -Windows Server Update Services (WSUS) requires some additional configuration to receive updates for Windows 10. Use the Windows Server Update Services admin tool and follow these instructions: - -1. Select the **Options** node, and then click **Products and Classifications**. - -2. In the **Products** tree, select the **Windows 10** and **Windows 10 LTSB** products and any other Windows 10-related items that you want. Click **OK**. - -3. From the **Synchronizations** node, right-click and choose **Synchronize Now**. - -![figure 1](images/fig4-wsuslist.png) - -Figure 1. WSUS product list with Windows 10 choices - -Because Windows 10 updates are cumulative in nature, each month’s new update will supersede the previous month's. Consider leveraging “express installation” packages to reduce the size of the payload that needs to be sent to each PC each month; see [Express installation files](https://go.microsoft.com/fwlink/p/?LinkId=625086) for more information. (Note that this will increase the amount of disk storage needed by WSUS, and impacts all operating systems being managed with WSUS.) - -## Activation - - -Windows 10 volume license editions of Windows 10 will continue to support all existing activation methods (KMS, MAK, and AD-based activation). 
An update will be required for existing KMS servers: - -| Product | Required update | -|----------------------------------------|---------------------------------------------------------------------------------------------| -| Windows 10 | None | -| Windows Server 2012 R2 and Windows 8.1 | [https://support.microsoft.com/kb/3058168](https://go.microsoft.com/fwlink/p/?LinkId=625087) | -| Windows Server 2012 and Windows 8 | [https://support.microsoft.com/kb/3058168](https://go.microsoft.com/fwlink/p/?LinkId=625087) | -| Windows Server 2008 R2 and Windows 7 | [https://support.microsoft.com/kb/3079821](https://support.microsoft.com/kb/3079821) | - -  - -Also see: [Windows Server 2016 Volume Activation Tips](https://blogs.technet.microsoft.com/askcore/2016/10/19/windows-server-2016-volume-activation-tips/) - -Additionally, new product keys will be needed for all types of volume license activation (KMS, MAK, and AD-based Activation); these keys are available on the Volume Licensing Service Center (VLSC) for customers with rights to the Windows 10 operating system. To find the needed keys: - -- Sign into the [Volume Licensing Service Center (VLSC)](https://go.microsoft.com/fwlink/p/?LinkId=625088) at with a Microsoft account that has appropriate rights. - -- For KMS keys, click **Licenses** and then select **Relationship Summary**. Click the appropriate active license ID, and then select **Product Keys** near the right side of the page. For KMS running on Windows Server, find the **Windows Srv 2012R2 DataCtr/Std KMS for Windows 10** product key; for KMS running on client operating systems, find the **Windows 10** product key. - -- For MAK keys, click **Downloads and Keys**, and then filter the list by using **Windows 10** as a product. Click the **Key** link next to an appropriate list entry (for example, **Windows 10 Enterprise** or **Windows 10 Enterprise LTSB**) to view the available MAK keys. (You can also find keys for KMS running on Windows 10 in this list. 
These keys will not work on Windows servers running KMS.) - -Note that Windows 10 Enterprise and Windows 10 Enterprise LTSB installations use different MAK keys. But you can use the same KMS server or Active Directory-based activation environment for both; the KMS keys obtained from the Volume Licensing Service Center will work with both. - -## Related topics - - -[Windows 10 servicing options](../update/waas-servicing-strategy-windows-10-updates.md) -
    [Windows 10 deployment considerations](windows-10-deployment-considerations.md) -
    [Windows 10 compatibility](windows-10-compatibility.md) - -  - -  - - - - - +--- +title: Windows 10 infrastructure requirements (Windows 10) +description: There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization. +ms.assetid: B0FA27D9-A206-4E35-9AE6-74E70748BE64 +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: deploy, upgrade, update, hardware +ms.prod: w10 +ms.mktglfcycl: plan +ms.localizationpriority: medium +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.topic: article +--- + +# Windows 10 infrastructure requirements + + +**Applies to** + +- Windows 10 + +There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization. + +## High-level requirements + + +For initial Windows 10 deployments, as well as subsequent Windows 10 upgrades, ensure that sufficient disk space is available for distribution of the Windows 10 installation files (about 3 GB for Windows 10 x64 images, slightly smaller for x86). Also, be sure to take into account the network impact of moving these large images to each PC; you may need to leverage local server storage. + +For persistent VDI environments, carefully consider the I/O impact from upgrading large numbers of PCs in a short period of time. Ensure that upgrades are performed in smaller numbers, or during off-peak time periods. (For pooled VDI environments, a better approach is to replace the base image with a new version.) + +## Deployment tools + + +A new version of the Assessment and Deployment Toolkit (ADK) has been released to support Windows 10. This new version, available for download [here](https://go.microsoft.com/fwlink/p/?LinkId=526740), is required for Windows 10; you should not use earlier versions of the ADK to deploy Windows 10. 
It also supports the deployment of Windows 7, Windows 8, and Windows 8.1. + +Significant enhancements in the ADK for Windows 10 include new runtime provisioning capabilities, which leverage the Windows Imaging and Configuration Designer (Windows ICD), as well as updated versions of existing deployment tools (DISM, USMT, Windows PE, and more). + +Microsoft Deployment Toolkit 2013 Update 1, available for download [here](https://go.microsoft.com/fwlink/p/?LinkId=625079), has also been updated to support Windows 10 and the new ADK; older versions do not support Windows 10. New in this release is task sequence support for Windows 10 in-place upgrades. + +For System Center Configuration Manager, Windows 10 support is offered with various releases: + +| Release | Windows 10 management? | Windows 10 deployment? | +|---------------------------------------------|------------------------|------------------------------------------------| +| System Center Configuration Manager 2007 | Yes, with a hotfix | No | +| System Center Configuration Manager 2012 | Yes, with SP2 and CU1 | Yes, with SP2, CU1, and the ADK for Windows 10 | +| System Center Configuration Manager 2012 R2 | Yes, with SP1 and CU1 | Yes, with SP1, CU1, and the ADK for Windows 10 | + + +> [!NOTE] +> Configuration Manager 2012 supports Windows 10 version 1507 (build 10.0.10240) and 1511 (build 10.0.10586) for the lifecycle of these builds. Future releases of Windows 10 CB/CBB are not supported With Configuration Manager 2012, and will require System Center Configuration Manager current branch for supported management. +  + +For more details about System Center Configuration Manager support for Windows 10, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](../deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md). + +## Management tools + + +In addition to System Center Configuration Manager, Windows 10 also leverages other tools for management. 
For Windows Server and Active Directory, existing supported versions are fully supported for Windows 10. New Group Policy templates will be needed to configure new settings available in Windows 10; these templates are available in the Windows 10 media images, and are available as a separate download [here](https://go.microsoft.com/fwlink/p/?LinkId=625081). See [Group Policy settings reference](https://go.microsoft.com/fwlink/p/?LinkId=625082) for a list of the new and modified policy settings. If you are using a central policy store, follow the steps outlined [here](https://go.microsoft.com/fwlink/p/?LinkId=625083) to update the ADMX files stored in that central store. + +No new Active Directory schema updates or specific functional levels are currently required for core Windows 10 product functionality, although subsequent upgrades could require these to support new features. + +Microsoft Desktop Optimization Pack (MDOP) has been updated to support Windows 10. The minimum versions required to support Windows 10 are as follows: + +| Product | Required version | +|----------------------------------------------------------|--------------------------| +| Advanced Group Policy Management (AGPM) | AGPM 4.0 Service Pack 3 | +| Application Virtualization (App-V) | App-V 5.1 | +| Diagnostics and Recovery Toolkit (DaRT) | DaRT 10 | +| Microsoft BitLocker Administration and Monitoring (MBAM) | MBAM 2.5 SP1 (2.5 is OK) | +| User Experience Virtualization (UE-V) | UE-V 2.1 SP1 | + +  + +For more information, see the [MDOP TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=625090). + +For devices you manage with mobile device management (MDM) solutions such as Microsoft Intune, existing capabilities (provided initially in Windows 8.1) are fully supported in Windows 10; new Windows 10 MDM settings and capabilities will require updates to the MDM services. See [Mobile device management](https://go.microsoft.com/fwlink/p/?LinkId=625084) for more information. 
+ +Windows Server Update Services (WSUS) requires some additional configuration to receive updates for Windows 10. Use the Windows Server Update Services admin tool and follow these instructions: + +1. Select the **Options** node, and then click **Products and Classifications**. + +2. In the **Products** tree, select the **Windows 10** and **Windows 10 LTSB** products and any other Windows 10-related items that you want. Click **OK**. + +3. From the **Synchronizations** node, right-click and choose **Synchronize Now**. + +![figure 1](images/fig4-wsuslist.png) + +Figure 1. WSUS product list with Windows 10 choices + +Because Windows 10 updates are cumulative in nature, each month’s new update will supersede the previous month's. Consider leveraging “express installation” packages to reduce the size of the payload that needs to be sent to each PC each month; see [Express installation files](https://go.microsoft.com/fwlink/p/?LinkId=625086) for more information. (Note that this will increase the amount of disk storage needed by WSUS, and impacts all operating systems being managed with WSUS.) + +## Activation + + +Windows 10 volume license editions of Windows 10 will continue to support all existing activation methods (KMS, MAK, and AD-based activation). 
An update will be required for existing KMS servers: + +| Product | Required update | +|----------------------------------------|---------------------------------------------------------------------------------------------| +| Windows 10 | None | +| Windows Server 2012 R2 and Windows 8.1 | [https://support.microsoft.com/kb/3058168](https://go.microsoft.com/fwlink/p/?LinkId=625087) | +| Windows Server 2012 and Windows 8 | [https://support.microsoft.com/kb/3058168](https://go.microsoft.com/fwlink/p/?LinkId=625087) | +| Windows Server 2008 R2 and Windows 7 | [https://support.microsoft.com/kb/3079821](https://support.microsoft.com/kb/3079821) | + +  + +Also see: [Windows Server 2016 Volume Activation Tips](https://blogs.technet.microsoft.com/askcore/2016/10/19/windows-server-2016-volume-activation-tips/) + +Additionally, new product keys will be needed for all types of volume license activation (KMS, MAK, and AD-based Activation); these keys are available on the Volume Licensing Service Center (VLSC) for customers with rights to the Windows 10 operating system. To find the needed keys: + +- Sign into the [Volume Licensing Service Center (VLSC)](https://go.microsoft.com/fwlink/p/?LinkId=625088) at with a Microsoft account that has appropriate rights. + +- For KMS keys, click **Licenses** and then select **Relationship Summary**. Click the appropriate active license ID, and then select **Product Keys** near the right side of the page. For KMS running on Windows Server, find the **Windows Srv 2012R2 DataCtr/Std KMS for Windows 10** product key; for KMS running on client operating systems, find the **Windows 10** product key. + +- For MAK keys, click **Downloads and Keys**, and then filter the list by using **Windows 10** as a product. Click the **Key** link next to an appropriate list entry (for example, **Windows 10 Enterprise** or **Windows 10 Enterprise LTSB**) to view the available MAK keys. (You can also find keys for KMS running on Windows 10 in this list. 
These keys will not work on Windows servers running KMS.) + +Note that Windows 10 Enterprise and Windows 10 Enterprise LTSB installations use different MAK keys. But you can use the same KMS server or Active Directory-based activation environment for both; the KMS keys obtained from the Volume Licensing Service Center will work with both. + +## Related topics + + +[Windows 10 servicing options](../update/waas-servicing-strategy-windows-10-updates.md) +
    [Windows 10 deployment considerations](windows-10-deployment-considerations.md) +
    [Windows 10 compatibility](windows-10-compatibility.md) + +  + +  + + + + + diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.md b/windows/deployment/planning/windows-to-go-frequently-asked-questions.md index c48af35d6e..40c4c03e81 100644 --- a/windows/deployment/planning/windows-to-go-frequently-asked-questions.md +++ b/windows/deployment/planning/windows-to-go-frequently-asked-questions.md 
@@ -1,462 +1,463 @@
----
-title: Windows To Go frequently asked questions (Windows 10)
-description: Windows To Go frequently asked questions
-ms.assetid: bfdfb824-4a19-4401-b369-22c5e6ca9d6e
-ms.reviewer:
-manager: laurawi
-ms.author: greglin
-keywords: FAQ, mobile, device, USB
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.pagetype: mobility
-ms.sitesec: library
-audience: itpro author: greg-lindsay
-ms.topic: article
----
-
-# Windows To Go: frequently asked questions
-
-
-**Applies to**
-
-- Windows 10
-
->[!IMPORTANT]
->Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
-
-The following list identifies some commonly asked questions about Windows To Go.
-
-- [What is Windows To Go?](#wtg-faq-whatis)
-
-- [Does Windows To Go rely on virtualization?](#wtg-faq-virt)
-
-- [Who should use Windows To Go?](#wtg-faq-who)
-
-- [How can Windows To Go be deployed in an organization?](#wtg-faq-deploy)
-
-- [Is Windows To Go supported on both USB 2.0 and USB 3.0 drives?](#wtg-faq-usbvs)
-
-- [Is Windows To Go supported on USB 2.0 and USB 3.0 ports?](#wtg-faq-usbports)
-
-- [How do I identify a USB 3.0 port?](#wtg-faq-usb3port)
-
-- [Does Windows To Go run faster on a USB 3.0 port?](#wtg-faq-usb3speed)
-
-- [Can the user self-provision Windows To Go?](#wtg-faq-selfpro)
-
-- [How can Windows To Go be managed in an organization?](#wtg-faq-mng)
-
-- [How do I make my computer boot from USB?](#wtf-faq-startup)
-
-- [Why isn’t my computer booting from USB?](#wtg-faq-noboot)
-
-- [What happens if I remove my Windows To Go drive while it is running?](#wtg-faq-surprise)
-
-- [Can I use BitLocker to protect my Windows To Go drive?](#wtg-faq-bitlocker)
-
-- [Why can’t I enable BitLocker from Windows To Go Creator?](#wtg-faq-blfail)
-
-- [What power states does Windows To Go support?](#wtg-faq-power)
-
-- [Why is 
hibernation disabled in Windows To Go?](#wtg-faq-hibernate) - -- [Does Windows To Go support crash dump analysis?](#wtg-faq-crashdump) - -- [Do “Windows To Go Startup Options” work with dual boot computers?](#wtg-faq-dualboot) - -- [I plugged my Windows To Go drive into a running computer and I can’t see the partitions on the drive. Why not?](#wtg-faq-diskpart) - -- [I’m booted into Windows To Go, but I can’t browse to the internal hard drive of the host computer. Why not?](#wtg-faq-san4) - -- [Why does my Windows To Go drive have an MBR disk format with a FAT32 system partition?](#wtg-faq-fatmbr) - -- [Is Windows To Go secure if I use it on an untrusted machine?](#wtg-faq-malhost) - -- [Does Windows To Go work with ARM processors?](#wtg-faq-arm) - -- [Can I synchronize data from Windows To Go with my other computer?](#wtg-faq-datasync) - -- [What size USB Flash Drive do I need to make a Windows To Go drive?](#wtg-faq-usbsz) - -- [Do I need to activate Windows To Go every time I roam?](#wtg-faq-roamact) - -- [Can I use all Windows features on Windows To Go?](#wtg-faq-features) - -- [Can I use all my applications on Windows To Go?](#wtg-faq-approam) - -- [Does Windows To Go work slower than standard Windows?](#wtg-faq-slow) - -- [If I lose my Windows To Go drive, will my data be safe?](#wtg-faq-safeloss) - -- [Can I boot Windows To Go on a Mac?](#wtg-faq-mac) - -- [Are there any APIs that allow applications to identify a Windows To Go workspace?](#wtg-faq-api) - -- [How is Windows To Go licensed?](#wtg-faq-lic) - -- [Does Windows Recovery Environment work with Windows To Go? What’s the guidance for recovering a Windows To Go drive?](#wtg-faq-recovery) - -- [Why won’t Windows To Go work on a computer running Windows XP or Windows Vista?](#wtg-faq-oldos) - -- [Why does the operating system on the host computer matter?](#wtg-faq-oldos2) - -- [My host computer running Windows 7 is protected by BitLocker Drive Encryption. 
Why did I need to use the recovery key to unlock and reboot my host computer after using Windows To Go?](#wtg-faq-blreckey) - -- [I decided to stop using a drive for Windows To Go and reformatted it – why doesn’t it have a drive letter assigned and how can I fix it?](#wtg-faq-reformat) - -- [Why do I keep on getting the message “Installing devices…” when I boot Windows To Go?](#bkmk-roamconflict) - -- [How do I upgrade the operating system on my Windows To Go drive?](#bkmk-upgradewtg) - -## What is Windows To Go? - - -Windows To Go is a feature for users of Windows 10 Enterprise and Windows 10 Education that enables users to boot a full version of Windows from external USB drives on host PCs. - -## Does Windows To Go rely on virtualization? - - -No. Windows To Go is a native instance of Windows 10 that runs from a USB device. It is just like a laptop hard drive with Windows 8 that has been put into a USB enclosure. - -## Who should use Windows To Go? - - -Windows To Go was designed for enterprise usage and targets scenarios such as continuance of operations, contractors, managed free seating, traveling workers, and work from home. - -## How can Windows To Go be deployed in an organization? - - -Windows To Go can be deployed using standard Windows deployment tools like Diskpart and DISM. The prerequisites for deploying Windows To Go are: - -- A Windows To Go recommended USB drive to provision; See the list of currently available USB drives at [Hardware considerations for Windows To Go](windows-to-go-overview.md#wtg-hardware) - -- A Windows 10 Enterprise or Windows 10 Education image - -- A Windows 10 Enterprise, Windows 10 Education or Windows 10 Professional host PC that can be used to provision new USB keys - -You can use a Windows PowerShell script to target several drives and scale your deployment for a large number of Windows To Go drives. 
You can also use a USB duplicator to duplicate a Windows To Go drive after it has been provisioned if you are creating a large number of drives. See the [Windows To Go Step by Step](https://go.microsoft.com/fwlink/p/?LinkId=618950) article on the TechNet wiki for a walkthrough of the drive creation process. - -## Is Windows To Go supported on both USB 2.0 and USB 3.0 drives? - - -No. Windows To Go is supported on USB 3.0 drives that are certified for Windows To Go. - -## Is Windows To Go supported on USB 2.0 and USB 3.0 ports? - - -Yes. Windows To Go is fully supported on either USB 2.0 ports or USB 3.0 ports on PCs certified for Windows 7 or later. - -## How do I identify a USB 3.0 port? - - -USB 3.0 ports are usually marked blue or carry a SS marking on the side. - -## Does Windows To Go run faster on a USB 3.0 port? - - -Yes. Because USB 3.0 offers significantly faster speeds than USB 2.0, a Windows To Go drive running on a USB 3.0 port will operate considerably faster. This speed increase applies to both drive provisioning and when the drive is being used as a workspace. - -## Can the user self-provision Windows To Go? - - -Yes, if the user has administrator permissions they can self-provision a Windows To Go drive using the Windows To Go Creator wizard which is included in Windows 10 Enterprise, Windows 10 Education and Windows 10 Professional. Additionally, System Center 2012 Configuration Manager SP1 and later releases includes support for user self-provisioning of Windows To Go drives. Configuration Manager can be downloaded for evaluation from the [Microsoft TechNet Evaluation Center](https://go.microsoft.com/fwlink/p/?LinkID=618746). - -## How can Windows To Go be managed in an organization? - - -Windows To Go can be deployed and managed like a traditional desktop PC using standard Windows enterprise software distribution tools like System Center Configuration Manager. 
Computer and user settings for Windows To Go workspaces can be managed using Group Policy setting also in the same manner that you manage Group Policy settings for other PCs in your organization. Windows To Go workspaces can be configured to connect to the organizational resources remotely using DirectAccess or a virtual private network connection so that they can connect securely to your network. - -## How do I make my computer boot from USB? - - -For host computers running Windows 10 - -- Using Cortana, search for **Windows To Go startup options**, and then press Enter. -- In the **Windows To Go Startup Options** dialog box, select **Yes**, and then click **Save Changes** to configure the computer to boot from USB. - -For host computers running Windows 8 or Windows 8.1: - -Press **Windows logo key+W** and then search for **Windows To Go startup options** and then press Enter. - -In the **Windows To Go Startup Options** dialog box select **Yes** and then click **Save Changes** to configure the computer to boot from USB. - -**Note**   -Your IT department can use Group Policy to configure Windows To Go Startup Options in your organization. - - - -If the host computer is running an earlier version of the Windows operating system need to configure the computer to boot from USB manually. - -To do this, early during boot time (usually when you see the manufacturer’s logo), enter your firmware/BIOS setup. (This method to enter firmware/BIOS setup differs with different computer manufacturers, but is usually entered by pressing one of the function keys, such as F12, F2, F1, Esc, and so forth. You should check the manufacturer’s site to be sure if you do not know which key to use to enter firmware setup.) - -After you have entered firmware setup, make sure that boot from USB is enabled. Then change the boot order to boot from USB drives first. 
- -Alternatively, if your computer supports it, you can try to use the one-time boot menu (often F12), to select USB boot on a per-boot basis. - -For more detailed instructions, see the wiki article, [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkID=618951). - -**Warning**   -Configuring a computer to boot from USB will cause your computer to attempt to boot from any bootable USB device connected to your computer. This potentially includes malicious devices. Users should be informed of this risk and instructed to not have any bootable USB storage devices plugged in to their computers except for their Windows To Go drive. - - - -## Why isn’t my computer booting from USB? - - -Computers certified for Windows 7 and later are required to have support for USB boot. Check to see if any of the following items apply to your situation: - -1. Ensure that your computer has the latest BIOS installed and the BIOS is configured to boot from a USB device. - -2. Ensure that the Windows To Go drive is connected directly to a USB port on the computer. Many computers don’t support booting from a device connected to a USB 3 PCI add-on card or external USB hubs. - -3. If the computer is not booting from a USB 3.0 port, try to boot from a USB 2.0 port. - -If none of these items enable the computer to boot from USB, contact the hardware manufacturer for additional support. - -## What happens if I remove my Windows To Go drive while it is running? - - -If the Windows To Go drive is removed, the computer will freeze and the user will have 60 seconds to reinsert the Windows To Go drive. If the Windows To Go drive is reinserted into the same port it was removed from, Windows will resume at the point where the drive was removed. If the USB drive is not reinserted, or is reinserted into a different port, the host computer will turn off after 60 seconds. 
- -**Warning**   -You should never remove your Windows To Go drive when your workspace is running. The computer freeze is a safety measure to help mitigate the risk of accidental removal. Removing the Windows To Go drive without shutting down the Windows To Go workspace could result in corruption of the Windows To Go drive. - - - -## Can I use BitLocker to protect my Windows To Go drive? - - -Yes. In Windows 8 and later, BitLocker has added support for using a password to protect operating system drives. This means that you can use a password to secure your Windows To Go workspace and you will be prompted to enter this password every time you use the Windows To Go workspace. - -## Why can’t I enable BitLocker from Windows To Go Creator? - - -Several different Group Policies control the use of BitLocker on your organizations computers. These policies are located in the **Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption** folder of the local Group Policy editor. The folder contains three sub-folders for fixed, operating system and removable data drive types. - -When you are using Windows To Go Creator, the Windows To Go drive is considered a removable data drive by BitLocker. Review the following setting to see if these settings apply in your situation: - -1. **Control use of BitLocker on removable drives** - - If this setting is disabled BitLocker cannot be used with removable drives, so the Windows To Go Creator wizard will fail if it attempts to enable BitLocker on the Windows To Go drive. - -2. **Configure use of smart cards on removable data drives** - - If this setting is enabled and the option **Require use of smart cards on removable data drives** is also selected the creator wizard might fail if you have not already signed on using your smart card credentials before starting the Windows To Go Creator wizard. - -3. 
**Configure use of passwords for removable data drives** - - If this setting is enabled and the **Require password complexity option** is selected the computer must be able to connect to the domain controller to verify that the password specified meets the password complexity requirements. If the connection is not available, the Windows To Go Creator wizard will fail to enable BitLocker. - -Additionally, the Windows To Go Creator will disable the BitLocker option if the drive does not have any volumes. In this situation, you should initialize the drive and create a volume using the Disk Management console before provisioning the drive with Windows To Go. - -## What power states does Windows To Go support? - - -Windows To Go supports all power states except the hibernate class of power states, which include hybrid boot, hybrid sleep, and hibernate. This default behavior can be modified by using Group Policy settings to enable hibernation of the Windows To Go workspace. - -## Why is hibernation disabled in Windows To Go? - - -When a Windows To Go workspace is hibernated, it will only successfully resume on the exact same hardware. Therefore, if a Windows To Go workspace is hibernated on one computer and roamed to another, the hibernation state (and therefore user state) will be lost. To prevent this from happening, the default settings for a Windows To Go workspace disable hibernation. If you are confident that you will only attempt to resume on the same computer, you can enable hibernation using the Windows To Go Group Policy setting, **Allow hibernate (S4) when started from a Windows To Go workspace** that is located at **\\\\Computer Configuration\\Administrative Templates\\Windows Components\\Portable Operating System\\** in the Local Group Policy Editor (gpedit.msc). - -## Does Windows To Go support crash dump analysis? - - -Yes. Windows 8 and later support crash dump stack analysis for both USB 2.0 and 3.0. 
- -## Do “Windows To Go Startup Options” work with dual boot computers? - - -Yes, if both operating systems are running the Windows 8 operating system. Enabling “Windows To Go Startup Options” should cause the computer to boot from the Windows To Go workspace when the drive is plugged in before the computer is turned on. - -If you have configured a dual boot computer with a Windows operating system and another operating system it might work occasionally and fail occasionally. Using this configuration is unsupported. - -## I plugged my Windows To Go drive into a running computer and I can’t see the partitions on the drive. Why not? - - -Windows To Go Creator and the recommended deployment steps for Windows To Go set the NO\_DEFAULT\_DRIVE\_LETTER flag on the Windows To Go drive. This flag prevents Windows from automatically assigning drive letters to the partitions on the Windows To Go drive. That’s why you can’t see the partitions on the drive when you plug your Windows To Go drive into a running computer. This helps prevent accidental data leakage between the Windows To Go drive and the host computer. If you really need to access the files on the Windows To Go drive from a running computer, you can use diskmgmt.msc or diskpart to assign a drive letter. - -**Warning**   -It is strongly recommended that you do not plug your Windows To Go drive into a running computer. If the computer is compromised, your Windows To Go workspace can also be compromised. - - - -## I’m booted into Windows To Go, but I can’t browse to the internal hard drive of the host computer. Why not? - - -Windows To Go Creator and the recommended deployment steps for Windows To Go set SAN Policy 4 on Windows To Go drive. This policy prevents Windows from automatically mounting internal disk drives. That’s why you can’t see the internal hard drives of the host computer when you are booted into Windows To Go. This is done to prevent accidental data leakage between Windows To Go and the host system. 
This policy also prevents potential corruption on the host drives or data loss if the host operating system is in a hibernation state. If you really need to access the files on the internal hard drive, you can use diskmgmt.msc to mount the internal drive. - -**Warning**   -It is strongly recommended that you do not mount internal hard drives when booted into the Windows To Go workspace. If the internal drive contains a hibernated Windows 8 or later operating system, mounting the drive will lead to loss of hibernation state and therefor user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted. - - - -## Why does my Windows To Go drive have an MBR disk format with a FAT32 system partition? - - -This is done to allow Windows To Go to boot from UEFI and legacy systems. - -## Is Windows To Go secure if I use it on an untrusted computer? - - -While you are more secure than if you use a completely untrusted operating system, you are still vulnerable to attacks from the firmware or anything that runs before Windows To Go starts. If you plug your Windows To Go drive into a running untrusted computer, your Windows To Go drive can be compromised because any malicious software that might be active on the computer can access the drive. - -## Does Windows To Go work with ARM processors? - - -No. Windows RT is a specialized version of Windows designed for ARM processors. Windows To Go is currently only supported on PCs with x86 or x64-based processors. - -## Can I synchronize data from Windows To Go with my other computer? - - -To get your data across all your computers, we recommend using folder redirection and client side caching to store copies of your data on a server while giving you offline access to the files you need. 
- -## What size USB flash drive do I need to make a Windows To Go drive? - - -The size constraints are the same as full Windows. To ensure that you have enough space for Windows, your data, and your applications, we recommend USB drives that are a minimum of 20 GB in size. - -## Do I need to activate Windows To Go every time I roam? - - -No, Windows To Go requires volume activation; either using the [Key Management Service](https://go.microsoft.com/fwlink/p/?LinkId=619051) (KMS) server in your organization or using [Active Directory](https://go.microsoft.com/fwlink/p/?LinkId=619053) based volume activation. The Windows To Go workspace will not need to be reactivated every time you roam. KMS activates Windows on a local network, eliminating the need for individual computers to connect to Microsoft. To remain activated, KMS client computers must renew their activation by connecting to the KMS host on periodic basis. This typically occurs as soon as the user has access to the corporate network (either through a direct connection on-premises or a through remote connection using DirectAccess or a virtual private network connection), once activated the machine will not need to be activated again until the activation validity interval has passed. In a KMS configuration the activation validity interval is 180 days. - -## Can I use all Windows features on Windows To Go? - - -Yes, with some minor exceptions, you can use all Windows features with your Windows To Go workspace. The only currently unsupported features are using the Windows Recovery Environment and PC Reset & Refresh. - -## Can I use all my applications on Windows To Go? - - -Yes. Because your Windows To Go workspace is a full Windows 10 environment, all applications that work with Windows 10 should work in your Windows To Go workspace. 
However, any applications that use hardware binding (usually for licensing and/or digital rights management reasons) may not run when you roam your Windows To Go drive between different host computers, and you may have to use those applications on the same host computer every time. - -## Does Windows To Go work slower than standard Windows? - - -If you are using a USB 3.0 port and a Windows To Go certified device, there should be no perceivable difference between standard Windows and Windows To Go. However, if you are booting from a USB 2.0 port, you may notice some slowdown since USB 2.0 transfer speeds are slower than SATA speeds. - -## If I lose my Windows To Go drive, will my data be safe? - - -Yes! If you enable BitLocker on your Windows To Go drive, all your data will be encrypted and protected and a malicious user will not be able to access your data without your password. If you don’t enable BitLocker, your data will be vulnerable if you lose your Windows To Go drive. - -## Can I boot Windows To Go on a Mac? - - -We are committed to give customers a consistent and quality Windows 10 experience with Windows To Go. Windows To Go supports host devices certified for use with Windows 7 or later. Because Mac computers are not certified for use with Windows 7 or later, using Windows To Go is not supported on a Mac. - -## Are there any APIs that allow applications to identify a Windows To Go workspace? - - -Yes. You can use a combination of identifiers to determine if the currently running operating system is a Windows To Go workspace. First, check if the **PortableOperatingSystem** property is true. When that value is true it means that the operating system was booted from an external USB device. - -Next, check if the **OperatingSystemSKU** property is equal to **4** (for Windows 10 Enterprise) or **121** (for Windows 10 Education). The combination of those two properties represents a Windows To Go workspace environment. 
- -For more information, see the MSDN article on the [Win32\_OperatingSystem class](https://go.microsoft.com/fwlink/p/?LinkId=619059). - -## How is Windows To Go licensed? - - -Windows To Go allows organization to support the use of privately owned PCs at the home or office with more secure access to their organizational resources. With Windows To Go use rights under [Software Assurance](https://go.microsoft.com/fwlink/p/?LinkId=619062), an employee will be able to use Windows To Go on any company PC licensed with Software Assurance as well as from their home PC. - -## Does Windows Recovery Environment work with Windows To Go? What’s the guidance for recovering a Windows To Go drive? - - -No, use of Windows Recovery Environment is not supported on Windows To Go. It is recommended that you implement user state virtualization technologies like Folder Redirection to centralize and back up user data in the data center. If any corruption occurs on a Windows To Go drive, you should re-provision the workspace. - -## Why won’t Windows To Go work on a computer running Windows XP or Windows Vista? - - -Actually it might. If you have purchased a computer certified for Windows 7 or later and then installed an older operating system, Windows To Go will boot and run as expected as long as you have configured the firmware to boot from USB. However, if the computer was certified for Windows XP or Windows Vista, it might not meet the hardware requirements for Windows To Go to run. Typically computers certified for Windows Vista and earlier operating systems have less memory, less processing power, reduced video rendering, and slower USB ports. - -## Why does the operating system on the host computer matter? - - -It doesn’t other than to help visually identify if the PC has compatible hardware. For a PC to be certified for Windows 7 or later it had to support booting from USB. If a computer cannot boot from USB there is no way that it can be used with Windows To Go. 
The Windows To Go workspace is a full Windows 10 environment, so all of the hardware requirements of Windows 10 with respect to processing speed, memory usage, and graphics rendering need to be supported to be assured that it will work as expected. - -## My host computer running Windows 7 is protected by BitLocker Drive Encryption. Why did I need to use the recovery key to unlock and reboot my host computer after using Windows To Go? - - -The default BitLocker protection profile in Windows 7 monitors the host computer for changes to the boot order as part of protecting the computer from tampering. When you change the boot order of the host computer to enable it to boot from the Windows To Go drive, the BitLocker system measurements will reflect that change and boot into recovery mode so that the computer can be inspected if necessary. - -You can reset the BitLocker system measurements to incorporate the new boot order using the following steps: - -1. Log on to the host computer using an account with administrator privileges. - -2. Click **Start**, click **Control Panel**, click **System and Security**, and then click **BitLocker Drive Encryption**. - -3. Click **Suspend Protection** for the operating system drive. - - A message is displayed, informing you that your data will not be protected while BitLocker is suspended and asking if you want to suspend BitLocker Drive Encryption. Click **Yes** to continue and suspend BitLocker on the drive. - -4. Restart the computer and enter the firmware settings to reset the boot order to boot from USB first. For more information on changing the boot order in the BIOS, see [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkId=618951) on the TechNet wiki. - -5. Restart the computer again and then log on to the host computer using an account with administrator privileges. (Neither your Windows To Go drive nor any other USB drive should be inserted.) - -6. 
Click **Start**, click **Control Panel**, click **System and Security**, and then click **BitLocker Drive Encryption**. - -7. Click **Resume Protection** to re-enable BitLocker protection. - -The host computer will now be able to be booted from a USB drive without triggering recovery mode. - -**Note**   -The default BitLocker protection profile in Windows 8 or later does not monitor the boot order. - - - -## I decided to stop using a drive for Windows To Go and reformatted it – why doesn’t it have a drive letter assigned and how can I fix it? - - -Reformatting the drive erases the data on the drive, but doesn’t reconfigure the volume attributes. When a drive is provisioned for use as a Windows To Go drive the NODEFAULTDRIVELETTER attribute is set on the volume. To remove this attribute, use the following steps: - -1. Open a command prompt with full administrator permissions. - - **Note**   - If your user account is a member of the Administrators group, but is not the Administrator account itself, then, by default, the programs that you run only have standard user permissions unless you explicitly choose to elevate them. - - - -2. Start the [diskpart](https://go.microsoft.com/fwlink/p/?LinkId=619070) command interpreter, by typing `diskpart` at the command prompt. - -3. Use the `select disk` command to identify the drive. If you do not know the drive number, use the `list` command to display the list of disks available. - -4. After selecting the disk, run the `clean` command to remove all data, formatting, and initialization information from the drive. - -## Why do I keep on getting the message “Installing devices…” when I boot Windows To Go? - - -One of the challenges involved in moving the Windows To Go drive between PCs while seamlessly booting Windows with access to all of their applications and data is that for Windows to be fully functional, specific drivers need to be installed for the hardware in each machine that runs Windows. 
Windows 8 or later has a process called respecialize which will identify new drivers that need to be loaded for the new PC and disable drivers which are not present on the new configuration. In general this feature is reliable and efficient when roaming between PCs of widely varying hardware configurations. - -In certain cases, third party drivers for different hardware models or versions can reuse device ID’s, driver file names, registry keys (or any other operating system constructs which do not support side-by-side storage) for similar hardware. For example, Touchpad drivers on different laptops often reuse the same device ID’s, and video cards from the same manufacturer may often reuse service names. Windows handles these situations by marking the non-present device node with a flag that indicates the existing driver needs to be reinstalled before continuing to install the new driver. - -This process will occur on any boot that a new driver is found and a driver conflict is detected. In some cases that will result in a respecialize progress message “Installing devices…” displaying every time that a Windows to Go drive is roamed between two PCs which require conflicting drivers. - -## How do I upgrade the operating system on my Windows To Go drive? - - -There is no support in Windows for upgrading a Windows To Go drive. Deployed Windows To Go drives with older versions of Windows will need to be re-imaged with a new version of Windows in order to transition to the new operating system version. 
-
-## Additional resources
-
-
-- [Windows 10 forums](https://go.microsoft.com/fwlink/p/?LinkId=618949)
-
-- [Windows To Go Step by Step Wiki](https://go.microsoft.com/fwlink/p/?LinkId=618950)
-
-- [Windows To Go: feature overview](windows-to-go-overview.md)
-
-- [Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
-
-- [Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
-
-- [Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
-
-
-
-
-
-
-
-
-
+---
+title: Windows To Go frequently asked questions (Windows 10)
+description: Windows To Go frequently asked questions
+ms.assetid: bfdfb824-4a19-4401-b369-22c5e6ca9d6e
+ms.reviewer:
+manager: laurawi
+ms.author: greglin
+keywords: FAQ, mobile, device, USB
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.pagetype: mobility
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Windows To Go: frequently asked questions
+
+
+**Applies to**
+
+- Windows 10
+
+>[!IMPORTANT]
+>Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.
+
+The following list identifies some commonly asked questions about Windows To Go. 
+
+- [What is Windows To Go?](#wtg-faq-whatis)
+
+- [Does Windows To Go rely on virtualization?](#wtg-faq-virt)
+
+- [Who should use Windows To Go?](#wtg-faq-who)
+
+- [How can Windows To Go be deployed in an organization?](#wtg-faq-deploy)
+
+- [Is Windows To Go supported on both USB 2.0 and USB 3.0 drives?](#wtg-faq-usbvs)
+
+- [Is Windows To Go supported on USB 2.0 and USB 3.0 ports?](#wtg-faq-usbports)
+
+- [How do I identify a USB 3.0 port?](#wtg-faq-usb3port)
+
+- [Does Windows To Go run faster on a USB 3.0 port?](#wtg-faq-usb3speed)
+
+- [Can the user self-provision Windows To Go?](#wtg-faq-selfpro)
+
+- [How can Windows To Go be managed in an organization?](#wtg-faq-mng)
+
+- [How do I make my computer boot from USB?](#wtf-faq-startup)
+
+- [Why isn’t my computer booting from USB?](#wtg-faq-noboot)
+
+- [What happens if I remove my Windows To Go drive while it is running?](#wtg-faq-surprise)
+
+- [Can I use BitLocker to protect my Windows To Go drive?](#wtg-faq-bitlocker)
+
+- [Why can’t I enable BitLocker from Windows To Go Creator?](#wtg-faq-blfail)
+
+- [What power states does Windows To Go support?](#wtg-faq-power)
+
+- [Why is hibernation disabled in Windows To Go?](#wtg-faq-hibernate)
+
+- [Does Windows To Go support crash dump analysis?](#wtg-faq-crashdump)
+
+- [Do “Windows To Go Startup Options” work with dual boot computers?](#wtg-faq-dualboot)
+
+- [I plugged my Windows To Go drive into a running computer and I can’t see the partitions on the drive. Why not?](#wtg-faq-diskpart)
+
+- [I’m booted into Windows To Go, but I can’t browse to the internal hard drive of the host computer. 
Why not?](#wtg-faq-san4)
+
+- [Why does my Windows To Go drive have an MBR disk format with a FAT32 system partition?](#wtg-faq-fatmbr)
+
+- [Is Windows To Go secure if I use it on an untrusted machine?](#wtg-faq-malhost)
+
+- [Does Windows To Go work with ARM processors?](#wtg-faq-arm)
+
+- [Can I synchronize data from Windows To Go with my other computer?](#wtg-faq-datasync)
+
+- [What size USB Flash Drive do I need to make a Windows To Go drive?](#wtg-faq-usbsz)
+
+- [Do I need to activate Windows To Go every time I roam?](#wtg-faq-roamact)
+
+- [Can I use all Windows features on Windows To Go?](#wtg-faq-features)
+
+- [Can I use all my applications on Windows To Go?](#wtg-faq-approam)
+
+- [Does Windows To Go work slower than standard Windows?](#wtg-faq-slow)
+
+- [If I lose my Windows To Go drive, will my data be safe?](#wtg-faq-safeloss)
+
+- [Can I boot Windows To Go on a Mac?](#wtg-faq-mac)
+
+- [Are there any APIs that allow applications to identify a Windows To Go workspace?](#wtg-faq-api)
+
+- [How is Windows To Go licensed?](#wtg-faq-lic)
+
+- [Does Windows Recovery Environment work with Windows To Go? What’s the guidance for recovering a Windows To Go drive?](#wtg-faq-recovery)
+
+- [Why won’t Windows To Go work on a computer running Windows XP or Windows Vista?](#wtg-faq-oldos)
+
+- [Why does the operating system on the host computer matter?](#wtg-faq-oldos2)
+
+- [My host computer running Windows 7 is protected by BitLocker Drive Encryption. Why did I need to use the recovery key to unlock and reboot my host computer after using Windows To Go?](#wtg-faq-blreckey)
+
+- [I decided to stop using a drive for Windows To Go and reformatted it – why doesn’t it have a drive letter assigned and how can I fix it?](#wtg-faq-reformat)
+
+- [Why do I keep on getting the message “Installing devices…” when I boot Windows To Go?](#bkmk-roamconflict)
+
+- [How do I upgrade the operating system on my Windows To Go drive?](#bkmk-upgradewtg)
+
+## What is Windows To Go?
+
+
+Windows To Go is a feature for users of Windows 10 Enterprise and Windows 10 Education that enables users to boot a full version of Windows from external USB drives on host PCs.
+
+## Does Windows To Go rely on virtualization?
+
+
+No. Windows To Go is a native instance of Windows 10 that runs from a USB device. It is just like a laptop hard drive with Windows 8 that has been put into a USB enclosure.
+
+## Who should use Windows To Go?
+
+
+Windows To Go was designed for enterprise usage and targets scenarios such as continuance of operations, contractors, managed free seating, traveling workers, and work from home.
+
+## How can Windows To Go be deployed in an organization?
+
+
+Windows To Go can be deployed using standard Windows deployment tools like Diskpart and DISM. The prerequisites for deploying Windows To Go are:
+
+- A Windows To Go recommended USB drive to provision; See the list of currently available USB drives at [Hardware considerations for Windows To Go](windows-to-go-overview.md#wtg-hardware)
+
+- A Windows 10 Enterprise or Windows 10 Education image
+
+- A Windows 10 Enterprise, Windows 10 Education or Windows 10 Professional host PC that can be used to provision new USB keys
+
+You can use a Windows PowerShell script to target several drives and scale your deployment for a large number of Windows To Go drives. You can also use a USB duplicator to duplicate a Windows To Go drive after it has been provisioned if you are creating a large number of drives. See the [Windows To Go Step by Step](https://go.microsoft.com/fwlink/p/?LinkId=618950) article on the TechNet wiki for a walkthrough of the drive creation process.
+
+## Is Windows To Go supported on both USB 2.0 and USB 3.0 drives?
+
+
+No. Windows To Go is supported on USB 3.0 drives that are certified for Windows To Go.
+
+## Is Windows To Go supported on USB 2.0 and USB 3.0 ports?
+
+
+Yes.
Windows To Go is fully supported on either USB 2.0 ports or USB 3.0 ports on PCs certified for Windows 7 or later.
+
+## How do I identify a USB 3.0 port?
+
+
+USB 3.0 ports are usually marked blue or carry a SS marking on the side.
+
+## Does Windows To Go run faster on a USB 3.0 port?
+
+
+Yes. Because USB 3.0 offers significantly faster speeds than USB 2.0, a Windows To Go drive running on a USB 3.0 port will operate considerably faster. This speed increase applies to both drive provisioning and when the drive is being used as a workspace.
+
+## Can the user self-provision Windows To Go?
+
+
+Yes, if the user has administrator permissions they can self-provision a Windows To Go drive using the Windows To Go Creator wizard which is included in Windows 10 Enterprise, Windows 10 Education and Windows 10 Professional. Additionally, System Center 2012 Configuration Manager SP1 and later releases includes support for user self-provisioning of Windows To Go drives. Configuration Manager can be downloaded for evaluation from the [Microsoft TechNet Evaluation Center](https://go.microsoft.com/fwlink/p/?LinkID=618746).
+
+## How can Windows To Go be managed in an organization?
+
+
+Windows To Go can be deployed and managed like a traditional desktop PC using standard Windows enterprise software distribution tools like System Center Configuration Manager. Computer and user settings for Windows To Go workspaces can be managed using Group Policy setting also in the same manner that you manage Group Policy settings for other PCs in your organization. Windows To Go workspaces can be configured to connect to the organizational resources remotely using DirectAccess or a virtual private network connection so that they can connect securely to your network.
+
+## How do I make my computer boot from USB?
+
+
+For host computers running Windows 10
+
+- Using Cortana, search for **Windows To Go startup options**, and then press Enter.
+- In the **Windows To Go Startup Options** dialog box, select **Yes**, and then click **Save Changes** to configure the computer to boot from USB.
+
+For host computers running Windows 8 or Windows 8.1:
+
+Press **Windows logo key+W** and then search for **Windows To Go startup options** and then press Enter.
+
+In the **Windows To Go Startup Options** dialog box select **Yes** and then click **Save Changes** to configure the computer to boot from USB.
+
+> [!NOTE]
+> Your IT department can use Group Policy to configure Windows To Go Startup Options in your organization.
+
+
+
+If the host computer is running an earlier version of the Windows operating system need to configure the computer to boot from USB manually.
+
+To do this, early during boot time (usually when you see the manufacturer’s logo), enter your firmware/BIOS setup. (This method to enter firmware/BIOS setup differs with different computer manufacturers, but is usually entered by pressing one of the function keys, such as F12, F2, F1, Esc, and so forth. You should check the manufacturer’s site to be sure if you do not know which key to use to enter firmware setup.)
+
+After you have entered firmware setup, make sure that boot from USB is enabled. Then change the boot order to boot from USB drives first.
+
+Alternatively, if your computer supports it, you can try to use the one-time boot menu (often F12), to select USB boot on a per-boot basis.
+
+For more detailed instructions, see the wiki article, [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkID=618951).
+
+**Warning**   
+Configuring a computer to boot from USB will cause your computer to attempt to boot from any bootable USB device connected to your computer. This potentially includes malicious devices. Users should be informed of this risk and instructed to not have any bootable USB storage devices plugged in to their computers except for their Windows To Go drive.
+
+
+
+## Why isn’t my computer booting from USB?
+
+
+Computers certified for Windows 7 and later are required to have support for USB boot. Check to see if any of the following items apply to your situation:
+
+1. Ensure that your computer has the latest BIOS installed and the BIOS is configured to boot from a USB device.
+
+2. Ensure that the Windows To Go drive is connected directly to a USB port on the computer. Many computers don’t support booting from a device connected to a USB 3 PCI add-on card or external USB hubs.
+
+3. If the computer is not booting from a USB 3.0 port, try to boot from a USB 2.0 port.
+
+If none of these items enable the computer to boot from USB, contact the hardware manufacturer for additional support.
+
+## What happens if I remove my Windows To Go drive while it is running?
+
+
+If the Windows To Go drive is removed, the computer will freeze and the user will have 60 seconds to reinsert the Windows To Go drive. If the Windows To Go drive is reinserted into the same port it was removed from, Windows will resume at the point where the drive was removed. If the USB drive is not reinserted, or is reinserted into a different port, the host computer will turn off after 60 seconds.
+
+**Warning**   
+You should never remove your Windows To Go drive when your workspace is running. The computer freeze is a safety measure to help mitigate the risk of accidental removal. Removing the Windows To Go drive without shutting down the Windows To Go workspace could result in corruption of the Windows To Go drive.
+
+
+
+## Can I use BitLocker to protect my Windows To Go drive?
+
+
+Yes. In Windows 8 and later, BitLocker has added support for using a password to protect operating system drives. This means that you can use a password to secure your Windows To Go workspace and you will be prompted to enter this password every time you use the Windows To Go workspace.
+
+## Why can’t I enable BitLocker from Windows To Go Creator?
+
+
+Several different Group Policies control the use of BitLocker on your organizations computers. These policies are located in the **Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption** folder of the local Group Policy editor. The folder contains three sub-folders for fixed, operating system and removable data drive types.
+
+When you are using Windows To Go Creator, the Windows To Go drive is considered a removable data drive by BitLocker. Review the following setting to see if these settings apply in your situation:
+
+1. **Control use of BitLocker on removable drives**
+
+ If this setting is disabled BitLocker cannot be used with removable drives, so the Windows To Go Creator wizard will fail if it attempts to enable BitLocker on the Windows To Go drive.
+
+2. **Configure use of smart cards on removable data drives**
+
+ If this setting is enabled and the option **Require use of smart cards on removable data drives** is also selected the creator wizard might fail if you have not already signed on using your smart card credentials before starting the Windows To Go Creator wizard.
+
+3. **Configure use of passwords for removable data drives**
+
+ If this setting is enabled and the **Require password complexity option** is selected the computer must be able to connect to the domain controller to verify that the password specified meets the password complexity requirements. If the connection is not available, the Windows To Go Creator wizard will fail to enable BitLocker.
+
+Additionally, the Windows To Go Creator will disable the BitLocker option if the drive does not have any volumes. In this situation, you should initialize the drive and create a volume using the Disk Management console before provisioning the drive with Windows To Go.
+
+## What power states does Windows To Go support?
+
+
+Windows To Go supports all power states except the hibernate class of power states, which include hybrid boot, hybrid sleep, and hibernate. This default behavior can be modified by using Group Policy settings to enable hibernation of the Windows To Go workspace.
+
+## Why is hibernation disabled in Windows To Go?
+
+
+When a Windows To Go workspace is hibernated, it will only successfully resume on the exact same hardware. Therefore, if a Windows To Go workspace is hibernated on one computer and roamed to another, the hibernation state (and therefore user state) will be lost. To prevent this from happening, the default settings for a Windows To Go workspace disable hibernation. If you are confident that you will only attempt to resume on the same computer, you can enable hibernation using the Windows To Go Group Policy setting, **Allow hibernate (S4) when started from a Windows To Go workspace** that is located at **\\\\Computer Configuration\\Administrative Templates\\Windows Components\\Portable Operating System\\** in the Local Group Policy Editor (gpedit.msc).
+
+## Does Windows To Go support crash dump analysis?
+
+
+Yes. Windows 8 and later support crash dump stack analysis for both USB 2.0 and 3.0.
+
+## Do “Windows To Go Startup Options” work with dual boot computers?
+
+
+Yes, if both operating systems are running the Windows 8 operating system. Enabling “Windows To Go Startup Options” should cause the computer to boot from the Windows To Go workspace when the drive is plugged in before the computer is turned on.
+
+If you have configured a dual boot computer with a Windows operating system and another operating system it might work occasionally and fail occasionally. Using this configuration is unsupported.
+
+## I plugged my Windows To Go drive into a running computer and I can’t see the partitions on the drive. Why not?
+
+
+Windows To Go Creator and the recommended deployment steps for Windows To Go set the NO\_DEFAULT\_DRIVE\_LETTER flag on the Windows To Go drive. This flag prevents Windows from automatically assigning drive letters to the partitions on the Windows To Go drive. That’s why you can’t see the partitions on the drive when you plug your Windows To Go drive into a running computer. This helps prevent accidental data leakage between the Windows To Go drive and the host computer. If you really need to access the files on the Windows To Go drive from a running computer, you can use diskmgmt.msc or diskpart to assign a drive letter.
+
+**Warning**   
+It is strongly recommended that you do not plug your Windows To Go drive into a running computer. If the computer is compromised, your Windows To Go workspace can also be compromised.
+
+
+
+## I’m booted into Windows To Go, but I can’t browse to the internal hard drive of the host computer. Why not?
+
+
+Windows To Go Creator and the recommended deployment steps for Windows To Go set SAN Policy 4 on Windows To Go drive. This policy prevents Windows from automatically mounting internal disk drives. That’s why you can’t see the internal hard drives of the host computer when you are booted into Windows To Go. This is done to prevent accidental data leakage between Windows To Go and the host system. This policy also prevents potential corruption on the host drives or data loss if the host operating system is in a hibernation state. If you really need to access the files on the internal hard drive, you can use diskmgmt.msc to mount the internal drive.
+
+**Warning**   
+It is strongly recommended that you do not mount internal hard drives when booted into the Windows To Go workspace. If the internal drive contains a hibernated Windows 8 or later operating system, mounting the drive will lead to loss of hibernation state and therefor user state or any unsaved user data when the host operating system is booted.
If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted.
+
+
+
+## Why does my Windows To Go drive have an MBR disk format with a FAT32 system partition?
+
+
+This is done to allow Windows To Go to boot from UEFI and legacy systems.
+
+## Is Windows To Go secure if I use it on an untrusted computer?
+
+
+While you are more secure than if you use a completely untrusted operating system, you are still vulnerable to attacks from the firmware or anything that runs before Windows To Go starts. If you plug your Windows To Go drive into a running untrusted computer, your Windows To Go drive can be compromised because any malicious software that might be active on the computer can access the drive.
+
+## Does Windows To Go work with ARM processors?
+
+
+No. Windows RT is a specialized version of Windows designed for ARM processors. Windows To Go is currently only supported on PCs with x86 or x64-based processors.
+
+## Can I synchronize data from Windows To Go with my other computer?
+
+
+To get your data across all your computers, we recommend using folder redirection and client side caching to store copies of your data on a server while giving you offline access to the files you need.
+
+## What size USB flash drive do I need to make a Windows To Go drive?
+
+
+The size constraints are the same as full Windows. To ensure that you have enough space for Windows, your data, and your applications, we recommend USB drives that are a minimum of 20 GB in size.
+
+## Do I need to activate Windows To Go every time I roam?
+
+
+No, Windows To Go requires volume activation; either using the [Key Management Service](https://go.microsoft.com/fwlink/p/?LinkId=619051) (KMS) server in your organization or using [Active Directory](https://go.microsoft.com/fwlink/p/?LinkId=619053) based volume activation.
The Windows To Go workspace will not need to be reactivated every time you roam. KMS activates Windows on a local network, eliminating the need for individual computers to connect to Microsoft. To remain activated, KMS client computers must renew their activation by connecting to the KMS host on periodic basis. This typically occurs as soon as the user has access to the corporate network (either through a direct connection on-premises or a through remote connection using DirectAccess or a virtual private network connection), once activated the machine will not need to be activated again until the activation validity interval has passed. In a KMS configuration the activation validity interval is 180 days.
+
+## Can I use all Windows features on Windows To Go?
+
+
+Yes, with some minor exceptions, you can use all Windows features with your Windows To Go workspace. The only currently unsupported features are using the Windows Recovery Environment and PC Reset & Refresh.
+
+## Can I use all my applications on Windows To Go?
+
+
+Yes. Because your Windows To Go workspace is a full Windows 10 environment, all applications that work with Windows 10 should work in your Windows To Go workspace. However, any applications that use hardware binding (usually for licensing and/or digital rights management reasons) may not run when you roam your Windows To Go drive between different host computers, and you may have to use those applications on the same host computer every time.
+
+## Does Windows To Go work slower than standard Windows?
+
+
+If you are using a USB 3.0 port and a Windows To Go certified device, there should be no perceivable difference between standard Windows and Windows To Go. However, if you are booting from a USB 2.0 port, you may notice some slowdown since USB 2.0 transfer speeds are slower than SATA speeds.
+
+## If I lose my Windows To Go drive, will my data be safe?
+
+
+Yes!
If you enable BitLocker on your Windows To Go drive, all your data will be encrypted and protected and a malicious user will not be able to access your data without your password. If you don’t enable BitLocker, your data will be vulnerable if you lose your Windows To Go drive.
+
+## Can I boot Windows To Go on a Mac?
+
+
+We are committed to give customers a consistent and quality Windows 10 experience with Windows To Go. Windows To Go supports host devices certified for use with Windows 7 or later. Because Mac computers are not certified for use with Windows 7 or later, using Windows To Go is not supported on a Mac.
+
+## Are there any APIs that allow applications to identify a Windows To Go workspace?
+
+
+Yes. You can use a combination of identifiers to determine if the currently running operating system is a Windows To Go workspace. First, check if the **PortableOperatingSystem** property is true. When that value is true it means that the operating system was booted from an external USB device.
+
+Next, check if the **OperatingSystemSKU** property is equal to **4** (for Windows 10 Enterprise) or **121** (for Windows 10 Education). The combination of those two properties represents a Windows To Go workspace environment.
+
+For more information, see the MSDN article on the [Win32\_OperatingSystem class](https://go.microsoft.com/fwlink/p/?LinkId=619059).
+
+## How is Windows To Go licensed?
+
+
+Windows To Go allows organization to support the use of privately owned PCs at the home or office with more secure access to their organizational resources. With Windows To Go use rights under [Software Assurance](https://go.microsoft.com/fwlink/p/?LinkId=619062), an employee will be able to use Windows To Go on any company PC licensed with Software Assurance as well as from their home PC.
+
+## Does Windows Recovery Environment work with Windows To Go? What’s the guidance for recovering a Windows To Go drive?
+
+
+No, use of Windows Recovery Environment is not supported on Windows To Go. It is recommended that you implement user state virtualization technologies like Folder Redirection to centralize and back up user data in the data center. If any corruption occurs on a Windows To Go drive, you should re-provision the workspace.
+
+## Why won’t Windows To Go work on a computer running Windows XP or Windows Vista?
+
+
+Actually it might. If you have purchased a computer certified for Windows 7 or later and then installed an older operating system, Windows To Go will boot and run as expected as long as you have configured the firmware to boot from USB. However, if the computer was certified for Windows XP or Windows Vista, it might not meet the hardware requirements for Windows To Go to run. Typically computers certified for Windows Vista and earlier operating systems have less memory, less processing power, reduced video rendering, and slower USB ports.
+
+## Why does the operating system on the host computer matter?
+
+
+It doesn’t other than to help visually identify if the PC has compatible hardware. For a PC to be certified for Windows 7 or later it had to support booting from USB. If a computer cannot boot from USB there is no way that it can be used with Windows To Go. The Windows To Go workspace is a full Windows 10 environment, so all of the hardware requirements of Windows 10 with respect to processing speed, memory usage, and graphics rendering need to be supported to be assured that it will work as expected.
+
+## My host computer running Windows 7 is protected by BitLocker Drive Encryption. Why did I need to use the recovery key to unlock and reboot my host computer after using Windows To Go?
+
+
+The default BitLocker protection profile in Windows 7 monitors the host computer for changes to the boot order as part of protecting the computer from tampering.
When you change the boot order of the host computer to enable it to boot from the Windows To Go drive, the BitLocker system measurements will reflect that change and boot into recovery mode so that the computer can be inspected if necessary.
+
+You can reset the BitLocker system measurements to incorporate the new boot order using the following steps:
+
+1. Log on to the host computer using an account with administrator privileges.
+
+2. Click **Start**, click **Control Panel**, click **System and Security**, and then click **BitLocker Drive Encryption**.
+
+3. Click **Suspend Protection** for the operating system drive.
+
+ A message is displayed, informing you that your data will not be protected while BitLocker is suspended and asking if you want to suspend BitLocker Drive Encryption. Click **Yes** to continue and suspend BitLocker on the drive.
+
+4. Restart the computer and enter the firmware settings to reset the boot order to boot from USB first. For more information on changing the boot order in the BIOS, see [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkId=618951) on the TechNet wiki.
+
+5. Restart the computer again and then log on to the host computer using an account with administrator privileges. (Neither your Windows To Go drive nor any other USB drive should be inserted.)
+
+6. Click **Start**, click **Control Panel**, click **System and Security**, and then click **BitLocker Drive Encryption**.
+
+7. Click **Resume Protection** to re-enable BitLocker protection.
+
+The host computer will now be able to be booted from a USB drive without triggering recovery mode.
+
+> [!NOTE]
+> The default BitLocker protection profile in Windows 8 or later does not monitor the boot order.
+
+
+
+## I decided to stop using a drive for Windows To Go and reformatted it – why doesn’t it have a drive letter assigned and how can I fix it?
+
+
+Reformatting the drive erases the data on the drive, but doesn’t reconfigure the volume attributes. When a drive is provisioned for use as a Windows To Go drive the NODEFAULTDRIVELETTER attribute is set on the volume. To remove this attribute, use the following steps:
+
+1. Open a command prompt with full administrator permissions.
+
+ > [!NOTE]
+ > If your user account is a member of the Administrators group, but is not the Administrator account itself, then, by default, the programs that you run only have standard user permissions unless you explicitly choose to elevate them.
+
+
+
+2. Start the [diskpart](https://go.microsoft.com/fwlink/p/?LinkId=619070) command interpreter, by typing `diskpart` at the command prompt.
+
+3. Use the `select disk` command to identify the drive. If you do not know the drive number, use the `list` command to display the list of disks available.
+
+4. After selecting the disk, run the `clean` command to remove all data, formatting, and initialization information from the drive.
+
+## Why do I keep on getting the message “Installing devices…” when I boot Windows To Go?
+
+
+One of the challenges involved in moving the Windows To Go drive between PCs while seamlessly booting Windows with access to all of their applications and data is that for Windows to be fully functional, specific drivers need to be installed for the hardware in each machine that runs Windows. Windows 8 or later has a process called respecialize which will identify new drivers that need to be loaded for the new PC and disable drivers which are not present on the new configuration. In general this feature is reliable and efficient when roaming between PCs of widely varying hardware configurations.
+
+In certain cases, third party drivers for different hardware models or versions can reuse device ID’s, driver file names, registry keys (or any other operating system constructs which do not support side-by-side storage) for similar hardware.
For example, Touchpad drivers on different laptops often reuse the same device ID’s, and video cards from the same manufacturer may often reuse service names. Windows handles these situations by marking the non-present device node with a flag that indicates the existing driver needs to be reinstalled before continuing to install the new driver.
+
+This process will occur on any boot that a new driver is found and a driver conflict is detected. In some cases that will result in a respecialize progress message “Installing devices…” displaying every time that a Windows to Go drive is roamed between two PCs which require conflicting drivers.
+
+## How do I upgrade the operating system on my Windows To Go drive?
+
+
+There is no support in Windows for upgrading a Windows To Go drive. Deployed Windows To Go drives with older versions of Windows will need to be re-imaged with a new version of Windows in order to transition to the new operating system version.
+
+## Additional resources
+
+
+- [Windows 10 forums](https://go.microsoft.com/fwlink/p/?LinkId=618949)
+
+- [Windows To Go Step by Step Wiki](https://go.microsoft.com/fwlink/p/?LinkId=618950)
+
+- [Windows To Go: feature overview](windows-to-go-overview.md)
+
+- [Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
+
+- [Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
+
+- [Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
+
+
+
+
+
+
+
+
+
diff --git a/windows/deployment/planning/windows-to-go-overview.md b/windows/deployment/planning/windows-to-go-overview.md
index 3ed1e2e88c..57d74a1341 100644
--- a/windows/deployment/planning/windows-to-go-overview.md
+++ b/windows/deployment/planning/windows-to-go-overview.md
@@ -1,284 +1,239 @@ ---- -title: Windows To Go feature overview (Windows 10) -description: Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that enables the creation of a Windows To Go workspace that can be booted from a USB-connected external drive on PCs. -ms.assetid: 9df82b03-acba-442c-801d-56db241f8d42 -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: workspace, mobile, installation, image, USB, device, image, edu -ms.prod: w10 -ms.mktglfcycl: deploy -ms.pagetype: mobility, edu -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.topic: article ---- - -# Windows To Go: feature overview - - -**Applies to** - -- Windows 10 - ->[!IMPORTANT] ->Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. - -Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that enables the creation of a Windows To Go workspace that can be booted from a USB-connected external drive on PCs. - -PCs that meet the Windows 7 or later [certification requirements](https://go.microsoft.com/fwlink/p/?LinkId=618711) can run Windows 10 in a Windows To Go workspace, regardless of the operating system running on the PC. Windows To Go workspaces can use the same image enterprises use for their desktops and laptops and can be managed the same way. Windows To Go is not intended to replace desktops, laptops or supplant other mobility offerings. Rather, it provides support for efficient use of resources for alternative workplace scenarios. 
There are some additional considerations that you should keep in mind before you start to use Windows To Go: - -- [Differences between Windows To Go and a typical installation of Windows](#bkmk-wtgdif) -- [Roaming with Windows To Go](#bkmk-wtgroam) -- [Prepare for Windows To Go](#wtg-prep-intro) -- [Hardware considerations for Windows To Go](#wtg-hardware) - -**Note**   -Windows To Go is not supported on Windows RT. - - - -## Differences between Windows To Go and a typical installation of Windows - - -Windows To Go workspace operates just like any other installation of Windows with a few exceptions. These exceptions are: - -- **Internal disks are offline.** To ensure data isn’t accidentally disclosed, internal hard disks on the host computer are offline by default when booted into a Windows To Go workspace. Similarly if a Windows To Go drive is inserted into a running system, the Windows To Go drive will not be listed in Windows Explorer. - -- **Trusted Platform Module (TPM) is not used.** When using BitLocker Drive Encryption a pre-operating system boot password will be used for security rather than the TPM since the TPM is tied to a specific computer and Windows To Go drives will move between computers. - -- **Hibernate is disabled by default.** To ensure that the Windows To Go workspace is able to move between computers easily, hibernation is disabled by default. Hibernation can be re-enabled by using Group Policy settings. - -- **Windows Recovery Environment is not available.** In the rare case that you need to recover your Windows To Go drive, you should re-image it with a fresh image of Windows. - -- **Refreshing or resetting a Windows To Go workspace is not supported.** Resetting to the manufacturer’s standard for the computer doesn’t apply when running a Windows To Go workspace, so the feature was disabled. 
- -- **Upgrading a Windows To Go workspace is not supported.** Older Windows 8 or Windows 8.1 Windows To Go workspaces cannot be upgraded to Windows 10 workspaces, nor can Windows 10 Windows To Go workspaces be upgraded to future versions of Windows 10. For new versions, the workspace needs to be re-imaged with a fresh image of Windows. - -## Roaming with Windows To Go - - -Windows To Go drives can be booted on multiple computers. When a Windows To Go workspace is first booted on a host computer it will detect all hardware on the computer and install any needed drivers. When the Windows To Go workspace is subsequently booted on that host computer it will be able to identify the host computer and load the correct set of drivers automatically. - -The applications that you want to use from the Windows To Go workspace should be tested to make sure they also support roaming. Some applications bind to the computer hardware which will cause difficulties if the workspace is being used with multiple host computers. - -## Prepare for Windows To Go - - -Enterprises install Windows on a large group of computers either by using configuration management software (such as System Center Configuration Manager), or by using standard Windows deployment tools such as DiskPart and the Deployment Image Servicing and Management (DISM) tool. - -These same tools can be used to provision Windows To Go drive, just as you would if you were planning for provisioning a new class of mobile PCs. You can use the [Windows Assessment and Deployment Kit](https://go.microsoft.com/fwlink/p/?LinkId=526803) to review deployment tools available. - -**Important**   -Make sure you use the versions of the deployment tools provided for the version of Windows you are deploying. There have been many enhancements made to support Windows To Go. Using versions of the deployment tools released for earlier versions of Windows to provision a Windows To Go drive is not supported. 
- - - -As you decide what to include in your Windows To Go image, be sure to consider the following questions: - -Are there any drivers that you need to inject into the image? - -How will data be stored and synchronized to appropriate locations from the USB device? - -Are there any applications that are incompatible with Windows To Go roaming that should not be included in the image? - -What should be the architecture of the image - 32bit/64bit? - -What remote connectivity solution should be supported in the image if Windows To Go is used outside the corporate network? - -For more information about designing and planning your Windows To Go deployment, see [Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md). - -## Hardware considerations for Windows To Go - - -**For USB drives** - -The devices listed in this section have been specially optimized and certified for Windows To Go and meet the necessary requirements for booting and running a full version of Windows 10 from a USB drive. The optimizations for Windows To Go include the following: - -- Windows To Go certified USB drives are built for high random read/write speeds and support the thousands of random access I/O operations per second required for running normal Windows workloads smoothly. - -- Windows To Go certified USB drives have been tuned to ensure they boot and run on hardware certified for use with Windows 7 and later. - -- Windows To Go certified USB drives are built to last. Certified USB drives are backed with manufacturer warranties and should continue operating under normal usage. Refer to the manufacturer websites for warranty details. 
- -As of the date of publication, the following are the USB drives currently certified for use as Windows To Go drives: - -**Warning**   -Using a USB drive that has not been certified is not supported - - - -- IronKey Workspace W700 ([http://www.ironkey.com/windows-to-go-drives/ironkey-workspace-w700.html](https://go.microsoft.com/fwlink/p/?LinkId=618714)) - -- IronKey Workspace W500 ([http://www.ironkey.com/windows-to-go-drives/ironkey-workspace-w500.html](https://go.microsoft.com/fwlink/p/?LinkId=618717)) - -- IronKey Workspace W300 ([http://www.ironkey.com/windows-to-go-drives/ironkey-workspace-w300.html](https://go.microsoft.com/fwlink/p/?LinkId=618718)) - -- Kingston DataTraveler Workspace for Windows To Go ([http://www.kingston.com/wtg/](https://go.microsoft.com/fwlink/p/?LinkId=618719)) - -- Spyrus Portable Workplace ([http://www.spyruswtg.com/](https://go.microsoft.com/fwlink/p/?LinkId=618720)) - - We recommend that you run the Spyrus Deployment Suite for Windows To Go to provision the Spyrus Portable Workplace. - -- Spyrus Secure Portable Workplace ([http://www.spyruswtg.com/](https://go.microsoft.com/fwlink/p/?LinkId=618720)) - - **Important**   - You must use the Spyrus Deployment Suite for Windows To Go to provision the Spyrus Secure Portable Workplace. For more information about the Spyrus Deployment Suite for Windows To Go please refer to [http://www.spyruswtg.com/](https://go.microsoft.com/fwlink/p/?LinkId=618720). - - - -- Spyrus Worksafe ([http://www.spyruswtg.com/](https://go.microsoft.com/fwlink/p/?LinkId=618720)) - - **Tip**   - This device contains an embedded smart card. 
- - - -- Super Talent Express RC4 for Windows To Go - - -and- - - Super Talent Express RC8 for Windows To Go - - ([http://www.supertalent.com/wtg/](https://go.microsoft.com/fwlink/p/?LinkId=618721)) - -- Western Digital My Passport Enterprise ([http://www.wd.com/wtg](https://go.microsoft.com/fwlink/p/?LinkId=618722)) - - We recommend that you run the WD Compass utility to prepare the Western Digital My Passport Enterprise drive for provisioning with Windows To Go.  For more information about the WD Compass utility please refer to [http://www.wd.com/wtg](https://go.microsoft.com/fwlink/p/?LinkId=618722) - -**For host computers** - -When assessing the use of a PC as a host for a Windows To Go workspace you should consider the following criteria: - -- Hardware that has been certified for use with Windows 7or later operating systems will work well with Windows To Go. - -- Running a Windows To Go workspace from a computer that is running Windows RT is not a supported scenario. - -- Running a Windows To Go workspace on a Mac computer is not a supported scenario. - -The following table details the characteristics that the host computer must have to be used with Windows To Go: - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ItemRequirement

    Boot process

    Capable of USB boot

    Firmware

    USB boot enabled. (PCs certified for use with Windows 7 or later can be configured to boot directly from USB, check with the hardware manufacturer if you are unsure of the ability of your PC to boot from USB)

    Processor architecture

    Must support the image on the Windows To Go drive

    External USB Hubs

    Not supported; connect the Windows To Go drive directly to the host machine

    Processor

    1 Ghz or faster

    RAM

    2 GB or greater

    Graphics

    DirectX 9 graphics device with WDDM 1.2 or greater driver

    USB port

    USB 2.0 port or greater

    - - - -**Checking for architectural compatibility between the host PC and the Windows To Go drive** - -In addition to the USB boot support in the BIOS, the Windows 10 image on your Windows To Go drive must be compatible with the processor architecture and the firmware of the host PC as shown in the table below. - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Host PC Firmware TypeHost PC Processor ArchitectureCompatible Windows To Go Image Architecture

    Legacy BIOS

    32-bit

    32-bit only

    Legacy BIOS

    64-bit

    32-bit and 64-bit

    UEFI BIOS

    32-bit

    32-bit only

    UEFI BIOS

    64-bit

    64-bit only

    - - - -## Additional resources - - -- [Windows 10 forums](https://go.microsoft.com/fwlink/p/?LinkId=618949) - -- [Windows To Go Step by Step Wiki](https://go.microsoft.com/fwlink/p/?LinkId=618950) - -- [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkId=618951) - -## Related topics - - -- [Deploy Windows To Go in your organization](https://go.microsoft.com/fwlink/p/?LinkId=619975) - -- [Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md) - -- [Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md) - -- [Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md) - -- [Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md) - -- [Best practice recommendations for Windows To Go](best-practice-recommendations-for-windows-to-go.md) - - - - - - - - - +--- +title: Windows To Go feature overview (Windows 10) +description: Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that enables the creation of a Windows To Go workspace that can be booted from a USB-connected external drive on PCs. +ms.assetid: 9df82b03-acba-442c-801d-56db241f8d42 +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: workspace, mobile, installation, image, USB, device, image, edu +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: mobility, edu +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.topic: article +--- + +# Windows To Go: feature overview + + +**Applies to** + +- Windows 10 + +> [!IMPORTANT] +> Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. 
+ +Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that enables the creation of a Windows To Go workspace that can be booted from a USB-connected external drive on PCs. + +PCs that meet the Windows 7 or later [certification requirements](https://go.microsoft.com/fwlink/p/?LinkId=618711) can run Windows 10 in a Windows To Go workspace, regardless of the operating system running on the PC. Windows To Go workspaces can use the same image enterprises use for their desktops and laptops and can be managed the same way. Windows To Go is not intended to replace desktops, laptops or supplant other mobility offerings. Rather, it provides support for efficient use of resources for alternative workplace scenarios. There are some additional considerations that you should keep in mind before you start to use Windows To Go: + +- [Differences between Windows To Go and a typical installation of Windows](#bkmk-wtgdif) +- [Roaming with Windows To Go](#bkmk-wtgroam) +- [Prepare for Windows To Go](#wtg-prep-intro) +- [Hardware considerations for Windows To Go](#wtg-hardware) + +> [!NOTE] +> Windows To Go is not supported on Windows RT. + +## Differences between Windows To Go and a typical installation of Windows + +Windows To Go workspace operates just like any other installation of Windows with a few exceptions. These exceptions are: + +- **Internal disks are offline.** To ensure data isn’t accidentally disclosed, internal hard disks on the host computer are offline by default when booted into a Windows To Go workspace. Similarly if a Windows To Go drive is inserted into a running system, the Windows To Go drive will not be listed in Windows Explorer. +- **Trusted Platform Module (TPM) is not used.** When using BitLocker Drive Encryption a pre-operating system boot password will be used for security rather than the TPM since the TPM is tied to a specific computer and Windows To Go drives will move between computers. 
+- **Hibernate is disabled by default.** To ensure that the Windows To Go workspace is able to move between computers easily, hibernation is disabled by default. Hibernation can be re-enabled by using Group Policy settings. +- **Windows Recovery Environment is not available.** In the rare case that you need to recover your Windows To Go drive, you should re-image it with a fresh image of Windows. +- **Refreshing or resetting a Windows To Go workspace is not supported.** Resetting to the manufacturer’s standard for the computer doesn’t apply when running a Windows To Go workspace, so the feature was disabled. +- **Upgrading a Windows To Go workspace is not supported.** Older Windows 8 or Windows 8.1 Windows To Go workspaces cannot be upgraded to Windows 10 workspaces, nor can Windows 10 Windows To Go workspaces be upgraded to future versions of Windows 10. For new versions, the workspace needs to be re-imaged with a fresh image of Windows. + +## Roaming with Windows To Go + +Windows To Go drives can be booted on multiple computers. When a Windows To Go workspace is first booted on a host computer it will detect all hardware on the computer and install any needed drivers. When the Windows To Go workspace is subsequently booted on that host computer it will be able to identify the host computer and load the correct set of drivers automatically. + +The applications that you want to use from the Windows To Go workspace should be tested to make sure they also support roaming. Some applications bind to the computer hardware which will cause difficulties if the workspace is being used with multiple host computers. + +## Prepare for Windows To Go + +Enterprises install Windows on a large group of computers either by using configuration management software (such as System Center Configuration Manager), or by using standard Windows deployment tools such as DiskPart and the Deployment Image Servicing and Management (DISM) tool. 
+ +These same tools can be used to provision Windows To Go drive, just as you would if you were planning for provisioning a new class of mobile PCs. You can use the [Windows Assessment and Deployment Kit](https://go.microsoft.com/fwlink/p/?LinkId=526803) to review deployment tools available. + +> [!IMPORTANT] +> Make sure you use the versions of the deployment tools provided for the version of Windows you are deploying. There have been many enhancements made to support Windows To Go. Using versions of the deployment tools released for earlier versions of Windows to provision a Windows To Go drive is not supported. + +As you decide what to include in your Windows To Go image, be sure to consider the following questions: + +Are there any drivers that you need to inject into the image? + +How will data be stored and synchronized to appropriate locations from the USB device? + +Are there any applications that are incompatible with Windows To Go roaming that should not be included in the image? + +What should be the architecture of the image - 32bit/64bit? + +What remote connectivity solution should be supported in the image if Windows To Go is used outside the corporate network? + +For more information about designing and planning your Windows To Go deployment, see [Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md). + +## Hardware considerations for Windows To Go + +**For USB drives** + +The devices listed in this section have been specially optimized and certified for Windows To Go and meet the necessary requirements for booting and running a full version of Windows 10 from a USB drive. The optimizations for Windows To Go include the following: + +- Windows To Go certified USB drives are built for high random read/write speeds and support the thousands of random access I/O operations per second required for running normal Windows workloads smoothly. 
+- Windows To Go certified USB drives have been tuned to ensure they boot and run on hardware certified for use with Windows 7 and later. +- Windows To Go certified USB drives are built to last. Certified USB drives are backed with manufacturer warranties and should continue operating under normal usage. Refer to the manufacturer websites for warranty details. + +As of the date of publication, the following are the USB drives currently certified for use as Windows To Go drives: + +> [!WARNING] +> Using a USB drive that has not been certified is not supported. + +- IronKey Workspace W700 ([http://www.ironkey.com/windows-to-go-drives/ironkey-workspace-w700.html](https://go.microsoft.com/fwlink/p/?LinkId=618714)) +- IronKey Workspace W500 ([http://www.ironkey.com/windows-to-go-drives/ironkey-workspace-w500.html](https://go.microsoft.com/fwlink/p/?LinkId=618717)) +- IronKey Workspace W300 ([http://www.ironkey.com/windows-to-go-drives/ironkey-workspace-w300.html](https://go.microsoft.com/fwlink/p/?LinkId=618718)) +- Kingston DataTraveler Workspace for Windows To Go ([http://www.kingston.com/wtg/](https://go.microsoft.com/fwlink/p/?LinkId=618719)) +- Spyrus Portable Workplace ([http://www.spyruswtg.com/](https://go.microsoft.com/fwlink/p/?LinkId=618720)) + + We recommend that you run the Spyrus Deployment Suite for Windows To Go to provision the Spyrus Portable Workplace. + +- Spyrus Secure Portable Workplace ([http://www.spyruswtg.com/](https://go.microsoft.com/fwlink/p/?LinkId=618720)) + + > [!IMPORTANT] + > You must use the Spyrus Deployment Suite for Windows To Go to provision the Spyrus Secure Portable Workplace. For more information about the Spyrus Deployment Suite for Windows To Go please refer to [http://www.spyruswtg.com/](https://go.microsoft.com/fwlink/p/?LinkId=618720). + + +- Spyrus Worksafe ([http://www.spyruswtg.com/](https://go.microsoft.com/fwlink/p/?LinkId=618720)) + + > [!TIP] + > This device contains an embedded smart card. 
+ + + +- Super Talent Express RC4 for Windows To Go + + -and- + + Super Talent Express RC8 for Windows To Go + + ([http://www.supertalent.com/wtg/](https://go.microsoft.com/fwlink/p/?LinkId=618721)) + +- Western Digital My Passport Enterprise ([http://www.wd.com/wtg](https://go.microsoft.com/fwlink/p/?LinkId=618722)) + + We recommend that you run the WD Compass utility to prepare the Western Digital My Passport Enterprise drive for provisioning with Windows To Go.  For more information about the WD Compass utility please refer to [http://www.wd.com/wtg](https://go.microsoft.com/fwlink/p/?LinkId=618722) + +**For host computers** + +When assessing the use of a PC as a host for a Windows To Go workspace you should consider the following criteria: + +- Hardware that has been certified for use with Windows 7 or later operating systems will work well with Windows To Go. +- Running a Windows To Go workspace from a computer that is running Windows RT is not a supported scenario. +- Running a Windows To Go workspace on a Mac computer is not a supported scenario. + +The following table details the characteristics that the host computer must have to be used with Windows To Go: + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ItemRequirement

    Boot process

    Capable of USB boot

    Firmware

    USB boot enabled. (PCs certified for use with Windows 7 or later can be configured to boot directly from USB, check with the hardware manufacturer if you are unsure of the ability of your PC to boot from USB)

    Processor architecture

    Must support the image on the Windows To Go drive

    External USB Hubs

    Not supported; connect the Windows To Go drive directly to the host machine

    Processor

    1 Ghz or faster

    RAM

    2 GB or greater

    Graphics

    DirectX 9 graphics device with WDDM 1.2 or greater driver

    USB port

    USB 2.0 port or greater

    + +**Checking for architectural compatibility between the host PC and the Windows To Go drive** + +In addition to the USB boot support in the BIOS, the Windows 10 image on your Windows To Go drive must be compatible with the processor architecture and the firmware of the host PC as shown in the table below. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Host PC Firmware TypeHost PC Processor ArchitectureCompatible Windows To Go Image Architecture

    Legacy BIOS

    32-bit

    32-bit only

    Legacy BIOS

    64-bit

    32-bit and 64-bit

    UEFI BIOS

    32-bit

    32-bit only

    UEFI BIOS

    64-bit

    64-bit only

    + +## Additional resources + +- [Windows 10 forums](https://go.microsoft.com/fwlink/p/?LinkId=618949) +- [Windows To Go Step by Step Wiki](https://go.microsoft.com/fwlink/p/?LinkId=618950) +- [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkId=618951) + +## Related topics + +[Deploy Windows To Go in your organization](https://go.microsoft.com/fwlink/p/?LinkId=619975)
    +[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md)
    +[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
    +[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
    +[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
    +[Best practice recommendations for Windows To Go](best-practice-recommendations-for-windows-to-go.md) diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md index 530c47ce6f..deb025fd32 100644 --- a/windows/deployment/s-mode.md +++ b/windows/deployment/s-mode.md @@ -51,7 +51,7 @@ The [MSIX Packaging Tool](https://docs.microsoft.com/windows/application-managem ## Related links -- [Consumer applications for S mode](https://www.microsoft.com/en-us/windows/s-mode) -- [S mode devices](https://www.microsoft.com/en-us/windows/view-all-devices) +- [Consumer applications for S mode](https://www.microsoft.com/windows/s-mode) +- [S mode devices](https://www.microsoft.com/windows/view-all-devices) - [Windows Defender Application Control deployment guide](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide) -- [Windows Defender Advanced Threat Protection](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp) +- [Windows Defender Advanced Threat Protection](https://www.microsoft.com/WindowsForBusiness/windows-atp) diff --git a/windows/deployment/update/update-compliance-wd-av-status.md b/windows/deployment/update/update-compliance-wd-av-status.md index 35deef9366..74250033ff 100644 --- a/windows/deployment/update/update-compliance-wd-av-status.md +++ b/windows/deployment/update/update-compliance-wd-av-status.md 
@@ -20,7 +20,7 @@ ms.topic: article The Windows Defender AV Status section deals with data concerning signature and threat status for devices that use Windows Defender Antivirus. The section tile in the [Overview Blade](update-compliance-using.md#overview-blade) provides the percentage of devices with insufficient protection – this percentage only considers devices using Windows Defender Antivirus. >[!NOTE] ->Update Compliance's Windows Defender Antivirus status is compatible with E3, B, F1, VL Professional and below licenses. Devices with an E5 license are not shown here; devices with an E5 license can be monitored using the [Windows Defender ATP portal](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection). If you'd like to learn more about Windows 10 licensing, see the [Windows 10 product licensing options](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx). +>Update Compliance's Windows Defender Antivirus status is compatible with E3, B, F1, VL Professional and below licenses. Devices with an E5 license are not shown here; devices with an E5 license can be monitored using the [Windows Defender ATP portal](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection). If you'd like to learn more about Windows 10 licensing, see the [Windows 10 product licensing options](https://www.microsoft.com/Licensing/product-licensing/windows10.aspx). # Windows Defender AV Status sections The **Protection Status** blade gives a count for devices that have either out-of-date signatures or real-time protection turned off. Below, it gives a more detailed breakdown of the two issues. Selecting any of these statuses will navigate you to a Log Search view containing the query. 
diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md index 4df1a782b7..cda79baf8e 100644 --- a/windows/deployment/update/waas-manage-updates-wsus.md +++ b/windows/deployment/update/waas-manage-updates-wsus.md @@ -4,10 +4,9 @@ description: WSUS allows companies to defer, selectively approve, choose when de ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: greg-lindsay +author: jaimeo ms.localizationpriority: medium -ms.author: greglin -ms.date: 10/16/2017 +ms.author: jaimeo ms.reviewer: manager: laurawi ms.topic: article 
@@ -23,9 +22,8 @@ ms.topic: article > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) >[!IMPORTANT] ->Due to [naming changes](waas-overview.md#naming-changes), older terms like CB and CBB might still be displayed in some of our products, such as in Group Policy. If you encounter these terms, "CB" refers to the Semi-Annual Channel (Targeted)--which is no longer used--while "CBB" refers to the Semi-Annual Channel. -> ->In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel. +>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB and CBB might still be displayed in some of our products, such as in Group Policy or the registry. If you encounter these terms, "CB" refers to the Semi-Annual Channel (Targeted)--which is no longer used--while "CBB" refers to the Semi-Annual Channel. + WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they’re delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but does not provide all the scheduling options and deployment flexibility that System Center Configuration Manager provides. 
@@ -35,35 +33,23 @@ When you choose WSUS as your source for Windows updates, you use Group Policy to ## Requirements for Windows 10 servicing with WSUS -To be able to use WSUS to manage and deploy Windows 10 feature updates, you must have WSUS 4.0, which is available in the Windows Server 2012 R2 and Windows Server 2012 operating systems. In addition to WSUS 4.0, you must install the [KB3095113](https://support.microsoft.com/kb/3095113) and [KB3159706](https://support.microsoft.com/kb/3159706) patches on the WSUS server. +To be able to use WSUS to manage and deploy Windows 10 feature updates, you must use a supported WSUS version: +- WSUS 10.0.14393 (role in Windows Server 2016) +- WSUS 10.0.17763 (role in Windows Server 2019) +- WSUS 6.2 and 6.3 (role in Windows Server 2012 and Windows Server 2012 R2) +- KB 3095113 and KB 3159706 (or an equivalent update) must be installed on WSUS 6.2 and 6.3. + +> [!IMPORTANT] +> Both [KB 3095113](https://support.microsoft.com/kb/3095113) and [KB 3159706](https://support.microsoft.com/kb/3159706) are included in the **Security Monthly Quality Rollup** starting in July 2017. This means you might not see KB 3095113 and KB 3159706 as installed updates since they might have been installed with a rollup. However, if you need either of these updates, we recommend installing a **Security Monthly Quality Rollup** released after **October 2017** since they contain an additional WSUS update to decrease memory utilization on WSUS's clientwebservice. +>If you have synced either of these updates prior to the security monthly quality rollup, you can experience problems. To recover from this, see [How to Delete Upgrades in WSUS](https://blogs.technet.microsoft.com/wsus/2016/01/29/how-to-delete-upgrades-in-wsus/). + ## WSUS scalability To use WSUS to manage all Windows updates, some organizations may need access to WSUS from a perimeter network, or they might have some other complex scenario. 
WSUS is highly scalable and configurable for organizations of any size or site layout. For specific information about scaling WSUS, including upstream and downstream server configuration, branch offices, WSUS load balancing, and other complex scenarios, see [Choose a Type of WSUS Deployment](https://technet.microsoft.com/library/cc720448%28v=ws.10%29.aspx). -## Express Installation Files -With Windows 10, quality updates will be larger than traditional Windows Updates because they’re cumulative. To manage the bandwidth clients downloading large updates like these will need, WSUS has a feature called *Express Installation Files*. - - At a binary level, files associated with updates may not change a lot. In fact, with cumulative quality updates, most of the content will be from previous updates. Rather than downloading the entire update when only a small percentage of the payload is actually different, Express Installation Files analyze the differences between the new files associated with an update and the existing files on the client. This approach significantly reduces the amount of bandwidth used because only a fraction of the update content is actually delivered. - - **To configure WSUS to download Express Update Files** - -1. Open the WSUS Administration Console. - -2. In the navigation pane, go to *Your_Server*\\**Options**. - -3. In the **Options** section, click **Update Files and Languages**. - - ![Example of UI](images/waas-wsus-fig1.png) - -4. In the **Update Files and Languages** dialog box, select **Download express installation files**. - - ![Example of UI](images/waas-wsus-fig2.png) - - >[!NOTE] - >Because Windows 10 updates are cumulative, enabling Express Installation Files when WSUS is configured to download Windows 10 updates will significantly increase the amount of disk space that WSUS requires. 
Alternatively, when using Express Installation Files for previous versions of Windows, the feature’s positive effects aren’t noticeable because the updates aren’t cumulative. ## Configure automatic updates and update service location @@ -71,11 +57,11 @@ When using WSUS to manage updates on Windows client devices, start by configurin **To configure the Configure Automatic Updates and Intranet Microsoft Update Service Location Group Policy settings for your environment** -1. Open GPMC. +1. Open Group Policy Management Console (gpmc.msc). -2. Expand Forest\Domains\\*Your_Domain*. +2. Expand *Forest\Domains\\*Your_Domain**. -3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**. +3. Right-click **Your_Domain**, and then select **Create a GPO in this domain, and Link it here**. ![Example of UI](images/waas-wsus-fig3.png) 
@@ -99,13 +85,13 @@ When using WSUS to manage updates on Windows client devices, start by configurin
 ![Example of UI](images/waas-wsus-fig5.png)
 > [!NOTE]
- > ?There are three other settings for automatic update download and installation dates and times. This is simply the option this example uses. For more examples of how to control automatic updates and other related policies, see [Configure Automatic Updates by Using Group Policy](https://technet.microsoft.com/library/cc720539%28v=ws.10%29.aspx).
+ > There are three other settings for automatic update download and installation dates and times. This is simply the option this example uses. For more examples of how to control automatic updates and other related policies, see [Configure Automatic Updates by Using Group Policy](https://technet.microsoft.com/library/cc720539%28v=ws.10%29.aspx).
-10. Right-click the **Specify intranet Microsoft update service location** setting, and then click **Edit**.
+10. Right-click the **Specify intranet Microsoft update service location** setting, and then select **Edit**.
 11. In the **Specify intranet Microsoft update service location** dialog box, select **Enable**.
-12. Under **Options**, in the **Set the intranet update service for detecting updates** and **Set the intranet statistics server** options, type http://Your_WSUS_Server_FQDN:PortNumber, and then click **OK**.
+12. Under **Options**, in the **Set the intranet update service for detecting updates** and **Set the intranet statistics server** options, type http://Your_WSUS_Server_FQDN:PortNumber, and then select **OK**.
 >[!NOTE]
 >The URL `http://CONTOSO-WSUS1.contoso.com:8530` in the following image is just an example. In your environment, be sure to use the server name and port number for your WSUS instance.
@@ -113,7 +99,7 @@ When using WSUS to manage updates on Windows client devices, start by configurin
 ![Example of UI](images/waas-wsus-fig6.png)
 >[!NOTE]
- >The default HTTP port for WSUS is 8530, and the default HTTP over Secure Sockets Layer (HTTPS) port is 8531. If you’re unsure which port WSUS is using for client communication, right-click the WSUS Administration site in IIS Manager, and then click **Edit Bindings**.
+ >The default HTTP port for WSUS is 8530, and the default HTTP over Secure Sockets Layer (HTTPS) port is 8531. (The other options are 80 and 443; no other ports are supported.)
 As Windows clients refresh their computer policies (the default Group Policy refresh setting is 90 minutes and when a computer restarts), computers start to appear in WSUS.
 Now that clients are communicating with the WSUS server, create the computer groups that align with your deployment rings.
@@ -139,6 +125,7 @@ You can use computer groups to target a subset of devices that have specific qua
 Now that the groups have been created, add the computers to the computer groups that align with the desired deployment rings. You can do this through [Group Policy](#wsus-gp) or manually by using the [WSUS Administration Console](#wsus-admin).
+
 ## Use the WSUS Administration Console to populate deployment rings
 Adding computers to computer groups in the WSUS Administration Console is simple, but it could take much longer than managing membership through Group Policy, especially if you have many computers to add. Adding computers to computer groups in the WSUS Administration Console is called *server-side targeting*.
@@ -205,7 +192,7 @@ Now that WSUS is ready for client-side targeting, complete the following steps t
 >[!TIP]
 >When using client-side targeting, consider giving security groups the same names as your deployment rings. Doing so simplifies the policy-creation process and helps ensure that you don’t add computers to the incorrect rings.
-1. Open GPMC.
+1. Open Group Policy Management Console (gpmc.msc).
 2. Expand Forest\Domains\\*Your_Domain*.
@@ -223,10 +210,13 @@ Now that WSUS is ready for client-side targeting, complete the following steps t
 8. In the **Enable client-side targeting** dialog box, select **Enable**.
-9. In the **Target group name for this computer** box, type **Ring 4 Broad Business Users**. This is the name of the deployment ring in WSUS to which these computers will be added.
+9. In the **Target group name for this computer** box, type *Ring 4 Broad Business Users*. This is the name of the deployment ring in WSUS to which these computers will be added.
 ![Example of UI](images/waas-wsus-fig12.png)
+> [!WARNING]
+> The target group name must match the computer group name.
+
 10. Close the Group Policy Management Editor.
 Now you’re ready to deploy this GPO to the correct computer security group for the **Ring 4 Broad Business Users** deployment ring.
@@ -248,7 +238,8 @@ The next time the clients in the **Ring 4 Broad Business Users** security group
 For clients that should have their feature updates approved as soon as they’re available, you can configure Automatic Approval rules in WSUS.
 >[!NOTE]
->WSUS respects the client’s servicing branch. If you approve a feature update while it is still Current Branch (CB), WSUS will install the update only on PCs that are in the CB servicing branch. When Microsoft releases the build for Current Branch for Business (CBB), the PCs in the CBB servicing branch will install it. Windows Update for Business branch settings do not apply to feature updates through WSUS.
+>WSUS respects the client device's servicing branch. If you approve a feature update while it is still in one branch, such as Insider Preview, WSUS will install the update only on devices that are in that servicing branch. When Microsoft releases the build for Semi-Annual Channel, the devices in the Semi-Annual Channel will install it. Windows Update for Business branch settings do not apply to feature updates through WSUS.
+
 **To configure an Automatic Approval rule for Windows 10 feature updates and approve them for the Ring 3 Broad IT deployment ring**
@@ -277,13 +268,18 @@ For clients that should have their feature updates approved as soon as they’re
 9. In the **Automatic Approvals** dialog box, click **OK**.
 >[!NOTE]
- >WSUS does not honor any existing month/week/day deferral settings for CB or CBB. That said, if you’re using Windows Update for Business for a computer for which WSUS is also managing updates, when WSUS approves the update, it will be installed on the computer regardless of whether you configured Group Policy to wait.
+ >WSUS does not honor any existing month/week/day [deferral settings](waas-configure-wufb.md#configure-when-devices-receive-feature-updates). That said, if you’re using Windows Update for Business for a computer for which WSUS is also managing updates, when WSUS approves the update, it will be installed on the computer regardless of whether you configured Group Policy to wait.
 Now, whenever Windows 10 feature updates are published to WSUS, they will automatically be approved for the **Ring 3 Broad IT** deployment ring with an installation deadline of 1 week.
+> [!WARNING]
+> The auto approval rule runs after synchronization occurs. This means that the *next* upgrade for each Windows 10 version will be approved. If you select **Run Rule**, all possible updates that meet the criteria will be approved, potentially including older updates that you don't actualy want--which can be a problem when the download sizes are very large.
+
 ## Manually approve and deploy feature updates
-You can manually approve updates and set deadlines for installation within the WSUS Administration Console, as well. To simplify the manual approval process, start by creating a software update view that contains only Windows 10 updates.
+You can manually approve updates and set deadlines for installation within the WSUS Administration Console, as well. It might be best to approve update rules manually after your pilot deployment has been updated.
+
+To simplify the manual approval process, start by creating a software update view that contains only Windows 10 updates.
 **To approve and deploy feature updates manually**
@@ -301,7 +297,7 @@ You can manually approve updates and set deadlines for installation within the W
 ![Example of UI](images/waas-wsus-fig16.png)
-Now that you have the All Windows 10 Upgrades view, complete the following steps to manually approve an update for the **Ring 4 Broad Business Users** deployment ring:
+Now that you have the **All Windows 10 Upgrades** view, complete the following steps to manually approve an update for the **Ring 4 Broad Business Users** deployment ring:
 1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Updates\All Windows 10 Upgrades.
diff --git a/windows/deployment/update/waas-mobile-updates.md b/windows/deployment/update/waas-mobile-updates.md
index 78594a2262..73652f10a9 100644
--- a/windows/deployment/update/waas-mobile-updates.md
+++ b/windows/deployment/update/waas-mobile-updates.md
@@ -18,7 +18,7 @@ ms.topic: article
 **Applies to**
 - Windows 10 Mobile
-- [Windows 10 IoT Mobile](https://www.microsoft.com/en-us/WindowsForBusiness/windows-iot)
+- [Windows 10 IoT Mobile](https://www.microsoft.com/WindowsForBusiness/windows-iot)
 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
diff --git a/windows/deployment/update/waas-morenews.md b/windows/deployment/update/waas-morenews.md
index b1122abef6..bf740f50c0 100644
--- a/windows/deployment/update/waas-morenews.md
+++ b/windows/deployment/update/waas-morenews.md
@@ -37,7 +37,7 @@ Here's more news about [Windows as a service](windows-as-a-service.md):
  • How to get the Windows 10 October 2018 Update - October 2, 2018
  • Reducing Windows 10 Package Size Downloads for x64 Systems - September 26, 2018
  • Windows 7 Servicing Stack Updates: Managing Change and Appreciating Cumulative Updates - September 21, 2018
  • -
  • Helping customers shift to a modern desktop - September 6, 2018
  • +
  • Helping customers shift to a modern desktop - September 6, 2018
  • Windows Update for Business & Windows Analytics: a real-world experience - September 5, 2018
  • What's next for Windows 10 and Windows Server quality updates - August 16, 2018
  • Windows 10 monthly updates - August 1, 2018 (video)
  •
diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md
index 56b4cc46a7..74c05a0abe 100644
--- a/windows/deployment/update/waas-quick-start.md
+++ b/windows/deployment/update/waas-quick-start.md
@@ -50,7 +50,7 @@ See [Assign devices to servicing channels for Windows 10 updates](waas-servicing
 ## Staying up to date
-The process for keeping Windows 10 up to date involves deploying a feature update, at an appropriate time after its release. A variety of tools management and patching tools such as Windows Update, Windows Update for Business, Windows Server Update Services, System Center Configuration Manager, and third-party products) can be used to help with this process. [Windows Analytics Upgrade Readiness](https://www.microsoft.com/en-us/WindowsForBusiness/windows-analytics), a free tool to streamline Windows upgrade projects, is another important tool to help.
+The process for keeping Windows 10 up to date involves deploying a feature update, at an appropriate time after its release. A variety of tools management and patching tools such as Windows Update, Windows Update for Business, Windows Server Update Services, System Center Configuration Manager, and third-party products) can be used to help with this process. [Windows Analytics Upgrade Readiness](https://www.microsoft.com/WindowsForBusiness/windows-analytics), a free tool to streamline Windows upgrade projects, is another important tool to help.
 Because app compatibility, both for desktop apps and web apps, is outstanding with Windows 10, extensive advanced testing isn’t required. Instead, only business-critical apps need to be tested, with the remaining apps validated through a series of pilot deployment rings. Once these pilot deployments have validated most apps, broad deployment can begin.
diff --git a/windows/deployment/update/windows-as-a-service.md b/windows/deployment/update/windows-as-a-service.md
index ab43140802..d7d45d741a 100644
--- a/windows/deployment/update/windows-as-a-service.md
+++ b/windows/deployment/update/windows-as-a-service.md
@@ -80,7 +80,7 @@ Prepare to implement Windows as a service effectively using the right tools, pro
-Simplified updates
+Simplified updates
 Windows 10 end user readiness
diff --git a/windows/deployment/update/wufb-compliancedeadlines.md b/windows/deployment/update/wufb-compliancedeadlines.md
index 6524be0563..1edad940a4 100644
--- a/windows/deployment/update/wufb-compliancedeadlines.md
+++ b/windows/deployment/update/wufb-compliancedeadlines.md
@@ -105,13 +105,13 @@ Once the device is in the pending restart state, it will attempt to restart the
-#### Suggested configuration {OK}
+#### Suggested configuration
 |Policy|Location|3-day compliance|5-day compliance|7-day compliance|
 |-|-|-|-|-|
 |Specify deadline before auto-restart for update installation| GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadline before auto-restart for update installation |State: Enabled
    **Specify the number of days before pending restart will automatically be executed outside of active hours:** 2| State: Enabled
    **Specify the number of days before pending restart will automatically be executed outside of active hours:** 3 | State: Enabled
    **Specify the number of days before pending restart will automatically be executed outside of active hours:** 4|
-#### Controlling notification experience for deadline {OK}
+#### Controlling notification experience for deadline
 |Policy| Location|Suggested Configuration |
 |-|-|-|
diff --git a/windows/deployment/upgrade/log-files.md b/windows/deployment/upgrade/log-files.md
index 0216aec2c1..0214e53ad8 100644
--- a/windows/deployment/upgrade/log-files.md
+++ b/windows/deployment/upgrade/log-files.md
@@ -166,6 +166,6 @@ Therefore, Windows Setup failed because it was not able to migrate the corrupt f
 [Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx)
    [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) -
    [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications) +
    [Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)
    [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
    [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)
diff --git a/windows/deployment/upgrade/quick-fixes.md b/windows/deployment/upgrade/quick-fixes.md
index 305917b360..01850db7f6 100644
--- a/windows/deployment/upgrade/quick-fixes.md
+++ b/windows/deployment/upgrade/quick-fixes.md
@@ -234,6 +234,6 @@ If you downloaded the SetupDiag.exe program to your computer, then copied it to
 [Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx)
    [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) -
    [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications) +
    [Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)
    [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
    [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)
diff --git a/windows/deployment/upgrade/resolution-procedures.md b/windows/deployment/upgrade/resolution-procedures.md
index 34e22a7ab7..15c4156866 100644
--- a/windows/deployment/upgrade/resolution-procedures.md
+++ b/windows/deployment/upgrade/resolution-procedures.md
@@ -504,7 +504,7 @@ This error has more than one possible cause. Attempt [quick fixes](quick-fixes.m
 0xC1900200 Setup.exe has detected that the machine does not meet the minimum system requirements.
-Ensure the system you are trying to upgrade meets the minimum system requirements.
    See Windows 10 specifications for information. +Ensure the system you are trying to upgrade meets the minimum system requirements.
    See Windows 10 specifications for information. @@ -524,14 +524,14 @@ This error has more than one possible cause. Attempt [quick fixes](quick-fixes.m 0x80190001 An unexpected error was encountered while attempting to download files required for upgrade. -To resolve this issue, download and run the media creation tool. See Download windows 10. +To resolve this issue, download and run the media creation tool. See Download windows 10. 0x80246007 The update was not downloaded successfully. Attempt other methods of upgrading the operating system.
    -Download and run the media creation tool. See Download windows 10. +Download and run the media creation tool. See Download windows 10.
    Attempt to upgrade using .ISO or USB.
    Note: Windows 10 Enterprise isn’t available in the media creation tool. For more information, go to the Volume Licensing Service Center. @@ -640,7 +640,7 @@ Download and run the media creation tool. See Windows 10 Specifications and verify the computer meets minimum requirements. +See Windows 10 Specifications and verify the computer meets minimum requirements.
    Review logs for [compatibility information](https://blogs.technet.microsoft.com/askcore/2016/01/21/using-the-windows-10-compatibility-reports-to-understand-upgrade-issues/). 0x80070004 - 0x3000D @@ -766,6 +766,6 @@ Also see the following sequential list of modern setup (mosetup) error codes wit [Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx)
    [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) -
    [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications) +
    [Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)
    [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
    [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)
diff --git a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
index af24d3c075..3a7f854132 100644
--- a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
+++ b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
@@ -58,7 +58,7 @@ See the following topics in this article:
 [Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx)
    [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) -
    [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications) +
    [Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)
    [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
    [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)
diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md
index b413218f3d..f468627408 100644
--- a/windows/deployment/upgrade/setupdiag.md
+++ b/windows/deployment/upgrade/setupdiag.md
@@ -28,7 +28,7 @@ ms.topic: article
 ## About SetupDiag
-Current version of SetupDiag: 1.6.0.0
+Current version of SetupDiag: 1.6.0.42
 >Always be sure to run the most recent version of SetupDiag, so that can access new functionality and fixes to known issues.
 SetupDiag is a standalone diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful.
@@ -73,6 +73,8 @@ The [Release notes](#release-notes) section at the bottom of this topic has info
 | /Verbose |
    • This optional parameter will output much more data to a log file. By default, SetupDiag will only produce a log file entry for serious errors. Using **/Verbose** will cause SetupDiag to always produce an additional log file with debugging details. These details can be useful when reporting a problem with SetupDiag.
    | | /NoTel |
    • This optional parameter tells SetupDiag.exe not to send diagnostic telemetry to Microsoft.
    | | /AddReg |
    • This optional parameter instructs SetupDiag.exe to add failure information to the registry in offline mode. By default, SetupDiag will add failure information to the registry in online mode only. Registry data is added to the following location on the system where SetupDiag is run: **HKLM\SYSTEM\Setup\MoSetup\Volatile\SetupDiag**.
    | +| /RegPath |
    • This optional parameter instructs SetupDiag.exe to add failure information to the registry using the specified path. If this parameter is not specified the default path is **HKLM\SYSTEM\Setup\MoSetup\Volatile\SetupDiag**. +
    | Note: The **/Mode** parameter is deprecated in version 1.4.0.0 of SetupDiag.
 - In previous versions, this command was used with the LogsPath parameter to specify that SetupDiag should run in an offline manner to analyze a set of log files that were captured from a different computer. In version 1.4.0.0 when you specify /LogsPath then SetupDiag will automatically run in offline mode, therefore the /Mode parameter is not needed.
@@ -318,7 +320,7 @@ Each rule name and its associated unique rule identifier are listed with a descr
 ## Release notes
-08/08/2019 - SetupDiag v1.6.0.0 is released with 60 rules, as a standalone tool available from the Download Center.
+08/08/2019 - SetupDiag v1.6.0.42 is released with 60 rules, as a standalone tool available from the Download Center.
 - Log detection performance is improved. What used to take up to a minute should take around 10 seconds or less.
 - Added Setup Operation and Setup Phase information to both the results log and the registry information.
 - This is the last Operation and Phase that Setup was in when the failure occurred.
@@ -332,54 +334,54 @@ Each rule name and its associated unique rule identifier are listed with a descr
 06/19/2019 - SetupDiag v1.5.0.0 is released with 60 rules, as a standalone tool available from the Download Center.
- - All date and time outputs are updated to localized format per user request.
- - Added setup Operation and Phase information to /verbose log.
- - Added last Setup Operation and last Setup Phase information to most rules where it make sense (see new output below).
- - Performance improvement in searching setupact.logs to determine correct log to parse.
- - Added SetupDiag version number to text report (xml and json always had it).
- - Added "no match" reports for xml and json per user request.
- - Formatted Json output for easy readability.
- - Performance improvements when searching for setup logs; this should be much faster now.
- - Added 7 new rules: PlugInComplianceBlock, PreReleaseWimMountDriverFound, WinSetupBootFilterFailure, WimMountDriverIssue, DISMImageSessionFailure, FindEarlyDownlevelError, and FindSPFatalError. See the [Rules](#rules) section above for more information.
- - Diagnostic information is now output to the registry at **HKLM\SYSTEM\Setup\MoSetup\Volatile\SetupDiag**
- - The **/AddReg** command was added to toggle registry output. This setting is off by default for offline mode, and on by default for online mode. The command has no effect for online mode and enables registry output for offline mode.
- - This registry key is deleted as soon as SetupDiag is run a second time, and replaced with current data, so it’s always up to date.
- - This registry key also gets deleted when a new update instance is invoked.
- - For an example, see [Sample registry key](#sample-registry-key).
+- All date and time outputs are updated to localized format per user request.
+- Added setup Operation and Phase information to /verbose log.
+- Added last Setup Operation and last Setup Phase information to most rules where it make sense (see new output below).
+- Performance improvement in searching setupact.logs to determine correct log to parse.
+- Added SetupDiag version number to text report (xml and json always had it).
+- Added "no match" reports for xml and json per user request.
+- Formatted Json output for easy readability.
+- Performance improvements when searching for setup logs; this should be much faster now.
+- Added 7 new rules: PlugInComplianceBlock, PreReleaseWimMountDriverFound, WinSetupBootFilterFailure, WimMountDriverIssue, DISMImageSessionFailure, FindEarlyDownlevelError, and FindSPFatalError. See the [Rules](#rules) section above for more information.
+- Diagnostic information is now output to the registry at **HKLM\SYSTEM\Setup\MoSetup\Volatile\SetupDiag**
+ - The **/AddReg** command was added to toggle registry output. This setting is off by default for offline mode, and on by default for online mode. The command has no effect for online mode and enables registry output for offline mode.
+ - This registry key is deleted as soon as SetupDiag is run a second time, and replaced with current data, so it’s always up to date.
+ - This registry key also gets deleted when a new update instance is invoked.
+ - For an example, see [Sample registry key](#sample-registry-key).
 05/17/2019 - SetupDiag v1.4.1.0 is released with 53 rules, as a standalone tool available from the Download Center.
- - This release dds the ability to find and diagnose reset and recovery failures (Push Button Reset).
+- This release dds the ability to find and diagnose reset and recovery failures (Push Button Reset).
 12/18/2018 - SetupDiag v1.4.0.0 is released with 53 rules, as a standalone tool available from the Download Center.
- - This release includes major improvements in rule processing performance: ~3x faster rule processing performance!
- - The FindDownlevelFailure rule is up to 10x faster.
- - New rules have been added to analyze failures upgrading to Windows 10 version 1809.
- - A new help link is available for resolving servicing stack failures on the down-level OS when the rule match indicates this type of failure.
- - Removed the need to specify /Mode parameter. Now if you specify /LogsPath, it automatically assumes offline mode.
- - Some functional and output improvements were made for several rules.
+- This release includes major improvements in rule processing performance: ~3x faster rule processing performance!
+ - The FindDownlevelFailure rule is up to 10x faster.
+- New rules have been added to analyze failures upgrading to Windows 10 version 1809.
+- A new help link is available for resolving servicing stack failures on the down-level OS when the rule match indicates this type of failure.
+- Removed the need to specify /Mode parameter. Now if you specify /LogsPath, it automatically assumes offline mode.
+- Some functional and output improvements were made for several rules.
 07/16/2018 - SetupDiag v1.3.1 is released with 44 rules, as a standalone tool available from the Download Center.
- - This release fixes a problem that can occur when running SetupDiag in online mode on a computer that produces a setupmem.dmp file, but does not have debugger binaries installed.
+- This release fixes a problem that can occur when running SetupDiag in online mode on a computer that produces a setupmem.dmp file, but does not have debugger binaries installed.
 07/10/2018 - SetupDiag v1.30 is released with 44 rules, as a standalone tool available from the Download Center.
- - Bug fix for an over-matched plug-in rule. The rule will now correctly match only critical (setup failure) plug-in issues.
- - New feature: Ability to output logs in JSON and XML format.
- - Use "/Format:xml" or "/Format:json" command line parameters to specify the new output format. See [sample logs](#sample-logs) at the bottom of this topic.
- - If the “/Format:xml” or “/Format:json” parameter is omitted, the log output format will default to text.
- - New Feature: Where possible, specific instructions are now provided in rule output to repair the identified error. For example, instructions are provided to remediate known blocking issues such as uninstalling an incompatible app or freeing up space on the system drive.
- - 3 new rules added: AdvancedInstallerFailed, MigrationAbortedDueToPluginFailure, DISMAddPackageFailed.
+- Bug fix for an over-matched plug-in rule. The rule will now correctly match only critical (setup failure) plug-in issues.
+- New feature: Ability to output logs in JSON and XML format.
+ - Use "/Format:xml" or "/Format:json" command line parameters to specify the new output format. See [sample logs](#sample-logs) at the bottom of this topic.
+ - If the “/Format:xml” or “/Format:json” parameter is omitted, the log output format will default to text.
+- New Feature: Where possible, specific instructions are now provided in rule output to repair the identified error. For example, instructions are provided to remediate known blocking issues such as uninstalling an incompatible app or freeing up space on the system drive.
+- 3 new rules added: AdvancedInstallerFailed, MigrationAbortedDueToPluginFailure, DISMAddPackageFailed.
 05/30/2018 - SetupDiag v1.20 is released with 41 rules, as a standalone tool available from the Download Center.
- - Fixed a bug in device install failure detection in online mode.
- - Changed SetupDiag to work without an instance of setupact.log. Previously, SetupDiag required at least one setupact.log to operate. This change enables the tool to analyze update failures that occur prior to calling SetupHost.
- - Telemetry is refactored to only send the rule name and GUID (or “NoRuleMatched” if no rule is matched) and the Setup360 ReportId. This change assures data privacy during rule processing.
+- Fixed a bug in device install failure detection in online mode.
+- Changed SetupDiag to work without an instance of setupact.log. Previously, SetupDiag required at least one setupact.log to operate. This change enables the tool to analyze update failures that occur prior to calling SetupHost.
+- Telemetry is refactored to only send the rule name and GUID (or “NoRuleMatched” if no rule is matched) and the Setup360 ReportId. This change assures data privacy during rule processing.
 05/02/2018 - SetupDiag v1.10 is released with 34 rules, as a standalone tool available from the Download Center.
- - A performance enhancment has been added to result in faster rule processing.
- - Rules output now includes links to support articles, if applicable.
- - SetupDiag now provides the path and name of files that it is processing.
- - You can now run SetupDiag by simply clicking on it and then examining the output log file.
- - An output log file is now always created, whether or not a rule was matched.
+- A performance enhancment has been added to result in faster rule processing.
+- Rules output now includes links to support articles, if applicable.
+- SetupDiag now provides the path and name of files that it is processing.
+- You can now run SetupDiag by simply clicking on it and then examining the output log file.
+- An output log file is now always created, whether or not a rule was matched.
 03/30/2018 - SetupDiag v1.00 is released with 26 rules, as a standalone tool available from the Download Center.
diff --git a/windows/deployment/upgrade/submit-errors.md b/windows/deployment/upgrade/submit-errors.md
index 6f6bde4fba..64716a73e7 100644
--- a/windows/deployment/upgrade/submit-errors.md
+++ b/windows/deployment/upgrade/submit-errors.md
@@ -29,7 +29,7 @@ This topic describes how to submit problems with a Windows 10 upgrade to Microso
 ## About the Feedback Hub
-The Feedback Hub app lets you tell Microsoft about any problems you run in to while using Windows 10 and send suggestions to help us improve your Windows experience. Previously, you could only use the Feedback Hub if you were in the Windows Insider Program. Now anyone can use this tool. You can download the Feedback Hub app from the Microsoft Store [here](https://www.microsoft.com/en-us/store/p/feedback-hub/9nblggh4r32n?SilentAuth=1&wa=wsignin1.0).
+The Feedback Hub app lets you tell Microsoft about any problems you run in to while using Windows 10 and send suggestions to help us improve your Windows experience. Previously, you could only use the Feedback Hub if you were in the Windows Insider Program. Now anyone can use this tool. You can download the Feedback Hub app from the Microsoft Store [here](https://www.microsoft.com/store/p/feedback-hub/9nblggh4r32n?SilentAuth=1&wa=wsignin1.0).
 The Feedback Hub requires Windows 10 or Windows 10 mobile. If you are having problems upgrading from an older version of Windows to Windows 10, you can use the Feedback Hub to submit this information, but you must collect the log files from the legacy operating system and then attach these files to your feedback using a device that is running Windows 10. If you are upgrading to Windows 10 from a previous verion of Windows 10, the Feedback Hub will collect log files automatically.
diff --git a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md
index b252ff670a..c9509188a3 100644
--- a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md
+++ b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md
@@ -92,6 +92,6 @@ WIM = Windows image (Microsoft)
 [Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx)
    [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) -
    [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications) +
    [Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)
    [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
    [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)
diff --git a/windows/deployment/upgrade/upgrade-error-codes.md b/windows/deployment/upgrade/upgrade-error-codes.md
index f06c6fb87b..0dd0d042c6 100644
--- a/windows/deployment/upgrade/upgrade-error-codes.md
+++ b/windows/deployment/upgrade/upgrade-error-codes.md
@@ -154,6 +154,6 @@ For example: An extend code of **0x4000D**, represents a problem during phase 4
 [Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx)
    [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) -
    [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications) +
    [Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)
    [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
    [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)
diff --git a/windows/deployment/upgrade/upgrade-readiness-requirements.md b/windows/deployment/upgrade/upgrade-readiness-requirements.md
index 3078890be7..582f5bb732 100644
--- a/windows/deployment/upgrade/upgrade-readiness-requirements.md
+++ b/windows/deployment/upgrade/upgrade-readiness-requirements.md
@@ -31,7 +31,7 @@ If you need to update user computers to Windows 7 SP1 or Windows 8.1, use Window
 > [!NOTE]
 > Upgrade Readiness is designed to best support in-place upgrades. In-place upgrades do not support migrations from BIOS to UEFI or from 32-bit to 64-bit architecture. If you need to migrate computers in these scenarios, use the wipe-and-reload method. Upgrade Readiness insights are still valuable in this scenario, however, you can ignore in-place upgrade specific guidance.
-See [Windows 10 Specifications](https://www.microsoft.com/en-US/windows/windows-10-specifications) for additional information about computer system requirements.
+See [Windows 10 Specifications](https://www.microsoft.com/windows/windows-10-specifications) for additional information about computer system requirements.
 ### Windows 10
diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md
index 72345c3d54..d683bd63b3 100644
--- a/windows/deployment/upgrade/windows-10-edition-upgrades.md
+++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md
@@ -138,7 +138,7 @@ Downgrading from Enterprise
 - Upgrade edition: **Enterprise**
 - Valid downgrade paths: **Pro, Pro for Workstations, Pro Education, Education**
-You can move directly from Enterprise to any valid destination edition. In this example, downgrading to Pro for Workstations, Pro Education, or Education requires an additional activation key to supersede the firmware-embedded Pro key. In all cases, you must comply with [Microsoft License Terms](https://www.microsoft.com/useterms). If you are a volume license customer, refer to the [Microsoft Volume Licensing Reference Guide](https://www.microsoft.com/en-us/download/details.aspx?id=11091).
+You can move directly from Enterprise to any valid destination edition. In this example, downgrading to Pro for Workstations, Pro Education, or Education requires an additional activation key to supersede the firmware-embedded Pro key. In all cases, you must comply with [Microsoft License Terms](https://www.microsoft.com/useterms). If you are a volume license customer, refer to the [Microsoft Volume Licensing Reference Guide](https://www.microsoft.com/download/details.aspx?id=11091).
 ### Supported Windows 10 downgrade paths
diff --git a/windows/deployment/upgrade/windows-error-reporting.md b/windows/deployment/upgrade/windows-error-reporting.md
index f0f918ef4a..77f1ae38b0 100644
--- a/windows/deployment/upgrade/windows-error-reporting.md
+++ b/windows/deployment/upgrade/windows-error-reporting.md
@@ -68,6 +68,6 @@ The event will also contain links to log files that can be used to perform a det
 [Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx)
 [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
-[Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications)
+[Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)
 [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
 [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)
diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md
index 1ed8638bcc..7ba4d88b2d 100644
--- a/windows/deployment/vda-subscription-activation.md
+++ b/windows/deployment/vda-subscription-activation.md
@@ -29,13 +29,13 @@ Deployment instructions are provided for the following scenarios:
 - VMs must be running Windows 10 Pro, version 1703 (also known as the Creator's Update) or later.
 - VMs must be Active Directory-joined or Azure Active Directory (AAD)-joined.
 - VMs must be generation 1.
-- VMs must hosted by a [Qualified Multitenant Hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) (QMTH).
+- VMs must hosted by a [Qualified Multitenant Hoster](https://www.microsoft.com/CloudandHosting/licensing_sca.aspx) (QMTH).
 ## Activation
 ### Scenario 1
 - The VM is running Windows 10, version 1803 or later.
-- The VM is hosted in Azure or another [Qualified Multitenant Hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) (QMTH).
+- The VM is hosted in Azure or another [Qualified Multitenant Hoster](https://www.microsoft.com/CloudandHosting/licensing_sca.aspx) (QMTH).
 When a user with VDA rights signs in to the VM using their AAD credentials, the VM is automatically stepped-up to Enterprise and activated. There is no need to perform Windows 10 Pro activation. This eliminates the need to maintain KMS or MAK in the qualifying cloud infrastructure.
@@ -45,7 +45,7 @@ Deployment instructions are provided for the following scenarios:
 [Inherited Activation](https://docs.microsoft.com/windows/deployment/windows-10-subscription-activation#inherited-activation) is enabled. All VMs created by a user with a Windows 10 E3 or E5 license are automatically activated independent of whether a user signs in with a local account or using an Azure Active Directory account.
 ### Scenario 3
-- The VM is running Windows 10, version 1703 or 1709, or the hoster is not an authorized [QMTH](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) partner.
+- The VM is running Windows 10, version 1703 or 1709, or the hoster is not an authorized [QMTH](https://www.microsoft.com/CloudandHosting/licensing_sca.aspx) partner.
 In this scenario, the underlying Windows 10 Pro license must be activated prior to Subscription Activation of Windows 10 Enterprise. Activation is accomplished using a Windows 10 Pro Generic Volume License Key (GVLK) and a Volume License KMS activation server provided by the hoster. Alternatively, a KMS activation server on your corporate network can be used if you have configured a private connection, such as [ExpressRoute](https://azure.microsoft.com/services/expressroute/) or [VPN Gateway](https://azure.microsoft.com/services/vpn-gateway/).
diff --git a/windows/deployment/windows-10-enterprise-e3-overview.md b/windows/deployment/windows-10-enterprise-e3-overview.md
index 6b45127282..e241930c1e 100644
--- a/windows/deployment/windows-10-enterprise-e3-overview.md
+++ b/windows/deployment/windows-10-enterprise-e3-overview.md
@@ -43,9 +43,9 @@ When you purchase Windows 10 Enterprise E3 via a partner, you get the followin
 How does the Windows 10 Enterprise E3 in CSP program compare with Microsoft Volume Licensing Agreements and Software Assurance?
-- [Microsoft Volume Licensing](https://www.microsoft.com/en-us/licensing/default.aspx) programs are broader in scope, providing organizations with access to licensing for all Microsoft products.
+- [Microsoft Volume Licensing](https://www.microsoft.com/licensing/default.aspx) programs are broader in scope, providing organizations with access to licensing for all Microsoft products.
-- [Software Assurance](https://www.microsoft.com/en-us/Licensing/licensing-programs/software-assurance-default.aspx) provides organizations with the following categories of benefits:
+- [Software Assurance](https://www.microsoft.com/Licensing/licensing-programs/software-assurance-default.aspx) provides organizations with the following categories of benefits:
 - **Deployment and management**. These benefits include planning services, Microsoft Desktop Optimization (MDOP), Windows Virtual Desktop Access Rights, Windows-To-Go Rights, Windows Roaming Use Rights, Windows Thin PC, Windows RT Companion VDA Rights, and other benefits.
diff --git a/windows/deployment/windows-10-media.md b/windows/deployment/windows-10-media.md
index 66d5049d31..e46fc7ed24 100644
--- a/windows/deployment/windows-10-media.md
+++ b/windows/deployment/windows-10-media.md
@@ -77,7 +77,7 @@ Features on demand is a method for adding features to your Windows 10 image that
 ## Related topics
-[Microsoft Volume Licensing Service Center (VLSC) User Guide](https://www.microsoft.com/en-us/download/details.aspx?id=10585)
+[Microsoft Volume Licensing Service Center (VLSC) User Guide](https://www.microsoft.com/download/details.aspx?id=10585)
    [Volume Activation for Windows 10](https://docs.microsoft.com/windows/deployment/volume-activation/volume-activation-windows-10)
    [Plan for volume activation](https://docs.microsoft.com/windows/deployment/volume-activation/plan-for-volume-activation-client)
    [VLSC downloads FAQ](https://www.microsoft.com/Licensing/servicecenter/Help/FAQDetails.aspx?id=150)
diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md
index ddb22cbbbb..87eea0e845 100644
--- a/windows/deployment/windows-10-poc-mdt.md
+++ b/windows/deployment/windows-10-poc-mdt.md
@@ -75,7 +75,7 @@ MDT performs deployments by using the Lite Touch Installation (LTI), Zero Touch
 Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0
 Stop-Process -Name Explorer
 ```
-2. Download and install the 64-bit version of [Microsoft Deployment Toolkit (MDT)](https://www.microsoft.com/en-us/download/details.aspx?id=54259) on SRV1 using the default options. As of the writing of this guide, the latest version of MDT was 8443.
+2. Download and install the 64-bit version of [Microsoft Deployment Toolkit (MDT)](https://www.microsoft.com/download/details.aspx?id=54259) on SRV1 using the default options. As of the writing of this guide, the latest version of MDT was 8443.
 3. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 1703. Installation might require several minutes to acquire all components.
@@ -638,7 +638,7 @@ Deployment logs are available on the client computer in the following locations:
 You can review WDS events in Event Viewer at: **Applications and Services Logs > Microsoft > Windows > Deployment-Services-Diagnostics**. By default, only the **Admin** and **Operational** logs are enabled. To enable other logs, right-click the log and then click **Enable Log**.
-Tools for viewing log files, and to assist with troubleshooting are available in the [System Center 2012 R2 Configuration Manager Toolkit](https://www.microsoft.com/en-us/download/details.aspx?id=50012)
+Tools for viewing log files, and to assist with troubleshooting are available in the [System Center 2012 R2 Configuration Manager Toolkit](https://www.microsoft.com/download/details.aspx?id=50012)
 Also see [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) for detailed troubleshooting information.
diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md
index d9a32a74be..929b097d58 100644
--- a/windows/deployment/windows-10-poc-sc-config-mgr.md
+++ b/windows/deployment/windows-10-poc-sc-config-mgr.md
@@ -72,7 +72,7 @@ Topics and procedures in this guide are summarized in the following table. An es
 >If the request to add features fails, retry the installation by typing the command again.
-2. Download [SQL Server 2014 SP2](https://www.microsoft.com/en-us/evalcenter/evaluate-sql-server-2014-sp2) from the Microsoft Evaluation Center as an .ISO file on the Hyper-V host computer. Save the file to the **C:\VHD** directory.
+2. Download [SQL Server 2014 SP2](https://www.microsoft.com/evalcenter/evaluate-sql-server-2014-sp2) from the Microsoft Evaluation Center as an .ISO file on the Hyper-V host computer. Save the file to the **C:\VHD** directory.
 3. When you have downloaded the file **SQLServer2014SP2-FullSlipstream-x64-ENU.iso** and placed it in the C:\VHD directory, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
 ```
@@ -126,7 +126,7 @@ Topics and procedures in this guide are summarized in the following table. An es
 Stop-Process -Name Explorer
 ```
-2. Download [System Center Configuration Manager and Endpoint Protection](https://www.microsoft.com/en-us/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) on SRV1 (download the executable file anywhere on SRV1), double-click the file, enter **C:\configmgr** for **Unzip to folder**, and click **Unzip**. The C:\configmgr directory will be automatically created. Click **OK** and then close the **WinZip Self-Extractor** dialog box when finished.
+2. Download [System Center Configuration Manager and Endpoint Protection](https://www.microsoft.com/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) on SRV1 (download the executable file anywhere on SRV1), double-click the file, enter **C:\configmgr** for **Unzip to folder**, and click **Unzip**. The C:\configmgr directory will be automatically created. Click **OK** and then close the **WinZip Self-Extractor** dialog box when finished.
 3. Before starting the installation, verify that WMI is working on SRV1. See the following examples. Verify that **Running** is displayed under **Status** and **True** is displayed next to **TcpTestSucceeded**:
diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md
index b12b80110d..7a4fb81ed7 100644
--- a/windows/deployment/windows-10-poc.md
+++ b/windows/deployment/windows-10-poc.md
@@ -224,9 +224,9 @@ Starting with Windows 8, the host computer’s microprocessor must support secon
 ### Download VHD and ISO files
-When you have completed installation of Hyper-V on the host computer, begin configuration of Hyper-V by downloading VHD and ISO files to the Hyper-V host. These files will be used to create the VMs used in the lab. Before you can download VHD and ISO files, you will need to register and sign in to the [TechNet Evaluation Center](https://www.microsoft.com/en-us/evalcenter/) using your Microsoft account.
+When you have completed installation of Hyper-V on the host computer, begin configuration of Hyper-V by downloading VHD and ISO files to the Hyper-V host. These files will be used to create the VMs used in the lab. Before you can download VHD and ISO files, you will need to register and sign in to the [TechNet Evaluation Center](https://www.microsoft.com/evalcenter/) using your Microsoft account.
-1. Create a directory on your Hyper-V host named **C:\VHD** and download a single [Windows Server 2012 R2 VHD](https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2012-r2) from the TechNet Evaluation Center to the **C:\VHD** directory.
+1. Create a directory on your Hyper-V host named **C:\VHD** and download a single [Windows Server 2012 R2 VHD](https://www.microsoft.com/evalcenter/evaluate-windows-server-2012-r2) from the TechNet Evaluation Center to the **C:\VHD** directory.
 **Important**: This guide assumes that VHDs are stored in the **C:\VHD** directory on the Hyper-V host. If you use a different directory to store VHDs, you must adjust steps in this guide appropriately.
@@ -238,7 +238,7 @@ When you have completed installation of Hyper-V on the host computer, begin conf
 2. Download the file to the **C:\VHD** directory. When the download is complete, rename the VHD file that you downloaded to **2012R2-poc-1.vhd**. This is done to make the filename simple to recognize and type.
 3. Copy the VHD to a second file also in the **C:\VHD** directory and name this VHD **2012R2-poc-2.vhd**.
-4. Download the [Windows 10 Enterprise ISO](https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise) from the TechNet Evaluation Center to the **C:\VHD** directory on your Hyper-V host.
+4. Download the [Windows 10 Enterprise ISO](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) from the TechNet Evaluation Center to the **C:\VHD** directory on your Hyper-V host.
 >During registration, you must specify the type, version, and language of installation media to download. In this example, a Windows 10 Enterprise, 64 bit, English ISO is chosen. You can choose a different version if desired. **Note: The evaluation version of Windows 10 does not support in-place upgrade**.
diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md
index 198a7e9aa2..11ef79b654 100644
--- a/windows/deployment/windows-10-subscription-activation.md
+++ b/windows/deployment/windows-10-subscription-activation.md
@@ -105,8 +105,8 @@ If devices are running Windows 7 or Windows 8.1, see [New Windows 10 upgrade ben
 With Windows 10 Enterprise or Windows 10 Education, businesses and institutions can benefit from enterprise-level security and control. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Education or Windows 10 Enterprise to their users. Now, with Windows 10 Enterprise E3 or A3 and E5 or A5 being available as a true online service, it is available in select channels thus allowing all organizations to take advantage of enterprise-grade Windows 10 features.
 To compare Windows 10 editions and review pricing, see the following:
-- [Compare Windows 10 editions](https://www.microsoft.com/en-us/windowsforbusiness/compare)
-- [Enterprise Mobility + Security Pricing Options](https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility-security-pricing)
+- [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare)
+- [Enterprise Mobility + Security Pricing Options](https://www.microsoft.com/cloud-platform/enterprise-mobility-security-pricing)
 You can benefit by moving to Windows as an online service in the following ways:
@@ -215,12 +215,12 @@ See [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md).
 ## Virtual Desktop Access (VDA)
-Subscriptions to Windows 10 Enterprise are also available for virtualized clients. Windows 10 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx).
+Subscriptions to Windows 10 Enterprise are also available for virtualized clients. Windows 10 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://www.microsoft.com/CloudandHosting/licensing_sca.aspx).
 Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Subscription Activation](vda-subscription-activation.md).
 ## Related topics
 [Connect domain-joined devices to Azure AD for Windows 10 experiences](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-devices-group-policy/)
    -[Compare Windows 10 editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare)
    -[Windows for business](https://www.microsoft.com/en-us/windowsforbusiness/default.aspx)
    +[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)
    +[Windows for business](https://www.microsoft.com/windowsforbusiness/default.aspx)
    diff --git a/windows/deployment/windows-autopilot/add-devices.md b/windows/deployment/windows-autopilot/add-devices.md
index a8090d1812..6d2dc8e363 100644
--- a/windows/deployment/windows-autopilot/add-devices.md
+++ b/windows/deployment/windows-autopilot/add-devices.md
@@ -26,7 +26,7 @@ Before deploying a device using Windows Autopilot, the device must be registered
 ## OEM registration
-When you purchase devices directly from an OEM, that OEM can automatically register the devices with the Windows Autopilot deployment service. For the list of OEMs that currently support this, see the "Participant device manufacturers" section of the [Windows Autopilot information page](https://www.microsoft.com/en-us/windowsforbusiness/windows-autopilot).
+When you purchase devices directly from an OEM, that OEM can automatically register the devices with the Windows Autopilot deployment service. For the list of OEMs that currently support this, see the "Participant device manufacturers" section of the [Windows Autopilot information page](https://www.microsoft.com/windowsforbusiness/windows-autopilot).
 Before an OEM can register devices on behalf of an organization, the organization must grant the OEM permission to do so. This process is initiated by the OEM, with approval granted by an Azure AD global administrator from the organization. See the "Customer Consent" section of the [Customer consent page](https://docs.microsoft.com/windows/deployment/windows-autopilot/registration-auth#oem-authorization).
diff --git a/windows/deployment/windows-autopilot/existing-devices.md b/windows/deployment/windows-autopilot/existing-devices.md
index f514184445..0e14ae0b89 100644
--- a/windows/deployment/windows-autopilot/existing-devices.md
+++ b/windows/deployment/windows-autopilot/existing-devices.md
@@ -55,7 +55,7 @@ See the following examples.
 ### Create the JSON file
 >[!TIP]
->To run the following commands on a computer running Windows Server 2012/2012 R2 or Windows 7/8.1, you must first download and install the [Windows Management Framework](https://www.microsoft.com/en-us/download/details.aspx?id=54616).
+>To run the following commands on a computer running Windows Server 2012/2012 R2 or Windows 7/8.1, you must first download and install the [Windows Management Framework](https://www.microsoft.com/download/details.aspx?id=54616).
 1. On an Internet connected Windows PC or Server open an elevated Windows PowerShell command window
 2. Enter the following lines to install the necessary modules
diff --git a/windows/deployment/windows-autopilot/white-glove.md b/windows/deployment/windows-autopilot/white-glove.md
index 75e7e3a334..b5cc63019b 100644
--- a/windows/deployment/windows-autopilot/white-glove.md
+++ b/windows/deployment/windows-autopilot/white-glove.md
@@ -71,7 +71,7 @@ Windows Autopilot for white glove deployment supports two distinct scenarios:
 - User-driven deployments with Hybrid Azure AD Join. The device will be joined to an on-premises Active Directory domain, and separately registered with Azure AD.
 Each of these scenarios consists of two parts, a technician flow and a user flow. At a high level, these parts are the same for Azure AD Join and Hybrid Azure AD join; differences are primarily seen by the end user in the authentication steps.
-### Technican flow
+### Technician flow
 After the customer or IT Admin has targeted all the apps and settings they want for their devices through Intune, the white glove technician can begin the white glove process. The technician could be a member of the IT staff, a services partner, or an OEM – each organization can decide who should perform these activities. Regardless of the scenario, the process to be performed by the technician is the same:
 - Boot the device (running Windows 10 Pro, Enterprise, or Education SKUs, version 1903 or later).
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
index 4fcd4811c2..9aa928f3f9 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
@@ -84,16 +84,16 @@ If the Microsoft Store is not accessible, the AutoPilot process will still conti
 Windows Autopilot depends on specific capabilities available in Windows 10 and Azure Active Directory. It also requires an MDM service such as Microsoft Intune. These capabilities can be obtained through various editions and subscription programs:
 To provide needed Azure Active Directory (automatic MDM enrollment and company branding features) and MDM functionality, one of the following is required:
-- [Microsoft 365 Business subscriptions](https://www.microsoft.com/en-us/microsoft-365/business)
-- [Microsoft 365 F1 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise/firstline)
-- [Microsoft 365 Academic A1, A3, or A5 subscriptions](https://www.microsoft.com/en-us/education/buy-license/microsoft365/default.aspx)
-- [Microsoft 365 Enterprise E3 or E5 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise), which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune).
-- [Enterprise Mobility + Security E3 or E5 subscriptions](https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility-security), which include all needed Azure AD and Intune features.
+- [Microsoft 365 Business subscriptions](https://www.microsoft.com/microsoft-365/business)
+- [Microsoft 365 F1 subscriptions](https://www.microsoft.com/microsoft-365/enterprise/firstline)
+- [Microsoft 365 Academic A1, A3, or A5 subscriptions](https://www.microsoft.com/education/buy-license/microsoft365/default.aspx)
+- [Microsoft 365 Enterprise E3 or E5 subscriptions](https://www.microsoft.com/microsoft-365/enterprise), which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune).
+- [Enterprise Mobility + Security E3 or E5 subscriptions](https://www.microsoft.com/cloud-platform/enterprise-mobility-security), which include all needed Azure AD and Intune features.
 - [Intune for Education subscriptions](https://docs.microsoft.com/intune-education/what-is-intune-for-education), which include all needed Azure AD and Intune features.
-- [Azure Active Directory Premium P1 or P2](https://azure.microsoft.com/services/active-directory/) and [Microsoft Intune subscriptions](https://www.microsoft.com/en-us/cloud-platform/microsoft-intune) (or an alternative MDM service).
+- [Azure Active Directory Premium P1 or P2](https://azure.microsoft.com/services/active-directory/) and [Microsoft Intune subscriptions](https://www.microsoft.com/cloud-platform/microsoft-intune) (or an alternative MDM service).
 Additionally, the following are also recommended (but not required):
-- [Office 365 ProPlus](https://www.microsoft.com/en-us/p/office-365-proplus/CFQ7TTC0K8R0), which can be deployed easily via Intune (or other MDM services).
+- [Office 365 ProPlus](https://www.microsoft.com/p/office-365-proplus/CFQ7TTC0K8R0), which can be deployed easily via Intune (or other MDM services).
 - [Windows Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation), to automatically step up devices from Windows 10 Pro to Windows 10 Enterprise.
 ## Configuration requirements
diff --git a/windows/privacy/diagnostic-data-viewer-overview.md b/windows/privacy/diagnostic-data-viewer-overview.md
index 6f5daf90d1..7ebad52ee8 100644
--- a/windows/privacy/diagnostic-data-viewer-overview.md
+++ b/windows/privacy/diagnostic-data-viewer-overview.md
@@ -42,7 +42,7 @@ Before you can use this tool for viewing Windows diagnostic data, you must turn
 ![Location to turn on data viewing](images/ddv-data-viewing.png)
 ### Download the Diagnostic Data Viewer
-Download the app from the [Microsoft Store Diagnostic Data Viewer](https://www.microsoft.com/en-us/store/p/diagnostic-data-viewer/9n8wtrrsq8f7?rtc=1) page.
+Download the app from the [Microsoft Store Diagnostic Data Viewer](https://www.microsoft.com/store/p/diagnostic-data-viewer/9n8wtrrsq8f7?rtc=1) page.
 >[!Important]
 >It's possible that your Windows device doesn't have the Microsoft Store available (for example, Windows Server). If this is the case, see [Diagnostic Data Viewer for PowerShell](https://go.microsoft.com/fwlink/?linkid=2023830).
diff --git a/windows/privacy/gdpr-it-guidance.md b/windows/privacy/gdpr-it-guidance.md
index 524f34b78a..f142ad0677 100644
--- a/windows/privacy/gdpr-it-guidance.md
+++ b/windows/privacy/gdpr-it-guidance.md
@@ -74,7 +74,7 @@ For example, when an organization is using Microsoft Windows Defender Advanced T
 #### Processor scenario
-In the controller scenario described above, Microsoft is a *processor* because Microsoft provides data processing services to that controller (in the given example, an organization that subscribed to Windows Defender ATP and enabled it for the user’s device). As processor, Microsoft only processes data on behalf of the enterprise customer and does not have the right to process data beyond their instructions as specified in a written contract, such as the [Microsoft Product Terms and the Microsoft Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products.aspx).
+In the controller scenario described above, Microsoft is a *processor* because Microsoft provides data processing services to that controller (in the given example, an organization that subscribed to Windows Defender ATP and enabled it for the user’s device). As processor, Microsoft only processes data on behalf of the enterprise customer and does not have the right to process data beyond their instructions as specified in a written contract, such as the [Microsoft Product Terms and the Microsoft Online Services Terms (OST)](https://www.microsoft.com/licensing/product-licensing/products.aspx).
 ## GDPR relationship between a Windows 10 user and Microsoft
@@ -120,11 +120,11 @@ Diagnostic data is categorized into the levels "Security", "Basic", "Enhanced",
 Most Windows 10 services are controller services in terms of the GDPR – for both Windows functional data and Windows diagnostic data. But there are a few Windows services where Microsoft is a processor for functional data under the GDPR, such as [Windows Analytics](https://www.microsoft.com/windowsforbusiness/windows-analytics) and [Windows Defender Advanced Threat Protection (ATP)](https://www.microsoft.com/windowsforbusiness/windows-atp).
 >[!NOTE]
->Both Windows Analytics and Windows Defender ATP are subscription services for organizations. Some functionality requires a certain license (please see [Compare Windows 10 editions](https://www.microsoft.com/en-us/windowsforbusiness/compare)).
+>Both Windows Analytics and Windows Defender ATP are subscription services for organizations. Some functionality requires a certain license (please see [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare)).
 #### Windows Analytics
-[Windows Analytics](https://www.microsoft.com/en-us/windowsforbusiness/windows-analytics) is a service that provides rich, actionable information for helping organizations to gain deep insights into the operational efficiency and health of the Windows devices in their environment. It uses Windows diagnostic data from devices enrolled by the IT organization of an enterprise into the Windows Analytics service.
+[Windows Analytics](https://www.microsoft.com/windowsforbusiness/windows-analytics) is a service that provides rich, actionable information for helping organizations to gain deep insights into the operational efficiency and health of the Windows devices in their environment. It uses Windows diagnostic data from devices enrolled by the IT organization of an enterprise into the Windows Analytics service.
Windows [transmits Windows diagnostic data](enhanced-diagnostic-data-windows-analytics-events-and-fields.md) to Microsoft datacenters, where that data is analyzed and stored. With Windows Analytics, the IT organization can then view the analyzed data to detect and fix issues or to improve their processes for upgrading to Windows 10.
@@ -137,7 +137,7 @@ As a result, in terms of the GDPR, the organization that has subscribed to Windo
 #### Windows Defender ATP
-[Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp) is cloud-based service that collects and analyzes usage data from an organization’s devices to detect security threats. Some of the data can contain personal data as defined by the GDPR. Enrolled devices transmit usage data to Microsoft datacenters, where that data is analyzed, processed, and stored. The security operations center (SOC) of the organization can view the analyzed data using the [Windows Defender ATP portal](https://securitycenter.windows.com/).
+[Windows Defender ATP](https://www.microsoft.com/WindowsForBusiness/windows-atp) is cloud-based service that collects and analyzes usage data from an organization’s devices to detect security threats. Some of the data can contain personal data as defined by the GDPR. Enrolled devices transmit usage data to Microsoft datacenters, where that data is analyzed, processed, and stored. The security operations center (SOC) of the organization can view the analyzed data using the [Windows Defender ATP portal](https://securitycenter.windows.com/).
 As a result, in terms of the GDPR, the organization that has subscribed to Windows Defender ATP is acting as the controller, while Microsoft is the processor for Windows Defender ATP.
@@ -285,7 +285,7 @@ To make it easier to deploy settings that restrict connections from Windows 10 a
 ### Microsoft Trust Center and Service Trust Portal
-Please visit our [GDPR section of the Microsoft Trust Center](https://www.microsoft.com/en-us/trustcenter/privacy/gdpr) to obtain additional resources and to learn more about how Microsoft can help you fulfill specific GDPR requirements. There you can find lots of useful information about the GDPR, including how Microsoft is helping customers to successfully master the GDPR, a FAQ list, and a list of [resources for GDPR compliance](https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/resources). Also, please check out the [Compliance Manager](https://aka.ms/compliancemanager) of the Microsoft [Service Trust Portal (STP)](https://aka.ms/stp) and [Get Started: Support for GDPR Accountability](https://servicetrust.microsoft.com/ViewPage/GDPRGetStarted).
+Please visit our [GDPR section of the Microsoft Trust Center](https://www.microsoft.com/trustcenter/privacy/gdpr) to obtain additional resources and to learn more about how Microsoft can help you fulfill specific GDPR requirements. There you can find lots of useful information about the GDPR, including how Microsoft is helping customers to successfully master the GDPR, a FAQ list, and a list of [resources for GDPR compliance](https://www.microsoft.com/TrustCenter/Privacy/gdpr/resources). Also, please check out the [Compliance Manager](https://aka.ms/compliancemanager) of the Microsoft [Service Trust Portal (STP)](https://aka.ms/stp) and [Get Started: Support for GDPR Accountability](https://servicetrust.microsoft.com/ViewPage/GDPRGetStarted).
 ### Additional resources
diff --git a/windows/privacy/gdpr-win10-whitepaper.md b/windows/privacy/gdpr-win10-whitepaper.md
index 3ad1a4a14e..259561932e 100644
--- a/windows/privacy/gdpr-win10-whitepaper.md
+++ b/windows/privacy/gdpr-win10-whitepaper.md
@@ -30,7 +30,7 @@ Microsoft and our customers are now on a journey to achieve the privacy goals of
 We have outlined our commitment to the GDPR and how we are supporting our customers within the [Get GDPR compliant with the Microsoft Cloud](https://blogs.microsoft.com/on-the-issues/2017/02/15/get-gdpr-compliant-with-the-microsoft-cloud/#hv52B68OZTwhUj2c.99) blog post by our Chief Privacy Officer [Brendon Lynch](https://blogs.microsoft.com/on-the-issues/author/brendonlynch/) and the [Earning your trust with contractual commitments to the General Data Protection Regulation](https://blogs.microsoft.com/on-the-issues/2017/04/17/earning-trust-contractual-commitments-general-data-protection-regulation/#6QbqoGWXCLavGM63.99)” blog post by [Rich Sauer](https://blogs.microsoft.com/on-the-issues/author/rsauer/) - Microsoft Corporate Vice President & Deputy General Counsel.
-Although your journey to GDPR-compliance may seem challenging, we're here to help you. For specific information about the GDPR, our commitments and how to begin your journey, please visit the [GDPR section of the Microsoft Trust Center](https://www.microsoft.com/en-us/trustcenter/privacy/gdpr).
+Although your journey to GDPR-compliance may seem challenging, we're here to help you. For specific information about the GDPR, our commitments and how to begin your journey, please visit the [GDPR section of the Microsoft Trust Center](https://www.microsoft.com/trustcenter/privacy/gdpr).
 ## GDPR and its implications
 The GDPR is a complex regulation that may require significant changes in how you gather, use and manage personal data. Microsoft has a long history of helping our customers comply with complex regulations, and when it comes to preparing for the GDPR, we are your partner on this journey.
@@ -82,7 +82,7 @@ Given how much is involved to become GDPR-compliant, we strongly recommend that
 ![Diagram about how the 4 key GDPR steps work together](images/gdpr-steps-diagram.png)
-For each of the steps, we've outlined example tools, resources, and features in various Microsoft solutions, which can be used to help you address the requirements of that step. While this article isn't a comprehensive “how to,” we've included links for you to find out more details, and more information is available in the [GDPR section of the Microsoft Trust Center](https://www.microsoft.com/en-us/trustcenter/privacy/gdpr).
+For each of the steps, we've outlined example tools, resources, and features in various Microsoft solutions, which can be used to help you address the requirements of that step. While this article isn't a comprehensive “how to,” we've included links for you to find out more details, and more information is available in the [GDPR section of the Microsoft Trust Center](https://www.microsoft.com/trustcenter/privacy/gdpr).
 ## Windows 10 security and privacy
 As you work to comply with the GDPR, understanding the role of your desktop and laptop client machines in creating, accessing, processing, storing and managing data that may qualify as personal and potentially sensitive data under the GDPR is important. Windows 10 provides capabilities that will help you comply with the GDPR requirements to implement appropriate technical and organizational security measures to protect personal data.
@@ -252,7 +252,7 @@ There are numerous ways one can use the Windows Hello Companion Device Framework
 - Wear a fitness band that has already authenticated the wearer. Upon approaching PC, and by performing a special gesture (like clapping), the PC unlocks.
 #### Protection against attacks by isolating user credentials
-As noted in the [Windows 10 Credential Theft Mitigation Guide](https://www.microsoft.com/en-us/download/confirmation.aspx?id=54095), “_the tools and techniques criminals use to carry out credential theft and reuse attacks improve, malicious attackers are finding it easier to achieve their goals. Credential theft often relies on operational practices or user credential exposure, so effective mitigations require a holistic approach that addresses people, processes, and technology. In addition, these attacks rely on the attacker stealing credentials after compromising a system to expand or persist access, so organizations must contain breaches rapidly by implementing strategies that prevent attackers from moving freely and undetected in a compromised network._”
+As noted in the [Windows 10 Credential Theft Mitigation Guide](https://www.microsoft.com/download/confirmation.aspx?id=54095), “_the tools and techniques criminals use to carry out credential theft and reuse attacks improve, malicious attackers are finding it easier to achieve their goals. Credential theft often relies on operational practices or user credential exposure, so effective mitigations require a holistic approach that addresses people, processes, and technology. In addition, these attacks rely on the attacker stealing credentials after compromising a system to expand or persist access, so organizations must contain breaches rapidly by implementing strategies that prevent attackers from moving freely and undetected in a compromised network._”
 An important design consideration for Windows 10 was mitigating credential theft — in particular, derived credentials.
Windows Defender Credential Guard provides significantly improved security against derived credential theft and reuse by implementing a significant architectural change in Windows designed to help eliminate hardware-based isolation attacks rather than simply trying to defend against them.
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
index e2fa73f5c7..52f8406707 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
@@ -9,32 +9,34 @@ ms.sitesec: library
 ms.localizationpriority: medium
 author: medgarmedgar
 ms.author: v-medgar
-ms.date: 7/9/2019
+ms.date: 9/4/2019
 ---
-# Manage connections from Windows operating system components to Microsoft services using Microsoft Intune MDM Server
+# Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server
 **Applies to**
 - Windows 10 Enterprise 1903 version and newer
-You can use Microsoft InTune with MDM CSPs and custom [OMA URIs](https://docs.microsoft.com/intune/custom-settings-windows-10) to minimize connections from Windows to Microsoft services, or to configure particular privacy settings. You can configure diagnostic data at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article.
-To ensure CSPs take priority over Group Policies in case of conflicts, use the [ControlPolicyConflict](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy.
+This article describes the network connections that Windows 10 components make to Microsoft and the Mobile Device Management/Configuration Service Provider (MDM/CSP) and custom Open Mobile Alliance Uniform Resource Identifier ([OMA URI](https://docs.microsoft.com/intune/custom-settings-windows-10)) policies available to IT Professionals using Microsoft Intune to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article.
While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience.
-You can configure diagnostic data at the Security/Basic level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. There are many reasons why these communications are enabled by default, such as updating malware definitions and maintain current certificate revocation lists, which is why we strongly recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience.
+>[!IMPORTANT]
+>- The Allowed Traffic endpoints for an MDM configuration are here: [Allowed Traffic](#bkmk-mdm-allowedtraffic)
+> - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign.
+> - There is some traffic which is specifically required for the Microsoft Intune based management of Windows 10 devices. This traffic includes Windows Notifications Service (WNS), Automatic Root Certificates Update (ARCU), and some Windows Update related traffic. The aforementioned traffic comprises the Allowed Traffic for Microsoft Intune MDM Server to manage Windows 10 devices.
+>- For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device.
Examples of settings that can lead to a less secure device configuration include: disabling Windows Update, disabling Automatic Root Certificates Update, and disabling Windows Defender. Accordingly, we do not recommend disabling any of these features.
+>- To ensure CSPs take priority over Group Policies in case of conflicts, use the [ControlPolicyConflict](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy.
+>- The **Get Help** and **Give us Feedback** links in Windows may no longer work after applying some or all of the MDM/CSP settings.
-Note, there is some traffic which is required (i.e. "whitelisted") for the operation of Windows and the Microsoft InTune based management. This traffic includes CRL and OCSP network traffic which will show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign. Additional whitelisted traffic specifically for MDM managed devices includes Windows Notification Service related traffic as well as some specific Microsoft InTune and Windows Update related traffic.
+For more information on Microsoft Intune please see [Transform IT service delivery for your modern workplace](https://www.microsoft.com/en-us/enterprise-mobility-security/microsoft-intune?rtc=1) and [Microsoft Intune documentation](https://docs.microsoft.com/intune/).
-For more information on Microsoft InTune please see [Transform IT service delivery for your modern workplace](https://www.microsoft.com/en-us/enterprise-mobility-security/microsoft-intune?rtc=1) and [Microsoft Intune documentation](https://docs.microsoft.com/intune/).
+For detailed information about managing network connections to Microsoft services using Windows Settings, Group Policies and Registry settings see [Manage connections from Windows 10 operating system components to Microsoft services](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services).
-For detailed information about managing network connections to Microsoft services using Registries, Group Policies, or UI see [Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services).
+We are always striving to improve our documentation and welcome your feedback. You can provide feedback by sending email to **telmhelp**@**microsoft.com**.
-The endpoints for the MDM “whitelisted” traffic are in the [Whitelisted Traffic](#bkmk-mdm-whitelist).
-
-
-### Settings for Windows 10 Enterprise edition 1903 and newer
+## Settings for Windows 10 Enterprise edition 1903 and newer
 The following table lists management options for each setting.
@@ -98,7 +100,7 @@ For Windows 10, the following MDM policies are available in the [Policy CSP](htt
 1. **OneDrive**
 1. MDM Policy: [DisableOneDriveFileSync](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-disableonedrivefilesync). Allows IT Admins to prevent apps and features from working with files on OneDrive. **Set to 1 (one)**
 1. Ingest the ADMX - To get the latest OneDrive ADMX file you need an up-to-date Windows 10 client. The ADMX files are located under the following path: %LocalAppData%\Microsoft\OneDrive\ there's a folder with the current OneDrive build (e.g. "18.162.0812.0001"). There is a folder named "adm" which contains the admx and adml policy definition files.
- 1. MDM Policy: Prevent Network Traffic before User SignIn. **PreventNetworkTrafficPreUserSignIn**. The OMA-URI value is: ./Device/Vendor/MSFT/Policy/Config/OneDriveNGSC\~Policy\~OneDriveNGSC/PreventNetworkTrafficPreUserSignIn, **String, \**
+ 1. MDM Policy: Prevent Network Traffic before User SignIn. **PreventNetworkTrafficPreUserSignIn**. The OMA-URI value is: **./Device/Vendor/MSFT/Policy/Config/OneDriveNGSC\~Policy\~OneDriveNGSC/PreventNetworkTrafficPreUserSignIn**, Data type: **String**, Value: **\**
 1. **Privacy settings** Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC.
@@ -137,6 +139,7 @@ For Windows 10, the following MDM policies are available in the [Policy CSP](htt
 1. Windows Defender Smartscreen - [Browser/AllowSmartScreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen). Disable Windows Defender Smartscreen. **Set to 0 (zero)**
 1. Windows Defender Smartscreen EnableAppInstallControl - [SmartScreen/EnableAppInstallControl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-smartscreen#smartscreen-enableappinstallcontrol). Controls whether users are allowed to install apps from places other than the Microsoft Store. **Set to 0 (zero)**
 1. Windows Defender Potentially Unwanted Applications(PUA) Protection - [Defender/PUAProtection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-puaprotection). Specifies the level of detection for potentially unwanted applications (PUAs). **Set to 1 (one)**
+ 1. [Defender/SignatureUpdateFallbackOrder](https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm). Allows you to define the order in which different definition update sources should be contacted. The OMA-URI for this is: **./Vendor/MSFT/Policy/Config/Defender/SignatureUpdateFallbackOrder**, Data type: **String**, Value: **FileShares**
 1. **Windows Spotlight** - [Experience/AllowWindowsSpotlight](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsspotlight). Disable Windows Spotlight. **Set to 0 (zero)**
 1. **Microsoft Store**
 1. [ApplicationManagement/DisableStoreOriginatedApps](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-disablestoreoriginatedapps). Boolean value that disables the launch of all apps from Microsoft Store that came pre-installed or were downloaded. **Set to 1 (one)**
@@ -150,7 +153,7 @@ For Windows 10, the following MDM policies are available in the [Policy CSP](htt
 1. Windows Update Service URL - [Update/UpdateServiceUrl](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#update-updateserviceurl). Allows the device to check for updates from a WSUS server instead of Microsoft Update. **Set to String** with the Value:
 1. **\\$CmdID$\\\chr\text/plain\\ \./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl\\http://abcd-srv:8530\\**
-### Allowed traffic ("Whitelisted traffic") for Microsoft InTune / MDM configurations
+### Allowed traffic for Microsoft Intune / MDM configurations
 |**Allowed traffic endpoints** |
 | --- |
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index f4e4106726..33f7ec2b4b 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -1,5 +1,5 @@
 ---
-title: Manage connections from Windows operating system components to Microsoft services (Windows 10)
+title: Manage connections from Windows 10 operating system components to Microsoft services
 description: If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider.
 ms.assetid: ACCEB0DD-BC6F-41B1-B359-140B242183D9
 ms.reviewer:
@@ -14,10 +14,10 @@ ms.author: dansimp
 manager: dansimp
 ms.collection: M365-security-compliance
 ms.topic: article
-ms.date: 05/16/2019
+ms.date: 8/23/2019
 ---
-# Manage connections from Windows operating system components to Microsoft services
+# Manage connections from Windows 10 operating system components to Microsoft services
 **Applies to**
@@ -25,29 +25,24 @@ ms.date: 05/16/2019
 - Windows Server 2016
 - Windows Server 2019
-If you're looking for content on what each diagnostic data level means and how to configure it in your organization, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
+This article describes the network connections that Windows 10 components make to Microsoft and the Windows Settings, Group Policies and registry settings available to IT Professionals to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience.
-Learn about the network connections that Windows components make to Microsoft in addition to the privacy settings that affect the data which is shared with either Microsoft or apps and how they can be managed by an IT Pro.
+Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 to Microsoft.
The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Windows Defender are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly.
-If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. You can configure diagnostic data at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article.
+>[!IMPORTANT]
+> - The Allowed Traffic endpoints are listed here: [Allowed Traffic](#bkmk-allowedtraffic)
+> - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign.
+> - For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: Windows Update, Automatic Root Certificates Update, and Windows Defender.
Accordingly, we do not recommend disabling any of these features.
+> - It is recommended that you restart a device after making configuration changes to it.
+> - The **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied.
-You can configure diagnostic data at the Security/Basic level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. There are many reasons why these communications are enabled by default, such as updating malware definitions and maintain current certificate revocation lists, which is why we strongly recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience.
+To use Microsoft Intune cloud based device management for restricting traffic please refer to the [Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm)
-To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887), but **before application please ensure that Windows and Windows Defender are fully up to date**. Failure to do so may result in errors. This baseline was created in the same way as the [Windows security baselines](/windows/device-security/windows-security-baselines) that are often used to efficiently configure Windows to a known secure state.
-Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document.
However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure you've chosen the right settings configuration for your environment before applying.
-You should not extract this package to the windows\\system32 folder because it will not apply correctly.
+We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting **telmhelp**@**microsoft.com**.
-Applying the Windows Restricted Traffic Limited Functionality Baseline is the same as applying each setting covered in this article.
-It is recommended that you restart a device after making configuration changes to it.
-Note that **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied.
+## Management options for each setting
-To use Microsoft InTune cloud based device management for restricting traffic please refer to the [Manage connections from Windows operating system components to Microsoft services using MDM](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm).
-
-We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
-
-## Management options for each setting
-
-The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all of these connections.
+The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft.
To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all of these connections
 ### Settings for Windows 10 Enterprise edition
@@ -230,7 +225,7 @@ For more information, see [Automatic Root Certificates Update Configuration](htt
 Although not recommended, you can turn off Automatic Root Certificates Update, which also prevents updates to the disallowed certificate list and the pin rules list.
 > [!CAUTION]
-> By not automatically downloading the root certificates, the device might have not been able to connect to some websites.
+> By not automatically downloading the root certificates the device may not be able to connect to some websites.
 For Windows 10, Windows Server 2016 with Desktop Experience, and Windows Server 2016 Server Core:
@@ -260,7 +255,7 @@ On Windows Server 2016 Nano Server:
 - Create the registry path **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\AuthRoot** and then add a REG_DWORD registry setting, named **DisableRootAutoUpdate**, with a value of 1.
 >[!NOTE]
->CRL and OCSP network traffic is currently whitelisted and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign.
+>CRL and OCSP network traffic is currently Allowed Traffic and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign.
 ### 2. Cortana and Search
@@ -390,7 +385,7 @@ Windows Insider Preview builds only apply to Windows 10 and are not available fo
 > [!NOTE]
-> If you upgrade a device that is configured to minimize connections from Windows to Microsoft services (that is, a device configured for zero exhaust) to a Windows Insider Preview build, the Feedback & Diagnostic setting will automatically be set to **Full**. Although the diagnostic data level may initially appear as **Basic**, a few hours after the UI is refreshed or the machine is rebooted, the setting will become **Full**.
+> If you upgrade a device that is configured to minimize connections from Windows to Microsoft services (that is, a device configured for Restricted Traffic) to a Windows Insider Preview build, the Feedback & Diagnostic setting will automatically be set to **Full**. Although the diagnostic data level may initially appear as **Basic**, a few hours after the UI is refreshed or the machine is rebooted, the setting will become **Full**.
 To turn off Insider Preview builds for a released version of Windows 10:
@@ -1260,7 +1255,7 @@ To turn off **Let your apps use your trusted devices (hardware you've already co
 ### 18.16 Feedback & diagnostics
-In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft.
+In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft. If you're looking for content on what each diagnostic data level means and how to configure it in your organization, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
 To change how frequently **Windows should ask for my feedback**:
@@ -1584,7 +1579,7 @@ You can disconnect from the Microsoft Antimalware Protection Service.
 >[!IMPORTANT]
 >**Required Steps BEFORE setting the Windows Defender Group Policy or RegKey on Windows 10 version 1903**
 >1. Ensure Windows and Windows Defender are fully up to date.
->2. Search the Start menu for "Tamper Protection" by clicking on the search icon next to the Windows Start button. Then scroll down to >the Tamper Protection toggle and turn it **Off**. This will allow you to modify the Registry key and allow the Group Policy to make >the setting. Alternatively, you can go to **Windows Security Settings -> Virus & threat protection, click on Manage Settings** link >and then scroll down to the Tamper Protection toggle to set it to **Off**.
+>2. Search the Start menu for "Tamper Protection" by clicking on the search icon next to the Windows Start button. Then scroll down to the Tamper Protection toggle and turn it **Off**. This will allow you to modify the Registry key and allow the Group Policy to make the setting. Alternatively, you can go to **Windows Security Settings -> Virus & threat protection, click on Manage Settings** link and then scroll down to the Tamper Protection toggle to set it to **Off**.
 - **Enable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **MAPS** > **Join Microsoft MAPS** and then select **Disabled** from the drop-down box named **Join Microsoft MAPS**
@@ -1623,7 +1618,7 @@ You can stop downloading **Definition Updates**:
 - **Remove** the **DefinitionUpdateFileSharesSources** reg value if it exists under **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Signature Updates**
-You can turn off **Malicious Software Reporting Tool diagnostic data**:
+You can turn off **Malicious Software Reporting Tool (MSRT) diagnostic data**:
 - Set the REG_DWORD value **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to **1**.
@@ -1881,7 +1876,16 @@ For China releases of Windows 10 there is one additional Regkey to be set to pre
 - Add a REG_DWORD value named **HapDownloadEnabled** to **HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LexiconUpdate\\loc_0804** and set the value to 0.
+
+### Allowed traffic list for Windows Restricted Traffic Limited Functionality Baseline
+
+|**Allowed traffic endpoints** |
+| --- |
+|activation-v2.sls.microsoft.com/*|
+|crl.microsoft.com/pki/crl/*|
+|ocsp.digicert.com/*|
+|www.microsoft.com/pkiops/*|
 To learn more, see [Device update management](https://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](https://technet.microsoft.com/library/cc720539.aspx).
diff --git a/windows/release-information/resolved-issues-windows-10-1507.yml b/windows/release-information/resolved-issues-windows-10-1507.yml
index efd586d8b9..6eb7bd7645 100644
--- a/windows/release-information/resolved-issues-windows-10-1507.yml
+++ b/windows/release-information/resolved-issues-windows-10-1507.yml
@@ -39,7 +39,6 @@ sections:
    Embedded objects may display incorrectly
    Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

    See details >OS Build 10240.18132

    February 12, 2019
    KB4487018Resolved
    KB4493475April 09, 2019
    10:00 AM PT
    MSXML6 may cause applications to stop responding
    MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

    See details >OS Build 10240.18094

    January 08, 2019
    KB4480962Resolved
    KB4493475April 09, 2019
    10:00 AM PT
    Error 1309 when installing/uninstalling MSI or MSP files
    Users may receive \"Error 1309\" while installing or uninstalling certain types of MSI and MSP files.

    See details >OS Build 10240.18132

    February 12, 2019
    KB4487018Resolved
    KB4489872March 12, 2019
    10:00 AM PT
-
    Internet Explorer may fail to load images
    Internet Explorer may fail to load images with a backslash (\\) in their relative source path.

    See details >OS Build 10240.18132

    February 12, 2019
    KB4487018Resolved
    KB4491101February 21, 2019
    02:00 PM PT
    First character of Japanese era name not recognized
    The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

    See details >OS Build 10240.18132

    February 12, 2019
    KB4487018Resolved
    KB4489872March 12, 2019
    10:00 AM PT
    Custom URI schemes may not start corresponding application
    Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.

    See details >OS Build 10240.18158

    March 12, 2019
    KB4489872Resolved
    KB4493475April 09, 2019
    10:00 AM PT
    Applications using Microsoft Jet database and Access 95 file format stop working
    Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.

    See details >OS Build 10240.18132

    February 12, 2019
    KB4487018Resolved
    KB4489872March 12, 2019
    10:00 AM PT
@@ -97,7 +96,6 @@ sections:
-
    DetailsOriginating updateStatusHistory
    Embedded objects may display incorrectly
    Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. 
     
    For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. 
     
    Affected platforms:  
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
    Resolution: This issue is resolved in KB4493475

    Back to top
    OS Build 10240.18132

    February 12, 2019
    KB4487018
    Resolved
    KB4493475
    Resolved:
    April 09, 2019
    10:00 AM PT

    Opened:
    February 12, 2019
    10:00 AM PT
    Error 1309 when installing/uninstalling MSI or MSP files
    After installing KB4487018, users may receive “Error 1309” while installing or uninstalling certain types of MSI and MSP files.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
    Resolution: This issue is resolved in KB4489872.

    Back to top
    OS Build 10240.18132

    February 12, 2019
    KB4487018
    Resolved
    KB4489872
    Resolved:
    March 12, 2019
    10:00 AM PT

    Opened:
    February 12, 2019
    10:00 AM PT
    Internet Explorer may fail to load images
    After installing KB4487018, Internet Explorer may fail to load images with a backslash (\\) in their relative source path.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1
    Resolution: This issue is resolved in KB4491101.

    Back to top
    OS Build 10240.18132

    February 12, 2019
    KB4487018
    Resolved
    KB4491101
    Resolved:
    February 21, 2019
    02:00 PM PT

    Opened:
    February 12, 2019
    10:00 AM PT
    First character of Japanese era name not recognized
    After installing KB4487018, the first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
    Resolution: This issue is resolved in KB4489872.

    Back to top
    OS Build 10240.18132

    February 12, 2019
    KB4487018
    Resolved
    KB4489872
    Resolved:
    March 12, 2019
    10:00 AM PT

    Opened:
    February 12, 2019
    10:00 AM PT
    Applications using Microsoft Jet database and Access 95 file format stop working
    Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 7 SP1
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
    Resolution: This issue is resolved in KB4489872.

    Back to top
    OS Build 10240.18132

    February 12, 2019
    KB4487018
    Resolved
    KB4489872
    Resolved:
    March 12, 2019
    10:00 AM PT

    Opened:
    February 12, 2019
    10:00 AM PT
    diff --git a/windows/release-information/resolved-issues-windows-10-1803.yml b/windows/release-information/resolved-issues-windows-10-1803.yml
index b3059b9fe8..f6b4c85fb6 100644
--- a/windows/release-information/resolved-issues-windows-10-1803.yml
+++ b/windows/release-information/resolved-issues-windows-10-1803.yml
@@ -32,6 +32,7 @@ sections:
 - type: markdown
 text: "
+
@@ -58,6 +59,15 @@ sections:
    \"
+- title: September 2019
+- items:
+ - type: markdown
+ text: \"
+
    SummaryOriginating updateStatusDate resolved
    Notification issue: \"Your device is missing important security and quality fixes.\"
    Some users may have incorrectly received the notification \"Your device is missing important security and quality fixes.\"

    See details >
    N/A

    Resolved
    September 03, 2019
    12:32 PM PT
    Devices starting using PXE from a WDS or SCCM servers may fail to start
    Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

    See details >
    OS Build 17134.829

    June 11, 2019
    KB4503286
    Resolved
    KB4512509
    August 19, 2019
    02:00 PM PT
    Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
    Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.

    See details >
    OS Build 17134.950

    August 13, 2019
    KB4512501
    Resolved
    KB4512509
    August 19, 2019
    02:00 PM PT
    Domain connected devices that use MIT Kerberos realms will not start up
    Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

    See details >
    OS Build 17134.915

    July 16, 2019
    KB4507466
    Resolved
    KB4512501
    August 13, 2019
    10:00 AM PT
    +
+
    DetailsOriginating updateStatusHistory
    Notification issue: \"Your device is missing important security and quality fixes.\"
    Some users may have incorrectly received the notification \"Your device is missing important security and quality fixes\" in the Windows Update dialog and a red \"!\" in the task tray on the Windows Update tray icon. This notification is intended for devices that are 90 days or more out of date, but some users with installed updates released in June or July also saw this notification.

    Affected platforms:
    • Client: Windows 10, version 1803
    • Server: Windows Server, version 1803
    Resolution: This issue was resolved on the server side on August 30, 2019. Only devices that are out of date by 90 days or more should now see the notification. No action is required by the user to resolve this issue. If you are still seeing the \"Your device is missing important security and quality fixes\" notification, we recommend selecting Check for Updates in the Windows Update dialog. For instructions, see Update Windows 10. Microsoft always recommends trying to keep your devices up to date, as the monthly updates contain important security fixes. 

    Back to top
    N/A

    Resolved
    Resolved:
    September 03, 2019
    12:32 PM PT

    Opened:
    September 03, 2019
    12:32 PM PT
    + \" +
 - title: August 2019
 - items:
 - type: markdown
diff --git a/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml
index c70c55ae78..99b8f5966a 100644
--- a/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml
+++ b/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml
@@ -55,12 +55,6 @@ sections:
    End-user-defined characters (EUDC) may cause blue screen at startup
    If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup.

    See details >OS Build 17763.404

    April 02, 2019
    KB4490481Resolved
    KB4493509April 09, 2019
    10:00 AM PT
    MSXML6 may cause applications to stop responding
    MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

    See details >OS Build 17763.253

    January 08, 2019
    KB4480116Resolved
    KB4493509April 09, 2019
    10:00 AM PT
    Error 1309 when installing/uninstalling MSI or MSP files
    Users may receive \"Error 1309\" while installing or uninstalling certain types of MSI and MSP files.

    See details >OS Build 17763.316

    February 12, 2019
    KB4487044Resolved
    KB4489899March 12, 2019
    10:00 AM PT
-
    Internet Explorer may fail to load images
    Internet Explorer may fail to load images with a backslash (\\) in their relative source path.

    See details >OS Build 17763.316

    February 12, 2019
    KB4487044Resolved
    KB4482887March 01, 2019
    10:00 AM PT
-
    First character of the Japanese era name not recognized
    The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

    See details >OS Build 17763.316

    February 12, 2019
    KB4487044Resolved
    KB4482887March 01, 2019
    10:00 AM PT
-
    Applications using Microsoft Jet database and Access 95 file format stop working
    Applications that use a Microsoft Jet database with the Microsoft Access 9 file format may randomly stop working.

    See details >OS Build 17763.316

    February 12, 2019
    KB4487044Resolved
    KB4482887March 01, 2019
    10:00 AM PT
-
    Shared albums may not sync with iCloud for Windows
    Upgrade block: Apple has identified an incompatibility with iCloud for Windows (version 7.7.0.27) where users may experience issues updating or synching Shared Albums.

    See details >OS Build 17763.134

    November 13, 2018
    KB4467708Resolved
    KB4482887March 01, 2019
    10:00 AM PT
-
    Intel Audio Display (intcdaud.sys) notification during Windows 10 Setup
    Upgrade block: Users may see an Intel Audio Display (intcdaud.sys) notification during setup for devices with certain Intel Display Audio Drivers.

    See details >OS Build 17763.134

    November 13, 2018
    KB4467708Resolved
    KB4482887March 01, 2019
    10:00 AM PT
-
    F5 VPN clients losing network connectivity
    Upgrade block: After updating to Windows 10, version 1809, F5 VPN clients may lose network connectivity when the VPN service is in a split tunnel configuration.

    See details >OS Build 17763.134

    November 13, 2018
    KB4467708Resolved
    KB4482887March 01, 2019
    10:00 AM PT
    Global DNS outage affects Windows Update customers
    Windows Update customers were recently affected by a network infrastructure event caused by an external DNS service provider's global outage.

    See details >N/A

    Resolved
    March 08, 2019
    11:15 AM PT
    Apps may stop working after selecting an audio output device other than the default
    Users with multiple audio devices that select an audio output device different from the \"Default Audio Device\" may find certain applications stop working unexpectedly.

    See details >OS Build 17763.348

    March 01, 2019
    KB4482887Resolved
    KB4490481April 02, 2019
    10:00 AM PT
@@ -148,9 +142,6 @@ sections:
-
-
-
    DetailsOriginating updateStatusHistory
    Embedded objects may display incorrectly
    Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. 
     
    For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. 
     
    Affected platforms:  
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1  
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2  
    Resolution: This issue is resolved in KB4493509.  

    Back to top
    OS Build 17763.316

    February 12, 2019
    KB4487044
    Resolved
    KB4493509
    Resolved:
    April 09, 2019
    10:00 AM PT

    Opened:
    February 12, 2019
    10:00 AM PT
    Error 1309 when installing/uninstalling MSI or MSP files
    After installing KB4487044, users may receive \"Error 1309\" while installing or uninstalling certain types of MSI and MSP files. 

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
    Resolution: This issue is resolved in KB4489899

    Back to top
    OS Build 17763.316

    February 12, 2019
    KB4487044
    Resolved
    KB4489899
    Resolved:
    March 12, 2019
    10:00 AM PT

    Opened:
    February 12, 2019
    10:00 AM PT
    Internet Explorer may fail to load images
    After installing KB4487044, Internet Explorer may fail to load images with a backslash (\\) in their relative source path.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1
    Resolution: This issue is resolved in KB4482887.

    Back to top
    OS Build 17763.316

    February 12, 2019
    KB4487044
    Resolved
    KB4482887
    Resolved:
    March 01, 2019
    10:00 AM PT

    Opened:
    February 12, 2019
    10:00 AM PT
    First character of the Japanese era name not recognized
    After installing KB4487044, the first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues. 

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
    Resolution: This issue is resolved in KB4482887

    Back to top
    OS Build 17763.316

    February 12, 2019
    KB4487044
    Resolved
    KB4482887
    Resolved:
    March 01, 2019
    10:00 AM PT

    Opened:
    February 12, 2019
    10:00 AM PT
    Applications using Microsoft Jet database and Access 95 file format stop working
    Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 7 SP1
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
    Resolution: This issue is resolved in KB4482887.

    Back to top
    OS Build 17763.316

    February 12, 2019
    KB4487044
    Resolved
    KB4482887
    Resolved:
    March 01, 2019
    10:00 AM PT

    Opened:
    February 12, 2019
    10:00 AM PT
    " @@ -171,8 +162,5 @@ sections: text: " - - -
    DetailsOriginating updateStatusHistory
    Audio not working on monitors or TV connected to a PC via HDMI, USB, or DisplayPort
    Upgrade block: Microsoft has identified issues with certain new Intel display drivers. Intel inadvertently released versions of its display driver (versions 24.20.100.6344, 24.20.100.6345) to OEMs that accidentally turned on unsupported features in Windows. 
     
    As a result, after updating to Windows 10, version 1809, audio playback from a monitor or television connected to a PC via HDMI, USB-C, or a DisplayPort may not function correctly on devices with these drivers.
    Note: This Intel display driver issue is different from the Intel Smart Sound Technology driver (version 09.21.00.3755) audio issue previously documented.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
    • Server: Windows Server, version 1809; Windows Server 2019 
    Next steps: Intel has released updated drivers to OEM device manufacturers. OEMs need to make the updated driver available via Windows Update. For more information, see the Intel Customer Support article.

    Resolution: Microsoft has removed the safeguard hold.



    Back to top
    OS Build 17763.134

    November 13, 2018
    KB4467708
    Resolved
    Resolved:
    May 21, 2019
    07:42 AM PT

    Opened:
    November 13, 2018
    10:00 AM PT
    Shared albums may not sync with iCloud for Windows
    Upgrade block: Users who attempt to install iCloud for Windows (version 7.7.0.27) will see a message displayed that this version iCloud for Windows isn't supported and the install will fail.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
    • Server: Windows Server, version 1809; Windows Server 2019
    To ensure a seamless experience, Microsoft is blocking devices with iCloud for Windows (version 7.7.0.27) software installed from being offered Windows 10, version 1809 until this issue has been resolved. 

    We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool from the Microsoft software download website until this issue is resolved. 
     
    Resolution: Apple has released an updated version of iCloud for Windows (version 7.8.1) that resolves compatibility issues encountered when updating or synching Shared Albums after updating to Windows 10, version 1809. We recommend that you update your iCloud for Windows to version 7.8.1 when prompted before attempting to upgrade to Windows 10, version 1809. You can also manually download the latest version of iCloud for Windows by visiting https://support.apple.com/HT204283.

    Back to top
    OS Build 17763.134

    November 13, 2018
    KB4467708
    Resolved
    KB4482887
    Resolved:
    March 01, 2019
    10:00 AM PT

    Opened:
    November 13, 2018
    10:00 AM PT
    Intel Audio Display (intcdaud.sys) notification during Windows 10 Setup
    Upgrade block: Microsoft and Intel have identified a compatibility issue with a range of Intel Display Audio device drivers (intcdaud.sys, versions 10.25.0.3 - 10.25.0.8) that may result in excessive processor demand and reduced battery life. As a result, the update process to the Windows 10 October 2018 Update (Windows 10, version 1809) will fail and affected devices will automatically revert to the previous working configuration. 

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
    • Server: Windows Server, version 1809; Windows Server 2019
    If you see a \"What needs your attention\" notification during installation of the October 2018 Update, you have one of these affected drivers on your system. On the notification, click Back to remain on your current version of Windows 10. 
     
    To ensure a seamless experience, we are blocking devices from being offered the October 2018 Update until updated Intel device drivers are installed on your current operating system. We recommend that you do not attempt to manually update to Windows 10, version 1809, using the Update Now button or the Media Creation Tool from the Microsoft Software Download Center until newer Intel device drivers are available with the update. You can either wait for newer drivers to be installed automatically through Windows Update or check with your computer manufacturer for the latest device driver software availability and installation procedures. For more information about this issue, see Intel's customer support guidance.
     
    Resolution: This issue was resolved in KB4482887 and the upgrade block removed. 

    Back to top
    OS Build 17763.134

    November 13, 2018
    KB4467708
    Resolved
    KB4482887
    Resolved:
    March 01, 2019
    10:00 AM PT

    Opened:
    November 13, 2018
    10:00 AM PT
    F5 VPN clients losing network connectivity
    Upgrade block: After updating to Windows 10, version 1809, F5 VPN clients may lose network connectivity when the VPN service is in a split tunnel configuration.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
    • Server: Windows Server, version 1809; Windows Server 2019
    Resolution: This issue was resolved in KB4482887 and the upgrade block removed. 

    Back to top
    OS Build 17763.134

    November 13, 2018
    KB4467708
    Resolved
    KB4482887
    Resolved:
    March 01, 2019
    10:00 AM PT

    Opened:
    November 13, 2018
    10:00 AM PT
    \"
diff --git a/windows/release-information/resolved-issues-windows-10-1903.yml b/windows/release-information/resolved-issues-windows-10-1903.yml
index 46128ad713..e3349d1356 100644
--- a/windows/release-information/resolved-issues-windows-10-1903.yml
+++ b/windows/release-information/resolved-issues-windows-10-1903.yml
@@ -32,6 +32,12 @@ sections:
 - type: markdown
 text: \"
+
+
+
+
+
+
@@ -58,10 +64,24 @@ sections:
 - type: markdown
 text: \"
    SummaryOriginating updateStatusDate resolved
    Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
    Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.

    See details >
    OS Build 18362.295

    August 13, 2019
    KB4512508
    Resolved
    KB4512941
    August 30, 2019
    10:00 AM PT
    Issues updating when certain versions of Intel storage drivers are installed
    Certain versions of Intel Rapid Storage Technology (Intel RST) drivers may cause updating to Windows 10, version 1903 to fail.

    See details >
    OS Build 18362.145

    May 29, 2019
    KB4497935
    Resolved
    KB4512941
    August 30, 2019
    10:00 AM PT
    Initiating a Remote Desktop connection may result in black screen
    When initiating a Remote Desktop connection to devices with some older GPU drivers, you may receive a black screen.

    See details >
    OS Build 18362.145

    May 29, 2019
    KB4497935
    Resolved
    KB4512941
    August 30, 2019
    10:00 AM PT
    Windows Sandbox may fail to start with error code “0x80070002”
    Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language was changed between updates

    See details >
    OS Build 18362.116

    May 20, 2019
    KB4505057
    Resolved
    KB4512941
    August 30, 2019
    10:00 AM PT
    Devices starting using PXE from a WDS or SCCM servers may fail to start
    Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

    See details >
    OS Build 18362.175

    June 11, 2019
    KB4503293
    Resolved
    KB4512941
    August 30, 2019
    10:00 AM PT
    Domain connected devices that use MIT Kerberos realms will not start up
    Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

    See details >
    OS Build 18362.145

    May 29, 2019
    KB4497935
    Resolved
    KB4512941
    August 30, 2019
    10:00 AM PT
    MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
    You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

    See details >
    OS Build 18362.175

    June 11, 2019
    KB4503293
    Resolved External
    August 09, 2019
    07:03 PM PT
    Display brightness may not respond to adjustments
    Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers.

    See details >
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Resolved
    KB4505903
    July 26, 2019
    02:00 PM PT
    RASMAN service may stop working and result in the error “0xc0000005”
    The Remote Access Connection Manager (RASMAN) service may stop working and result in the error “0xc0000005” with VPN profiles configured as an Always On VPN connection.

    See details >
    OS Build 18362.145

    May 29, 2019
    KB4497935
    Resolved
    KB4505903
    July 26, 2019
    02:00 PM PT
    +
    DetailsOriginating updateStatusHistory
    Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
    After installing KB4512508, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

    Affected platforms:
    • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
    • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
    Resolution: This issue was resolved in KB4512941. The ‘optional’ update is available on Microsoft Update Catalog, Windows Update, Microsoft Update and Windows Server Update Services (WSUS). As with any 'optional' update, you will need to Check for updates to receive KB4512941 and install. For instructions, see Update Windows 10.

    Note Windows Update for Business customers should apply the update via Microsoft Update Catalog or Windows Server Update Services (WSUS).

    Back to top
    OS Build 18362.295

    August 13, 2019
    KB4512508
    Resolved
    KB4512941
    Resolved:
    August 30, 2019
    10:00 AM PT

    Opened:
    August 14, 2019
    03:34 PM PT
    MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
    You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503293) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

    Affected platforms:
    • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
    • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
    Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

    Back to top
    OS Build 18362.175

    June 11, 2019
    KB4503293
    Resolved External
    Last updated:
    August 09, 2019
    07:03 PM PT

    Opened:
    August 09, 2019
    04:25 PM PT
    "
    +- title: July 2019
    +- items:
    + - type: markdown
    + text: " + + + + + +
    DetailsOriginating updateStatusHistory
    Issues updating when certain versions of Intel storage drivers are installed
    Intel and Microsoft have found incompatibility issues with certain versions of the Intel Rapid Storage Technology (Intel RST) drivers and the Windows 10 May 2019 Update (Windows 10, version 1903).  

    To safeguard your update experience, we have applied a compatibility hold on devices with Intel RST drivers, versions 15.1.0.1002 through version 15.5.2.1053 installed from installing or being offered Windows 10, version 1903 or Windows Server, version 1903, until the driver has been updated.

    Versions 15.5.2.1054 or later are compatible, and a device that has these drivers installed can install the Windows 10 May 2019 Update. For affected devices, the recommended version is 15.9.8.1050.

    Affected platforms:
    • Client: Windows 10, version 1903
    • Server: Windows Server, version 1903
    Workaround: To mitigate this issue before the safeguard hold is removed, you will need to update the Intel RST drivers for your device to version 15.5.2.1054 or a later.  Check with your device manufacturer (OEM) to see if an updated driver is available and install it. You can also download the latest Intel RST drivers directly from Intel at Intel® Rapid Storage Technology (Intel® RST) User Interface and Driver. Once your drivers are updated, you can restart the installation process for Windows 10, version 1903. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903.

    Resolution: This issue was resolved in KB4512941. The safeguard hold is estimated to be removed in early September.

    Back to top
    OS Build 18362.145

    May 29, 2019
    KB4497935
    Resolved
    KB4512941
    Resolved:
    August 30, 2019
    10:00 AM PT

    Opened:
    July 25, 2019
    06:10 PM PT
    Initiating a Remote Desktop connection may result in black screen
    When initiating a Remote Desktop connection to devices with some older GPU drivers, you may receive a black screen. Any version of Windows may encounter this issue when initiating a Remote Desktop connection to a Windows 10, version 1903 device which is running an affected display driver, including the drivers for the Intel 4 series chipset integrated GPU (iGPU).

    Affected platforms:
    • Client: Windows 10, version 1903
    • Server: Windows Server, version 1903
    Resolution: This issue was resolved in KB4512941.

    Back to top
    OS Build 18362.145

    May 29, 2019
    KB4497935
    Resolved
    KB4512941
    Resolved:
    August 30, 2019
    10:00 AM PT

    Opened:
    July 12, 2019
    04:42 PM PT
    Devices starting using PXE from a WDS or SCCM servers may fail to start
    Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503293 on a WDS server.

    Affected platforms:
    • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
    Resolution: This issue was resolved in KB4512941.

    Back to top
    OS Build 18362.175

    June 11, 2019
    KB4503293
    Resolved
    KB4512941
    Resolved:
    August 30, 2019
    10:00 AM PT

    Opened:
    July 10, 2019
    02:51 PM PT
    Domain connected devices that use MIT Kerberos realms will not start up
    Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4497935. Devices that are domain controllers or domain members are both affected.

    To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

    Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
    HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
    +

    Affected platforms:
    • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
    • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
    Resolution: This issue was resolved in KB4512941. The safeguard hold is estimated to be removed in early September.

    Back to top
    OS Build 18362.145

    May 29, 2019
    KB4497935
    Resolved
    KB4512941
    Resolved:
    August 30, 2019
    10:00 AM PT

    Opened:
    July 25, 2019
    06:10 PM PT
    + " +
     - title: June 2019
     - items:
     - type: markdown
    @@ -77,6 +97,7 @@ sections:
     - type: markdown
     text: " +
    diff --git a/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml
    index b30db83a7d..5305dd2345 100644
    --- a/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml
    +++ b/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml
    @@ -32,6 +32,7 @@ sections:
     - type: markdown
     text: "
    DetailsOriginating updateStatusHistory
    Windows Sandbox may fail to start with error code “0x80070002”
    Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language is changed during the update process when installing Windows 10, version 1903.

    Affected platforms:
    • Client: Windows 10, version 1903
    Resolution: This issue was resolved in KB4512941.

    Back to top
    OS Build 18362.116

    May 20, 2019
    KB4505057
    Resolved
    KB4512941
    Resolved:
    August 30, 2019
    10:00 AM PT

    Opened:
    May 24, 2019
    04:20 PM PT
    Display brightness may not respond to adjustments
    Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers. After updating to Windows 10, version 1903, brightness settings may sometime appear as if changes applied took effect, yet the actual display brightness doesn't change.

    To safeguard your update experience, we have applied a compatibility hold on devices with certain Intel drivers from being offered Windows 10, version 1903, until this issue is resolved.

    Affected platforms:
    • Client: Windows 10, version 1903
    Resolution: This issue was resolved in KB4505903 and the safeguard hold has been removed. Please ensure you have applied the resolving update before attempting to update to the Windows 10 May 2019 Update (version 1903). Please note, it can take up to 48 hours for the safeguard to be removed.

    Back to top
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Resolved
    KB4505903
    Resolved:
    July 26, 2019
    02:00 PM PT

    Opened:
    May 21, 2019
    07:56 AM PT
    Loss of functionality in Dynabook Smartphone Link app
    Some users may experience a loss of functionality after updating to Windows 10, version 1903 when using the Dynabook Smartphone Link application on Windows devices. Loss of functionality may affect the display of phone numbers in the Call menu and the ability to answer phone calls on the Windows PC.

    To safeguard your update experience, we have applied a compatibility hold on devices with Dynabook Smartphone Link from being offered Windows 10, version 1903, until this issue is resolved.

    Affected platforms:
    • Client: Windows 10, version 1903
    Resolution: This issue is now resolved and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903.

    Back to top
    OS Build 18362.116

    May 20, 2019
    KB4505057
    Resolved
    Resolved:
    July 11, 2019
    01:54 PM PT

    Opened:
    May 24, 2019
    03:10 PM PT
    Error attempting to update with external USB device or memory card attached
    If you have an external USB device or SD memory card attached when installing Windows 10, version 1903, you may get an error message stating \"This PC can't be upgraded to Windows 10.\" This is caused by inappropriate drive reassignment during installation.

    Sample scenario: An update to Windows 10, version 1903 is attempted on a computer that has a thumb drive inserted into its USB port. Before the update, the thumb drive is mounted in the system as drive G based on the existing drive configuration. After the feature update is installed; however, the device is reassigned a different drive letter (e.g., drive H).

    Note The drive reassignment is not limited to removable drives. Internal hard drives may also be affected.

    To safeguard your update experience, we have applied a hold on devices with an external USB device or SD memory card attached from being offered Windows 10, version 1903 until this issue is resolved.

    Affected platforms:
    • Client: Windows 10, version 1903
    Resolution: This issue is now resolved and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903.

    Back to top
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Resolved
    Resolved:
    July 11, 2019
    01:53 PM PT

    Opened:
    May 21, 2019
    07:38 AM PT
    +
    @@ -64,6 +65,7 @@ sections:
     - type: markdown
     text: "
    SummaryOriginating updateStatusDate resolved
    Windows updates that are SHA-2 signed may not be offered for Symantec and Norton AV
    Windows updates that are SHA-2 signed are not available with Symantec or Norton antivirus program installed

    See details >
    August 13, 2019
    KB4512506
    Resolved External
    August 27, 2019
    02:29 PM PT
    Devices starting using PXE from a WDS or SCCM servers may fail to start
    Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

    See details >
    June 11, 2019
    KB4503292
    Resolved
    KB4512514
    August 17, 2019
    02:00 PM PT
    Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
    Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.

    See details >
    August 13, 2019
    KB4512506
    Resolved
    KB4517297
    August 16, 2019
    02:00 PM PT
    System may be unresponsive after restart with certain McAfee antivirus products
    Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.

    See details >
    April 09, 2019
    KB4493472
    Resolved External
    August 13, 2019
    06:59 PM PT
    +
    DetailsOriginating updateStatusHistory
    Windows updates that are SHA-2 signed may not be offered for Symantec and Norton AV
    Symantec identified the potential for a negative interaction that may occur after Windows Updates code signed with SHA-2 only certificates are installed on devices with Symantec or Norton antivirus programs installed. The software may not correctly identify files included in the update as code signed by Microsoft, putting the device at risk for a delayed or incomplete update.

    Affected platforms:
    • Client: Windows 7 SP1
    • Server: Windows Server 2008 R2 SP1
    Resolution: The safeguard hold has been removed. Symantec has completed its evaluation of the impact of this update and future updates to Windows 7/Windows 2008 R2 and has determined that there is no increased risk of a false positive detection for all in-field versions of Symantec Endpoint Protection and Norton antivirus programs. See the Symantec support article for additional detail and please reach out to Symantec or Norton support if you encounter any issues.

    Back to top
    August 13, 2019
    KB4512506
    Resolved External
    Last updated:
    August 27, 2019
    02:29 PM PT

    Opened:
    August 13, 2019
    10:05 AM PT
    Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
    After installing KB4512506, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

    Affected platforms:
    • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
    • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
    Resolution: This issue was resolved in KB4517297. The ‘optional’ update is now available on Microsoft Update Catalog and Windows Server Update Services (WSUS).

    Back to top
    August 13, 2019
    KB4512506
    Resolved
    KB4517297
    Resolved:
    August 16, 2019
    02:00 PM PT

    Opened:
    August 14, 2019
    03:34 PM PT
    MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
    You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503292) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

    Affected platforms:
    • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
    • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
    Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

    Back to top
    June 11, 2019
    KB4503292
    Resolved External
    Last updated:
    August 09, 2019
    07:03 PM PT

    Opened:
    August 09, 2019
    04:25 PM PT
    diff --git a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml
    index cca3c91d12..fb76299a24 100644
    --- a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml
    +++ b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml
    @@ -66,7 +66,6 @@ sections:
    Internet Explorer 11 and apps using the WebBrowser control may fail to render
    JavaScript may fail to render as expected in Internet Explorer 11 and in apps using JavaScript or the WebBrowser control.

    See details >OS Build 14393.3085

    July 09, 2019
    KB4507460Resolved
    KB4512517August 13, 2019
    10:00 AM PT
    MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
    You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

    See details >OS Build 14393.3025

    June 11, 2019
    KB4503267Resolved External
    August 09, 2019
    07:03 PM PT
    Apps and scripts using the NetQueryDisplayInformation API may fail with error
    Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data.

    See details >OS Build 14393.3053

    June 18, 2019
    KB4503294Investigating
    August 01, 2019
    05:00 PM PT -
    SCVMM cannot enumerate and manage logical switches deployed on the host
    For hosts managed by System Center Virtual Machine Manager (VMM), VMM cannot enumerate and manage logical switches deployed on the host.

    See details >OS Build 14393.2639

    November 27, 2018
    KB4467684Resolved
    KB4507459July 16, 2019
    10:00 AM PT
    Certain operations performed on a Cluster Shared Volume may fail
    Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

    See details >OS Build 14393.2724

    January 08, 2019
    KB4480961Mitigated
    April 25, 2019
    02:00 PM PT
    Windows may not start on certain Lenovo and Fujitsu laptops with less than 8GB of RAM
    Windows may fail to start on certain Lenovo and Fujitsu laptops that have less than 8 GB of RAM.

    See details >OS Build 14393.2608

    November 13, 2018
    KB4467691Mitigated
    February 19, 2019
    10:00 AM PT
    Cluster service may fail if the minimum password length is set to greater than 14
    The cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the Group Policy “Minimum Password Length” is configured with greater than 14 characters.

    See details >OS Build 14393.2639

    November 27, 2018
    KB4467684Mitigated
    April 25, 2019
    02:00 PM PT
    @@ -117,7 +116,6 @@ sections:
     - type: markdown
     text: " -
    DetailsOriginating updateStatusHistory
    SCVMM cannot enumerate and manage logical switches deployed on the host
    For hosts managed by System Center Virtual Machine Manager (VMM), VMM cannot enumerate and manage logical switches deployed on the host after installing KB4467684.

    Additionally, if you do not follow the best practices, a stop error may occur in vfpext.sys on the hosts.

    Affected platforms:
    • Client: Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
    • Server: Windows Server 2016
    Resolution: This issue was resolved in KB4507459.

    Back to top
    OS Build 14393.2639

    November 27, 2018
    KB4467684
    Resolved
    KB4507459
    Resolved:
    July 16, 2019
    10:00 AM PT

    Opened:
    November 27, 2018
    10:00 AM PT
    Windows may not start on certain Lenovo and Fujitsu laptops with less than 8GB of RAM
    After installing KB4467691, Windows may fail to start on certain Lenovo and Fujitsu laptops that have less than 8 GB of RAM.

    Affected platforms:
    • Client: Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
    • Server: Windows Server 2016
    Workaround: Restart the affected machine using the Unified Extensible Firmware Interface (UEFI). Disable Secure Boot and then restart.

    If BitLocker is enabled on your machine, you may have to go through BitLocker recovery after Secure Boot has been disabled.

    Next steps: Lenovo and Fujitsu are aware of this issue. Please contact your OEM to ask if there is a firmware update available for your device.

    Back to top
    OS Build 14393.2608

    November 13, 2018
    KB4467691
    Mitigated
    Last updated:
    February 19, 2019
    10:00 AM PT

    Opened:
    November 13, 2018
    10:00 AM PT
    Cluster service may fail if the minimum password length is set to greater than 14
    After installing KB4467684, the cluster service may fail to start with the error \"2245 (NERR_PasswordTooShort)\" if the Group Policy \"Minimum Password Length\" is configured with greater than 14 characters.

    Affected platforms:
    • Client: Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
    • Server: Windows Server 2016
    Workaround: Set the domain default \"Minimum Password Length\" policy to less than or equal to 14 characters.

    Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

    Back to top
    OS Build 14393.2639

    November 27, 2018
    KB4467684
    Mitigated
    Last updated:
    April 25, 2019
    02:00 PM PT

    Opened:
    November 27, 2018
    10:00 AM PT
    diff --git a/windows/release-information/status-windows-10-1703.yml b/windows/release-information/status-windows-10-1703.yml
    index 0e11306afb..dbe7b4e91e 100644
    --- a/windows/release-information/status-windows-10-1703.yml
    +++ b/windows/release-information/status-windows-10-1703.yml
    @@ -20,6 +20,12 @@ sections:
     text: " Find information on known issues for Windows 10, version 1703. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s). + +
    Current status as of August 23, 2019:
    +
    The Enterprise and Education editions of Windows 10, version 1703 (the Windows 10 Creators Update) will reach end of life on October 9, 2019. The Home, Pro, Pro for Workstations, and IoT Core editions reached end of service on October 8, 2018.

    There is no extended support available for any edition of Windows 10, version 1703. Therefore, it will no longer be supported after October 9, 2019 and will not receive monthly security and quality updates containing protections from the latest security threats.

    To continue receiving security and quality updates, Microsoft recommends that you update your devices to the latest version of Windows 10. For more information on end of service dates and currently supported versions of Windows 10, see the Windows lifecycle fact sheet. +
    +
    + "
     - items:
    diff --git a/windows/release-information/status-windows-10-1803.yml b/windows/release-information/status-windows-10-1803.yml
    index c9f0739b5a..fe3c6577c2 100644
    --- a/windows/release-information/status-windows-10-1803.yml
    +++ b/windows/release-information/status-windows-10-1803.yml
    @@ -65,6 +65,7 @@ sections:
     - type: markdown
     text: "
    This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

    +
    @@ -81,6 +82,15 @@ sections:
    "
    +- title: September 2019
    +- items:
    + - type: markdown
    + text: " +
    SummaryOriginating updateStatusLast updated
    Notification issue: \"Your device is missing important security and quality fixes.\"
    Some users may have incorrectly received the notification \"Your device is missing important security and quality fixes.\"

    See details >
    N/A

    Resolved
    September 03, 2019
    12:32 PM PT
    Devices starting using PXE from a WDS or SCCM servers may fail to start
    Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

    See details >
    OS Build 17134.829

    June 11, 2019
    KB4503286
    Resolved
    KB4512509
    August 19, 2019
    02:00 PM PT
    Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
    Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.

    See details >
    OS Build 17134.950

    August 13, 2019
    KB4512501
    Resolved
    KB4512509
    August 19, 2019
    02:00 PM PT
    Domain connected devices that use MIT Kerberos realms will not start up
    Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

    See details >
    OS Build 17134.915

    July 16, 2019
    KB4507466
    Resolved
    KB4512501
    August 13, 2019
    10:00 AM PT
    + +
    DetailsOriginating updateStatusHistory
    Notification issue: \"Your device is missing important security and quality fixes.\"
    Some users may have incorrectly received the notification \"Your device is missing important security and quality fixes\" in the Windows Update dialog and a red \"!\" in the task tray on the Windows Update tray icon. This notification is intended for devices that are 90 days or more out of date, but some users with installed updates released in June or July also saw this notification.

    Affected platforms:
    • Client: Windows 10, version 1803
    • Server: Windows Server, version 1803
    Resolution: This issue was resolved on the server side on August 30, 2019. Only devices that are out of date by 90 days or more should now see the notification. No action is required by the user to resolve this issue. If you are still seeing the \"Your device is missing important security and quality fixes\" notification, we recommend selecting Check for Updates in the Windows Update dialog. For instructions, see Update Windows 10. Microsoft always recommends trying to keep your devices up to date, as the monthly updates contain important security fixes. 

    Back to top
    N/A

    Resolved
    Resolved:
    September 03, 2019
    12:32 PM PT

    Opened:
    September 03, 2019
    12:32 PM PT
    + " +
     - title: August 2019
     - items:
     - type: markdown
    diff --git a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml
    index 4c3dfc4364..5a2c3b8df0 100644
    --- a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml
    +++ b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml
    @@ -118,7 +118,7 @@ sections:
     - type: markdown
     text: " - +
    DetailsOriginating updateStatusHistory
    Devices with some Asian language packs installed may receive an error
    After installing the April 2019 Cumulative Update (KB4493509), devices with some Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND.\"

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
    • Server: Windows Server, version 1809; Windows Server 2019
    Workaround:
    1. Uninstall and reinstall any recently added language packs. For instructions, see \"Manage the input and display language settings in Windows 10\".
    2. Click Check for Updates and install the April 2019 Cumulative Update. For instructions, see \"Update Windows 10\".
    Note: If reinstalling the language pack does not mitigate the issue, reset your PC as follows:
    1. Go to Settings app -> Recovery.
    2. Click on Get Started under \"Reset this PC\" recovery option.
    3. Select \"Keep my Files\".
    Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

    Back to top
    OS Build 17763.437

    April 09, 2019
    KB4493509
    Mitigated
    Last updated:
    May 03, 2019
    10:59 AM PT

    Opened:
    May 02, 2019
    04:36 PM PT
    Devices with some Asian language packs installed may receive an error
    After installing the April 2019 Cumulative Update (KB4493509), devices with some Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND.\"

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
    • Server: Windows Server, version 1809; Windows Server 2019
    Workaround:
    1. Uninstall and reinstall any recently added language packs. For instructions, see \"Manage the input and display language settings in Windows 10\".
    2. Click Check for Updates and install the April 2019 Cumulative Update. For instructions, see \"Update Windows 10\".
    Note: If reinstalling the language pack does not mitigate the issue, reset your PC as follows:
      1. Go to Settings app -> Recovery.
      2. Click on Get Started under \"Reset this PC\" recovery option.
      3. Select \"Keep my Files\".
    Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

    Back to top
    OS Build 17763.437

    April 09, 2019
    KB4493509
    Mitigated
    Last updated:
    May 03, 2019
    10:59 AM PT

    Opened:
    May 02, 2019
    04:36 PM PT
    "
diff --git a/windows/release-information/status-windows-10-1903.yml b/windows/release-information/status-windows-10-1903.yml
index 9b7700d02e..9201d1cb20 100644
--- a/windows/release-information/status-windows-10-1903.yml
+++ b/windows/release-information/status-windows-10-1903.yml
@@ -65,19 +65,18 @@ sections: - type: markdown text: "
    This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

    - - + + + + + + + - - - - - -
@@ -91,12 +90,21 @@ sections:
    "
+- title: September 2019
+- items:
+ - type: markdown
+ text: "
+
    SummaryOriginating updateStatusLast updated
    Windows Sandbox may fail to start with error code “0x80070002”
    Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language was changed between updates

    See details >
    OS Build 18362.116

    May 20, 2019
    KB4505057
    Investigating
    August 20, 2019
    10:50 AM PT
    Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
    Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.

    See details >
    OS Build 18362.295

    August 13, 2019
    KB4512508
    Investigating
    August 17, 2019
    01:49 PM PT
    Windows Desktop Search may not return any results and may have high CPU usage
    Windows Desktop Search may not return any results and SearchUI.exe may have high CPU usage after installing KB4512941.

    See details >
    OS Build 18362.329

    August 30, 2019
    KB4512941
    Investigating
    September 04, 2019
    02:25 PM PT
    Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
    Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.

    See details >
    OS Build 18362.295

    August 13, 2019
    KB4512508
    Resolved
    KB4512941
    August 30, 2019
    10:00 AM PT
    Issues updating when certain versions of Intel storage drivers are installed
    Certain versions of Intel Rapid Storage Technology (Intel RST) drivers may cause updating to Windows 10, version 1903 to fail.

    See details >
    OS Build 18362.145

    May 29, 2019
    KB4497935
    Resolved
    KB4512941
    August 30, 2019
    10:00 AM PT
    Initiating a Remote Desktop connection may result in black screen
    When initiating a Remote Desktop connection to devices with some older GPU drivers, you may receive a black screen.

    See details >
    OS Build 18362.145

    May 29, 2019
    KB4497935
    Resolved
    KB4512941
    August 30, 2019
    10:00 AM PT
    Windows Sandbox may fail to start with error code “0x80070002”
    Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language was changed between updates

    See details >
    OS Build 18362.116

    May 20, 2019
    KB4505057
    Resolved
    KB4512941
    August 30, 2019
    10:00 AM PT
    Devices starting using PXE from a WDS or SCCM servers may fail to start
    Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

    See details >
    OS Build 18362.175

    June 11, 2019
    KB4503293
    Resolved
    KB4512941
    August 30, 2019
    10:00 AM PT
    Domain connected devices that use MIT Kerberos realms will not start up
    Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

    See details >
    OS Build 18362.145

    May 29, 2019
    KB4497935
    Resolved
    KB4512941
    August 30, 2019
    10:00 AM PT
    Updates may fail to install and you may receive Error 0x80073701
    Installation of updates may fail and you may receive an error, \"Updates Failed, There were problems installing some updates, but we'll try again later\" and \"Error 0x80073701.\"

    See details >
    OS Build 18362.145

    May 29, 2019
    KB4497935
    Investigating
    August 16, 2019
    04:28 PM PT
    Domain connected devices that use MIT Kerberos realms will not start up
    Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

    See details >
    OS Build 18362.145

    May 29, 2019
    KB4497935
    Investigating
    August 13, 2019
    06:59 PM PT
    MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
    You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

    See details >
    OS Build 18362.175

    June 11, 2019
    KB4503293
    Resolved External
    August 09, 2019
    07:03 PM PT
    Issues updating when certain versions of Intel storage drivers are installed
    Certain versions of Intel Rapid Storage Technology (Intel RST) drivers may cause updating to Windows 10, version 1903 to fail.

    See details >
    OS Build 18362.145

    May 29, 2019
    KB4497935
    Mitigated External
    August 09, 2019
    07:03 PM PT
    Intermittent loss of Wi-Fi connectivity
    Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver.

    See details >
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Mitigated External
    August 01, 2019
    08:44 PM PT
    Gamma ramps, color profiles, and night light settings do not apply in some cases
    Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.

    See details >
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Mitigated
    August 01, 2019
    06:27 PM PT
    Display brightness may not respond to adjustments
    Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers.

    See details >
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Resolved
    KB4505903
    July 26, 2019
    02:00 PM PT
    RASMAN service may stop working and result in the error “0xc0000005”
    The Remote Access Connection Manager (RASMAN) service may stop working and result in the error “0xc0000005” with VPN profiles configured as an Always On VPN connection.

    See details >
    OS Build 18362.145

    May 29, 2019
    KB4497935
    Resolved
    KB4505903
    July 26, 2019
    02:00 PM PT
    The dGPU may occasionally disappear from device manager on Surface Book 2 with dGPU
    Some apps or games that needs to perform graphics intensive operations may close or fail to open on Surface Book 2 devices with Nvidia dGPU.

    See details >
    OS Build 18362.145

    May 29, 2019
    KB4497935
    Investigating
    July 16, 2019
    09:04 AM PT
    Initiating a Remote Desktop connection may result in black screen
    When initiating a Remote Desktop connection to devices with some older GPU drivers, you may receive a black screen.

    See details >
    OS Build 18362.145

    May 29, 2019
    KB4497935
    Investigating
    July 12, 2019
    04:42 PM PT
    Devices starting using PXE from a WDS or SCCM servers may fail to start
    Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

    See details >
    OS Build 18362.175

    June 11, 2019
    KB4503293
    Mitigated
    July 10, 2019
    07:09 PM PT
    Unable to discover or connect to Bluetooth devices
    Microsoft has identified compatibility issues with some versions of Realtek and Qualcomm Bluetooth radio drivers.

    See details >
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Mitigated
    May 21, 2019
    04:48 PM PT
    Intel Audio displays an intcdaud.sys notification
    Microsoft and Intel have identified an issue with a range of Intel Display Audio device drivers that may result in battery drain.

    See details >
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Mitigated
    May 21, 2019
    04:47 PM PT
    Cannot launch Camera app
    Microsoft and Intel have identified an issue affecting Intel RealSense SR300 or Intel RealSense S200 camera apps.

    See details >
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Mitigated
    May 21, 2019
    04:47 PM PT
    + +
    DetailsOriginating updateStatusHistory
    Windows Desktop Search may not return any results and may have high CPU usage
    Microsoft is getting reports that a small number of users may not receive results when using Windows Desktop Search and may see high CPU usage from SearchUI.exe when searching after installing KB4512941. This issue is only encountered on devices in which searching the web from Windows Desktop Search has been disabled.

    Affected platforms:
    • Client: Windows 10, version 1903
    Next steps: We are working on a resolution and estimate a solution will be available in mid-September.

    Back to top
    OS Build 18362.329

    August 30, 2019
    KB4512941
    Investigating
    Last updated:
    September 04, 2019
    02:25 PM PT

    Opened:
    September 04, 2019
    02:25 PM PT
    + " + - title: August 2019 - items: - type: markdown text: " - +
    DetailsOriginating updateStatusHistory
    Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
    After installing KB4512508, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

    Affected platforms:
    • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
    • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
    Next steps: Microsoft is working on a resolution and estimates a solution will be available late August. The ‘optional’ update will be available on Microsoft Update Catalog, Windows Update, Microsoft Update and Windows Server Update Services (WSUS). As with any 'optional' update, you will need to Check for updates to receive the update once it is released.

    Note Windows Update for Business customers should apply the update via Microsoft Update Catalog or Windows Server Update Services (WSUS).

    Back to top
    OS Build 18362.295

    August 13, 2019
    KB4512508
    Investigating
    Last updated:
    August 17, 2019
    01:49 PM PT

    Opened:
    August 14, 2019
    03:34 PM PT
    Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
    After installing KB4512508, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

    Affected platforms:
    • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
    • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
    Resolution: This issue was resolved in KB4512941. The ‘optional’ update is available on Microsoft Update Catalog, Windows Update, Microsoft Update and Windows Server Update Services (WSUS). As with any 'optional' update, you will need to Check for updates to receive KB4512941 and install. For instructions, see Update Windows 10.

    Note Windows Update for Business customers should apply the update via Microsoft Update Catalog or Windows Server Update Services (WSUS).

    Back to top
    OS Build 18362.295

    August 13, 2019
    KB4512508
    Resolved
    KB4512941
    Resolved:
    August 30, 2019
    10:00 AM PT

    Opened:
    August 14, 2019
    03:34 PM PT
    Updates may fail to install and you may receive Error 0x80073701
    Installation of updates may fail and you may receive the error message, \"Updates Failed, There were problems installing some updates, but we'll try again later\" or \"Error 0x80073701\" on the Windows Update dialog or within Update history.

    Affected platforms:
    • Client: Windows 10, version 1903
    • Server: Windows Server, version 1903
    Next steps: We are working on a resolution and will provide an update in an upcoming release.

    Back to top
    OS Build 18362.145

    May 29, 2019
    KB4497935
    Investigating
    Last updated:
    August 16, 2019
    04:28 PM PT

    Opened:
    August 16, 2019
    01:41 PM PT
    MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
    You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503293) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

    Affected platforms:
    • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
    • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
    Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

    Back to top
    OS Build 18362.175

    June 11, 2019
    KB4503293
    Resolved External
    Last updated:
    August 09, 2019
    07:03 PM PT

    Opened:
    August 09, 2019
    04:25 PM PT
    @@ -107,21 +115,12 @@ sections: - type: markdown text: " - - + + + + - - -
    DetailsOriginating updateStatusHistory
    Domain connected devices that use MIT Kerberos realms will not start up
    Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4497935. Devices that are domain controllers or domain members are both affected.

    To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

    Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
    HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
    -

    Affected platforms:
    • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
    • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
    Next steps: At this time, we suggest that devices in an affected environment do not install KB4497935. We are working on a resolution and estimate a solution will be available in late August.

    Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

    Back to top
    OS Build 18362.145

    May 29, 2019
    KB4497935
    Investigating
    Last updated:
    August 13, 2019
    06:59 PM PT

    Opened:
    July 25, 2019
    06:10 PM PT
    Issues updating when certain versions of Intel storage drivers are installed
    Intel and Microsoft have found incompatibility issues with certain versions of the Intel Rapid Storage Technology (Intel RST) drivers and the Windows 10 May 2019 Update (Windows 10, version 1903).  

    To safeguard your update experience, we have applied a compatibility hold on devices with Intel RST drivers, versions 15.1.0.1002 through version 15.5.2.1053 installed from installing or being offered Windows 10, version 1903 or Windows Server, version 1903, until the driver has been updated.

    Versions 15.5.2.1054 or later are compatible, and a device that has these drivers installed can install the Windows 10 May 2019 Update. For affected devices, the recommended version is 15.9.8.1050.

    Affected platforms:
    • Client: Windows 10, version 1903
    • Server: Windows Server, version 1903
    Workaround: To mitigate this issue before the resolution is released, you will need to update the Intel RST drivers for your device to version 15.5.2.1054 or a later.  Check with your device manufacturer (OEM) to see if an updated driver is available and install it. You can also download the latest Intel RST drivers directly from Intel at Intel® Rapid Storage Technology (Intel® RST) User Interface and Driver. Once your drivers are updated, you can restart the installation process for Windows 10, version 1903. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903.

    Note Until an updated driver has been installed, we recommend you do not attempt to manually update using the Update now button or the Media Creation Tool. 

    Next Steps: We are working on a resolution and estimate a solution will be available in late August.

    Back to top
    OS Build 18362.145

    May 29, 2019
    KB4497935
    Mitigated External
    Last updated:
    August 09, 2019
    07:03 PM PT

    Opened:
    July 25, 2019
    06:10 PM PT
    Issues updating when certain versions of Intel storage drivers are installed
    Intel and Microsoft have found incompatibility issues with certain versions of the Intel Rapid Storage Technology (Intel RST) drivers and the Windows 10 May 2019 Update (Windows 10, version 1903).  

    To safeguard your update experience, we have applied a compatibility hold on devices with Intel RST drivers, versions 15.1.0.1002 through version 15.5.2.1053 installed from installing or being offered Windows 10, version 1903 or Windows Server, version 1903, until the driver has been updated.

    Versions 15.5.2.1054 or later are compatible, and a device that has these drivers installed can install the Windows 10 May 2019 Update. For affected devices, the recommended version is 15.9.8.1050.

    Affected platforms:
    • Client: Windows 10, version 1903
    • Server: Windows Server, version 1903
    Workaround: To mitigate this issue before the safeguard hold is removed, you will need to update the Intel RST drivers for your device to version 15.5.2.1054 or a later.  Check with your device manufacturer (OEM) to see if an updated driver is available and install it. You can also download the latest Intel RST drivers directly from Intel at Intel® Rapid Storage Technology (Intel® RST) User Interface and Driver. Once your drivers are updated, you can restart the installation process for Windows 10, version 1903. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903.

    Resolution: This issue was resolved in KB4512941. The safeguard hold is estimated to be removed in early September.

    Back to top
    OS Build 18362.145

    May 29, 2019
    KB4497935
    Resolved
    KB4512941
    Resolved:
    August 30, 2019
    10:00 AM PT

    Opened:
    July 25, 2019
    06:10 PM PT
    Initiating a Remote Desktop connection may result in black screen
    When initiating a Remote Desktop connection to devices with some older GPU drivers, you may receive a black screen. Any version of Windows may encounter this issue when initiating a Remote Desktop connection to a Windows 10, version 1903 device which is running an affected display driver, including the drivers for the Intel 4 series chipset integrated GPU (iGPU).

    Affected platforms:
    • Client: Windows 10, version 1903
    • Server: Windows Server, version 1903
    Resolution: This issue was resolved in KB4512941.

    Back to top
    OS Build 18362.145

    May 29, 2019
    KB4497935
    Resolved
    KB4512941
    Resolved:
    August 30, 2019
    10:00 AM PT

    Opened:
    July 12, 2019
    04:42 PM PT
    Devices starting using PXE from a WDS or SCCM servers may fail to start
    Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503293 on a WDS server.

    Affected platforms:
    • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
    Resolution: This issue was resolved in KB4512941.

    Back to top
    OS Build 18362.175

    June 11, 2019
    KB4503293
    Resolved
    KB4512941
    Resolved:
    August 30, 2019
    10:00 AM PT

    Opened:
    July 10, 2019
    02:51 PM PT
    Domain connected devices that use MIT Kerberos realms will not start up
    Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4497935. Devices that are domain controllers or domain members are both affected.

    To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

    Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
    HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
    +

    Affected platforms:
    • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
    • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
    Resolution: This issue was resolved in KB4512941. The safeguard hold is estimated to be removed in early September.

    Back to top
    OS Build 18362.145

    May 29, 2019
    KB4497935
    Resolved
    KB4512941
    Resolved:
    August 30, 2019
    10:00 AM PT

    Opened:
    July 25, 2019
    06:10 PM PT
    The dGPU may occasionally disappear from device manager on Surface Book 2 with dGPU
    Microsoft has identified a compatibility issue on some Surface Book 2 devices configured with Nvidia discrete graphics processing unit (dGPU). After updating to Windows 10, version 1903 (May 2019 Feature Update), some apps or games that needs to perform graphics intensive operations may close or fail to open.

    To safeguard your update experience, we have applied a compatibility hold on Surface Book 2 devices with Nvidia dGPUs from being offered Windows 10, version 1903, until this issue is resolved.

    Affected platforms:
    • Client: Windows 10, version 1903
    Workaround: To mitigate the issue if you are already on Windows 10, version 1903, you can restart the device or select the Scan for hardware changes button in the Action menu or on the toolbar in Device Manager.

    Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

    Next steps: We are working on a resolution and will provide an update in an upcoming release.

    Back to top
    OS Build 18362.145

    May 29, 2019
    KB4497935
    Investigating
    Last updated:
    July 16, 2019
    09:04 AM PT

    Opened:
    July 12, 2019
    04:20 PM PT
    Initiating a Remote Desktop connection may result in black screen
    When initiating a Remote Desktop connection to devices with some older GPU drivers, you may receive a black screen. Any version of Windows may encounter this issue when initiating a Remote Desktop connection to a Windows 10, version 1903 device which is running an affected display driver, including the drivers for the Intel 4 series chipset integrated GPU (iGPU).

    Affected platforms:
    • Client: Windows 10, version 1903
    • Server: Windows Server, version 1903
    Next steps: We are working on a resolution that will be made available in upcoming release.

    Back to top
    OS Build 18362.145

    May 29, 2019
    KB4497935
    Investigating
    Last updated:
    July 12, 2019
    04:42 PM PT

    Opened:
    July 12, 2019
    04:42 PM PT
    Devices starting using PXE from a WDS or SCCM servers may fail to start
    Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503293 on a WDS server.

    Affected platforms:
    • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
    Workaround:
    To mitigate this issue on an SCCM server:
    1. Verify Variable Window Extension is enabled.
    2. Set the values of TFTP block size to 4096 and TFTP window size to 1. For guidance on how to configure them, see Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points.
    Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.

    To mitigate this issue on a WDS server without SCCM:
    1. In WDS TFTP settings, verify Variable Window Extension is enabled.
    2. In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
    3. In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
    Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.

    Next steps: We are working on a resolution and will provide an update in an upcoming release.

    Back to top
    OS Build 18362.175

    June 11, 2019
    KB4503293
    Mitigated
    Last updated:
    July 10, 2019
    07:09 PM PT

    Opened:
    July 10, 2019
    02:51 PM PT
    - "
-
-- title: June 2019
-- items:
- - type: markdown
- text: "
-
-
    DetailsOriginating updateStatusHistory
    RASMAN service may stop working and result in the error “0xc0000005”
    The Remote Access Connection Manager (RASMAN) service may stop working and you may receive the error “0xc0000005” on devices where the diagnostic data level is manually configured to the non-default setting of 0. You may also receive an error in the Application section of Windows Logs in Event Viewer with Event ID 1000 referencing “svchost.exe_RasMan” and “rasman.dll”.

    This issue only occurs when a VPN profile is configured as an Always On VPN (AOVPN) connection with or without device tunnel. This does not affect manual only VPN profiles or connections.

    Affected platforms
    • Client: Windows 10, version 1903
    Resolution: This issue was resolved in KB4505903.

    Back to top
    OS Build 18362.145

    May 29, 2019
    KB4497935
    Resolved
    KB4505903
    Resolved:
    July 26, 2019
    02:00 PM PT

    Opened:
    June 28, 2019
    05:01 PM PT
    "
@@ -130,10 +129,9 @@ sections: - type: markdown text: " - + -
diff --git a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml
index 15f5bd4ccc..a8fa52963a 100644
--- a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml
+++ b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml
@@ -60,10 +60,10 @@ sections: - type: markdown text: "
    This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

    DetailsOriginating updateStatusHistory
    Windows Sandbox may fail to start with error code “0x80070002”
    Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language is changed during the update process when installing Windows 10, version 1903.

    Affected platforms:
    • Client: Windows 10, version 1903
    Next steps: We are working on a resolution and estimates a solution will be available in late August.

    Back to top
    OS Build 18362.116

    May 20, 2019
    KB4505057
    Investigating
    Last updated:
    August 20, 2019
    10:50 AM PT

    Opened:
    May 24, 2019
    04:20 PM PT
    Windows Sandbox may fail to start with error code “0x80070002”
    Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language is changed during the update process when installing Windows 10, version 1903.

    Affected platforms:
    • Client: Windows 10, version 1903
    Resolution: This issue was resolved in KB4512941.

    Back to top
    OS Build 18362.116

    May 20, 2019
    KB4505057
    Resolved
    KB4512941
    Resolved:
    August 30, 2019
    10:00 AM PT

    Opened:
    May 24, 2019
    04:20 PM PT
    Intermittent loss of Wi-Fi connectivity
    Some older computers may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. An updated Wi-Fi driver should be available from your device manufacturer (OEM).

    To safeguard your upgrade experience, we have applied a hold on devices with this Qualcomm driver from being offered Windows 10, version 1903, until the updated driver is installed.

    Affected platforms:
    • Client: Windows 10, version 1903
    Workaround: Before updating to Windows 10, version 1903, you will need to download and install an updated Wi-Fi driver from your device manufacturer (OEM).
     
    Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until a new driver has been installed and the Windows 10, version 1903 feature update has been automatically offered to you.

    Back to top
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Mitigated External
    Last updated:
    August 01, 2019
    08:44 PM PT

    Opened:
    May 21, 2019
    07:13 AM PT
    Gamma ramps, color profiles, and night light settings do not apply in some cases
    Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.

    Microsoft has identified some scenarios in which these features may have issues or stop working, for example:
    • Connecting to (or disconnecting from) an external monitor, dock, or projector
    • Rotating the screen
    • Updating display drivers or making other display mode changes
    • Closing full screen applications
    • Applying custom color profiles
    • Running applications that rely on custom gamma ramps
    Affected platforms:
    • Client: Windows 10, version 1903
    Workaround: If you find that your night light has stopped working, try turning the night light off and on, or restarting your computer. For other color setting issues, restart your computer to correct the issue.

    Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

    Next steps: We are working on a resolution and will provide an update in an upcoming release.

    Back to top
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Mitigated
    Last updated:
    August 01, 2019
    06:27 PM PT

    Opened:
    May 21, 2019
    07:28 AM PT
    Display brightness may not respond to adjustments
    Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers. After updating to Windows 10, version 1903, brightness settings may sometime appear as if changes applied took effect, yet the actual display brightness doesn't change.

    To safeguard your update experience, we have applied a compatibility hold on devices with certain Intel drivers from being offered Windows 10, version 1903, until this issue is resolved.

    Affected platforms:
    • Client: Windows 10, version 1903
    Resolution: This issue was resolved in KB4505903 and the safeguard hold has been removed. Please ensure you have applied the resolving update before attempting to update to the Windows 10 May 2019 Update (version 1903). Please note, it can take up to 48 hours for the safeguard to be removed.

    Back to top
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Resolved
    KB4505903
    Resolved:
    July 26, 2019
    02:00 PM PT

    Opened:
    May 21, 2019
    07:56 AM PT
    Unable to discover or connect to Bluetooth devices
    Microsoft has identified compatibility issues with some driver versions for Bluetooth radios made by Realtek and Qualcomm. To safeguard your update experience, we have applied a compatibility hold on devices with affected driver versions for Realtek or Qualcomm Bluetooth radios from being offered Windows 10, version 1903 or Windows Server, version 1903 until the driver has been updated.

    Affected platforms:
    • Client: Windows 10, version 1903
    • Server: Windows Server, version 1903
    Workaround: Check with your device manufacturer (OEM) to see if an updated driver is available and install it.

    • For Qualcomm drivers, you will need to install a driver version greater than 10.0.1.11.
    • For Realtek drivers, you will need to install a driver version greater than 1.5.1011.0.
    Note Until an updated driver has been installed, we recommend you do not attempt to manually update using the Update now button or the Media Creation Tool. 

    Next steps: Microsoft is working with Realtek and Qualcomm to release new drivers for all affected system via Windows Update.  


    Back to top
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Mitigated
    Last updated:
    May 21, 2019
    04:48 PM PT

    Opened:
    May 21, 2019
    07:29 AM PT
    Intel Audio displays an intcdaud.sys notification
    Microsoft and Intel have identified an issue with a range of Intel Display Audio device drivers that may result in higher than normal battery drain. If you see an intcdaud.sys notification or “What needs your attention” notification when trying to update to Windows 10, version 1903, you have an affected Intel Audio Display device driver installed on your machine (intcdaud.sys, versions 10.25.0.3 through 10.25.0.8).
      
    To safeguard your update experience, we have applied a compatibility hold on devices with drivers from being offered Windows 10, version 1903 until updated device drivers have been installed.

    Affected platforms:
    • Client: Windows 10, version 1903; Windows 10, version 1809
    Workaround:
    On the “What needs your attention\" notification, click the Back button to remain on your current version of Windows 10. (Do not click Confirm as this will proceed with the update and you may experience compatibility issues.) Affected devices will automatically revert to the previous working configuration.

    For more information, see Intel's customer support guidance and the Microsoft knowledge base article KB4465877.

    Note We recommend you do not attempt to update your devices until newer device drivers are installed.

    Next steps: You can opt to wait for newer drivers to be installed automatically through Windows Update or check with the computer manufacturer for the latest device driver software availability and installation procedures.

    Back to top
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Mitigated
    Last updated:
    May 21, 2019
    04:47 PM PT

    Opened:
    May 21, 2019
    07:22 AM PT
    Cannot launch Camera app
    Microsoft and Intel have identified an issue affecting Intel RealSense SR300 and Intel RealSense S200 cameras when using the Camera app. After updating to the Windows 10 May 2019 Update and launching the Camera app, you may get an error message stating:

    \"Close other apps, error code: 0XA00F4243.”


    To safeguard your update experience, we have applied a protective hold on machines with Intel RealSense SR300 or Intel RealSense S200 cameras installed from being offered Windows 10, version 1903, until this issue is resolved.

    Affected platforms:
    • Client: Windows 10, version 1903
    Workaround: To temporarily resolve this issue, perform one of the following:

    • Unplug your camera and plug it back in.

    or

    • Disable and re-enable the driver in Device Manager. In the Search box, type \"Device Manager\" and press Enter. In the Device Manager dialog box, expand Cameras, then right-click on any RealSense driver listed and select Disable device. Right click on the driver again and select Enable device.

    or

    • Restart the RealSense service. In the Search box, type \"Task Manager\" and hit Enter. In the Task Manager dialog box, click on the Services tab, right-click on RealSense, and select Restart
    Note This workaround will only resolve the issue until your next system restart.

    Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

    Next steps: We are working on a resolution and will provide an update in an upcoming release.

    Back to top
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Mitigated
    Last updated:
    May 21, 2019
    04:47 PM PT

    Opened:
    May 21, 2019
    07:20 AM PT
    + -
    SummaryOriginating updateStatusLast updated
    Windows updates that are SHA-2 signed may not be offered for Symantec and Norton AV
    Windows updates that are SHA-2 signed are not available with Symantec or Norton antivirus program installed

    See details >
    August 13, 2019
    KB4512506
    Resolved External
    August 27, 2019
    02:29 PM PT
    Devices starting using PXE from a WDS or SCCM servers may fail to start
    Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

    See details >
    June 11, 2019
    KB4503292
    Resolved
    KB4512514
    August 17, 2019
    02:00 PM PT
    Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
    Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.

    See details >
    August 13, 2019
    KB4512506
    Resolved
    KB4517297
    August 16, 2019
    02:00 PM PT
    IA64 and x64 devices may fail to start after installing updates
    After installing updates released on or after August 13, 2019, IA64 and x64 devices using EFI Boot may fail to start.

    See details >
    August 13, 2019
    KB4512506
    Mitigated
    August 17, 2019
    12:59 PM PT
    Windows updates that are SHA-2 signed may not be offered for Symantec and Norton AV
    Windows udates that are SHA-2 signed are not available with Symantec or Norton antivirus program installed

    See details >
    August 13, 2019
    KB4512506
    Investigating
    August 16, 2019
    04:28 PM PT
    System may be unresponsive after restart with certain McAfee antivirus products
    Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.

    See details >
    April 09, 2019
    KB4493472
    Resolved External
    August 13, 2019
    06:59 PM PT
    MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
    You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

    See details >
    June 11, 2019
    KB4503292
    Resolved External
    August 09, 2019
    07:03 PM PT
    @@ -81,9 +81,9 @@ sections: - type: markdown text: " + -
    DetailsOriginating updateStatusHistory
    Windows updates that are SHA-2 signed may not be offered for Symantec and Norton AV
    Symantec identified the potential for a negative interaction that may occur after Windows Updates code signed with SHA-2 only certificates are installed on devices with Symantec or Norton antivirus programs installed. The software may not correctly identify files included in the update as code signed by Microsoft, putting the device at risk for a delayed or incomplete update.

    Affected platforms:
    • Client: Windows 7 SP1
    • Server: Windows Server 2008 R2 SP1
    Resolution: The safeguard hold has been removed. Symantec has completed its evaluation of the impact of this update and future updates to Windows 7/Windows 2008 R2 and has determined that there is no increased risk of a false positive detection for all in-field versions of Symantec Endpoint Protection and Norton antivirus programs. See the Symantec support article for additional detail and please reach out to Symantec or Norton support if you encounter any issues.

    Back to top
    August 13, 2019
    KB4512506
    Resolved External
    Last updated:
    August 27, 2019
    02:29 PM PT

    Opened:
    August 13, 2019
    10:05 AM PT
    Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
    After installing KB4512506, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

    Affected platforms:
    • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
    • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
    Resolution: This issue was resolved in KB4517297. The ‘optional’ update is now available on Microsoft Update Catalog and Windows Server Update Services (WSUS).

    Back to top
    August 13, 2019
    KB4512506
    Resolved
    KB4517297
    Resolved:
    August 16, 2019
    02:00 PM PT

    Opened:
    August 14, 2019
    03:34 PM PT
    IA64 and x64 devices may fail to start after installing updates
    IA64 devices (in any configuration) and x64 devices using EFI boot that were provisioned after the July 9th updates and/or skipped the recommended update (KB3133977), may fail to start with the following error:
    \"File: \\Windows\\system32\\winload.efi
    Status: 0xc0000428
    Info: Windows cannot verify the digital signature for this file.\"

    Affected platforms:
    • Client: Windows 7 SP1
    • Server: Windows Server 2008 R2 SP1
    Take Action: To resolve this issue please follow the steps outlined in the SHA-2 support FAQ article for error code 0xc0000428.

    Back to top
    August 13, 2019
    KB4512506
    Mitigated
    Last updated:
    August 17, 2019
    12:59 PM PT

    Opened:
    August 13, 2019
    08:34 AM PT
    Windows updates that are SHA-2 signed may not be offered for Symantec and Norton AV
    Symantec has identified an issue that occurs when a device is running any Symantec or Norton antivirus program and installs updates for Windows that are signed with SHA-2 certificates only. The Windows updates are blocked or deleted by the antivirus program during installation, which may then cause Windows to stop working or fail to start.

    Affected platforms:
    • Client: Windows 7 SP1
    • Server: Windows Server 2008 R2 SP1
    Workaround: Guidance for Symantec customers can be found in the Symantec support article and the Norton support article.

    Next steps: To safeguard your update experience, Microsoft and Symantec have partnered to place a safeguard hold on devices with an affected version of Symantec Antivirus or Norton Antivirus installed to prevent them from receiving this type of Windows update until a solution is available. We recommend that you do not manually install affected updates until a solution is available. Please reach out to Symantec or Norton support for further guidance.

    Back to top
    August 13, 2019
    KB4512506
    Investigating
    Last updated:
    August 16, 2019
    04:28 PM PT

    Opened:
    August 13, 2019
    10:05 AM PT
    MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
    You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503292) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

    Affected platforms:
    • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
    • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
    Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

    Back to top
    June 11, 2019
    KB4503292
    Resolved External
    Last updated:
    August 09, 2019
    07:03 PM PT

    Opened:
    August 09, 2019
    04:25 PM PT
    " diff --git a/windows/release-information/windows-message-center.yml b/windows/release-information/windows-message-center.yml index 6cacd95c0a..2785208d7d 100644 --- a/windows/release-information/windows-message-center.yml +++ b/windows/release-information/windows-message-center.yml @@ -49,11 +49,16 @@ sections: - type: markdown text: " - + + + + + + + - @@ -78,8 +83,8 @@ Given the potential impact to customers and their businesses, we have also relea diff --git a/windows/security/identity-protection/access-control/active-directory-accounts.md b/windows/security/identity-protection/access-control/active-directory-accounts.md index 9b684b3be6..2130ff295b 100644 --- a/windows/security/identity-protection/access-control/active-directory-accounts.md +++ b/windows/security/identity-protection/access-control/active-directory-accounts.md @@ -12,7 +12,7 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 04/19/2017 +ms.date: 08/23/2019 ms.reviewer: --- 
@@ -330,9 +330,7 @@ Windows Server Kerberos authentication is achieved by the use of a special Kerbe ### KRBTGT account maintenance considerations -A strong password is assigned to the KRBTGT account automatically. Be sure that you change the password on a regular schedule. The password for the KDC account is used to derive a secret key for encrypting and decrypting the TGT requests that are issued. The password for a domain trust account is used to derive an inter-realm key for encrypting referral tickets. - -On occasion, the KRBTGT account password requires a reset, for example, when an attempt to change the password on the KRBTGT account fails. In order to resolve this issue, you reset the KRBTGT user account password twice by using Active Directory Users and Computers. You must reset the password twice because the KRBTGT account stores only two of the most recent passwords in the password history. By resetting the password twice, you effectively clear all passwords from the password history. +A strong password is assigned to the KRBTGT and trust accounts automatically. Like any privileged service accounts, organizations should change these passwords on a regular schedule. The password for the KDC account is used to derive a secret key for encrypting and decrypting the TGT requests that are issued. The password for a domain trust account is used to derive an inter-realm key for encrypting referral tickets. Resetting the password requires you either to be a member of the Domain Admins group, or to have been delegated with the appropriate authority. In addition, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority. diff --git a/windows/security/identity-protection/access-control/special-identities.md b/windows/security/identity-protection/access-control/special-identities.md index 978d72142a..fb7addb918 100644 --- a/windows/security/identity-protection/access-control/special-identities.md 
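Review bot: The rewritten paragraph on the `+A strong password…` line tells organizations to rotate the KRBTGT password on a regular schedule but drops every operational caveat around doing so, so a reader who follows it cold can break authentication: the account keeps only its two most recent keys (as the removed text stated), which means a rotation is two resets, and the second one should wait until the first has replicated to every domain controller, otherwise tickets issued under the previous key can no longer be validated. I would close the new paragraph with `Because the KRBTGT account retains only its two most recent keys, rotating the password means resetting it twice; allow Active Directory replication to complete between the two resets so that tickets issued under the previous key remain valid.` The same sentence also folds trust accounts into the manual schedule, although trust account passwords are, to my knowledge, rotated automatically by the domain controllers, so `Like any privileged service accounts` (which should read `Like any privileged service account`) may lead readers to reset trust passwords by hand. The unchanged context sentences about Domain Admins and local Administrators membership still describe who may perform the reset.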
+++ b/windows/security/identity-protection/access-control/special-identities.md @@ -255,7 +255,7 @@ The Network Service account is similar to an Authenticated User account. The Net | Well-Known SID/RID | S-1-5-20 | |Object Class| Foreign Security Principal| |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| [Adjust memory quotas for a process](/windows/device-security/security-policy-settings/adjust-memory-quotas-for-a-process): SeIncreaseQuotaPrivilege
    [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege
    [Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege
    [Generate security audits](/windows/device-security/security-policy-settings/generate-security-audits): SeAuditPrivilege
    [Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege
    [Restore files and directories](/windows/device-security/security-policy-settings/restore-files-and-directories): SeRestorePrivilege
    [Replace a process level token](/windows/device-security/security-policy-settings/replace-a-process-level-token): SeAssignPrimaryTokenPrivilege
    | +|Default User Rights| [Adjust memory quotas for a process](/windows/device-security/security-policy-settings/adjust-memory-quotas-for-a-process): SeIncreaseQuotaPrivilege
    [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege
    [Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege
    [Generate security audits](/windows/device-security/security-policy-settings/generate-security-audits): SeAuditPrivilege
    [Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege
    [Replace a process level token](/windows/device-security/security-policy-settings/replace-a-process-level-token): SeAssignPrimaryTokenPrivilege
    | ## NTLM Authentication diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md index c23f167615..662c89648d 100644 --- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md +++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md 
@@ -319,7 +319,7 @@ This example configures Wi-Fi as a trusted signal (Windows 10, version 1803) ### How to configure Multifactor Unlock policy settings -You need a Windows 10, version 1709 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business Group Policy settings, which includes multi-factor unlock. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=45520). Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1709. +You need a Windows 10, version 1709 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business Group Policy settings, which includes multi-factor unlock. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1709. Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10, version 1703 to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information. 
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md index 00344d3bd5..c9b80af1e6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md @@ -24,7 +24,7 @@ ms.reviewer: - Certificate trust -You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=45520). +You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703. Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10, version 1703 to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information. 
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md index ffee400b8c..f2fe950a8c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md @@ -21,7 +21,6 @@ ms.reviewer: **Applies to** - Windows 10, version 1703 or later - Windows Hello for Business is the springboard to a world without passwords. It replaces username and password sign-in to Windows with strong user authentication based on an asymmetric key pair. This deployment guide is to guide you through deploying Windows Hello for Business, based on the planning decisions made using the Planning a Windows Hello for Business Deployment Guide. It provides you with the information needed to successfully deploy Windows Hello for Business in an existing environment. 
@@ -52,16 +51,18 @@ The trust model determines how you want users to authenticate to the on-premises * The certificate-trust model is for enterprise that *do* want to issue end-entity certificates to their users and have the benefits of certificate expiration and renewal, similar to how smart cards work today. * The certificate trust model also supports enterprises which are not ready to deploy Windows Server 2016 Domain Controllers. ->[!NOTE] ->RDP does not support authentication with Windows Hello for business key trust deployments. RDP is only supported with certificate trust deployments at this time. +> [!NOTE] +> Remote Desktop Protocol (RDP) does not support authentication with Windows Hello for Business key trust deployments. RDP is only supported with certificate trust deployments at this time. See [Remote Desktop with Biometrics](hello-features.md#remote-desktop-with-biometrics) to learn more. -Following are the various deployment guides included in this topic: +Following are the various deployment guides and models included in this topic: - [Hybrid Azure AD Joined Key Trust Deployment](hello-hybrid-key-trust.md) - [Hybrid Azure AD Joined Certificate Trust Deployment](hello-hybrid-cert-trust.md) - [Azure AD Join Single Sign-on Deployment Guides](hello-hybrid-aadj-sso.md) - [On Premises Key Trust Deployment](hello-deployment-key-trust.md) - [On Premises Certificate Trust Deployment](hello-deployment-cert-trust.md) +> [!NOTE] +> For Windows Hello for Business hybrid [certificate trust prerequisites](hello-hybrid-cert-trust-prereqs.md#directory-synchronization) and [key trust prerequisites](hello-hybrid-key-trust-prereqs.md#directory-synchronization) deployments, you will need Azure Active Directory Connect to synchronize user accounts in the on-premises Active Directory with Azure Active Directory. For on-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials are not synchronized to Azure Active Directory. 
Learn how to [deploy Multifactor Authentication Services (MFA) for key trust](hello-key-trust-validate-deploy-mfa.md) and [for certificate trust](hello-cert-trust-validate-deploy-mfa.md) deployments. ## Provisioning diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index 8eecd51ab4..5738d0e7ff 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md @@ -187,12 +187,17 @@ If the error occurs again, check the error code against the following table to s
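Review bot: The second added note, starting on the `+> For Windows Hello for Business hybrid …` line, reads awkwardly because the link texts are used as adjectives (`hybrid certificate trust prerequisites … deployments`), and it recommends Azure MFA Server for on-premises deployments without qualifying its availability, which as far as I know has been closed to new customers, so readers planning a fresh on-premises deployment may be steered toward an option they cannot obtain. I would rephrase the first sentence as `> For Windows Hello for Business hybrid deployments (see the [certificate trust prerequisites](hello-hybrid-cert-trust-prereqs.md#directory-synchronization) and [key trust prerequisites](hello-hybrid-key-trust-prereqs.md#directory-synchronization)), you need Azure AD Connect to synchronize on-premises Active Directory user accounts with Azure Active Directory.` and either state the MFA Server availability caveat in the second sentence or defer to the MFA deployment pages linked in the following context line for the supported options. The first added note about RDP is fine as written.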
    - - + + + + + + + - + diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md index 9a2711dc1c..c876fbd351 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md @@ -32,6 +32,8 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, [Domain joined provisioning in an On-premises Key Trust deployment](#domain-joined-provisioning-in-an-on-premises-key-trust-deployment)
    [Domain joined provisioning in an On-premises Certificate Trust deployment](#domain-joined-provisioning-in-an-on-premises-certificate-trust-deployment)
    +> [!NOTE] +> The flows in this section are not exhaustive for every possible scenario. For example, Federated Key Trust is also a supported configuration. ## Azure AD joined provisioning in a Managed environment diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 8eb13e3cb1..5136ececee 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md 
@@ -656,15 +656,16 @@ Sign-in a workstation with access equivalent to a _domain user_.
 10. Select **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** from the **Key storage provider (KSP)** list.
 11. Select **Custom** from the **Subject name format** list.
 12. Next to **Custom**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate.
-13. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**.
-14. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority.
+13. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** value.
+14. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**.
+15. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority.
 ![WHFB SCEP certificate profile Trusted Certificate selection](images/aadjcert/intunewhfbscepprofile-01.png)
-15. Under **Extended key usage**, type **Smart Card Logon** under **Name**.
Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Click **Add**.
-16. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**.
+16. Under **Extended key usage**, type **Smart Card Logon** under **Name**. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Click **Add**.
+17. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**.
 ![WHFB SCEP certificate Profile EKUs](images/aadjcert/intunewhfbscepprofile-03.png)
-17. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests amongst the URLs listed in the SCEP certificate profile.
-18. Click **OK**.
-19. Click **Create**.
+18. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests among the URLs listed in the SCEP certificate profile.
+19. Click **OK**.
+20. Click **Create**.
 ### Assign Group to the WHFB Certificate Enrollment Certificate Profile
 Sign-in a workstation with access equivalent to a _domain user_.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
index f65eaf8b20..80325188e6 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
@@ -26,7 +26,7 @@ ms.reviewer:
 ## Policy Configuration
-You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=45520).
+You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
 Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703. Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10 Creators Edition (1703) to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
index aa99101b75..0977f9b6a8 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
@@ -39,7 +39,7 @@ Begin configuring device registration to support Hybrid Windows Hello for Busine
 To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-setup/)
-Next, follow the guidance on the [How to configure hybrid Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-hybrid-azuread-joined-devices-setup) page. In the **Configuration steps** section, identify your configuration at the top of the table (either **Windows current and password hash sync** or **Windows current and federation**) and perform only the steps identified with a check mark.
+Next, follow the guidance on the [How to configure hybrid Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-manual) page. In the **Configuration steps** section, identify your configuration at the top of the table (either **Windows current and password hash sync** or **Windows current and federation**) and perform only the steps identified with a check mark.

    diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
index c38ab35a87..122053e414 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
@@ -26,7 +26,7 @@ ms.reviewer:
 ## Policy Configuration
-You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=45520).
+You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
 Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703. Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10 Creators Edition (1703) to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information.
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
index 1b30d94278..b7c09bf09e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
@@ -24,7 +24,7 @@ ms.reviewer:
 - Key trust
-You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=45520).
+You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
 Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703. Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10, version 1703 to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information.
diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md
index 07989c7579..e5194ab324 100644
--- a/windows/security/identity-protection/hello-for-business/hello-overview.md
+++ b/windows/security/identity-protection/hello-for-business/hello-overview.md
@@ -105,7 +105,7 @@ Windows Hello for Business with a key does not support RDP. RDP does not support
 ## Learn more
-[Implementing Windows Hello for Business at Microsoft](https://www.microsoft.com/en-us/itshowcase/implementing-windows-hello-for-business-at-microsoft)
+[Implementing Windows Hello for Business at Microsoft](https://www.microsoft.com/itshowcase/implementing-windows-hello-for-business-at-microsoft)
 [Introduction to Windows Hello](https://go.microsoft.com/fwlink/p/?LinkId=786649), video presentation on Microsoft Virtual Academy
diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md
index 59a2e070cb..121c58873e 100644
--- a/windows/security/identity-protection/remote-credential-guard.md
+++ b/windows/security/identity-protection/remote-credential-guard.md
@@ -79,7 +79,7 @@ For helpdesk support scenarios in which personnel require administrative access
 Therefore, we recommend instead that you use the Restricted Admin mode option. For helpdesk support scenarios, RDP connections should only be initiated using the /RestrictedAdmin switch. This helps ensure that credentials and other user resources are not exposed to compromised remote hosts. For more information, see [Mitigating Pass-the-Hash and Other Credential Theft v2](https://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-6ECFB10CB4B9/Mitigating-Pass-the-Hash-Attacks-and-Other-Credential-Theft-Version-2.pdf).
-To further harden security, we also recommend that you implement Local Administrator Password Solution (LAPS), a Group Policy client-side extension (CSE) introduced in Windows 8.1 that automates local administrator password management. LAPS mitigates the risk of lateral escalation and other cyberattacks facilitated when customers use the same administrative local account and password combination on all their computers. You can download and install LAPS [here](https://www.microsoft.com/en-us/download/details.aspx?id=46899).
+To further harden security, we also recommend that you implement Local Administrator Password Solution (LAPS), a Group Policy client-side extension (CSE) introduced in Windows 8.1 that automates local administrator password management. LAPS mitigates the risk of lateral escalation and other cyberattacks facilitated when customers use the same administrative local account and password combination on all their computers. You can download and install LAPS [here](https://www.microsoft.com/download/details.aspx?id=46899).
 For further information on LAPS, see [Microsoft Security Advisory 3062591](https://technet.microsoft.com/library/security/3062591.aspx).
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
index b81fc4b4cd..93cca16a92 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
@@ -26,6 +26,9 @@ This topic for IT professional provides an overview of the virtual smart card te
 - [Smart Cards](../smart-cards/smart-card-windows-smart-card-technical-reference.md)
+> [!NOTE]
+> [Windows Hello for Business](../hello-for-business/hello-identity-verification.md) is the modern, two-factor authentication for Windows 10. Microsoft will be deprecating virtual smart cards in the future, but no date has been set at this time. Customers using Windows 10 and virtual smart cards should move to Windows Hello for Business. Microsoft will publish the date early to ensure customers have adequate lead time to move to Windows Hello for Business. We recommend that new Windows 10 deployments use Windows Hello for Business. Virtual smart cards remain supported for Windows 7 and Windows 8.
+
 ## Feature description
 Virtual smart card technology from Microsoft offers comparable security benefits to physical smart cards by using two-factor authentication. Virtual smart cards emulate the functionality of physical smart cards, but they use the Trusted Platform Module (TPM) chip that is available on computers in many organizations, rather than requiring the use of a separate physical smart card and reader. Virtual smart cards are created in the TPM, where the keys that are used for authentication are stored in cryptographically secured hardware.
diff --git a/windows/security/identity-protection/vpn/vpn-profile-options.md b/windows/security/identity-protection/vpn/vpn-profile-options.md
index a234d017d0..aed7e145ac 100644
--- a/windows/security/identity-protection/vpn/vpn-profile-options.md
+++ b/windows/security/identity-protection/vpn/vpn-profile-options.md
@@ -300,7 +300,7 @@ The following is a sample plug-in VPN profile. This blob would fall under the Pr
 After you configure the settings that you want using ProfileXML, you can apply it using Intune and a **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy.
 1. Sign into the [Azure portal](https://portal.azure.com).
-2. Go to **Intune** > **Device Configuration** > **Properties**.
+2. Go to **Intune** > **Device Configuration** > **Profiles**.
 3. Click **Create Profile**.
 4. Enter a name and (optionally) a description.
 5. Choose **Windows 10 and later** as the platform.
diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
index 53bf9b0641..f49a974ddd 100644
--- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
+++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
@@ -100,7 +100,7 @@ In-market systems, released with Windows 10 version 1709 or earlier, will not su
 No, Kernel DMA Protection only protects against drive-by DMA attacks after the OS is loaded. It is the responsibility of the system firmware/BIOS to protect against attacks via the Thunderbolt™ 3 ports during boot.
 ### How can I check if a certain driver supports DMA-remapping?
-DMA-remapping is supported for specific device drivers, and is not universally supported by all devices and drivers on a platform. To check if a specific driver is opted into DMA-remapping, check the values corresponding to the DMA Remapping Policy property in the Details tab of a device in Device Manager*. A value of 0 or 1 means that the device driver does not support DMA-remapping. A value of 2 means that the device driver supports DMA-remapping.
+DMA-remapping is supported for specific device drivers, and is not universally supported by all devices and drivers on a platform. To check if a specific driver is opted into DMA-remapping, check the values corresponding to the DMA Remapping Policy property in the Details tab of a device in Device Manager*. A value of 0 or 1 means that the device driver does not support DMA-remapping. A value of 2 means that the device driver supports DMA-remapping. If the property is not available, then the policy is not set by the device driver (i.e. the device driver does not support DMA-remapping). Please check the driver instance for the device you are testing. Some drivers may have varying values depending on the location of the device (internal vs. external).
 *For Windows 10 versions 1803 and 1809, the property field in Device Manager uses a GUID, as highlighted in the following image.
diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/information-protection/secure-the-windows-10-boot-process.md
index 2090fe9ea8..72cb85f143 100644
--- a/windows/security/information-protection/secure-the-windows-10-boot-process.md
+++ b/windows/security/information-protection/secure-the-windows-10-boot-process.md
@@ -96,7 +96,7 @@ Because Secure Boot has protected the bootloader and Trusted Boot has protected
 Early Launch Anti-Malware (ELAM) can load a Microsoft or non-Microsoft anti-malware driver before all non-Microsoft boot drivers and applications, thus continuing the chain of trust established by Secure Boot and Trusted Boot. Because the operating system hasn’t started yet, and because Windows needs to boot as quickly as possible, ELAM has a simple task: examine every boot driver and determine whether it is on the list of trusted drivers. If it’s not trusted, Windows won’t load it.
-An ELAM driver isn’t a full-featured anti-malware solution; that loads later in the boot process. Windows Defender (included with Windows 10) supports ELAM, as does [Microsoft System Center 2012 Endpoint Protection](https://www.microsoft.com/en-us/server-cloud/system-center/endpoint-protection-2012.aspx) and several non-Microsoft anti-malware apps.
+An ELAM driver isn’t a full-featured anti-malware solution; that loads later in the boot process. Windows Defender (included with Windows 10) supports ELAM, as does [Microsoft System Center 2012 Endpoint Protection](https://www.microsoft.com/server-cloud/system-center/endpoint-protection-2012.aspx) and several non-Microsoft anti-malware apps.
 ## Measured Boot
 If a PC in your organization does become infected with a rootkit, you need to know about it. Enterprise anti-malware apps can report malware infections to the IT department, but that doesn’t work with rootkits that hide their presence. In other words, you can’t trust the client to tell you whether it’s healthy.
diff --git a/windows/security/information-protection/tpm/tpm-recommendations.md b/windows/security/information-protection/tpm/tpm-recommendations.md
index a1a64bebe4..5da4caee6b 100644
--- a/windows/security/information-protection/tpm/tpm-recommendations.md
+++ b/windows/security/information-protection/tpm/tpm-recommendations.md
@@ -20,8 +20,9 @@ ms.date: 11/29/2018
 # TPM recommendations
 **Applies to**
-- Windows 10
-- Windows Server 2016
+
+- Windows 10
+- Windows Server 2016
 This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows 10.
@@ -47,27 +48,27 @@ From an industry standard, Microsoft has been an industry leader in moving and s
 TPM 2.0 products and systems have important security advantages over TPM 1.2, including:
-- The TPM 1.2 spec only allows for the use of RSA and the SHA-1 hashing algorithm.
+- The TPM 1.2 spec only allows for the use of RSA and the SHA-1 hashing algorithm.
-- For security reasons, some entities are moving away from SHA-1. Notably, NIST has required many federal agencies to move to SHA-256 as of 2014, and technology leaders, including Microsoft and Google have announced they will remove support for SHA-1 based signing or certificates in 2017.
+- For security reasons, some entities are moving away from SHA-1. Notably, NIST has required many federal agencies to move to SHA-256 as of 2014, and technology leaders, including Microsoft and Google have announced they will remove support for SHA-1 based signing or certificates in 2017.
-- TPM 2.0 **enables greater crypto agility** by being more flexible with respect to cryptographic algorithms.
+- TPM 2.0 **enables greater crypto agility** by being more flexible with respect to cryptographic algorithms.
- - TPM 2.0 supports newer algorithms, which can improve drive signing and key generation performance. For the full list of supported algorithms, see the [TCG Algorithm Registry](http://www.trustedcomputinggroup.org/tcg-algorithm-registry/). Some TPMs do not support all algorithms.
+ - TPM 2.0 supports newer algorithms, which can improve drive signing and key generation performance. For the full list of supported algorithms, see the [TCG Algorithm Registry](http://www.trustedcomputinggroup.org/tcg-algorithm-registry/). Some TPMs do not support all algorithms.
- - For the list of algorithms that Windows supports in the platform cryptographic storage provider, see [CNG Cryptographic Algorithm Providers](https://msdn.microsoft.com/library/windows/desktop/bb931354(v=vs.85).aspx).
+ - For the list of algorithms that Windows supports in the platform cryptographic storage provider, see [CNG Cryptographic Algorithm Providers](https://msdn.microsoft.com/library/windows/desktop/bb931354(v=vs.85).aspx).
- - TPM 2.0 achieved ISO standardization ([ISO/IEC 11889:2015](https://blogs.microsoft.com/cybertrust/2015/06/29/governments-recognize-the-importance-of-tpm-2-0-through-iso-adoption/)).
+ - TPM 2.0 achieved ISO standardization ([ISO/IEC 11889:2015](https://blogs.microsoft.com/cybertrust/2015/06/29/governments-recognize-the-importance-of-tpm-2-0-through-iso-adoption/)).
- - Use of TPM 2.0 may help eliminate the need for OEMs to make exception to standard configurations for certain countries and regions.
+ - Use of TPM 2.0 may help eliminate the need for OEMs to make exception to standard configurations for certain countries and regions.
-- TPM 2.0 offers a more **consistent experience** across different implementations.
+- TPM 2.0 offers a more **consistent experience** across different implementations.
- - TPM 1.2 implementations vary in policy settings. This may result in support issues as lockout policies vary.
+ - TPM 1.2 implementations vary in policy settings. This may result in support issues as lockout policies vary.
- - TPM 2.0 lockout policy is configured by Windows, ensuring a consistent dictionary attack protection guarantee.
+ - TPM 2.0 lockout policy is configured by Windows, ensuring a consistent dictionary attack protection guarantee.
-- While TPM 1.2 parts are discrete silicon components which are typically soldered on the motherboard, TPM 2.0 is available as a **discrete (dTPM)** silicon component in a single semiconductor package, an **integrated** component incorporated in one or more semiconductor packages - alongside other logic units in the same package(s) - and as a **firmware (fTPM)** based component running in a trusted execution environment (TEE) on a general purpose SoC.
+- While TPM 1.2 parts are discrete silicon components which are typically soldered on the motherboard, TPM 2.0 is available as a **discrete (dTPM)** silicon component in a single semiconductor package, an **integrated** component incorporated in one or more semiconductor packages - alongside other logic units in the same package(s) - and as a **firmware (fTPM)** based component running in a trusted execution environment (TEE) on a general purpose SoC.
 > [!NOTE]
 > TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature.
@@ -78,11 +79,11 @@ TPM 2.0 products and systems have important security advantages over TPM 1.2, in
 There are three implementation options for TPMs:
-- Discrete TPM chip as a separate component in its own semiconductor package
+- Discrete TPM chip as a separate component in its own semiconductor package
-- Integrated TPM solution, using dedicated hardware integrated into one or more semiconductor packages alongside, but logically separate from, other components
+- Integrated TPM solution, using dedicated hardware integrated into one or more semiconductor packages alongside, but logically separate from, other components
-- Firmware TPM solution, running the TPM in firmware in a Trusted Execution mode of a general purpose computation unit
+- Firmware TPM solution, running the TPM in firmware in a Trusted Execution mode of a general purpose computation unit
 Windows uses any compatible TPM in the same way. Microsoft does not take a position on which way a TPM should be implemented and there is a wide ecosystem of available TPM solutions which should suit all needs.
@@ -94,39 +95,37 @@ For end consumers, TPM is behind the scenes but is still very relevant. TPM is u
 ### Windows 10 for desktop editions (Home, Pro, Enterprise, and Education)
-- Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the [Minimum hardware requirements](https://docs.microsoft.com/windows-hardware/design/minimum/minimum-hardware-requirements-overview) page). The requirement to enable TPM 2.0 only applies to the manufacturing of new devices. For TPM recommendations for specific Windows features, see [TPM and Windows Features](#tpm-and-windows-features).
+- Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the [Minimum hardware requirements](https://docs.microsoft.com/windows-hardware/design/minimum/minimum-hardware-requirements-overview) page). The requirement to enable TPM 2.0 only applies to the manufacturing of new devices. For TPM recommendations for specific Windows features, see [TPM and Windows Features](#tpm-and-windows-features).
 ### IoT Core
-- TPM is optional on IoT Core.
+- TPM is optional on IoT Core.
 ### Windows Server 2016
-- TPM is optional for Windows Server SKUs unless the SKU meets the additional qualification (AQ) criteria for the Host Guardian Services scenario in which case TPM 2.0 is required.
+- TPM is optional for Windows Server SKUs unless the SKU meets the additional qualification (AQ) criteria for the Host Guardian Services scenario in which case TPM 2.0 is required.
 ## TPM and Windows Features
 The following table defines which Windows features require TPM support.
-| Windows Features | TPM Required | Supports TPM 1.2 | Supports TPM 2.0 | Details |
-|-------------------------|--------------|--------------------|--------------------|----------|
-| Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot |
-| BitLocker | Yes | Yes | Yes | TPM 1.2 or 2.0 is required, but [Automatic Device Encryption requires Modern Standby](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) including TPM 2.0 support |
-| Device Encryption | Yes | N/A | Yes | Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0. |
-| Windows Defender Application Control (Device Guard) | No | Yes | Yes | |
-| Windows Defender Exploit Guard | No | N/A | N/A | |
-| Windows Defender System Guard | Yes | No | Yes | |
-| Credential Guard | No | Yes | Yes | Windows 10, version 1507 (End of Life as of May 2017) only supported TPM 2.0 for Credential Guard. Beginning with Windows 10, version 1511, TPM 1.2 and 2.0 are supported. |
-| Device Health Attestation| Yes | Yes | Yes | |
-| Windows Hello/Windows Hello for Business| No | Yes | Yes | Azure AD join supports both versions of TPM, but requires TPM with keyed-hash message authentication code (HMAC) and Endorsement Key (EK) certificate for key attestation support. |
-| UEFI Secure Boot | No | Yes | Yes | |
-| TPM Platform Crypto Provider Key Storage Provider| Yes | Yes| Yes | |
-| Virtual Smart Card | Yes | Yes | Yes | |
-| Certificate storage | No | Yes | Yes | TPM is only required when the certificate is stored in the TPM. |
-| Autopilot | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. |
-| SecureBIO | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. |
-| DRTM | Yes | No | Yes | TPM 2.0 and UEFI firmware is required.
|
-
+ Windows Features | TPM Required | Supports TPM 1.2 | Supports TPM 2.0 | Details |
+-|-|-|-|-
+ Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot
+ BitLocker | Yes | Yes | Yes | TPM 1.2 or 2.0 is required, but [Automatic Device Encryption requires Modern Standby](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) including TPM 2.0 support
+ Device Encryption | Yes | N/A | Yes | Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0.
+ Windows Defender Application Control (Device Guard) | No | Yes | Yes
+ Windows Defender System Guard | Yes | No | Yes
+ Credential Guard | No | Yes | Yes | Windows 10, version 1507 (End of Life as of May 2017) only supported TPM 2.0 for Credential Guard. Beginning with Windows 10, version 1511, TPM 1.2 and 2.0 are supported.
+ Device Health Attestation| Yes | Yes | Yes
+ Windows Hello/Windows Hello for Business| No | Yes | Yes | Azure AD join supports both versions of TPM, but requires TPM with keyed-hash message authentication code (HMAC) and Endorsement Key (EK) certificate for key attestation support.
+ UEFI Secure Boot | No | Yes | Yes
+ TPM Platform Crypto Provider Key Storage Provider| Yes | Yes | Yes
+ Virtual Smart Card | Yes | Yes | Yes
+ Certificate storage | No | Yes | Yes | TPM is only required when the certificate is stored in the TPM.
+ Autopilot | Yes | No | Yes | TPM 2.0 and UEFI firmware is required.
+ SecureBIO | Yes | No | Yes | TPM 2.0 and UEFI firmware is required.
+ DRTM | Yes | No | Yes | TPM 2.0 and UEFI firmware is required.
 ## OEM Status on TPM 2.0 system availability and certified parts
diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md
index c3f0286d24..e62328236e 100644
--- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md
+++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md
@@ -88,7 +88,7 @@ Some things that you can check on the device are:
 ## Related topics
 - [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
-- [Details on the TPM standard](https://www.microsoft.com/en-us/research/project/the-trusted-platform-module-tpm/) (has links to features using TPM)
+- [Details on the TPM standard](https://www.microsoft.com/research/project/the-trusted-platform-module-tpm/) (has links to features using TPM)
 - [TPM Base Services Portal](https://docs.microsoft.com/windows/desktop/TBS/tpm-base-services-portal)
 - [TPM Base Services API](https://docs.microsoft.com/windows/desktop/api/_tbs/)
 - [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule)
diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
index 441e6d2b75..5ee54b85a9 100644
--- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
+++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
@@ -43,6 +43,8 @@ Apps can be enlightened or unenlightened:
 ## List of enlightened Microsoft apps
 Microsoft has made a concerted effort to enlighten several of our more popular apps, including the following:
+- Microsoft 3D Viewer
+
 - Microsoft Edge
 - Internet Explorer 11
@@ -85,6 +87,7 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li | Product name | App info | |------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Microsoft 3D Viewer | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** Microsoft.Microsoft3DViewer
    **App Type:** Universal app | | Microsoft Edge | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** Microsoft.MicrosoftEdge
    **App Type:** Universal app | | Microsoft People | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** Microsoft.People
    **App Type:** Universal app | | Word Mobile | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** Microsoft.Office.Word
    **App Type:** Universal app |
diff --git a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
index 246227f7c4..3854d9221b 100644
--- a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
+++ b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
@@ -35,7 +35,7 @@ Windows Information Protection (WIP), previously known as enterprise data protec
 ## Video: Protect enterprise data from being accidentally copied to the wrong place
-> [!Video https://www.microsoft.com/en-us/videoplayer/embed/RE2IGhh]
+> [!Video https://www.microsoft.com/videoplayer/embed/RE2IGhh]
 ## Prerequisites
 You’ll need this software to run WIP in your enterprise:
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index cd19b18d71..3b35d08e3d 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -28,17 +28,16 @@
 ##### [System integrity](windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md)
 #### [Application control](windows-defender-application-control/windows-defender-application-control.md)
-#### [Exploit protection](windows-defender-exploit-guard/exploit-protection-exploit-guard.md)
-#### [Network protection](windows-defender-exploit-guard/network-protection-exploit-guard.md)
+#### [Exploit protection](microsoft-defender-atp/exploit-protection.md)
+#### [Network protection](microsoft-defender-atp/network-protection.md)
 #### [Web threat protection]()
 ##### [Web threat protection overview](microsoft-defender-atp/web-threat-protection-overview.md)
 ##### [Monitor web security](microsoft-defender-atp/web-threat-protection-monitoring.md)
 ##### [Respond to web threats](microsoft-defender-atp/web-threat-protection-response.md)
-
-#### [Controlled folder access](windows-defender-exploit-guard/controlled-folders-exploit-guard.md)
-#### [Attack surface reduction](windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md)
+#### [Controlled folder access](microsoft-defender-atp/controlled-folders.md)
+#### [Attack surface reduction](microsoft-defender-atp/attack-surface-reduction.md)
 #### [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md)
 ### [Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
@@ -125,20 +124,19 @@
 ##### [Understand custom detection rules](microsoft-defender-atp/overview-custom-detections.md)
 ##### [Create custom detections rules](microsoft-defender-atp/custom-detection-rules.md)
-#### [Management and APIs]()
-##### [Overview of management and APIs](microsoft-defender-atp/management-apis.md)
-##### [Understand threat intelligence concepts](microsoft-defender-atp/threat-indicator-concepts.md)
-##### [Microsoft Defender ATP APIs](microsoft-defender-atp/apis-intro.md)
-##### [Managed security service provider support](microsoft-defender-atp/mssp-support.md)
+### [Management and APIs]()
+#### [Overview of management and APIs](microsoft-defender-atp/management-apis.md)
+#### [Understand threat intelligence concepts](microsoft-defender-atp/threat-indicator-concepts.md)
+#### [Managed security service provider support](microsoft-defender-atp/mssp-support.md)
-#### [Integrations]()
-##### [Microsoft Defender ATP integrations](microsoft-defender-atp/threat-protection-integration.md)
-##### [Protect users, data, and devices with conditional access](microsoft-defender-atp/conditional-access.md)
-##### [Microsoft Cloud App Security integration overview](microsoft-defender-atp/microsoft-cloud-app-security-integration.md)
+### [Integrations]()
+#### [Microsoft Defender ATP integrations](microsoft-defender-atp/threat-protection-integration.md)
+#### [Protect users, data, and devices with conditional access](microsoft-defender-atp/conditional-access.md)
+#### [Microsoft Cloud App Security integration overview](microsoft-defender-atp/microsoft-cloud-app-security-integration.md)
-#### [Information protection in Windows overview]()
-##### [Windows integration](microsoft-defender-atp/information-protection-in-windows-overview.md)
-##### [Use sensitivity labels to prioritize incident response](microsoft-defender-atp/information-protection-investigation.md)
+### [Information protection in Windows overview]()
+#### [Windows 
integration](microsoft-defender-atp/information-protection-in-windows-overview.md)
+#### [Use sensitivity labels to prioritize incident response](microsoft-defender-atp/information-protection-investigation.md)
 ### [Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md)
@@ -162,10 +160,10 @@
 ##### [Attack surface reduction and nex-generation evaluation overview](microsoft-defender-atp/evaluate-atp.md)
 ##### [Hardware-based isolation](windows-defender-application-guard/test-scenarios-wd-app-guard.md)
 ##### [Application control](windows-defender-application-control/audit-windows-defender-application-control-policies.md)
-##### [Exploit protection](windows-defender-exploit-guard/evaluate-exploit-protection.md)
-##### [Network Protection](windows-defender-exploit-guard/evaluate-network-protection.md)
-##### [Controlled folder access](windows-defender-exploit-guard/evaluate-controlled-folder-access.md)
-##### [Attack surface reduction](windows-defender-exploit-guard/evaluate-attack-surface-reduction.md)
+##### [Exploit protection](microsoft-defender-atp/evaluate-exploit-protection.md)
+##### [Network Protection](microsoft-defender-atp/evaluate-network-protection.md)
+##### [Controlled folder access](microsoft-defender-atp/evaluate-controlled-folder-access.md)
+##### [Attack surface reduction](microsoft-defender-atp/evaluate-attack-surface-reduction.md)
 ##### [Network firewall](windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
 ##### [Evaluate next generation protection](windows-defender-antivirus/evaluate-windows-defender-antivirus.md)
@@ -191,20 +189,20 @@
 ###### [Code integrity](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
 ###### [Memory integrity]()
-####### [Understand memory integrity](windows-defender-exploit-guard/memory-integrity.md)
-####### [Hardware qualifications](windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
-####### [Enable HVCI](windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)
+####### [Understand memory integrity](device-guard/memory-integrity.md)
+####### [Hardware qualifications](device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
+####### [Enable HVCI](device-guard/enable-virtualization-based-protection-of-code-integrity.md)
 #### [Exploit protection]()
-##### [Enable exploit protection](windows-defender-exploit-guard/enable-exploit-protection.md)
-##### [Import/export configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
+##### [Enable exploit protection](microsoft-defender-atp/enable-exploit-protection.md)
+##### [Import/export configurations](microsoft-defender-atp/import-export-exploit-protection-emet-xml.md)
-#### [Network protection](windows-defender-exploit-guard/enable-network-protection.md)
-#### [Controlled folder access](windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md)
+#### [Network protection](microsoft-defender-atp/enable-network-protection.md)
+#### [Controlled folder access](microsoft-defender-atp/enable-controlled-folders.md)
 #### [Attack surface reduction controls]()
-##### [Enable attack surface reduction rules](windows-defender-exploit-guard/enable-attack-surface-reduction.md)
-##### [Customize attack surface reduction](windows-defender-exploit-guard/customize-attack-surface-reduction.md)
+##### [Enable attack surface reduction 
rules](microsoft-defender-atp/enable-attack-surface-reduction.md)
+##### [Customize attack surface reduction](microsoft-defender-atp/customize-attack-surface-reduction.md)
 #### [Network firewall](windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)
@@ -341,6 +339,8 @@
 ##### [Run a detection test on a newly onboarded machine](microsoft-defender-atp/run-detection-test.md)
 ##### [Run simulated attacks on machines](microsoft-defender-atp/attack-simulations.md)
 ##### [Configure proxy and Internet connectivity settings](microsoft-defender-atp/configure-proxy-internet.md)
+##### [Create an onboarding or offboarding notification rule](microsoft-defender-atp/onboarding-notification.md)
+
 ##### [Troubleshoot onboarding issues]()
 ###### [Troubleshoot issues during onboarding](microsoft-defender-atp/troubleshoot-onboarding.md)
@@ -404,7 +404,6 @@
 ####### [Get domain related alerts](microsoft-defender-atp/get-domain-related-alerts.md)
 ####### [Get domain related machines](microsoft-defender-atp/get-domain-related-machines.md)
 ####### [Get domain statistics](microsoft-defender-atp/get-domain-statistics.md)
-####### [Is domain seen in organization (Deprecated)](microsoft-defender-atp/is-domain-seen-in-org.md)
 ###### [File]()
 ####### [File methods and properties](microsoft-defender-atp/files.md)
@@ -415,9 +414,7 @@
 ###### [IP]()
 ####### [Get IP related alerts](microsoft-defender-atp/get-ip-related-alerts.md)
-####### [Get IP related machines (Deprecated)](microsoft-defender-atp/get-ip-related-machines.md)
 ####### [Get IP statistics](microsoft-defender-atp/get-ip-statistics.md)
-####### [Is IP seen in organization (Deprecated)](microsoft-defender-atp/is-ip-seen-org.md)
 ###### [User]()
 ####### [User methods](microsoft-defender-atp/user.md)
@@ -446,13 +443,13 @@
 ##### [Experiment with custom threat intelligence alerts (Deprecated)](microsoft-defender-atp/experiment-custom-ti.md)
 ##### [Troubleshoot custom threat intelligence issues (Deprecated)](microsoft-defender-atp/troubleshoot-custom-ti.md)
-#### [Pull alerts to your SIEM tools]()
-##### [Learn about different ways to pull alerts](microsoft-defender-atp/configure-siem.md)
+#### [Pull detections to your SIEM tools]()
+##### [Learn about different ways to pull detections](microsoft-defender-atp/configure-siem.md)
 ##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md)
-##### [Configure Splunk to pull alerts](microsoft-defender-atp/configure-splunk.md)
-##### [Configure HP ArcSight to pull alerts](microsoft-defender-atp/configure-arcsight.md)
-##### [Microsoft Defender ATP SIEM alert API fields](microsoft-defender-atp/api-portal-mapping.md)
-##### [Pull alerts using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md)
+##### [Configure Splunk to pull detections](microsoft-defender-atp/configure-splunk.md)
+##### [Configure HP ArcSight to pull detections](microsoft-defender-atp/configure-arcsight.md)
+##### [Microsoft Defender ATP detection fields](microsoft-defender-atp/api-portal-mapping.md)
+##### [Pull detections using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md)
 ##### [Troubleshoot SIEM tool integration issues](microsoft-defender-atp/troubleshoot-siem.md)
 #### [Reporting]()
@@ -535,8 +532,8 @@
 #### [Troubleshoot issues related to live response](microsoft-defender-atp/troubleshoot-live-response.md)
 ### [Troubleshoot attack surface reduction]()
-#### [Network protection](windows-defender-exploit-guard/troubleshoot-np.md)
-#### [Attack surface reduction rules](windows-defender-exploit-guard/troubleshoot-asr.md)
+#### [Network protection](microsoft-defender-atp/troubleshoot-np.md)
+#### [Attack surface reduction rules](microsoft-defender-atp/troubleshoot-asr.md)
 ### [Troubleshoot next generation protection](windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
index 8896c08c25..6ad79e3e33 100644
--- a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
+++ b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
@@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md
index c0611c6e06..6f5a0b10d2 100644
--- a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md
+++ b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md
@@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing.md b/windows/security/threat-protection/auditing/advanced-security-auditing.md
index 63485f34ef..9838d24e59 100644
--- a/windows/security/threat-protection/auditing/advanced-security-auditing.md
+++ b/windows/security/threat-protection/auditing/advanced-security-auditing.md
@@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
diff --git a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
index f416edda8c..085696c83b 100644
--- a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
+++ b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
 ms.date: 04/19/2017
 ms.reviewer:
 manager: dansimp
diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
index f623632235..ca029ce938 100644
--- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
+++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
@@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
diff --git a/windows/security/threat-protection/auditing/audit-account-lockout.md b/windows/security/threat-protection/auditing/audit-account-lockout.md
index dcd17c9695..a07d45c508 100644
--- a/windows/security/threat-protection/auditing/audit-account-lockout.md
+++ b/windows/security/threat-protection/auditing/audit-account-lockout.md
@@ -10,7 +10,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
 ms.date: 07/16/2018
 ---
diff --git a/windows/security/threat-protection/auditing/audit-application-generated.md b/windows/security/threat-protection/auditing/audit-application-generated.md
index e880c6b05b..3e6d8f2ec9 100644
--- a/windows/security/threat-protection/auditing/audit-application-generated.md
+++ b/windows/security/threat-protection/auditing/audit-application-generated.md
@@ -10,7 +10,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-application-group-management.md b/windows/security/threat-protection/auditing/audit-application-group-management.md
index 870ef553dd..4c3d308215 100644
--- a/windows/security/threat-protection/auditing/audit-application-group-management.md
+++ b/windows/security/threat-protection/auditing/audit-application-group-management.md
@@ -10,7 +10,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-audit-policy-change.md b/windows/security/threat-protection/auditing/audit-audit-policy-change.md
index f8d37dcdaa..1516cc7761 100644
--- a/windows/security/threat-protection/auditing/audit-audit-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-audit-policy-change.md
@@ -10,7 +10,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-authentication-policy-change.md b/windows/security/threat-protection/auditing/audit-authentication-policy-change.md
index 0171ab438c..4235b255aa 100644
--- a/windows/security/threat-protection/auditing/audit-authentication-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-authentication-policy-change.md
@@ -10,7 +10,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md
index 329e7259b8..5bd32ce275 100644
--- a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md
@@ -10,7 +10,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md b/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md
index a9c4011dab..b3e9bd82c2 100644
--- a/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md
+++ b/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md
@@ -10,7 +10,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-certification-services.md b/windows/security/threat-protection/auditing/audit-certification-services.md
index 1dd10ad26a..1e7ae82e61 100644
--- a/windows/security/threat-protection/auditing/audit-certification-services.md
+++ b/windows/security/threat-protection/auditing/audit-certification-services.md
@@ -10,7 +10,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-computer-account-management.md b/windows/security/threat-protection/auditing/audit-computer-account-management.md
index 1425e2cb70..88c48d5853 100644
--- a/windows/security/threat-protection/auditing/audit-computer-account-management.md
+++ b/windows/security/threat-protection/auditing/audit-computer-account-management.md
@@ -10,7 +10,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-credential-validation.md b/windows/security/threat-protection/auditing/audit-credential-validation.md
index 68b0305d77..94710f55e8 100644
--- a/windows/security/threat-protection/auditing/audit-credential-validation.md
+++ b/windows/security/threat-protection/auditing/audit-credential-validation.md
@@ -10,7 +10,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md b/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md
index 93757103e6..43c9f6822c 100644
--- a/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md
+++ b/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md
@@ -10,7 +10,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-detailed-file-share.md b/windows/security/threat-protection/auditing/audit-detailed-file-share.md
index 6d6e5b0095..e89f8981e1 100644
--- a/windows/security/threat-protection/auditing/audit-detailed-file-share.md
+++ b/windows/security/threat-protection/auditing/audit-detailed-file-share.md
@@ -10,7 +10,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-directory-service-access.md b/windows/security/threat-protection/auditing/audit-directory-service-access.md
index a56a269acd..bd202dbd62 100644
--- a/windows/security/threat-protection/auditing/audit-directory-service-access.md
+++ b/windows/security/threat-protection/auditing/audit-directory-service-access.md
@@ -10,7 +10,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-directory-service-changes.md b/windows/security/threat-protection/auditing/audit-directory-service-changes.md
index 8fc975671d..c58467c3e4 100644
--- a/windows/security/threat-protection/auditing/audit-directory-service-changes.md
+++ b/windows/security/threat-protection/auditing/audit-directory-service-changes.md
@@ -10,7 +10,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-directory-service-replication.md b/windows/security/threat-protection/auditing/audit-directory-service-replication.md
index 6580b8f311..bd6d5e2826 100644
--- a/windows/security/threat-protection/auditing/audit-directory-service-replication.md
+++ b/windows/security/threat-protection/auditing/audit-directory-service-replication.md
@@ -10,7 +10,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-distribution-group-management.md b/windows/security/threat-protection/auditing/audit-distribution-group-management.md
index 83d36fa376..40245de335 100644
--- a/windows/security/threat-protection/auditing/audit-distribution-group-management.md
+++ b/windows/security/threat-protection/auditing/audit-distribution-group-management.md
@@ -10,7 +10,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-dpapi-activity.md b/windows/security/threat-protection/auditing/audit-dpapi-activity.md
index 3efd600fab..60055020e4 100644
--- a/windows/security/threat-protection/auditing/audit-dpapi-activity.md
+++ b/windows/security/threat-protection/auditing/audit-dpapi-activity.md
@@ -10,7 +10,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-file-share.md b/windows/security/threat-protection/auditing/audit-file-share.md
index ed86354e2b..f03007042a 100644
--- a/windows/security/threat-protection/auditing/audit-file-share.md
+++ b/windows/security/threat-protection/auditing/audit-file-share.md
@@ -10,7 +10,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-file-system.md b/windows/security/threat-protection/auditing/audit-file-system.md
index 6f97bd7fdd..4561cde170 100644
--- a/windows/security/threat-protection/auditing/audit-file-system.md
+++ b/windows/security/threat-protection/auditing/audit-file-system.md
@@ -10,7 +10,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md b/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md
index 187040144e..742645ff1f 100644
--- a/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md
+++ b/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md
@@ -10,7 +10,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md b/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md
index e37ee47f16..18514b74f8 100644
--- a/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md
+++ b/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md
@@ -10,7 +10,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md
index 6cd117429a..1b7513e57a 100644
--- a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md
@@ -10,7 +10,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-group-membership.md b/windows/security/threat-protection/auditing/audit-group-membership.md
index 7af1da773b..1075528e00 100644
--- a/windows/security/threat-protection/auditing/audit-group-membership.md
+++ b/windows/security/threat-protection/auditing/audit-group-membership.md
@@ -10,7 +10,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-handle-manipulation.md b/windows/security/threat-protection/auditing/audit-handle-manipulation.md
index 4f4f0616af..0affb3aee5 100644
--- a/windows/security/threat-protection/auditing/audit-handle-manipulation.md
+++ b/windows/security/threat-protection/auditing/audit-handle-manipulation.md
@@ -10,7 +10,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-driver.md b/windows/security/threat-protection/auditing/audit-ipsec-driver.md
index 6b69b8a282..63b1312e9f 100644
--- a/windows/security/threat-protection/auditing/audit-ipsec-driver.md
+++ b/windows/security/threat-protection/auditing/audit-ipsec-driver.md
@@ -10,7 +10,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
 ms.date: 10/02/2018
 ---
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md
index 27e7cf7591..aa272bba54 100644
--- a/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md
+++ b/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md
@@ -10,7 +10,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
 ms.date: 10/02/2018
 ---
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md
index 84c5eda210..4aa16fbf15 100644
--- a/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md
+++ b/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md
@@ -10,7 +10,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
 ms.date: 10/02/2018
 ---
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md
index 9f081e8e45..d93af71128 100644
--- a/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md
+++ b/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md
@@ -10,7 +10,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
 ms.date: 10/02/2018
 ---
diff --git a/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md b/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md
index 995bf11ffc..702c61040a 100644
--- a/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md
+++ b/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md
@@ -10,7 +10,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md b/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md
index 4e685381b1..28915808bd 100644
--- a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md
+++ b/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md
@@ -10,7 +10,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-kernel-object.md b/windows/security/threat-protection/auditing/audit-kernel-object.md
index f4c965ec52..681b6fb44c 100644
--- a/windows/security/threat-protection/auditing/audit-kernel-object.md
+++ b/windows/security/threat-protection/auditing/audit-kernel-object.md
@@ -10,7 +10,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-logoff.md b/windows/security/threat-protection/auditing/audit-logoff.md
index 3ff2570d46..573ce06cfd 100644
--- a/windows/security/threat-protection/auditing/audit-logoff.md
+++ b/windows/security/threat-protection/auditing/audit-logoff.md
@@ -10,7 +10,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
 ms.date: 07/16/2018
 ---
diff --git a/windows/security/threat-protection/auditing/audit-logon.md b/windows/security/threat-protection/auditing/audit-logon.md
index a1fa633cae..c0afb77337 100644
--- a/windows/security/threat-protection/auditing/audit-logon.md
+++ b/windows/security/threat-protection/auditing/audit-logon.md
@@ -10,7 +10,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md b/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md
index f756f7d9b5..b5a6ebf13e 100644
--- a/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md
@@ -10,7 +10,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-network-policy-server.md b/windows/security/threat-protection/auditing/audit-network-policy-server.md
index cc023326da..c2e1974295 100644
--- a/windows/security/threat-protection/auditing/audit-network-policy-server.md
+++ b/windows/security/threat-protection/auditing/audit-network-policy-server.md
@@ -10,7 +10,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md b/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md
index 309f195d7d..aff3140f1e 100644
--- a/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md
+++ b/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md
@@ -10,7 +10,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md b/windows/security/threat-protection/auditing/audit-other-account-logon-events.md
index 218e662e92..69fc176e98 100644
--- a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-account-logon-events.md
@@ -10,7 +10,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-other-account-management-events.md b/windows/security/threat-protection/auditing/audit-other-account-management-events.md
index a52ff0d042..3b5c693e52 100644
--- a/windows/security/threat-protection/auditing/audit-other-account-management-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-account-management-events.md
@@ -10,7 +10,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md b/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md
index 77527e8253..27b1498aa4 100644
--- a/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md
@@ -10,7 +10,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
-author: Mir0sh
+author: dansimp
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-other-object-access-events.md b/windows/security/threat-protection/auditing/audit-other-object-access-events.md
index d9513980da..d604e37a8f 100644
--- a/windows/security/threat-protection/auditing/audit-other-object-access-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-object-access-events.md @@ -10,7 +10,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none -author: Mir0sh +author: dansimp ms.date: 05/29/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-other-policy-change-events.md b/windows/security/threat-protection/auditing/audit-other-policy-change-events.md index 2690694166..409fbca5d4 100644 --- a/windows/security/threat-protection/auditing/audit-other-policy-change-events.md +++ b/windows/security/threat-protection/auditing/audit-other-policy-change-events.md @@ -10,7 +10,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none -author: Mir0sh +author: dansimp ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md index bbe45925d3..4baf9e7bbb 100644 --- a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md +++ b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md @@ -10,7 +10,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none -author: Mir0sh +author: dansimp ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-other-system-events.md b/windows/security/threat-protection/auditing/audit-other-system-events.md index 66a05eb6c1..a32b918c93 100644 --- a/windows/security/threat-protection/auditing/audit-other-system-events.md +++ b/windows/security/threat-protection/auditing/audit-other-system-events.md @@ -10,7 +10,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none -author: Mir0sh +author: dansimp ms.date: 04/19/2017 --- 
diff --git a/windows/security/threat-protection/auditing/audit-pnp-activity.md b/windows/security/threat-protection/auditing/audit-pnp-activity.md index cc7a689b7c..45d18cfb54 100644 --- a/windows/security/threat-protection/auditing/audit-pnp-activity.md +++ b/windows/security/threat-protection/auditing/audit-pnp-activity.md @@ -10,7 +10,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none -author: Mir0sh +author: dansimp ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-process-creation.md b/windows/security/threat-protection/auditing/audit-process-creation.md index 0868fa7fe7..9c91d85cb5 100644 --- a/windows/security/threat-protection/auditing/audit-process-creation.md +++ b/windows/security/threat-protection/auditing/audit-process-creation.md @@ -10,7 +10,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none -author: Mir0sh +author: dansimp ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-process-termination.md b/windows/security/threat-protection/auditing/audit-process-termination.md index 5bf90b6f6a..d21502c0f1 100644 --- a/windows/security/threat-protection/auditing/audit-process-termination.md +++ b/windows/security/threat-protection/auditing/audit-process-termination.md @@ -10,7 +10,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none -author: Mir0sh +author: dansimp ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-registry.md b/windows/security/threat-protection/auditing/audit-registry.md index 4db7d65686..05a3b64156 100644 --- a/windows/security/threat-protection/auditing/audit-registry.md +++ b/windows/security/threat-protection/auditing/audit-registry.md @@ -10,7 +10,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none -author: Mir0sh +author: dansimp ms.date: 04/19/2017 --- 
diff --git a/windows/security/threat-protection/auditing/audit-removable-storage.md b/windows/security/threat-protection/auditing/audit-removable-storage.md index f35a441ef8..ea5157c123 100644 --- a/windows/security/threat-protection/auditing/audit-removable-storage.md +++ b/windows/security/threat-protection/auditing/audit-removable-storage.md @@ -10,7 +10,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none -author: Mir0sh +author: dansimp ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-rpc-events.md b/windows/security/threat-protection/auditing/audit-rpc-events.md index 1a4b0dbfbc..fb655405ad 100644 --- a/windows/security/threat-protection/auditing/audit-rpc-events.md +++ b/windows/security/threat-protection/auditing/audit-rpc-events.md @@ -10,7 +10,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none -author: Mir0sh +author: dansimp ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-sam.md b/windows/security/threat-protection/auditing/audit-sam.md index 2a7efe94ec..62a32f2cf0 100644 --- a/windows/security/threat-protection/auditing/audit-sam.md +++ b/windows/security/threat-protection/auditing/audit-sam.md @@ -10,7 +10,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none -author: Mir0sh +author: dansimp ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-security-group-management.md b/windows/security/threat-protection/auditing/audit-security-group-management.md index 91aef3a375..e6cec0503b 100644 --- a/windows/security/threat-protection/auditing/audit-security-group-management.md +++ b/windows/security/threat-protection/auditing/audit-security-group-management.md @@ -10,7 +10,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none -author: Mir0sh +author: dansimp ms.date: 02/28/2019 --- 
diff --git a/windows/security/threat-protection/auditing/audit-security-state-change.md b/windows/security/threat-protection/auditing/audit-security-state-change.md index ac8fcf4c32..fde5cabd9b 100644 --- a/windows/security/threat-protection/auditing/audit-security-state-change.md +++ b/windows/security/threat-protection/auditing/audit-security-state-change.md @@ -10,7 +10,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none -author: Mir0sh +author: dansimp ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-security-system-extension.md b/windows/security/threat-protection/auditing/audit-security-system-extension.md index 97c9f853c7..b105867ec0 100644 --- a/windows/security/threat-protection/auditing/audit-security-system-extension.md +++ b/windows/security/threat-protection/auditing/audit-security-system-extension.md @@ -10,7 +10,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none -author: Mir0sh +author: dansimp ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md b/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md index c099b898d6..6bcdbbfa2c 100644 --- a/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md +++ b/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md @@ -10,7 +10,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none -author: Mir0sh +author: dansimp ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-special-logon.md b/windows/security/threat-protection/auditing/audit-special-logon.md index faa994ab12..e711a28222 100644 --- a/windows/security/threat-protection/auditing/audit-special-logon.md +++ b/windows/security/threat-protection/auditing/audit-special-logon.md 
@@ -10,7 +10,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none -author: Mir0sh +author: dansimp ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-system-integrity.md b/windows/security/threat-protection/auditing/audit-system-integrity.md index df2120830a..77eec9f52c 100644 --- a/windows/security/threat-protection/auditing/audit-system-integrity.md +++ b/windows/security/threat-protection/auditing/audit-system-integrity.md @@ -10,7 +10,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none -author: Mir0sh +author: dansimp ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-user-account-management.md b/windows/security/threat-protection/auditing/audit-user-account-management.md index 82f8975fd5..9b29513d13 100644 --- a/windows/security/threat-protection/auditing/audit-user-account-management.md +++ b/windows/security/threat-protection/auditing/audit-user-account-management.md @@ -10,7 +10,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none -author: Mir0sh +author: dansimp ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-user-device-claims.md b/windows/security/threat-protection/auditing/audit-user-device-claims.md index 7877fe6b80..12475312ea 100644 --- a/windows/security/threat-protection/auditing/audit-user-device-claims.md +++ b/windows/security/threat-protection/auditing/audit-user-device-claims.md @@ -10,7 +10,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none -author: Mir0sh +author: dansimp ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md index 07f239f4d3..cf85964568 100644 
--- a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md +++ b/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md @@ -9,7 +9,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: none -author: Mir0sh +author: dansimp manager: dansimp audience: ITPro ms.collection: M365-security-compliance diff --git a/windows/security/threat-protection/auditing/basic-audit-account-management.md b/windows/security/threat-protection/auditing/basic-audit-account-management.md index 3d6f35ef9d..f0f32de6c8 100644 --- a/windows/security/threat-protection/auditing/basic-audit-account-management.md +++ b/windows/security/threat-protection/auditing/basic-audit-account-management.md @@ -9,7 +9,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: none -author: Mir0sh +author: dansimp manager: dansimp audience: ITPro ms.collection: M365-security-compliance diff --git a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md index 65f6a0672b..c8d185907d 100644 --- a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md +++ b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md @@ -9,7 +9,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: none -author: Mir0sh +author: dansimp manager: dansimp audience: ITPro ms.collection: M365-security-compliance diff --git a/windows/security/threat-protection/auditing/basic-audit-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-logon-events.md index edba7f71a5..1ad3ccc0e1 100644 --- a/windows/security/threat-protection/auditing/basic-audit-logon-events.md +++ b/windows/security/threat-protection/auditing/basic-audit-logon-events.md 
@@ -9,7 +9,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: none -author: Mir0sh +author: dansimp manager: dansimp audience: ITPro ms.collection: M365-security-compliance diff --git a/windows/security/threat-protection/auditing/basic-audit-object-access.md b/windows/security/threat-protection/auditing/basic-audit-object-access.md index ae6a25d613..cbdb66dcca 100644 --- a/windows/security/threat-protection/auditing/basic-audit-object-access.md +++ b/windows/security/threat-protection/auditing/basic-audit-object-access.md @@ -9,7 +9,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: none -author: Mir0sh +author: dansimp manager: dansimp audience: ITPro ms.collection: M365-security-compliance diff --git a/windows/security/threat-protection/auditing/basic-audit-policy-change.md b/windows/security/threat-protection/auditing/basic-audit-policy-change.md index a98760482c..a648339797 100644 --- a/windows/security/threat-protection/auditing/basic-audit-policy-change.md +++ b/windows/security/threat-protection/auditing/basic-audit-policy-change.md @@ -9,7 +9,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: none -author: Mir0sh +author: dansimp manager: dansimp audience: ITPro ms.collection: M365-security-compliance diff --git a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md b/windows/security/threat-protection/auditing/basic-audit-privilege-use.md index 4a0ea891c0..06685065b5 100644 --- a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md +++ b/windows/security/threat-protection/auditing/basic-audit-privilege-use.md @@ -9,7 +9,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: none -author: Mir0sh +author: dansimp manager: dansimp audience: ITPro ms.collection: M365-security-compliance 
diff --git a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md index c99e882563..67fccdd379 100644 --- a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md +++ b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md @@ -9,7 +9,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: none -author: Mir0sh +author: dansimp manager: dansimp audience: ITPro ms.collection: M365-security-compliance diff --git a/windows/security/threat-protection/auditing/basic-audit-system-events.md b/windows/security/threat-protection/auditing/basic-audit-system-events.md index 6283d5a530..5ad26d7ba5 100644 --- a/windows/security/threat-protection/auditing/basic-audit-system-events.md +++ b/windows/security/threat-protection/auditing/basic-audit-system-events.md @@ -9,7 +9,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: none -author: Mir0sh +author: dansimp manager: dansimp audience: ITPro ms.collection: M365-security-compliance diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policies.md b/windows/security/threat-protection/auditing/basic-security-audit-policies.md index 80170efbf6..5d332ec48c 100644 --- a/windows/security/threat-protection/auditing/basic-security-audit-policies.md +++ b/windows/security/threat-protection/auditing/basic-security-audit-policies.md @@ -9,7 +9,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: none -author: Mir0sh +author: dansimp manager: dansimp audience: ITPro ms.collection: M365-security-compliance diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md index 997ee3cfee..e1da7a0b1e 100644 
--- a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md +++ b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md @@ -9,7 +9,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: none -author: Mir0sh +author: dansimp manager: dansimp audience: ITPro ms.collection: M365-security-compliance diff --git a/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md b/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md index a99bb14e40..efc25b527e 100644 --- a/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md +++ b/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md @@ -9,7 +9,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: none -author: Mir0sh +author: dansimp manager: dansimp audience: ITPro ms.collection: M365-security-compliance diff --git a/windows/security/threat-protection/auditing/event-1100.md b/windows/security/threat-protection/auditing/event-1100.md index 5f995bb735..cd2694a78a 100644 --- a/windows/security/threat-protection/auditing/event-1100.md +++ b/windows/security/threat-protection/auditing/event-1100.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none -author: Mir0sh +author: dansimp ms.date: 04/19/2017 ms.reviewer: manager: dansimp diff --git a/windows/security/threat-protection/auditing/event-1102.md b/windows/security/threat-protection/auditing/event-1102.md index 1edce314ef..4fc3e0021e 100644 --- a/windows/security/threat-protection/auditing/event-1102.md +++ b/windows/security/threat-protection/auditing/event-1102.md 
@@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none -author: Mir0sh +author: dansimp ms.date: 04/19/2017 ms.reviewer: manager: dansimp diff --git a/windows/security/threat-protection/auditing/event-1104.md b/windows/security/threat-protection/auditing/event-1104.md index d70f00eeb9..689ec40ce8 100644 --- a/windows/security/threat-protection/auditing/event-1104.md +++ b/windows/security/threat-protection/auditing/event-1104.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none -author: Mir0sh +author: dansimp ms.date: 04/19/2017 ms.reviewer: manager: dansimp diff --git a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md index 99b2a8e507..9059c18b53 100644 --- a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md +++ b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md 
@@ -21,7 +21,7 @@ ms.localizationpriority: medium - Windows 10 ->Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare). +>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). To help protect your company from attacks which may originate from untrusted or attacker controlled font files, we’ve created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the `%windir%/Fonts` directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process. diff --git a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md index 2517d1852c..f900f5ea9c 100644 --- a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md +++ b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md 
@@ -18,31 +18,30 @@ audience: ITPro **Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Microsoft recommends [a layered approach to securing removable media](https://aka.ms/devicecontrolblog), and Windows Defender ATP provides multiple monitoring and control features to help prevent threats in unauthorized peripherals from compromising your devices: +Microsoft recommends [a layered approach to securing removable media](https://aka.ms/devicecontrolblog), and Windows Defender ATP provides multiple monitoring and control features to help prevent threats in unauthorized peripherals from compromising your devices: -1. [Prevent threats from removable storage](#prevent-threats-from-removable-storage) introduced by removable storage devices by enabling: - - [Windows Defender Antivirus real-time protection (RTP)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) to scan removable storage for malware. - - The [Exploit Guard Attack Surface Reduction (ASR) USB rule](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard) to block untrusted and unsigned processes that run from USB. - - [Direct Memory Access (DMA) protection settings](#protect-against-direct-memory-access-dma-attacks) to mitigate DMA attacks, including [Kernel DMA Protection for Thunderbolt](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) and blocking DMA until a user signs in. - -2. [Detect plug and play connected events for peripherals in Windows Defender ATP advanced hunting](#detect-plug-and-play-connected-events) - - Identify or investigate suspicious usage activity. 
Create customized alerts based on these PnP events or any other Windows Defender ATP events with [custom detection rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/custom-detection-rules). +1. [Prevent threats from removable storage](#prevent-threats-from-removable-storage) introduced by removable storage devices by enabling: + - [Windows Defender Antivirus real-time protection (RTP)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) to scan removable storage for malware. + - The [Attack Surface Reduction (ASR) USB rule](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard) to block untrusted and unsigned processes that run from USB. + - [Direct Memory Access (DMA) protection settings](#protect-against-direct-memory-access-dma-attacks) to mitigate DMA attacks, including [Kernel DMA Protection for Thunderbolt](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) and blocking DMA until a user signs in. + +2. [Detect plug and play connected events for peripherals in Windows Defender ATP advanced hunting](#detect-plug-and-play-connected-events) + - Identify or investigate suspicious usage activity. Create customized alerts based on these PnP events or any other Windows Defender ATP events with [custom detection rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/custom-detection-rules). 3. [Respond to threats](#respond-to-threats) from peripherals in real-time based on properties reported by each peripheral: - - Granular configuration to deny write access to removable disks and approve or deny devices by USB vendor code, product code, device IDs, or a combination. 
- - Flexible policy assignment of device installation settings based on an individual or group of Azure Active Directory (Azure AD) users and devices. + - Granular configuration to deny write access to removable disks and approve or deny devices by USB vendor code, product code, device IDs, or a combination. + - Flexible policy assignment of device installation settings based on an individual or group of Azure Active Directory (Azure AD) users and devices. >[!Note] >These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For example, on Windows 10 devices you can configure [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) and [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure), which will encrypt company data even if it is stored on a personal device, or use the [Storage/RemovableDiskDenyWriteAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-storage#storage-removablediskdenywriteaccess) to deny write access to removable disks. Additionally, you can [classify and protect files on Windows devices](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview) (including their mounted USB devices) by using Windows Defender ATP and Azure Information Protection. - ## Prevent threats from removable storage Windows Defender ATP can help identify and block malicious files on allowed removable storage peripherals. 
-### Enable Windows Defender Antivirus Scanning +### Enable Windows Defender Antivirus Scanning -Protecting authorized removable storage with Windows Defender Antivirus requires [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) or scheduling scans and configuring removable drives for scans. +Protecting authorized removable storage with Windows Defender Antivirus requires [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) or scheduling scans and configuring removable drives for scans. - If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives. You can optionally [run a PowerShell script to perform a custom scan](https://aka.ms/scanusb) of a USB drive after it is mounted, so that Windows Defender Antivirus starts scanning all files on a removable device once the removable device is attached. However, we recommend enabling real-time protection for improved scanning performance, especially for large storage devices. - If scheduled scans are used, then you need to disable the DisableRemovableDriveScanning setting (enabled by default) to scan the removable device during a full scan. Removable devices are scanned during a quick or custom scan regardless of the DisableRemovableDriveScanning setting. 
@@ -55,32 +54,32 @@ Protecting authorized removable storage with Windows Defender Antivirus requires ### Block untrusted and unsigned processes on USB peripherals -End-users might plug in removable devices that are infected with malware. -To prevent infections, a company can block USB files that are unsigned or untrusted. -Alternatively, companies can leverage the audit feature of attack surface reduction rules to monitor the activity of untrusted and unsigned processes that execute on a USB peripheral. -This can be done by setting **Untrusted and unsigned processes that run from USB** to either **Block** or **Audit only**, respectively. -With this rule, admins can prevent or audit unsigned or untrusted executable files from running from USB removable drives, including SD cards. +End-users might plug in removable devices that are infected with malware. +To prevent infections, a company can block USB files that are unsigned or untrusted. +Alternatively, companies can leverage the audit feature of attack surface reduction rules to monitor the activity of untrusted and unsigned processes that execute on a USB peripheral. +This can be done by setting **Untrusted and unsigned processes that run from USB** to either **Block** or **Audit only**, respectively. +With this rule, admins can prevent or audit unsigned or untrusted executable files from running from USB removable drives, including SD cards. Affected file types include executable files (such as .exe, .dll, or .scr) and script files such as a PowerShell (.ps), VisualBasic (.vbs), or JavaScript (.js) files. -These settings require [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). +These settings require [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). 1. 
Sign in to the [Microsoft Azure portal](https://portal.azure.com/). -2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**. +2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**. ![Create device configuration profile](images/create-device-configuration-profile.png) 3. Use the following settings: - - Name: Type a name for the profile - - Description: Type a description - - Platform: Windows 10 or later - - Profile type: Endpoint protection + - Name: Type a name for the profile + - Description: Type a description + - Platform: Windows 10 or later + - Profile type: Endpoint protection ![Create endpoint protection profile](images/create-endpoint-protection-profile.png) -4. Click **Configure** > **Windows Defender Exploit Guard** > **Attack Surface Reduction**. +4. Click **Configure** > **Windows Defender Exploit Guard** > **Attack Surface Reduction**. -5. For **Unsigned and untrusted processes that run from USB**, choose **Block**. +5. For **Unsigned and untrusted processes that run from USB**, choose **Block**. ![Block untrusted processes](images/block-untrusted-processes.png) 
@@ -92,11 +91,11 @@ These settings require [enabling real-time protection](https://docs.microsoft.co DMA attacks can lead to disclosure of sensitive information residing on a PC, or even injection of malware that allows attackers to bypass the lock screen or control PCs remotely. The following settings help to prevent DMA attacks: -1. Beginning with Windows 10 version 1803, Microsoft introduced [Kernel DMA Protection for Thunderbolt](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) to provide native protection against DMA attacks via Thunderbolt ports. Kernel DMA Protection for Thunderbolt is enabled by system manufacturers and cannot be turned on or off by users. +1. Beginning with Windows 10 version 1803, Microsoft introduced [Kernel DMA Protection for Thunderbolt](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) to provide native protection against DMA attacks via Thunderbolt ports. Kernel DMA Protection for Thunderbolt is enabled by system manufacturers and cannot be turned on or off by users. Beginning with Windows 10 version 1809, you can adjust the level of Kernel DMA Protection by configuring the [DMA Guard CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-deviceenumerationpolicy). This is an additional control for peripherals that don't support device memory isolation (also known as DMA-remapping). Memory isolation allows the OS to leverage the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access, by the peripheral (memory sandboxing). In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it. - - Peripherals that support device memory isolation can always connect. 
Peripherals that don't can be blocked, allowed, or allowed only after the user signs in (default). + + Peripherals that support device memory isolation can always connect. Peripherals that don't can be blocked, allowed, or allowed only after the user signs in (default). 2. On Windows 10 systems that do not suppprt Kernel DMA Protection, you can: @@ -107,10 +106,10 @@ DMA attacks can lead to disclosure of sensitive information residing on a PC, or To prevent malware infections or data loss, an organization may restrict USB drives and other peripherals. The following table describes the ways Microsoft Defender Advanced Threat Protection can help prevent installation and usage of USB drives and other peripherals. -| Control | Description | -|----------|-------------| -| Allow installation and usage of USB drives and other peripherals | Allow users to install only the USB drives and other peripherals included on a list of authorized devices or device types | -| Prevent installation and usage of USB drives and other peripherals| Prevent users from installing USB drives and other peripherals included on a list of unauthorized devices and device types | + Control | Description +-|- + Allow installation and usage of USB drives and other peripherals | Allow users to install only the USB drives and other peripherals included on a list of authorized devices or device types + Prevent installation and usage of USB drives and other peripherals | Prevent users from installing USB drives and other peripherals included on a list of unauthorized devices and device types All of the above controls can be set through the Intune [Administrative Templates](https://docs.microsoft.com/intune/administrative-templates-windows). The relevant policies are located here in the Intune Administrator Templates: 
@@ -120,18 +119,19 @@ All of the above controls can be set through the Intune [Administrative Template >Using Intune, you can apply device configuration policies to AAD user and/or device groups. The above policies can also be set through the [Device Installation CSP settings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation) and the [Device Installation GPOs](https://docs.microsoft.com/previous-versions/dotnet/articles/bb530324(v=msdn.10)). ->[!Note] ->Always test and refine these settings with a pilot group of users and devices first before applying them in production. +> [!Note] +> Always test and refine these settings with a pilot group of users and devices first before applying them in production. For more information about controlling USB devices, see the [Microsoft Secure blog "WDATP has protections for USB and removable devices"](https://www.microsoft.com/security/blog/2018/12/19/windows-defender-atp-has-protections-for-usb-and-removable-devices/). ### Allow installation and usage of USB drives and other peripherals -One way to approach allowing installation and usage of USB drives and other peripherals is to start by allowing everything. Afterwards, you can start reducing the allowable USB drivers and other peripherals. +One way to approach allowing installation and usage of USB drives and other peripherals is to start by allowing everything. Afterwards, you can start reducing the allowable USB drivers and other peripherals. >[!Note] >Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them. ->1. Enable **prevent installation of devices not described by other policy settings** to all users. ->2. 
Enable **allow installation of devices using drivers that match these device setup classes** for all [device setup classes](https://docs.microsoft.com/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors). +> +>1. Enable **prevent installation of devices not described by other policy settings** to all users. +>2. Enable **allow installation of devices using drivers that match these device setup classes** for all [device setup classes](https://docs.microsoft.com/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors). To enforce the policy for already installed devices, apply the prevent policies that have this setting. When configuring the allow device installation policy, you will need to allow all parent attributes as well. You can view the parents of a device by opening device manager and view by connection. 
@@ -144,38 +144,39 @@ In this example, the following classesneeded to be added: HID, Keboard, and {36f If you want to restrict to certain devices, remove the device setup class of the peripheral that you want to limit. Then add the device id that you want to add. For example, -1. Remove class USBDevice from the **allow installation of devices using drivers that match these device setup** -2. Add the VID/PID to allow in the **allow installation of device that match any of these device IDs** +1. Remove class USBDevice from the **allow installation of devices using drivers that match these device setup** +2. Add the VID/PID to allow in the **allow installation of device that match any of these device IDs** ->[!Note] ->How to locate the VID/PID: Using Device Manager; right click on the device and select properties. Click details tab, click property drop down list, and choose hardware Ids. Right click the top ID value and select copy. +> [!Note] +> How to locate the VID/PID: Using Device Manager; right click on the device and select properties. Click details tab, click property drop down list, and choose hardware Ids. Right click the top ID value and select copy. >Using PowerShell: Get-WMIObject -Class Win32_DiskDrive | Select-Object -Property * >For the typical format for the USB ID please reference the following link; (https://docs.microsoft.com/windows-hardware/drivers/install/standard-usb-identifiers) ### Prevent installation and usage of USB drives and other peripherals -If you want to prevent a device class or certain devices, you can use the prevent device installation policies. -1. Enable **Prevent installation of devices that match any of these device IDs**. -2. Enable the **Prevent installation of devices that match these device setup classes policy**. +If you want to prevent a device class or certain devices, you can use the prevent device installation policies. 
->[!Note] ->The prevent device installation policies take precedence over the allow device installation policies. +1. Enable **Prevent installation of devices that match any of these device IDs**. +2. Enable the **Prevent installation of devices that match these device setup classes policy**. + +> [!Note] +> The prevent device installation policies take precedence over the allow device installation policies. ### Block installation and usage of removable storage 1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/). -2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**. +2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**. ![Create device configuration profile](images/create-device-configuration-profile.png) -3. Use the following settings: +3. Use the following settings: - - Name: Type a name for the profile - - Description: Type a description - - Platform: Windows 10 and later - - Profile type: Device restrictions + - Name: Type a name for the profile + - Description: Type a description + - Platform: Windows 10 and later + - Profile type: Device restrictions ![Create profile](images/create-profile.png) 
@@ -211,34 +212,34 @@ The Microsoft Defender Advanced Threat Protection (ATP) baseline settings, repre ### Bluetooth -Using Intune, you can limited the services that can use Bluetooth through the “Bluetooth allowed services”. The default state of “Bluetooth allowed services” settings means everything is allowed. As soon as a service is added, that becomes the allowed list. If the customer adds the Keyboards and Mice values, and don’t add the file transfer GUIDs, file transfer should be blocked. +Using Intune, you can limited the services that can use Bluetooth through the “Bluetooth allowed services”. The default state of “Bluetooth allowed services” settings means everything is allowed. As soon as a service is added, that becomes the allowed list. If the customer adds the Keyboards and Mice values, and don’t add the file transfer GUIDs, file transfer should be blocked. ![Bluetooth](images/bluetooth.png) ## Detect plug and play connected events -You can view plug and play connected events in Windows Defender ATP advanced hunting to identify suspicious usage activity or perform internal investigations. -For examples of Windows Defender ATP advanced hunting queries, see the [Windows Defender ATP hunting queries GitHub repo](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). +You can view plug and play connected events in Windows Defender ATP advanced hunting to identify suspicious usage activity or perform internal investigations. +For examples of Windows Defender ATP advanced hunting queries, see the [Windows Defender ATP hunting queries GitHub repo](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). Based on any Windows Defender ATP event, including the plug and play events, you can create custom alerts using the Windows Defender ATP [custom detection rule feature](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/custom-detection-rules). 
-## Respond to threats +## Respond to threats Windows Defender ATP can prevent USB peripherals from being used on devices to help prevent external threats. It does this by using the properties reported by USB peripherals to determine whether or not they can be installed and used on the device. ->[!NOTE] ->Always test and refine these settings with a pilot group of users and devices first before applying them in production. +> [!NOTE] +> Always test and refine these settings with a pilot group of users and devices first before applying them in production. -The following table describes the ways Windows Defender ATP can help prevent installation and usage of USB peripherals. +The following table describes the ways Windows Defender ATP can help prevent installation and usage of USB peripherals. For more information about controlling USB devices, see the [Microsoft Secure blog "WDATP has protections for USB and removable devices"](https://aka.ms/devicecontrolblog). -| Control | Description | -|----------|-------------| -| [Block installation and usage of removable storage](#block-installation-and-usage-of-removable-storage) | Users can't install or use removable storage | -| [Only allow installation and usage of specifically approved peripherals](#only-allow-installation-and-usage-of-specifically-approved-peripherals) | Users can only install and use approved peripherals that report specific properties in their firmware | -| [Prevent installation of specifically prohibited peripherals](#prevent-installation-of-specifically-prohibited-peripherals) | Users can't install or use prohibited peripherals that report specific properties in their firmware | + Control | Description +-|- + [Block installation and usage of removable storage](#block-installation-and-usage-of-removable-storage) | Users can't install or use removable storage + [Only allow installation and usage of specifically approved 
peripherals](#only-allow-installation-and-usage-of-specifically-approved-peripherals) | Users can only install and use approved peripherals that report specific properties in their firmware + [Prevent installation of specifically prohibited peripherals](#prevent-installation-of-specifically-prohibited-peripherals) | Users can't install or use prohibited peripherals that report specific properties in their firmware ->[!NOTE] ->Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them. +> [!NOTE] +> Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them. ### Custom Alerts and Response Actions @@ -267,6 +268,3 @@ Both machine and file level actions can be applied. - [Device Control PowerBI Template for custom reporting](https://github.com/microsoft/MDATP-PowerBI-Templates) - [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) - [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure) - - - diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md similarity index 83% rename from windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md rename to windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md index ea7aa818f2..91f7206e6d 100644 
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md @@ -14,16 +14,16 @@ ms.date: 04/01/2019 ms.reviewer: --- -# Enable virtualization-based protection of code integrity +# Enable virtualization-based protection of code integrity **Applies to** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10. -Some applications, including device drivers, may be incompatible with HVCI. -This can cause devices or software to malfunction and in rare cases may result in a blue screen. Such issues may occur after HVCI has been turned on or during the enablement process itself. -If this happens, see [Troubleshooting](#troubleshooting) for remediation steps. +This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10. +Some applications, including device drivers, may be incompatible with HVCI. +This can cause devices or software to malfunction and in rare cases may result in a blue screen. Such issues may occur after HVCI has been turned on or during the enablement process itself. +If this happens, see [Troubleshooting](#troubleshooting) for remediation steps. >[!NOTE] >HVCI works with modern 7th gen CPUs or higher and its equivalent on AMD. CPU new feature is required *Mode based execution control (MBE) Virtualization*. AMD CPUs do not have MBE. 
@@ -37,13 +37,13 @@ If this happens, see [Troubleshooting](#troubleshooting) for remediation steps. * HVCI also ensure your other Truslets, like Credential Guard have a valid certificate. * Modern device drivers must also have an EV (Extended Validation) certificate and should support HVCI. -## How to turn on HVCI in Windows 10 +## How to turn on HVCI in Windows 10 To enable HVCI on Windows 10 devices with supporting hardware throughout an enterprise, use any of these options: - [Windows Security app](#windows-security-app) - [Microsoft Intune (or another MDM provider)](#enable-hvci-using-intune) - [Group Policy](#enable-hvci-using-group-policy) -- [System Center Configuration Manager](https://cloudblogs.microsoft.com/enterprisemobility/2015/10/30/managing-windows-10-device-guard-with-configuration-manager/) +- [System Center Configuration Manager](https://cloudblogs.microsoft.com/enterprisemobility/2015/10/30/managing-windows-10-device-guard-with-configuration-manager/) - [Registry](#use-registry-keys-to-enable-virtualization-based-protection-of-code-integrity) ### Windows Security app @@ -52,7 +52,7 @@ HVCI is labeled **Memory integrity** in the Windows Security app and it can be a ### Enable HVCI using Intune -Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp). +Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp). ### Enable HVCI using Group Policy 
@@ -61,11 +61,11 @@ Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP] 3. Double-click **Turn on Virtualization Based Security**. 4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI cannot be disabled remotely or select **Enabled without UEFI lock**. - ![Enable HVCI using Group Policy](images/enable-hvci-gp.png) + ![Enable HVCI using Group Policy](../images/enable-hvci-gp.png) 5. Click **Ok** to close the editor. -To apply the new policy on a domain-joined computer, either restart or run `gpupdate /force` in an elevated command prompt. +To apply the new policy on a domain-joined computer, either restart or run `gpupdate /force` in an elevated command prompt. ### Use registry keys to enable virtualization-based protection of code integrity 
@@ -185,64 +185,64 @@ Windows 10 and Windows Server 2016 have a WMI class for related properties and f > [!NOTE]
 > Mode Based Execution Control property will only be listed as available starting with Windows 10 version 1803.
-The output of this command provides details of the available hardware-based security features as well as those features that are currently enabled.
+The output of this command provides details of the available hardware-based security features as well as those features that are currently enabled.
 #### AvailableSecurityProperties
 This field helps to enumerate and report state on the relevant security properties for Windows Defender Device Guard.
-| Value | Description |
-|--------|-------------|
-| **0.** | If present, no relevant properties exist on the device. |
-| **1.** | If present, hypervisor support is available. |
-| **2.** | If present, Secure Boot is available. |
-| **3.** | If present, DMA protection is available. |
-| **4.** | If present, Secure Memory Overwrite is available. |
-| **5.** | If present, NX protections are available. |
-| **6.** | If present, SMM mitigations are available. |
-| **7.** | If present, Mode Based Execution Control is available. |
+Value | Description
+-|-
+**0.** | If present, no relevant properties exist on the device.
+**1.** | If present, hypervisor support is available.
+**2.** | If present, Secure Boot is available.
+**3.** | If present, DMA protection is available.
+**4.** | If present, Secure Memory Overwrite is available.
+**5.** | If present, NX protections are available.
+**6.** | If present, SMM mitigations are available.
+**7.** | If present, Mode Based Execution Control is available.
 #### InstanceIdentifier
-A string that is unique to a particular device. Valid values are determined by WMI.
+A string that is unique to a particular device. Valid values are determined by WMI.
#### RequiredSecurityProperties
 This field describes the required security properties to enable virtualization-based security.
-| Value | Description |
-|--------|-------------|
-| **0.** | Nothing is required. |
-| **1.** | If present, hypervisor support is needed. |
-| **2.** | If present, Secure Boot is needed. |
-| **3.** | If present, DMA protection is needed. |
-| **4.** | If present, Secure Memory Overwrite is needed. |
-| **5.** | If present, NX protections are needed. |
-| **6.** | If present, SMM mitigations are needed. |
-| **7.** | If present, Mode Based Execution Control is needed. |
+Value | Description
+-|-
+**0.** | Nothing is required.
+**1.** | If present, hypervisor support is needed.
+**2.** | If present, Secure Boot is needed.
+**3.** | If present, DMA protection is needed.
+**4.** | If present, Secure Memory Overwrite is needed.
+**5.** | If present, NX protections are needed.
+**6.** | If present, SMM mitigations are needed.
+**7.** | If present, Mode Based Execution Control is needed.
-#### SecurityServicesConfigured
+#### SecurityServicesConfigured
 This field indicates whether the Windows Defender Credential Guard or HVCI service has been configured.
-| Value | Description |
-|--------|-------------|
-| **0.** | No services configured. |
-| **1.** | If present, Windows Defender Credential Guard is configured. |
-| **2.** | If present, HVCI is configured. |
-| **3.** | If present, System Guard Secure Launch is configured. |
+Value | Description
+-|-
+**0.** | No services configured.
+**1.** | If present, Windows Defender Credential Guard is configured.
+**2.** | If present, HVCI is configured.
+**3.** | If present, System Guard Secure Launch is configured.
 #### SecurityServicesRunning
 This field indicates whether the Windows Defender Credential Guard or HVCI service is running.
-| Value | Description |
-|--------|-------------|
-| **0.** | No services running. |
-| **1.** | If present, Windows Defender Credential Guard is running.
|
-| **2.** | If present, HVCI is running. |
-| **3.** | If present, System Guard Secure Launch is running. |
+Value | Description
+-|-
+**0.** | No services running.
+**1.** | If present, Windows Defender Credential Guard is running.
+**2.** | If present, HVCI is running.
+**3.** | If present, System Guard Secure Launch is running.
 #### Version
@@ -252,12 +252,11 @@ This field lists the version of this WMI class. The only valid value now is **1. This field indicates whether VBS is enabled and running.
-| Value | Description |
-|--------|-------------|
-| **0.** | VBS is not enabled. |
-| **1.** | VBS is enabled but not running. |
-| **2.** | VBS is enabled and running. |
-
+Value | Description
+-|-
+**0.** | VBS is not enabled.
+**1.** | VBS is enabled but not running.
+**2.** | VBS is enabled and running.
 #### PSComputerName
@@ -265,8 +264,7 @@ This field lists the computer name. All valid values for computer name. Another method to determine the available and enabled Windows Defender Device Guard features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the Windows Defender Device Guard properties are displayed at the bottom of the **System Summary** section.
-![Windows Defender Device Guard properties in the System Summary](images/dg-fig11-dgproperties.png)
-
+![Windows Defender Device Guard properties in the System Summary](../images/dg-fig11-dgproperties.png)
 ## Troubleshooting
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md b/windows/security/threat-protection/device-guard/memory-integrity.md
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md
rename to windows/security/threat-protection/device-guard/memory-integrity.md
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
rename to windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
diff --git a/windows/security/threat-protection/images/TVM_icon.png b/windows/security/threat-protection/images/TVM_icon.png
index 41faa16718..63f8c75929 100644
Binary files a/windows/security/threat-protection/images/TVM_icon.png and b/windows/security/threat-protection/images/TVM_icon.png differ
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/Untitled-1.png b/windows/security/threat-protection/images/Untitled-1.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/Untitled-1.png
rename to windows/security/threat-protection/images/Untitled-1.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/asr-notif.png b/windows/security/threat-protection/images/asr-notif.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/asr-notif.png
rename to windows/security/threat-protection/images/asr-notif.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/asr-rules-gp.png b/windows/security/threat-protection/images/asr-rules-gp.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/asr-rules-gp.png
rename to windows/security/threat-protection/images/asr-rules-gp.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/asr-test-tool.png b/windows/security/threat-protection/images/asr-test-tool.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/asr-test-tool.png
rename to windows/security/threat-protection/images/asr-test-tool.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-allow-app-ps.png b/windows/security/threat-protection/images/cfa-allow-app-ps.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-allow-app-ps.png
rename to windows/security/threat-protection/images/cfa-allow-app-ps.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-allow-app.png b/windows/security/threat-protection/images/cfa-allow-app.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-allow-app.png
rename to windows/security/threat-protection/images/cfa-allow-app.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-allow-folder-ps.png b/windows/security/threat-protection/images/cfa-allow-folder-ps.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-allow-folder-ps.png
rename to windows/security/threat-protection/images/cfa-allow-folder-ps.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-audit-gp.png b/windows/security/threat-protection/images/cfa-audit-gp.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-audit-gp.png
rename to windows/security/threat-protection/images/cfa-audit-gp.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-filecreator.png b/windows/security/threat-protection/images/cfa-filecreator.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-filecreator.png
rename to windows/security/threat-protection/images/cfa-filecreator.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-gp-enable.png b/windows/security/threat-protection/images/cfa-gp-enable.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-gp-enable.png
rename to windows/security/threat-protection/images/cfa-gp-enable.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-notif.png b/windows/security/threat-protection/images/cfa-notif.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-notif.png
rename to windows/security/threat-protection/images/cfa-notif.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-on.png b/windows/security/threat-protection/images/cfa-on.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-on.png
rename to windows/security/threat-protection/images/cfa-on.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-prot-folders.png b/windows/security/threat-protection/images/cfa-prot-folders.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/cfa-prot-folders.png
rename to windows/security/threat-protection/images/cfa-prot-folders.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/check-no.png b/windows/security/threat-protection/images/check-no.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/check-no.png
rename to windows/security/threat-protection/images/check-no.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/create-endpoint-protection-profile.png b/windows/security/threat-protection/images/create-endpoint-protection-profile.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/create-endpoint-protection-profile.png
rename to windows/security/threat-protection/images/create-endpoint-protection-profile.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/create-exploit-guard-policy.png b/windows/security/threat-protection/images/create-exploit-guard-policy.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/create-exploit-guard-policy.png
rename to windows/security/threat-protection/images/create-exploit-guard-policy.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/dg-fig11-dgproperties.png b/windows/security/threat-protection/images/dg-fig11-dgproperties.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/dg-fig11-dgproperties.png
rename to windows/security/threat-protection/images/dg-fig11-dgproperties.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-app-allow.png b/windows/security/threat-protection/images/enable-cfa-app-allow.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-app-allow.png
rename to windows/security/threat-protection/images/enable-cfa-app-allow.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-app-folder.png b/windows/security/threat-protection/images/enable-cfa-app-folder.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-app-folder.png
rename to windows/security/threat-protection/images/enable-cfa-app-folder.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-app.png b/windows/security/threat-protection/images/enable-cfa-app.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-app.png
rename to windows/security/threat-protection/images/enable-cfa-app.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-intune.png b/windows/security/threat-protection/images/enable-cfa-intune.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/enable-cfa-intune.png
rename to windows/security/threat-protection/images/enable-cfa-intune.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-ep-intune.png b/windows/security/threat-protection/images/enable-ep-intune.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/enable-ep-intune.png
rename to windows/security/threat-protection/images/enable-ep-intune.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-hvci-gp.png b/windows/security/threat-protection/images/enable-hvci-gp.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/enable-hvci-gp.png
rename to windows/security/threat-protection/images/enable-hvci-gp.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-np-intune.png b/windows/security/threat-protection/images/enable-np-intune.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/enable-np-intune.png
rename to windows/security/threat-protection/images/enable-np-intune.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/ep-default.png b/windows/security/threat-protection/images/ep-default.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/ep-default.png
rename to windows/security/threat-protection/images/ep-default.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/ep-prog.png b/windows/security/threat-protection/images/ep-prog.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/ep-prog.png
rename to windows/security/threat-protection/images/ep-prog.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/event-viewer-import.png b/windows/security/threat-protection/images/event-viewer-import.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/event-viewer-import.png
rename to windows/security/threat-protection/images/event-viewer-import.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/event-viewer.gif b/windows/security/threat-protection/images/event-viewer.gif
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/event-viewer.gif
rename to windows/security/threat-protection/images/event-viewer.gif
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/events-create.gif b/windows/security/threat-protection/images/events-create.gif
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/events-create.gif
rename to windows/security/threat-protection/images/events-create.gif
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/events-import.gif b/windows/security/threat-protection/images/events-import.gif
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/events-import.gif
rename to windows/security/threat-protection/images/events-import.gif
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/exp-prot-gp.png b/windows/security/threat-protection/images/exp-prot-gp.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/exp-prot-gp.png
rename to windows/security/threat-protection/images/exp-prot-gp.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/np-notif.png b/windows/security/threat-protection/images/np-notif.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/np-notif.png
rename to windows/security/threat-protection/images/np-notif.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-asr-blocks.png b/windows/security/threat-protection/images/sccm-asr-blocks.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-asr-blocks.png
rename to windows/security/threat-protection/images/sccm-asr-blocks.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-asr-rules.png b/windows/security/threat-protection/images/sccm-asr-rules.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-asr-rules.png
rename to windows/security/threat-protection/images/sccm-asr-rules.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-cfa-block.png b/windows/security/threat-protection/images/sccm-cfa-block.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-cfa-block.png
rename to windows/security/threat-protection/images/sccm-cfa-block.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-cfa.png b/windows/security/threat-protection/images/sccm-cfa.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-cfa.png
rename to windows/security/threat-protection/images/sccm-cfa.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-ep-xml.png b/windows/security/threat-protection/images/sccm-ep-xml.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-ep-xml.png
rename to windows/security/threat-protection/images/sccm-ep-xml.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-ep.png b/windows/security/threat-protection/images/sccm-ep.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-ep.png
rename to windows/security/threat-protection/images/sccm-ep.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-np-block.png b/windows/security/threat-protection/images/sccm-np-block.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-np-block.png
rename to windows/security/threat-protection/images/sccm-np-block.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-np.png b/windows/security/threat-protection/images/sccm-np.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/sccm-np.png
rename to windows/security/threat-protection/images/sccm-np.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/svg/check-no.svg b/windows/security/threat-protection/images/svg/check-no.svg
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/svg/check-no.svg
rename to windows/security/threat-protection/images/svg/check-no.svg
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.svg b/windows/security/threat-protection/images/svg/check-yes.svg
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.svg
rename to windows/security/threat-protection/images/svg/check-yes.svg
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/wdeg.png b/windows/security/threat-protection/images/wdeg.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/wdeg.png
rename to windows/security/threat-protection/images/wdeg.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-app-settings-options.png b/windows/security/threat-protection/images/wdsc-exp-prot-app-settings-options.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-app-settings-options.png
rename to windows/security/threat-protection/images/wdsc-exp-prot-app-settings-options.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-app-settings.png b/windows/security/threat-protection/images/wdsc-exp-prot-app-settings.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-app-settings.png
rename to windows/security/threat-protection/images/wdsc-exp-prot-app-settings.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-export.png b/windows/security/threat-protection/images/wdsc-exp-prot-export.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-export.png
rename to windows/security/threat-protection/images/wdsc-exp-prot-export.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-sys-settings.png b/windows/security/threat-protection/images/wdsc-exp-prot-sys-settings.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot-sys-settings.png
rename to windows/security/threat-protection/images/wdsc-exp-prot-sys-settings.png
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot.png b/windows/security/threat-protection/images/wdsc-exp-prot.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/images/wdsc-exp-prot.png
rename to windows/security/threat-protection/images/wdsc-exp-prot.png
diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index 97a809c8de..bba7e87609 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -58,16 +58,16 @@ This built-in capability uses a game-changing risk-based approach to the discove **[Attack surface reduction](microsoft-defender-atp/overview-attack-surface-reduction.md)**
    -The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations.
+The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations.
-- [Hardware based isolation](microsoft-defender-atp/overview-hardware-based-isolation.md)
+- [Hardware based isolation](microsoft-defender-atp/overview-hardware-based-isolation.md)
 - [Application control](windows-defender-application-control/windows-defender-application-control.md)
 - [Device control](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
-- [Exploit protection](windows-defender-exploit-guard/exploit-protection-exploit-guard.md)
-- [Network protection](windows-defender-exploit-guard/network-protection-exploit-guard.md)
-- [Controlled folder access](windows-defender-exploit-guard/controlled-folders-exploit-guard.md)
+- [Exploit protection](microsoft-defender-atp/exploit-protection.md)
+- [Network protection](microsoft-defender-atp/network-protection.md)
+- [Controlled folder access](microsoft-defender-atp/controlled-folders.md)
 - [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md)
-- [Attack surface reduction rules](windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md)
+- [Attack surface reduction rules](microsoft-defender-atp/attack-surface-reduction.md)
@@ -132,7 +132,7 @@ Microsoft Defender ATP's new managed threat hunting service provides proactive h Integrate Microsoft Defender Advanced Threat Protection into your existing workflows.
 - [Onboarding](microsoft-defender-atp/onboard-configure.md)
 - [API and SIEM integration](microsoft-defender-atp/configure-siem.md)
-- [Exposed APIs](microsoft-defender-atp/use-apis.md)
+- [Exposed APIs](microsoft-defender-atp/apis-intro.md)
 - [Role-based access control (RBAC)](microsoft-defender-atp/rbac.md)
 - [Reporting and trends](microsoft-defender-atp/powerbi-reports.md)
diff --git a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md
index 31ef30f618..fef7da884b 100644
--- a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md
+++ b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md
@@ -36,4 +36,4 @@ Organizations participating in the CME effort work together to help eradicate se Any organization that is involved in cybersecurity and antimalware or interested in fighting cybercrime can participate in CME campaigns by enrolling in the [Virus Information Alliance (VIA) program](virus-information-alliance-criteria.md). It ensures that everyone agrees to use the information and tools available for campaigns for their intended purpose (that is, the eradication of malware).
-If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/en-us/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/en-us/wdsi/alliances/collaboration-inquiry).
+If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry).
diff --git a/windows/security/threat-protection/intelligence/developer-resources.md b/windows/security/threat-protection/intelligence/developer-resources.md
index a7e660c5da..35aec2bd9c 100644
--- a/windows/security/threat-protection/intelligence/developer-resources.md
+++ b/windows/security/threat-protection/intelligence/developer-resources.md
@@ -24,9 +24,9 @@ If you believe that your application or program has been incorrectly detected by Check out the following resources for information on how to submit and view submissions:
-- [Submit files](https://www.microsoft.com/en-us/wdsi/filesubmission)
+- [Submit files](https://www.microsoft.com/wdsi/filesubmission)
-- [View your submissions](https://www.microsoft.com/en-us/wdsi/submissionhistory)
+- [View your submissions](https://www.microsoft.com/wdsi/submissionhistory)
 ## Additional resources
diff --git a/windows/security/threat-protection/intelligence/fileless-threats.md b/windows/security/threat-protection/intelligence/fileless-threats.md
index 62bcff1173..bc3ecd48d1 100644
--- a/windows/security/threat-protection/intelligence/fileless-threats.md
+++ b/windows/security/threat-protection/intelligence/fileless-threats.md
@@ -96,6 +96,6 @@ Having described the broad categories, we can now dig into the details and provi ## Defeating fileless malware
-At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions that continuously enhance Windows security and mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, Microsoft Defender Advanced Threat Protection [(Microsoft Defender ATP)](https://www.microsoft.com/en-us/windowsforbusiness?ocid=docs-fileless) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats.
+At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions that continuously enhance Windows security and mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, Microsoft Defender Advanced Threat Protection [(Microsoft Defender ATP)](https://www.microsoft.com/windowsforbusiness?ocid=docs-fileless) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats.
 To learn more, read: [Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/27/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av/)
diff --git a/windows/security/threat-protection/intelligence/images/MITRE-Microsoft-Defender-ATP.png b/windows/security/threat-protection/intelligence/images/MITRE-Microsoft-Defender-ATP.png
new file mode 100644
index 0000000000..446ad19d77
Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/MITRE-Microsoft-Defender-ATP.png differ
diff --git a/windows/security/threat-protection/intelligence/images/Transparency-report-August-2.png b/windows/security/threat-protection/intelligence/images/Transparency-report-August-2.png
new file mode 100644
index 0000000000..9769fd54cb
Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/Transparency-report-August-2.png differ
diff --git a/windows/security/threat-protection/intelligence/images/prevalent-malware-aug-small.png b/windows/security/threat-protection/intelligence/images/prevalent-malware-aug-small.png
new file mode 100644
index 0000000000..f797263dba
Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/prevalent-malware-aug-small.png differ
diff --git a/windows/security/threat-protection/intelligence/images/prevalent-malware-small.png b/windows/security/threat-protection/intelligence/images/prevalent-malware-small.png
deleted file mode 100644
index 15a95c2276..0000000000
Binary files a/windows/security/threat-protection/intelligence/images/prevalent-malware-small.png and /dev/null differ
diff --git a/windows/security/threat-protection/intelligence/images/real-world-aug-small.png b/windows/security/threat-protection/intelligence/images/real-world-aug-small.png
new file mode 100644
index 0000000000..303df698eb
Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/real-world-aug-small.png differ
diff --git a/windows/security/threat-protection/intelligence/images/real-world-protection-aug-small.png b/windows/security/threat-protection/intelligence/images/real-world-protection-aug-small.png
new file mode 100644
index 0000000000..3a188fbf75
Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/real-world-protection-aug-small.png differ
diff --git a/windows/security/threat-protection/intelligence/images/real-world-small.png b/windows/security/threat-protection/intelligence/images/real-world-small.png
deleted file mode 100644
index 89bf7a1819..0000000000
Binary files a/windows/security/threat-protection/intelligence/images/real-world-small.png and /dev/null differ
diff --git a/windows/security/threat-protection/intelligence/images/transparency-report-3.png b/windows/security/threat-protection/intelligence/images/transparency-report-3.png
deleted file mode 100644
index 413454d293..0000000000
Binary files a/windows/security/threat-protection/intelligence/images/transparency-report-3.png and /dev/null differ
diff --git a/windows/security/threat-protection/intelligence/macro-malware.md b/windows/security/threat-protection/intelligence/macro-malware.md
index d4c3119d19..ec97b244a7 100644
--- a/windows/security/threat-protection/intelligence/macro-malware.md
+++ b/windows/security/threat-protection/intelligence/macro-malware.md
@@ -31,7 +31,7 @@ We've seen macro malware download threats from the following families: * [Ransom:Win32/Teerac](Ransom:Win32/Teerac) * [TrojanDownloader:Win32/Chanitor](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Win32/Chanitor.A) * [TrojanSpy:Win32/Ursnif](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif) -* [Win32/Fynloski](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Fynloski) +* [Win32/Fynloski](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Win32/Fynloski) * [Worm:Win32/Gamarue](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Win32/Gamarue) ## How to protect against macro malware diff --git a/windows/security/threat-protection/intelligence/prevent-malware-infection.md b/windows/security/threat-protection/intelligence/prevent-malware-infection.md index 59d35b2c35..63ef1862ba 100644 --- a/windows/security/threat-protection/intelligence/prevent-malware-infection.md +++ b/windows/security/threat-protection/intelligence/prevent-malware-infection.md 
@@ -53,7 +53,7 @@ Using pirated content is not only illegal, it can also expose your device to mal Users do not openly discuss visits to these sites, so any untoward experience are more likely to stay unreported. -To stay safe, download movies, music, and apps from official publisher websites or stores. Consider running a streamlined OS such as [Windows 10 Pro SKU S Mode](https://www.microsoft.com/en-us/windows/s-mode?ocid=cx-wdsi-articles), which ensures that only vetted apps from the Windows Store are installed. +To stay safe, download movies, music, and apps from official publisher websites or stores. Consider running a streamlined OS such as [Windows 10 Pro SKU S Mode](https://www.microsoft.com/windows/s-mode?ocid=cx-wdsi-articles), which ensures that only vetted apps from the Windows Store are installed. ## Don't attach unfamiliar removable drives diff --git a/windows/security/threat-protection/intelligence/rootkits-malware.md b/windows/security/threat-protection/intelligence/rootkits-malware.md index 3dc3456226..ffe4254e2b 100644 --- a/windows/security/threat-protection/intelligence/rootkits-malware.md +++ b/windows/security/threat-protection/intelligence/rootkits-malware.md @@ -31,7 +31,7 @@ Many modern malware families use rootkits to try and avoid detection and removal * [Cutwail](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2fCutwail) -* [Datrahere](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win64/Detrahere) (Zacinlo) +* [Datrahere](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win64/Detrahere) (Zacinlo) * [Rustock](https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32%2fRustock) diff --git a/windows/security/threat-protection/intelligence/safety-scanner-download.md b/windows/security/threat-protection/intelligence/safety-scanner-download.md index d3bd25dce2..f00d63e08f 100644 
--- a/windows/security/threat-protection/intelligence/safety-scanner-download.md
+++ b/windows/security/threat-protection/intelligence/safety-scanner-download.md
@@ -24,12 +24,12 @@ Microsoft Safety Scanner is a scan tool designed to find and remove malware from - [Download Microsoft Safety Scanner (64-bit)](https://go.microsoft.com/fwlink/?LinkId=212732) > [!NOTE] -> The security intelligence update version of the Microsoft Safety Scanner matches the version described [in this web page](https://www.microsoft.com/en-us/wdsi/definitions). +> The security intelligence update version of the Microsoft Safety Scanner matches the version described [in this web page](https://www.microsoft.com/wdsi/definitions). Safety Scanner only scans when manually triggered and is available for use 10 days after being downloaded. We recommend that you always download the latest version of this tool before each scan. > [!NOTE] -> This tool does not replace your antimalware product. For real-time protection with automatic updates, use [Windows Defender Antivirus on Windows 10 and Windows 8](https://www.microsoft.com/windows/comprehensive-security) or [Microsoft Security Essentials on Windows 7](https://support.microsoft.com/help/14210/security-essentials-download). These antimalware products also provide powerful malware removal capabilities. If you are having difficulties removing malware with these products, you can refer to our help on [removing difficult threats](https://www.microsoft.com/en-us/wdsi/help/troubleshooting-infection). +> This tool does not replace your antimalware product. For real-time protection with automatic updates, use [Windows Defender Antivirus on Windows 10 and Windows 8](https://www.microsoft.com/windows/comprehensive-security) or [Microsoft Security Essentials on Windows 7](https://support.microsoft.com/help/14210/security-essentials-download). These antimalware products also provide powerful malware removal capabilities. If you are having difficulties removing malware with these products, you can refer to our help on [removing difficult threats](https://www.microsoft.com/wdsi/help/troubleshooting-infection). 
> [!NOTE] > Safety scanner is a portable executable and does not appear in the Windows Start menu or as an icon on the desktop. Note where you saved this download. diff --git a/windows/security/threat-protection/intelligence/submission-guide.md b/windows/security/threat-protection/intelligence/submission-guide.md index 545a2d7f62..05e5ab7db4 100644 --- a/windows/security/threat-protection/intelligence/submission-guide.md +++ b/windows/security/threat-protection/intelligence/submission-guide.md @@ -52,7 +52,7 @@ We encourage all software vendors and developers to read about [how Microsoft id ## How do I track or view past sample submissions? -You can track your submissions through the [submission history page](https://www.microsoft.com/en-us/wdsi/submissionhistory). Your submission will only appear on this page if you were signed in when you submitted it. +You can track your submissions through the [submission history page](https://www.microsoft.com/wdsi/submissionhistory). Your submission will only appear on this page if you were signed in when you submitted it. If you’re not signed in when you submit a sample, you will be redirected to a tracking page. Bookmark this page if you want to come back and check on the status of your submission. @@ -66,7 +66,7 @@ Each submission is shown to be in one of the following status types: * Closed—a final determination has been given by an analyst -If you are signed in, you can see the status of any files you submit to us on the [submission history page](https://www.microsoft.com/en-us/wdsi/submissionhistory). +If you are signed in, you can see the status of any files you submit to us on the [submission history page](https://www.microsoft.com/wdsi/submissionhistory). ## How does Microsoft prioritize submissions 
diff --git a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
index c1d189ea17..9bd0cfef19 100644
--- a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
+++ b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
@@ -18,89 +18,70 @@ search.appverid: met150 # Top scoring in industry tests -Microsoft Defender Advanced Threat Protection ([Microsoft Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports)) technologies consistently achieve high scores in independent tests, demonstrating the strength of its enterprise threat protection capabilities. Microsoft aims to be transparent about these test scores. This page summarizes the results and provides analysis. +Microsoft Defender Advanced Threat Protection ([Microsoft Defender ATP](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports)) technologies consistently achieve high scores in independent tests, demonstrating the strength of its enterprise threat protection capabilities. Microsoft aims to be transparent about these test scores. This page summarizes the results and provides analysis. ## Next generation protection [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10?ocid=cx-docs-avreports) consistently performs highly in independent tests, displaying how it is a top choice in the antivirus market. Note that these tests only provide results for antivirus and do not test for additional security protections. -Windows Defender Antivirus is part of the [next generation](https://www.youtube.com/watch?v=Xy3MOxkX_o4) Microsoft Defender ATP security stack which addresses the latest and most sophisticated threats today. In some cases, customers might not even know they were protected because a cyberattack is stopped [milliseconds after a campaign starts](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign?ocid=cx-docs-avreports). 
That's because Windows Defender Antivirus detects and stops malware at first sight by using [machine learning](https://cloudblogs.microsoft.com/microsoftsecure/2018/06/07/machine-learning-vs-social-engineering?ocid=cx-docs-avreports), [artificial intelligence](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak?ocid=cx-docs-avreports), behavioral analysis, and other advanced technologies. +Windows Defender Antivirus is the [next generation protection](https://www.youtube.com/watch?v=Xy3MOxkX_o4) capability in the Microsoft Defender ATP security stack which addresses the latest and most sophisticated threats today. In some cases, customers might not even know they were protected because a cyberattack is stopped [milliseconds after a campaign starts](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign?ocid=cx-docs-avreports). That's because Windows Defender Antivirus detects and stops malware at first sight by using [machine learning](https://cloudblogs.microsoft.com/microsoftsecure/2018/06/07/machine-learning-vs-social-engineering?ocid=cx-docs-avreports), [artificial intelligence](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak?ocid=cx-docs-avreports), behavioral analysis, and other advanced technologies.

    +![String of images showing scores](./images/Transparency-report-August-2.png) -![Graph describing Real-World detection rate](./images/transparency-report-purple-60.png) **Download the latest transparency report: [Examining industry test results, May 2019](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE33cdd)** +**Download the latest transparency report: [Examining industry test results, August 2019](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl)** ### AV-TEST: Protection score of 6.0/6.0 in the latest test The AV-TEST Product Review and Certification Report tests on three categories: protection, performance, and usability. The scores listed below are for the Protection category which has two scores: Real-World Testing and the AV-TEST reference set (known as "Prevalent Malware"). -- March - April 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/april-2019/microsoft-windows-defender-antivirus-4.18-191517/) **Latest** +- May - June 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/june-2019/microsoft-windows-defender-antivirus-4.18-192415/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl) **Latest** - Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, with 6,849 malware samples used. This is the sixth consecutive cycle that Windows Defender Antivirus achieved a perfect Protection score. + Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, detecting 100% of 2,735 malware samples used. This is the seventh consecutive cycle that Windows Defender Antivirus achieved a perfect Protection score. 
+ +- March - April 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/april-2019/microsoft-windows-defender-antivirus-4.18-191517/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl) - January - February 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/february-2019/microsoft-windows-defender-antivirus-4.18-190611/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE33cdd) - Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, with 13,977 malware samples used. - - November - December 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/december-2018/microsoft-windows-defender-antivirus-4.18-185074/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWusR9) - Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, detecting 100% of 19,956 malware samples. - - September - October 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/october-2018/microsoft-windows-defender-antivirus-4.18-184174/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWqOqD) - Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, protecting against 21,566 of 21,568 tested malware samples. - - July - August 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/august-2018/microsoft-windows-defender-antivirus-4.12--4.18-183212/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2IL3Y) - Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, detecting 100% of 20,022 malware samples. 
+### AV-Comparatives: Protection rating of 99.9% in the latest test -- May - June 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/june-2018/microsoft-windows-defender-antivirus-4.12-182374/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2v60I?ocid=cx-docs-avreports) +Business Security Test consists of three main parts: the Real-World Protection Test which mimics online malware attacks, the Malware Protection Test where the malware enters the system from outside the internet (e.g. USB), and the Performance Test which looks at the impact on the system’s performance. - Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, detecting 100% of 5,790 malware samples. +- Business Security Test 2019 (March - June): [Real-World Protection Rate 99.9%](https://www.av-comparatives.org/tests/business-security-test-2019-march-june/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl) **Latest** -||| -|---|---| -|![Graph describing Real-World detection rate](./images/real-world-small.png)|![Graph describing Prevalent Malware](./images/prevalent-malware-small.png)| + Windows Defender Antivirus has consistently improved in Real-World Protection Rates over the past year, with 99.9% in the latest test. -### AV-Comparatives: Protection rating of 99.7% in the latest test +- Business Security Test 2018 (August - November): [Real-World Protection Rate 99.6%](https://www.av-comparatives.org/tests/business-security-test-2018-august-november/) -AV-Comparatives is an independent organization offering systematic testing for security software such as PC/Mac-based antivirus products and mobile security solutions. 
+- Business Security Test 2018 (March - June): [Real-World Protection Rate 98.7%](https://www.av-comparatives.org/tests/business-security-test-2018-march-june/) -- Real-World Protection Test Enterprise March - April 2019: [Protection Rate 99.7%](https://www.av-comparatives.org/tests/real-world-protection-test-enterprise-march-april-2019-testresult/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE33cdd) **Latest** - - This test, as defined by AV-Comparatives, attempts to assess the effectiveness of each security program to protect a computer against active malware threats while online. The test set contained 389 test cases (such as malicious URLs). - -- Real-World Protection Test Enterprise August - November 2018: [Protection Rate 99.6%](https://www.av-comparatives.org/tests/real-world-protection-test-enterprise-august-november-2018-testresult/) - - The test set contained 1,207 test cases (such as malicious URLs). - -- Malware Protection Test Enterprise August 2018: [Protection Rate 99.9%](https://www.av-comparatives.org/tests/malware-protection-test-enterprise-august-2018-testresult/) - - This test, as defined by AV-Comparatives, attempts to assesses a security program’s ability to protect a system against infection by malicious files before, during or after execution. The results are based on testing against 1,556 malware samples. - -- Real-World Protection Test Enterprise March - June 2018: [Protection Rate 98.7%](https://www.av-comparatives.org/tests/real-world-protection-test-enterprise-march-june-2018-testresult/) - - The test set contained 1,163 test cases (such as malicious URLs). - -### SE Labs: Total accuracy rating of AAA in the latest test +### SE Labs: AAA award in the latest test SE Labs tests a range of solutions used by products and services to detect and/or protect against attacks, including endpoint software, network appliances, and cloud services. 
+- Enterprise Endpoint Protection April - June 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/apr-jun-2019-enterprise.pdf) **pdf** | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl) + + Microsoft's next-gen protection was named as one of the leading products, stopping all of the targeted attacks and all but one public threat. It also handled the legitimate applications correctly. + +- Enterprise Endpoint Protection January - March 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/jan-mar-2019-enterprise.pdf) **pdf** | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl) + - Enterprise Endpoint Protection October - December 2018: [AAA award](https://selabs.uk/download/enterprise/epp/2018/oct-dec-2018-enterprise.pdf) **pdf** | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE33cdd) - Microsoft's next-gen protection was named as one of the leading products, stopping all of the public and targeted attacks. - - Enterprise Endpoint Protection July - September 2018: [AAA award](https://selabs.uk/download/enterprise/epp/2018/jul-sep-2018-enterprise.pdf) **pdf** - Microsoft's next-gen protection was named as one of the most effective products, stopping all public and targeted attacks. It showcased its ability to block malicious URLs, deal with exploits, and classify legitimate apps and websites correctly. - -- Enterprise Endpoint Protection April - June 2018: [AAA award](https://selabs.uk/download/enterprise/epp/2018/apr-jun-2018-enterprise.pdf) **pdf** - - Microsoft's next-gen protection was named as one of the most effective products, stopping all targeted attacks and the vast majority of public threats. 
- ## Endpoint detection & response Microsoft Defender ATP [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats. +![String of images showing EDR capabilities](./images/MITRE-Microsoft-Defender-ATP.png) + +**Read our analysis: [MITRE evaluation highlights industry-leading EDR capabilities in Windows Defender ATP](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/MITRE-evaluation-highlights-industry-leading-EDR-capabilities-in/ba-p/369831)** + ### MITRE: Industry-leading optics and detection capabilities MITRE tested the ability of products to detect techniques commonly used by the targeted attack group APT3 (also known as Boron or UPS). To isolate detection capabilities, all protection and prevention features were turned off. Microsoft is happy to be one of the first EDR vendors to sign up for the MITRE evaluation based on the ATT&CK framework, widely regarded today as the most comprehensive catalog of attacker techniques and tactics. 
@@ -113,6 +94,6 @@ MITRE tested the ability of products to detect techniques commonly used by the t It is important to remember that Microsoft sees a wider and broader set of threats beyond what’s tested in the evaluations highlighted above. For example, in an average month, we identify over 100 million new threats. Even if an independent tester can acquire and test 1% of those threats, that is a million tests across 20 or 30 products. In other words, the vastness of the malware landscape makes it extremely difficult to evaluate the quality of protection against real world threats. -The capabilities within [Microsoft Defender ATP](https://www.microsoft.com/en-us/windowsforbusiness?ocid=cx-docs-avreports) provide [additional layers of protection](https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses?ocid=cx-docs-avreports) that are not factored into industry antivirus tests, and address some of the latest and most sophisticated threats. Isolating AV from the rest of Microsoft Defender ATP creates a partial picture of how our security stack operates in the real world. For example, attack surface reduction and endpoint detection & response capabilities can help prevent malware from getting onto devices in the first place. We have proven that [Microsoft Defender ATP components catch samples](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA?ocid=cx-docs-avreports) that Windows Defender Antivirus missed in these industry tests, which is more representative of how effectively our security suite protects customers in the real world. 
+The capabilities within [Microsoft Defender ATP](https://www.microsoft.com/windowsforbusiness?ocid=cx-docs-avreports) provide [additional layers of protection](https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses?ocid=cx-docs-avreports) that are not factored into industry antivirus tests, and address some of the latest and most sophisticated threats. Isolating AV from the rest of Microsoft Defender ATP creates a partial picture of how our security stack operates in the real world. For example, attack surface reduction and endpoint detection & response capabilities can help prevent malware from getting onto devices in the first place. We have proven that [Microsoft Defender ATP components catch samples](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA?ocid=cx-docs-avreports) that Windows Defender Antivirus missed in these industry tests, which is more representative of how effectively our security suite protects customers in the real world. -Using independent tests, customers can view one aspect of their security suite but can't assess the complete protection of all the security features. Microsoft is highly engaged in working with several independent testers to evolve security testing to focus on the end-to-end security stack. In the meantime, customers can evaluate Microsoft Defender Advanced Threat Protection in their own networks by signing up for a [90-day trial of Microsoft Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports), or [enabling Preview features on existing tenants](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection?ocid=cx-docs-avreports). +Using independent tests, customers can view one aspect of their security suite but can't assess the complete protection of all the security features. 
Microsoft is highly engaged in working with several independent testers to evolve security testing to focus on the end-to-end security stack. In the meantime, customers can evaluate Microsoft Defender Advanced Threat Protection in their own networks by signing up for a [90-day trial of Microsoft Defender ATP](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports), or [enabling Preview features on existing tenants](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection?ocid=cx-docs-avreports). diff --git a/windows/security/threat-protection/intelligence/understanding-malware.md b/windows/security/threat-protection/intelligence/understanding-malware.md index 220e69b806..2486a1e427 100644 --- a/windows/security/threat-protection/intelligence/understanding-malware.md +++ b/windows/security/threat-protection/intelligence/understanding-malware.md 
@@ -21,7 +21,7 @@ Malware is a term used to describe malicious applications and code that can caus Cybercriminals that distribute malware are often motivated by money and will use infected computers to launch attacks, obtain banking credentials, collect information that can be sold, sell access to computing resources, or extort payment from victims. -As criminals become more sophisticated with their attacks, Microsoft is here to help. Windows 10 is the most secure version of Windows yet and includes many features to help protect you whether you're at home, at work, or on the go. With Microsoft Defender Advanced Threat Protection ([Microsoft Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp)), businesses can stay protected with next-generation protection and other security capabilities. +As criminals become more sophisticated with their attacks, Microsoft is here to help. Windows 10 is the most secure version of Windows yet and includes many features to help protect you whether you're at home, at work, or on the go. With Microsoft Defender Advanced Threat Protection ([Microsoft Defender ATP](https://www.microsoft.com/WindowsForBusiness/windows-atp)), businesses can stay protected with next-generation protection and other security capabilities. For good general tips, check out the [prevent malware infection](prevent-malware-infection.md) topic. diff --git a/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md b/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md index 82c6baab29..cfda4379ca 100644 --- a/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md +++ b/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md 
@@ -50,4 +50,4 @@ To be eligible for VIA your organization must: 3. Be willing to sign and adhere to the VIA membership agreement. -If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/en-us/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/en-us/wdsi/alliances/collaboration-inquiry). +If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry). diff --git a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md index 38ad06123a..adfe6b2035 100644 --- a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md +++ b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md @@ -54,4 +54,4 @@ Your organization must meet the following eligibility requirements to qualify fo ### Apply now -If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/en-us/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/en-us/wdsi/alliances/collaboration-inquiry). +If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry). diff --git a/windows/security/threat-protection/intelligence/worms-malware.md b/windows/security/threat-protection/intelligence/worms-malware.md index 6c51864314..6b392dcc81 100644 
--- a/windows/security/threat-protection/intelligence/worms-malware.md +++ b/windows/security/threat-protection/intelligence/worms-malware.md @@ -34,7 +34,7 @@ Jenxcus (also known as Dunihi), Gamarue (also known as Androm), and Bondat have Both Bondat and Gamarue have clever ways of obscuring themselves to evade detection. By hiding what they are doing, they try to avoid detection by security software. -* [**WannaCrypt**](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/WannaCrypt) also deserves a mention here. Unlike older worms that often spread just because they could, modern worms often spread to drop a payload (e.g. ransomware). +* [**WannaCrypt**](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/WannaCrypt) also deserves a mention here. Unlike older worms that often spread just because they could, modern worms often spread to drop a payload (e.g. ransomware). This image shows how a worm can quickly spread through a shared USB drive. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md index 38d679e8fa..22fe7612b1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md 
@@ -22,7 +22,7 @@ ms.topic: article
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink)
 Depending on the Microsoft security products that you use, some advanced features might be available for you to integrate Microsoft Defender ATP with.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md
index 9544001b7c..11138ccab3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md
@@ -24,7 +24,7 @@ ms.date: 07/24/2019
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 The AlertEvents table in the Advanced hunting schema contains information about alerts on Microsoft Defender Security Center. Use this reference to construct queries that return information from the table.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
index fbe2aa1d4c..918e31047d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
@@ -24,7 +24,7 @@ ms.date: 04/24/2018
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-bestpractices-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-bestpractices-abovefoldlink)
 ## Performance best practices
 The following best practices serve as a guideline of query performance best practices and for you to get faster results and be able to run complex queries.
@@ -93,4 +93,4 @@ ProcessCreationEvents
 | where CanonicalCommandLine contains "stop" and CanonicalCommandLine contains "MpsSvc"
 ```
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-bestpractices-belowfoldlink)
\ No newline at end of file
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-bestpractices-belowfoldlink)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md
index 9180ed1db4..2f8d8b5394 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md
@@ -24,7 +24,7 @@ ms.date: 07/24/2019
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 The FileCreationEvents table in the Advanced hunting schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from the table.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md
index d7e0521472..aabe8804ca 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md
@@ -24,7 +24,7 @@ ms.date: 07/24/2019
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 The ImageLoadEvents table in the Advanced hunting schema contains information about DLL loading events. Use this reference to construct queries that return information from the table.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md
index 1e8a0cfcc7..90d2fe815e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md
@@ -24,7 +24,7 @@ ms.date: 07/24/2019
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 The LogonEvents table in the Advanced hunting schema contains information about user logons and other authentication events. Use this reference to construct queries that return information from the table.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md
index fa58a67cdd..5ac8eced92 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md
@@ -24,7 +24,7 @@ ms.date: 07/24/2019
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 The MachineInfo table in the Advanced hunting schema contains information about machines in the organization, including OS version, active users, and computer name. Use this reference to construct queries that return information from the table.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md
index 3ec3dfd8f2..cb1ff3f42a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md
@@ -24,7 +24,7 @@ ms.date: 07/24/2019
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 The MachineNetworkInfo table in the Advanced hunting schema contains information about networking configuration of machines, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md
index 01c38628be..34eb98af98 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md
@@ -24,7 +24,7 @@ ms.date: 07/24/2019
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 The MiscEvents table in the Advanced hunting schema contains information about multiple event types, including events triggered by security controls, such as Windows Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md
index fb18d453d7..29cce6edf3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md
@@ -24,7 +24,7 @@ ms.date: 07/24/2019
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 The NetworkCommunicationEvents table in the Advanced hunting schema contains information about network connections and related events. Use this reference to construct queries that return information from the table.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md
index d6ef50a878..ff4bcab4b7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md
@@ -24,7 +24,7 @@ ms.date: 07/24/2019
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 The ProcessCreationEvents table in the Advanced hunting schema contains information about process creation and related events. Use this reference to construct queries that return information from the table.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md
index 40810a2f12..a0d1dd41a1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md
@@ -24,7 +24,7 @@ ms.date: 07/24/2019
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 ## Advanced hunting table reference
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md
index 75b7b12ee6..dcf2cf5422 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md
@@ -24,7 +24,7 @@ ms.date: 07/24/2019
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
 The RegistryEvents table in the Advanced hunting schema contains information about the creation and modification of registry entries. Use this reference to construct queries that return information from the table.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting.md
index 4ca2aebb87..7c51f049ba 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting.md
@@ -20,7 +20,7 @@ ms.date: 08/15/2018
 # Query data using Advanced hunting in Microsoft Defender ATP
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
 To get you started in querying your data, you can use the Basic or Advanced query examples, which have some preloaded queries to help you understand the basic query syntax.
@@ -146,7 +146,7 @@ The filter selections will resolve as an additional query term and the results w
 Check out the [Advanced hunting repository](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). Contribute and use example queries shared by our customers.
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink)
 ## Related topic
 - [Advanced hunting reference](advanced-hunting-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
index 652e76f78d..fe3c249332 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
@@ -23,7 +23,7 @@ ms.date: 04/24/2018
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-alertsq-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-alertsq-abovefoldlink)
 The **Alerts queue** shows a list of alerts that were flagged from machines in your network. By default, the queue displays alerts seen in the last 30 days in a grouped view, with the most recent alerts showing at the top of the list, helping you see the most recent alerts first.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
index 9706e81443..979340a3ca 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
@@ -1,7 +1,7 @@
 ---
-title: Microsoft Defender ATP alert API fields
-description: Understand how the alert API fields map to the values in Microsoft Defender Security Center
-keywords: alerts, alert fields, fields, api, fields, pull alerts, rest api, request, response
+title: Microsoft Defender ATP detections API fields
+description: Understand how the Detections API fields map to the values in Microsoft Defender Security Center
+keywords: detections, detections fields, fields, api, fields, pull Detections, rest api, request, response
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
@@ -15,21 +15,24 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: article
-ms.date: 10/16/2017
 ---
-# Microsoft Defender ATP SIEM alert API fields
+# Microsoft Defender ATP detections API fields
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-apiportalmapping-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-apiportalmapping-abovefoldlink)
-Understand what data fields are exposed as part of the alerts API and how they map to Microsoft Defender Security Center.
+Understand what data fields are exposed as part of the detections API and how they map to Microsoft Defender Security Center.
-## Alert API fields and portal mapping
-The following table lists the available fields exposed in the alerts API payload. It shows examples for the populated values and a reference on how data is reflected on the portal.
+>[!Note]
+>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
+>- **Microsoft Defender ATP Detection** is composed from the suspicious event occurred on the Machine and its related **Alert** details.
+
+## Detections API fields and portal mapping
+The following table lists the available fields exposed in the detections API payload. It shows examples for the populated values and a reference on how data is reflected on the portal.
 The ArcSight field column contains the default mapping between the Microsoft Defender ATP fields and the built-in fields in ArcSight. You can download the mapping file from the portal when you enable the SIEM integration feature and you can modify it to match the needs of your organization.
For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md). 
@@ -39,33 +42,33 @@ Field numbers match the numbers in the images below.
 >
 > | Portal label | SIEM field name | ArcSight field | Example value | Description |
 > |------------------|---------------------------|---------------------|------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-> | 1 | AlertTitle | name | Windows Defender AV detected 'Mikatz' high-severity malware | Value available for every alert. |
-> | 2 | Severity | deviceSeverity | High | Value available for every alert. |
-> | 3 | Category | deviceEventCategory | Malware | Value available for every alert. |
-> | 4 | Detection source | sourceServiceName | Antivirus | Windows Defender Antivirus or Microsoft Defender ATP. Value available for every alert. |
-> | 5 | MachineName | sourceHostName | desktop-4a5ngd6 | Value available for every alert. |
-> | 6 | FileName | fileName | Robocopy.exe | Available for alerts associated with a file or process. |
-> | 7 | FilePath | filePath | C:\Windows\System32\Robocopy.exe | Available for alerts associated with a file or process. |
-> | 8 | UserDomain | sourceNtDomain | CONTOSO | The domain of the user context running the activity, available for Microsoft Defender ATP behavioral based alerts. |
-> | 9 | UserName | sourceUserName | liz.bean | The user context running the activity, available for Microsoft Defender ATP behavioral based alerts. |
-> | 10 | Sha1 | fileHash | 3da065e07b990034e9db7842167f70b63aa5329 | Available for alerts associated with a file or process. |
-> | 11 | Sha256 | deviceCustomString6 | ebf54f745dc81e1958f75e4ca91dd0ab989fc9787bb6b0bf993e2f5 | Available for Windows Defender AV alerts. |
-> | 12 | Md5 | deviceCustomString5 | db979c04a99b96d370988325bb5a8b21 | Available for Windows Defender AV alerts. |
-> | 13 | ThreatName | deviceCustomString1 | HackTool:Win32/Mikatz!dha | Available for Windows Defender AV alerts. |
-> | 14 | IpAddress | sourceAddress | 218.90.204.141 | Available for alerts associated to network events. For example, 'Communication to a malicious network destination'. |
-> | 15 | Url | requestUrl | down.esales360.cn | Available for alerts associated to network events. For example, 'Communication to a malicious network destination'. |
-> | 16 | RemediationIsSuccess | deviceCustomNumber2 | TRUE | Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE. |
-> | 17 | WasExecutingWhileDetected | deviceCustomNumber1 | FALSE | Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE. |
-> | 18 | AlertId | externalId | 636210704265059241_673569822 | Value available for every alert. |
-> | 19 | LinkToWDATP | flexString1 | `https://securitycenter.windows.com/alert/636210704265059241_673569822` | Value available for every alert. |
-> | 20 | AlertTime | deviceReceiptTime | 2017-05-07T01:56:59.3191352Z | The time the activity relevant to the alert occurred. Value available for every alert. |
-> | 21 | MachineDomain | sourceDnsDomain | contoso.com | Domain name not relevant for AAD joined machines. Value available for every alert. |
+> | 1 | AlertTitle | name | Windows Defender AV detected 'Mikatz' high-severity malware | Value available for every Detection. |
+> | 2 | Severity | deviceSeverity | High | Value available for every Detection. |
+> | 3 | Category | deviceEventCategory | Malware | Value available for every Detection. |
+> | 4 | Detection source | sourceServiceName | Antivirus | Windows Defender Antivirus or Microsoft Defender ATP. Value available for every Detection. |
+> | 5 | MachineName | sourceHostName | desktop-4a5ngd6 | Value available for every Detection. |
+> | 6 | FileName | fileName | Robocopy.exe | Available for detections associated with a file or process. |
+> | 7 | FilePath | filePath | C:\Windows\System32\Robocopy.exe | Available for detections associated with a file or process. |
+> | 8 | UserDomain | sourceNtDomain | CONTOSO | The domain of the user context running the activity, available for Microsoft Defender ATP behavioral based detections. |
+> | 9 | UserName | sourceUserName | liz.bean | The user context running the activity, available for Microsoft Defender ATP behavioral based detections. |
+> | 10 | Sha1 | fileHash | 3da065e07b990034e9db7842167f70b63aa5329 | Available for detections associated with a file or process. |
+> | 11 | Sha256 | deviceCustomString6 | ebf54f745dc81e1958f75e4ca91dd0ab989fc9787bb6b0bf993e2f5 | Available for Windows Defender AV detections. |
+> | 12 | Md5 | deviceCustomString5 | db979c04a99b96d370988325bb5a8b21 | Available for Windows Defender AV detections. |
+> | 13 | ThreatName | deviceCustomString1 | HackTool:Win32/Mikatz!dha | Available for Windows Defender AV detections. |
+> | 14 | IpAddress | sourceAddress | 218.90.204.141 | Available for detections associated to network events. For example, 'Communication to a malicious network destination'. |
+> | 15 | Url | requestUrl | down.esales360.cn | Available for detections associated to network events. For example, 'Communication to a malicious network destination'. |
+> | 16 | RemediationIsSuccess | deviceCustomNumber2 | TRUE | Available for Windows Defender AV detections. ArcSight value is 1 when TRUE and 0 when FALSE. |
+> | 17 | WasExecutingWhileDetected | deviceCustomNumber1 | FALSE | Available for Windows Defender AV detections. ArcSight value is 1 when TRUE and 0 when FALSE. |
+> | 18 | AlertId | externalId | 636210704265059241_673569822 | Value available for every Detection. |
+> | 19 | LinkToWDATP | flexString1 | `https://securitycenter.windows.com/alert/636210704265059241_673569822` | Value available for every Detection. |
+> | 20 | AlertTime | deviceReceiptTime | 2017-05-07T01:56:59.3191352Z | The time the event occurred. Value available for every Detection. |
+> | 21 | MachineDomain | sourceDnsDomain | contoso.com | Domain name not relevant for AAD joined machines. Value available for every Detection. |
 > | 22 | Actor | deviceCustomString4 | BORON | Available for alerts related to a known actor group. |
-> | 21+5 | ComputerDnsName | No mapping | liz-bean.contoso.com | The machine fully qualified domain name. Value available for every alert. |
+> | 21+5 | ComputerDnsName | No mapping | liz-bean.contoso.com | The machine fully qualified domain name. Value available for every Detection. |
 > | | LogOnUsers | sourceUserId | contoso\liz-bean; contoso\jay-hardee | The domain and user of the interactive logon user/s at the time of the event. Note: For machines on Windows 10 version 1607, the domain information will not be available. |
 > | | InternalIPv4List | No mapping | 192.168.1.7, 10.1.14.1 | List of IPV4 internal IPs for active network interfaces. |
 > | | InternalIPv6List | No mapping | fd30:0000:0000:0001:ff4e:003e:0009:000e, FE80:CD00:0000:0CDE:1257:0000:211E:729C | List of IPV6 internal IPs for active network interfaces. |
-> | Internal field | LastProcessedTimeUtc | No mapping | 2017-05-07T01:56:58.9936648Z | Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that alerts are retrieved. |
+> | Internal field | LastProcessedTimeUtc | No mapping | 2017-05-07T01:56:58.9936648Z | Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that detections are retrieved. |
 > | | Not part of the schema | deviceVendor | | Static value in the ArcSight mapping - 'Microsoft'. |
 > | | Not part of the schema | deviceProduct | | Static value in the ArcSight mapping - 'Microsoft Defender ATP'. |
 > | | Not part of the schema | deviceVersion | | Static value in the ArcSight mapping - '2.0', used to identify the mapping versions.
@@ -88,7 +91,7 @@ Field numbers match the numbers in the images below.
 ## Related topics
 - [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
-- [Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk.md)
-- [Configure ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight.md)
-- [Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api.md)
+- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)
+- [Configure ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
+- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md)
 - [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md
index 3fd9f905d0..84db47e022 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md
@@ -22,7 +22,7 @@ ms.topic: conceptual
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
 Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Microsoft Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md b/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md
index f7afee3646..0924219800 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md
@@ -25,7 +25,7 @@ ms.date: 11/28/2018
 - Office 365
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
 Microsoft Defender ATP supports two ways to manage permissions:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md b/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md
index ad94b7494d..f39d0ddd2f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md
@@ -24,7 +24,7 @@ ms.date: 11/20/2018
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-attacksimulations-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-attacksimulations-abovefoldlink)
 >[!TIP]
 >- Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Microsoft Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
@@ -58,7 +58,7 @@ Read the walkthrough document provided with each attack scenario. Each document
 > Simulation files or scripts mimic attack activity but are actually benign and will not harm or compromise the test machine.
 >
 >
-> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-attacksimulations-belowfoldlink)
+> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-attacksimulations-belowfoldlink)
 ## Related topics
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md
similarity index 100%
rename from windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md
rename to windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
similarity index 80%
rename from windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
rename to windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
index d4108e91a2..311f6803b0 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 05/07/2019
@@ -16,32 +17,28 @@ ms.reviewer:
 manager: dansimp
 ---
-# Reduce attack surfaces with attack surface reduction rules
+# Reduce attack surfaces with attack surface reduction rules
 **Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+> [!IMPORTANT]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
->[!IMPORTANT]
->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
-
-Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, or Windows Server 2019.
-
+Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, or Windows Server 2019.
 To use attack surface reduction rules, you need a Windows 10 Enterprise license. If you have a Windows E5 license, it gives you the advanced management capabilities to power them.
These include monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the Microsoft 365 Security Center. These advanced capabilities aren't available with an E3 license or with Windows 10 Enterprise without subscription, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment.
-
 Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers, including:
-- Executable files and scripts used in Office apps or web mail that attempt to download or run files
-- Obfuscated or otherwise suspicious scripts
-- Behaviors that apps don't usually initiate during normal day-to-day work
+* Executable files and scripts used in Office apps or web mail that attempt to download or run files
+* Obfuscated or otherwise suspicious scripts
+* Behaviors that apps don't usually initiate during normal day-to-day work
-You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and [adding exclusions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity.
+You can use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled.
It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks similar to malware. By monitoring audit data and [adding exclusions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity.
-Triggered rules display a notification on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays in the Microsoft Defender Security Center and in the Microsoft 365 securty center.
+Triggered rules display a notification on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays in the Microsoft Defender Security Center and in the Microsoft 365 securty center.
 For information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
@@ -49,11 +46,11 @@ For information about configuring attack surface reduction rules, see [Enable at
 Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios.
-You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how controlled folder access settings could affect your environment.
+You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to see how controlled folder access settings could affect your environment.
-Here is an example query:
+Here is an example query:
-```
+```PowerShell
 MiscEvents | where ActionType startswith 'Asr'
 ```
@@ -62,13 +59,13 @@ MiscEvents
 You can review the Windows event log to view events that are created when attack surface reduction rules fire:
-1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine.
+1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine.
 2. Type **Event Viewer** in the Start menu to open the Windows Event Viewer.
 3. Click **Import custom view...** on the left panel, under **Actions**.
-
-4. Select the file *cfa-events.xml* from where it was extracted. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
+
+4. Select the file *cfa-events.xml* from where it was extracted. Alternatively, [copy the XML directly](event-views.md).
 5. Click **OK**.
@@ -82,13 +79,12 @@ Event ID | Description
 The "engine version" of attack surface reduction events in the event log, is generated by Microsoft Defender ATP, not the operating system. Microsoft Defender ATP is integrated with Windows 10, so this feature works on all machines with Windows 10 installed.
-
 ## Attack surface reduction rules
 The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy or PowerShell. If you use System Center Configuration Manager or Microsoft Intune, you do not need the GUIDs:
-Rule name | GUID | File & folder exclusions
--|-|-
+ Rule name | GUID | File & folder exclusions
+-----------|------|--------------------------
 Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Supported
 Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Supported
 Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 | Supported
@@ -111,8 +107,8 @@ Each rule description indicates which apps or file types the rule applies to. In
 This rule blocks the following file types from launching from email in Microsoft Outlook or Outlook.com and other popular webmail providers:
-- Executable files (such as .exe, .dll, or .scr)
-- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
+* Executable files (such as .exe, .dll, or .scr)
+* Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
 This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
@@ -138,7 +134,7 @@ GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
 ### Block Office applications from creating executable content
-This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating executable content.
+This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating executable content.
 This rule targets a typical behavior where malware uses Office as a vector to break out of Office and save malicious components to disk, where they persist and survive a computer reboot. This rule prevents malicious code from being written to disk.
@@ -154,7 +150,7 @@ GUID: 3B576869-A4EC-4529-8536-B80A7769E899
 Attackers might attempt to use Office apps to migrate malicious code into other processes through code injection, so the code can masquerade as a clean process. This rule blocks code injection attempts from Office apps into other processes. There are no known legitimate business purposes for using code injection.
-This rule applies to Word, Excel, and PowerPoint.
+This rule applies to Word, Excel, and PowerPoint.
 This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
@@ -166,12 +162,12 @@ GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
 ### Block JavaScript or VBScript from launching downloaded executable content
-Malware often uses JavaScript and VBScript scripts to launch other malicious apps.
+Malware often uses JavaScript and VBScript scripts to launch other malicious apps.
-Malware written in JavaScript or VBS often acts as a downloader to fetch and launch additional native payload from the Internet. This rule prevents scripts from launching downloaded content, helping to prevent malicious use of the scripts to spread malware and infect machines. This isn't a common line-of-business use, but line-of-business applications sometimes use scripts to download and launch installers.
+Malware written in JavaScript or VBS often acts as a downloader to fetch and launch additional native payload from the Internet. This rule prevents scripts from launching downloaded content, helping to prevent malicious use of the scripts to spread malware and infect machines. This isn't a common line-of-business use, but line-of-business applications sometimes use scripts to download and launch installers.
->[!IMPORTANT]
->File and folder exclusions don't apply to this attack surface reduction rule.
+> [!IMPORTANT]
+> File and folder exclusions don't apply to this attack surface reduction rule.
 This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
@@ -206,16 +202,16 @@ SCCM name: Block Win32 API calls from Office macros
 GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
 ### Block executable files from running unless they meet a prevalence, age, or trusted list criterion
-
+
 This rule blocks the following file types from launching unless they either meet prevalence or age criteria, or they're in a trusted list or exclusion list:
-
-- Executable files (such as .exe, .dll, or .scr)
->[!NOTE]
->You must [enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
+* Executable files (such as .exe, .dll, or .scr)
->[!IMPORTANT]
->The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly.
+> [!NOTE]
+> You must [enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
+
+> [!IMPORTANT]
+> The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly.
 >
 >You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to.
@@ -226,13 +222,13 @@ Intune name: Executables that don't meet a prevalence, age, or trusted list crit
 SCCM name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
 GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25
-
+
 ### Use advanced protection against ransomware
-
+
 This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or exclusion list.
->[!NOTE]
->You must [enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
+> [!NOTE]
+> You must [enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
 This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802
@@ -241,14 +237,14 @@ Intune name: Advanced ransomware protection
 SCCM name: Use advanced protection against ransomware
 GUID: c1db55ab-c21a-4637-bb3f-a12568109d35
-
+
 ### Block credential stealing from the Windows local security authority subsystem (lsass.exe)
-
+
 Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS.
- >[!NOTE]
- >In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.
-
+> [!NOTE]
+> In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.
+
 This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802
 Intune name: Flag credential stealing from the Windows local security authority subsystem
@@ -261,11 +257,11 @@ GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
 This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks.
->[!IMPORTANT]
->File and folder exclusions do not apply to this attack surface reduction rule.
+> [!IMPORTANT]
+> File and folder exclusions do not apply to this attack surface reduction rule.
->[!WARNING]
->Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands the SCCM client uses to function correctly.
+> [!WARNING]
+> Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands the SCCM client uses to function correctly.
 This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019
@@ -274,13 +270,13 @@ Intune name: Process creation from PSExec and WMI commands
 SCCM name: Not applicable
 GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c
-
+
 ### Block untrusted and unsigned processes that run from USB
-
+
 With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include:
-
-- Executable files (such as .exe, .dll, or .scr)
-- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
+
+* Executable files (such as .exe, .dll, or .scr)
+* Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
 This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802
@@ -294,8 +290,8 @@ GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
 This rule prevents Outlook from creating child processes. It protects against social engineering attacks and prevents exploit code from abusing a vulnerability in Outlook. To achieve this, the rule prevents the launch of additional payload while still allowing legitimate Outlook functions. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised.
->[!NOTE]
->This rule applies to Outlook and Outlook.com only.
+> [!NOTE]
+> This rule applies to Outlook and Outlook.com only.
 This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Server 2019
@@ -307,7 +303,7 @@ GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869
 ### Block Adobe Reader from creating child processes
-Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. This rule prevents attacks like this by blocking Adobe Reader from creating additional processes.
+Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. This rule prevents attacks like this by blocking Adobe Reader from creating additional processes.
 This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Server 2019
@@ -319,7 +315,7 @@ GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
 ### Block persistence through WMI event subscription
-Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden. With this rule, admins can prevent threats that abuse WMI to persist and stay hidden in WMI repository.
+Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden. With this rule, admins can prevent threats that abuse WMI to persist and stay hidden in WMI repository.
 This rule was introduced in: Windows 10 1903, Windows Server 1903
@@ -331,7 +327,6 @@ GUID: e6db77e5-3df2-4cf1-b95a-636979351e5b
 ## Related topics
-- [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
-- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
-- [Compatibility of Microsoft Defender with other antivirus/antimalware](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility)
-
+* [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
+* [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
+* [Compatibility of Microsoft Defender with other antivirus/antimalware](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md b/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md
similarity index 65%
rename from windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md
rename to windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md
index dd9c960c79..cb5f42efe4 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 04/02/2019
@@ -16,12 +17,11 @@ ms.reviewer:
 manager: dansimp
 ---
-
-# Use audit mode
+# Use audit mode
 **Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 You can enable attack surface reduction rules, exploit protection, network protection, and controlled folder access in audit mode. This lets you see a record of what *would* have happened if you had enabled the feature.
@@ -33,25 +33,23 @@ To find the audited entries, go to **Applications and Services** > **Microsoft**
 You can use Windows Defender Advanced Threat Protection to get greater details for each event, especially for investigating attack surface reduction rules. Using the Microsoft Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
-This topic provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer.
+This topic provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer.
 You can use Group Policy, PowerShell, and configuration service providers (CSPs) to enable audit mode.
 >[!TIP]
 >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work.
-
-|Audit options | How to enable audit mode | How to view events |
-|- | - | - |
-|Audit applies to all events | [Enable controlled folder access](enable-controlled-folders-exploit-guard.md) | [Controlled folder access events](evaluate-controlled-folder-access.md#review-controlled-folder-access-events-in-windows-event-viewer) |
-|Audit applies to individual rules | [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | [Attack surface reduction rule events](evaluate-attack-surface-reduction.md#review-attack-surface-reduction-events-in-windows-event-viewer) |
-|Audit applies to all events | [Enable network protection](enable-network-protection.md) | [Network protection events](evaluate-network-protection.md#review-network-protection-events-in-windows-event-viewer) |
-|Audit applies to individual mitigations | [Enable exploit protection](enable-exploit-protection.md) | [Exploit protection events](exploit-protection-exploit-guard.md#review-exploit-protection-events-in-windows-event-viewer) |
-
+ Audit options | How to enable audit mode | How to view events
+-|-|-
+Audit applies to all events | [Enable controlled folder access](enable-controlled-folders.md) | [Controlled folder access events](evaluate-controlled-folder-access.md#review-controlled-folder-access-events-in-windows-event-viewer)
+Audit applies to individual rules | [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | [Attack surface reduction rule events](evaluate-attack-surface-reduction.md#review-attack-surface-reduction-events-in-windows-event-viewer)
+Audit applies to all events | [Enable network protection](enable-network-protection.md) | [Network protection events](evaluate-network-protection.md#review-network-protection-events-in-windows-event-viewer)
+|Audit applies to individual mitigations | [Enable exploit protection](enable-exploit-protection.md) | [Exploit protection
events](exploit-protection.md#review-exploit-protection-events-in-windows-event-viewer)
 ## Related topics
-- [Protect devices from exploits](exploit-protection-exploit-guard.md)
-- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md)
-- [Protect your network](network-protection-exploit-guard.md)
-- [Protect important folders](controlled-folders-exploit-guard.md)
+* [Protect devices from exploits](exploit-protection.md)
+* [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md)
+* [Protect your network](network-protection.md)
+* [Protect important folders](controlled-folders.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
index 7e77ed48e3..89c574f14d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
@@ -19,7 +19,7 @@ ms.topic: conceptual
 # Overview of Automated investigations
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink)
 The Microsoft Defender ATP service has a wide breadth of visibility on multiple machines. With this kind of optics, the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical security operations team to individually address.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md
index 861f47388c..6cad0006a9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md
@@ -23,7 +23,7 @@ ms.topic: article
 - Azure Active Directory
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-basicaccess-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-basicaccess-abovefoldlink)
 Refer to the instructions below to use basic permissions management.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md b/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md
index 8057947dc2..6fcd846c60 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md
@@ -23,7 +23,7 @@ ms.date: 04/24/2018 **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-checksensor-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-checksensor-abovefoldlink) The sensor health tile is found on the Security Operations dashboard. This tile provides information on the individual machine’s ability to provide sensor data and communicate with the Microsoft Defender ATP service. It reports how many machines require attention and helps you identify problematic machines and take action to correct known issues. diff --git a/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md b/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md index 396e2730fb..eb36f604f9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md @@ -24,7 +24,7 @@ ms.topic: article ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-conditionalaccess-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-conditionalaccess-abovefoldlink) Conditional Access is a capability that helps you better protect your users and enterprise information by making sure that only secure devices have access to applications. 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md index 22c9359f44..65f1d888f8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md @@ -1,6 +1,6 @@ --- -title: Configure HP ArcSight to pull Microsoft Defender ATP alerts -description: Configure HP ArcSight to receive and pull alerts from Microsoft Defender Security Center +title: Configure HP ArcSight to pull Microsoft Defender ATP detections +description: Configure HP ArcSight to receive and pull detections from Microsoft Defender Security Center keywords: configure hp arcsight, security information and events management tools, arcsight search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -15,10 +15,9 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/20/2018 --- -# Configure HP ArcSight to pull Microsoft Defender ATP alerts +# Configure HP ArcSight to pull Microsoft Defender ATP detections **Applies to:** 
@@ -27,12 +26,16 @@ ms.date: 12/20/2018 ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configurearcsight-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configurearcsight-abovefoldlink) -You'll need to install and configure some files and tools to use HP ArcSight so that it can pull Microsoft Defender ATP alerts. +You'll need to install and configure some files and tools to use HP ArcSight so that it can pull Microsoft Defender ATP detections. + +>[!Note] +>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections +>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details. ## Before you begin -Configuring the HP ArcSight Connector tool requires several configuration files for it to pull and parse alerts from your Azure Active Directory (AAD) application. +Configuring the HP ArcSight Connector tool requires several configuration files for it to pull and parse detections from your Azure Active Directory (AAD) application. This section guides you in getting the necessary information to set and use the required configuration files correctly. @@ -163,7 +166,7 @@ The following steps assume that you have completed all the required steps in [Be You can now run queries in the HP ArcSight console. -Microsoft Defender ATP alerts will appear as discrete events, with "Microsoft” as the vendor and “Windows Defender ATP” as the device name. +Microsoft Defender ATP detections will appear as discrete events, with "Microsoft” as the vendor and “Windows Defender ATP” as the device name. ## Troubleshooting HP ArcSight connection 
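Review bot: The two bullets added inside the new `>[!Note]` block in the configure-arcsight hunk use "composed from" where "composed of" is meant, and the second bullet is missing its relative pronoun ("the suspicious event occurred on the Machine"). Suggested wording: `>- A [Microsoft Defender ATP alert](alerts.md) is composed of one or more detections` and `>- A [Microsoft Defender ATP detection](api-portal-mapping.md) is composed of the suspicious event that occurred on the machine and its related alert details.` Since the whole page is being reworded from "alerts" to "detections", this note is the one place a reader learns the difference, so it is worth getting the two definitions crisp.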
@@ -187,6 +190,6 @@ Microsoft Defender ATP alerts will appear as discrete events, with "Microsoft” ## Related topics - [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) -- [Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk.md) -- [Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api.md) +- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md) +- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md) - [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md index 706f90cf75..d0dfe6add3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md @@ -1,8 +1,7 @@ --- -title: -ms.reviewer: -description: -keywords: +title: Configure attack surface reduction +description: Configure attack surface reduction +keywords: asr, attack surface reduction, windows defender, microsoft defender, antivirus, av search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 
@@ -23,22 +22,21 @@ ms.date: 07/01/2018 You can configure attack surface reduction with a number of tools, including: -- Microsoft Intune -- System Center Configuration Manager -- Group Policy -- PowerShell cmdlets - +* Microsoft Intune +* System Center Configuration Manager +* Group Policy +* PowerShell cmdlets The topics in this section describe how to configure attack surface reduction. Each topic includes instructions for the applicable configuration tool (or tools). ## In this section + Topic | Description -:---|:--- +-|- [Enable hardware-based isolation for Microsoft Edge](../windows-defender-application-guard/install-wd-app-guard.md) | How to preprare for and install Application Guard, including hardware and softeware requirements [Enable application control](../windows-defender-application-control/windows-defender-application-control.md)|How to control applications run by users and potect kernel mode processes -[Exploit protection](../windows-defender-exploit-guard/enable-exploit-protection.md)|How to automatically apply exploit mitigation techniques on both operating system processes and on individual apps -[Network protection](../windows-defender-exploit-guard/enable-network-protection.md)|How to prevent users from using any apps to acces dangerous domains -[Controlled folder access](../windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md)|How to protect valuable data from malicious apps -[Attack surface reduction](../windows-defender-exploit-guard/enable-attack-surface-reduction.md)|How to prevent actions and apps that are typically used for by exploit-seeking malware +[Exploit protection](./enable-exploit-protection.md)|How to automatically apply exploit mitigation techniques on both operating system processes and on individual apps +[Network protection](./enable-network-protection.md)|How to prevent users from using any apps to acces dangerous domains +[Controlled folder access](./enable-controlled-folders.md)|How to protect 
valuable data from malicious apps +[Attack surface reduction](./enable-attack-surface-reduction.md)|How to prevent actions and apps that are typically used for by exploit-seeking malware [Network firewall](../windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)|How to protect devices and data across a network - diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md b/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md index 3c3fa5ffff..97cc98af49 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md @@ -104,4 +104,4 @@ Take the following steps to enable Conditional Access: For more information, see [Enable Microsoft Defender ATP with Conditional Access in Intune](https://docs.microsoft.com/intune/advanced-threat-protection). ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-conditionalaccess-belowfoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-conditionalaccess-belowfoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md index a381b9ef5a..e0e025ebc9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md 
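Review bot: The rewritten table rows in the configure-attack-surface-reduction hunk carry over two typos from the lines they replace: `acces` in the Network protection row and `used for by` in the Attack surface reduction row. Since these rows are being retouched for the new relative links anyway, they should read `[Network protection](./enable-network-protection.md)|How to prevent users from using any apps to access dangerous domains` and `[Attack surface reduction](./enable-attack-surface-reduction.md)|How to prevent actions and apps that are typically used by exploit-seeking malware`. The unchanged context rows above also contain `preprare`, `softeware` and `potect`, but those lines are outside this change.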
@@ -23,7 +23,7 @@ ms.topic: article - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-emailconfig-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-emailconfig-abovefoldlink) You can configure Microsoft Defender ATP to send email notifications to specified recipients for new alerts. This feature enables you to identify a group of individuals who will immediately be informed and can act on alerts based on their severity. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md index 5e84c75371..ca40875aab 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md @@ -29,7 +29,7 @@ ms.date: 04/24/2018 ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsgp-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsgp-abovefoldlink) > [!NOTE] diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md index 88aa16e2cf..9710f0d825 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md 
@@ -25,7 +25,7 @@ ms.date: 12/06/2018 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsmdm-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsmdm-abovefoldlink) You can use mobile device management (MDM) solutions to configure machines. Microsoft Defender ATP supports MDMs by providing OMA-URIs to create policies to manage machines. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md index 8be4bddd06..b5ebde69de 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md @@ -24,7 +24,7 @@ ms.topic: article - Linux - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-nonwindows-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-nonwindows-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md index f1e4b4412d..ab167bc4fd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md @@ -28,7 +28,7 @@ ms.date: 12/11/2018 ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointssccm-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointssccm-abovefoldlink) ## Onboard Windows 10 machines using System Center Configuration Manager (current branch) version 1606 @@ -36,6 +36,8 @@ System Center Configuration Manager (SCCM) (current branch) version 1606, has UI >[!NOTE] > If you’re using SCCM client version 1606 with server version 1610 or above, you must upgrade the client version to match the server version. +> Starting with version 1606 of Configuration Manager, see [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/sccm/protect/deploy-use/windows-defender-advanced-threat-protection) for ATP configuration. + ## Onboard Windows 10 machines using System Center Configuration Manager earlier versions diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md index d326a4194b..6c658e6d81 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md 
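Review bot: The line added to the `>[!NOTE]` block in configure-endpoints-sccm.md (hunk @@ -36,6 +36,8 @@) is a plain `>` continuation of the previous quoted sentence, so in rendered Markdown it runs into "…you must upgrade the client version to match the server version." as one paragraph even though it is a separate pointer to the Configuration Manager docs. Put an empty quote line between them, `>` on its own, or make it a second `>[!NOTE]` so the two statements render distinctly. "Starting with version 1606" is also redundant under a heading already scoped to version 1606; `> For the Configuration Manager side of the setup, see [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/sccm/protect/deploy-use/windows-defender-advanced-threat-protection).` reads more clearly.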
@@ -27,7 +27,7 @@ ms.topic: article ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink) You can also manually onboard individual machines to Microsoft Defender ATP. You might want to do this first when testing the service before you commit to onboarding all machines in your network. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md index 9bcaf00305..19a1f29ebd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md @@ -25,7 +25,7 @@ ms.date: 04/24/2018 ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configvdi-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configvdi-abovefoldlink) ## Onboard non-persistent virtual desktop infrastructure (VDI) machines diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md index 3387e07476..f7fccc3f2b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md 
@@ -45,4 +45,4 @@ Topic | Description [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi.md) | Learn how to use the configuration package to configure VDI machines. ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpoints-belowfoldlink) \ No newline at end of file +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpoints-belowfoldlink) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md index 785daef982..69c4df40de 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md 
@@ -20,34 +20,36 @@ ms.topic: article # Optimize ASR rule deployment and detections **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[Attack surface reduction (ASR) rules](../windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md) identify and prevent actions that are typically taken by malware during exploitation. These rules control when and how potentially malicious code can run. For example, you can prevent JavaScript or VBScript from launching a downloaded executable, block Win32 API calls from Office macros, or block processes that run from USB drives. +> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) + +[Attack surface reduction (ASR) rules](./attack-surface-reduction.md) identify and prevent actions that are typically taken by malware during exploitation. These rules control when and how potentially malicious code can run. For example, you can prevent JavaScript or VBScript from launching a downloaded executable, block Win32 API calls from Office macros, or block processes that run from USB drives. ![Attack surface management card](images/secconmgmt_asr_card.png)
    *Attack surface management card* The **Attack surface management** card is an entry point to tools in Microsoft 365 security center that you can use to: -- Understand how ASR rules are currently deployed in your organization -- Review ASR detections and identify possible incorrect detections -- Analyze the impact of exclusions and generate the list of file paths to exclude +* Understand how ASR rules are currently deployed in your organization +* Review ASR detections and identify possible incorrect detections +* Analyze the impact of exclusions and generate the list of file paths to exclude Selecting **Go to attack surface management** takes you to **Monitoring & reports > Attack surface reduction rules > Add exclusions**. From there, you can navigate to other sections of Microsoft 365 security center. ![Add exclusions tab in the Attack surface reduction rules page in Microsoft 365 security center](images/secconmgmt_asr_m365exlusions.png)
    *Add exclusions tab in the Attack surface reduction rules page in Microsoft 365 security center* ->[!NOTE] ->To access Microsoft 365 security center, you need a Microsoft 365 E3 or E5 license and an account that has certain roles on Azure Active Directory. [Read more about required licenses and permissions](https://docs.microsoft.com/office365/securitycompliance/microsoft-security-and-compliance#required-licenses-and-permissions) +> [!NOTE] +> To access Microsoft 365 security center, you need a Microsoft 365 E3 or E5 license and an account that has certain roles on Azure Active Directory. [Read more about required licenses and permissions](https://docs.microsoft.com/office365/securitycompliance/microsoft-security-and-compliance#required-licenses-and-permissions) -For more information about optimizing ASR rule deployment in Microsoft 365 security center, read [Monitor and manage ASR rule deployment and detections](https://docs.microsoft.com/office365/securitycompliance/monitor-devices#monitor-and-manage-asr-rule-deployment-and-detections) +For more information about optimizing ASR rule deployment in Microsoft 365 security center, read [Monitor and manage ASR rule deployment and detections](https://docs.microsoft.com/office365/securitycompliance/monitor-devices#monitor-and-manage-asr-rule-deployment-and-detections) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) +> Want to experience Microsoft Defender ATP? 
[Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) # Related topics -- [Ensure your machines are configured properly](configure-machines.md) -- [Get machines onboarded to Microsoft Defender ATP](configure-machines-onboarding.md) -- [Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md) \ No newline at end of file + +* [Ensure your machines are configured properly](configure-machines.md) +* [Get machines onboarded to Microsoft Defender ATP](configure-machines-onboarding.md) +* [Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md index 4640790859..931aeaa4a4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md 
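Review bot: The rewritten sign-up lines in configure-machines-asr.md (both the above-fold and the below-fold link in hunk @@ -20,34 +20,36 @@) still carry the `/en-us/` locale segment in the URL, while every other file in this commit is changed precisely to drop it (for example `https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink`). The same thing happens in the configure-proxy-internet.md hunk at @@ -17,15 +17,13 @@, which reformats the line but keeps `https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink`. Since these lines are being touched, normalizing them to the locale-free form keeps the tracked links consistent across the doc set. The proxy-internet line also reuses the `configureendpointsscript` ocid value rather than one specific to that page, which looks like a copy-over, but I can't confirm the intended value from the hunk alone.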
@@ -22,7 +22,7 @@ ms.topic: article **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) Each onboarded machine adds an additional endpoint detection and response (EDR) sensor and increases visibility over breach activity in your network. Onboarding also ensures that a machine can be checked for vulnerable components as well security configuration issues and can receive critical remediation actions during attacks. @@ -69,7 +69,7 @@ From the overview, create a configuration profile specifically for the deploymen >[!TIP] >To learn more about Intune profiles, read about [assigning user and device profiles](https://docs.microsoft.com/intune/device-profile-assign). ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) # Related topics - [Ensure your machines are configured properly](configure-machines.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md index 5c04c5d86d..90713b48a1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md @@ -22,7 +22,7 @@ ms.topic: article **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) Security baselines ensure that security features are configured according to guidance from both security experts and expert Windows system administrators. When deployed, the Microsoft Defender ATP security baseline sets Microsoft Defender ATP security controls to provide optimal protection. @@ -95,7 +95,7 @@ Machine configuration management monitors baseline compliance only of Windows 10 >[!TIP] >Security baselines on Intune provide a convenient way to comprehensively secure and protect your machines. [Learn more about security baselines on Intune](https://docs.microsoft.com/intune/security-baselines). ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) # Related topics - [Ensure your machines are configured properly](configure-machines.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md index 11f16e8b9f..3c6d45957a 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md @@ -22,7 +22,7 @@ ms.topic: conceptual **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) With properly configured machines, you can boost overall resilience against threats and enhance your capability to detect and respond to attacks. Security configuration management helps ensure that your machines: @@ -76,4 +76,4 @@ Topic | Description [Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md) | Track baseline compliance and noncompliance. Deploy the security baseline to more Intune-managed machines. [Optimize ASR rule deployment and detections](configure-machines-asr.md) | Review rule deployment and tweak detections using impact analysis tools in Microsoft 365 security center. ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) \ No newline at end of file +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) \ No newline at end of file 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md index 406b15ff97..7738dedb9f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md @@ -26,7 +26,7 @@ ms.date: 09/03/2018 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mssp-support-abovefoldlink) +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-mssp-support-abovefoldlink) [!include[Prerelease information](prerelease.md)] diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md index 71cc754e25..3ba4e51fda 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md 
@@ -17,15 +17,13 @@ ms.collection: M365-security-compliance ms.topic: article --- - # Configure machine proxy and Internet connectivity settings **Applies to:** + - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - - ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink) +> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink) The Microsoft Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender ATP service. 
@@ -43,20 +41,19 @@ The WinHTTP configuration setting is independent of the Windows Internet (WinINe > [!NOTE] > If you're using Transparent proxy or WPAD in your network topology, you don't need special configuration settings. For more information on Microsoft Defender ATP URL exclusions in the proxy, see [Enable access to Microsoft Defender ATP service URLs in the proxy server](#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). - - Manual static proxy configuration: - Registry based configuration - WinHTTP configured using netsh command – Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy) - - ## Configure the proxy server manually using a registry-based static proxy + Configure a registry-based static proxy to allow only Microsoft Defender ATP sensor to report diagnostic data and communicate with Microsoft Defender ATP services if a computer is not be permitted to connect to the Internet. -The static proxy is configurable through Group Policy (GP). The group policy can be found under: +The static proxy is configurable through Group Policy (GP). The group policy can be found under: + - Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service - - Set it to **Enabled** and select **Disable Authenticated Proxy usage**: - ![Image of Group Policy setting](images/atp-gpo-proxy1.png) + - Set it to **Enabled** and select **Disable Authenticated Proxy usage**: + ![Image of Group Policy setting](images/atp-gpo-proxy1.png) - **Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry**: - Configure the proxy:
    ![Image of Group Policy setting](images/atp-gpo-proxy2.png) @@ -68,6 +65,7 @@ The static proxy is configurable through Group Policy (GP). The group policy can ```text : ``` + For example: 10.0.0.6:8080 The registry value `DisableEnterpriseAuthProxy` should be set to 1. @@ -87,35 +85,39 @@ Use netsh to configure a system-wide static proxy. b. Right-click **Command prompt** and select **Run as administrator**. 2. Enter the following command and press **Enter**: - ``` + + ```PowerShell netsh winhttp set proxy : ``` + For example: netsh winhttp set proxy 10.0.0.6:8080 To reset the winhttp proxy, enter the following command and press **Enter** -``` + +```PowerShell netsh winhttp reset proxy ``` + See [Netsh Command Syntax, Contexts, and Formatting](https://docs.microsoft.com/windows-server/networking/technologies/netsh/netsh-contexts) to learn more. ## Enable access to Microsoft Defender ATP service URLs in the proxy server + If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are not blocked by default. Do not disable security monitoring or inspection of these URLs, but allow them as you would other internet traffic. They permit communication with Microsoft Defender ATP service in port 80 and 443: ->[!NOTE] -> URLs that include v20 in them are only needed if you have Windows 10, version 1803 or later machines. For example, ```us-v20.events.data.microsoft.com``` is only needed if the machine is on Windows 10, version 1803 or later. +> [!NOTE] +> URLs that include v20 in them are only needed if you have Windows 10, version 1803 or later machines. For example, ```us-v20.events.data.microsoft.com``` is only needed if the machine is on Windows 10, version 1803 or later. -Service location | Microsoft.com DNS record -:---|:--- + Service location | Microsoft.com DNS record +-|- Common URLs for all locations | ```*.blob.core.windows.net```
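Review bot: The new sentence under the registry-based static proxy heading keeps the ungrammatical `if a computer is not be permitted to connect to the Internet`; since the line is already touched, change it to `Configure a registry-based static proxy to allow only the Microsoft Defender ATP sensor to report diagnostic data and communicate with Microsoft Defender ATP services if a computer is not permitted to connect to the Internet.` The re-indented Group Policy sub-bullets look intentional, but the nesting of `Set it to **Enabled** and select **Disable Authenticated Proxy usage**:` under the first setting is only inferable from whitespace here, so worth checking in the rendered page.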
    ```crl.microsoft.com```
    ```ctldl.windowsupdate.com```
    ```events.data.microsoft.com```
    ```notify.windows.com``` European Union | ```eu.vortex-win.data.microsoft.com```
    ```eu-v20.events.data.microsoft.com```
    ```winatp-gw-neu.microsoft.com```
    ```winatp-gw-weu.microsoft.com``` United Kingdom | ```uk.vortex-win.data.microsoft.com```
    ```uk-v20.events.data.microsoft.com```
    ```winatp-gw-uks.microsoft.com```
    ```winatp-gw-ukw.microsoft.com``` United States | ```us.vortex-win.data.microsoft.com```
    ```us-v20.events.data.microsoft.com```
    ```winatp-gw-cus.microsoft.com```
    ```winatp-gw-eus.microsoft.com``` - - If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the previously listed URLs. -## Microsoft Defender ATP service backend IP range +## Microsoft Defender ATP service backend IP range + If you network devices don't support the URLs white-listed in the prior section, you can use the following information. Microsoft Defender ATP is built on Azure cloud, deployed in the following regions: @@ -128,13 +130,11 @@ Microsoft Defender ATP is built on Azure cloud, deployed in the following region - \+\ - \+\ - You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https://www.microsoft.com/en-us/download/details.aspx?id=41653). ->[!NOTE] +> [!NOTE] > As a cloud-based solution, the IP range can change. It's recommended you move to DNS resolving setting. - ## Verify client connectivity to Microsoft Defender ATP service URLs Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender ATP service URLs. @@ -151,11 +151,13 @@ Verify the proxy configuration completed successfully, that WinHTTP can discover 4. Enter the following command and press **Enter**: - ``` + ```PowerShell HardDrivePath\WDATPConnectivityAnalyzer.cmd ``` + Replace *HardDrivePath* with the path where the WDATPConnectivityAnalyzer tool was downloaded to, for example - ``` + + ```PowerShell C:\Work\tools\WDATPConnectivityAnalyzer\WDATPConnectivityAnalyzer.cmd ``` @@ -163,13 +165,14 @@ Verify the proxy configuration completed successfully, that WinHTTP can discover 6. Open *WDATPConnectivityAnalyzer.txt* and verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs.
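Review bot: The fences this hunk relabels with `PowerShell` wrap `netsh winhttp set proxy` and `netsh winhttp reset proxy`, which the preceding steps run from an elevated Command Prompt, so the tag misleads readers and highlighting; a shell-neutral tag such as `console`, or the `text` tag already used elsewhere in this file, fits better. The same applies to the two `PowerShell` fences around `WDATPConnectivityAnalyzer.cmd` in the @@ -151,11 +151,13 @@ hunk. One defensive caveat worth adding beside the URL table whose header this hunk reformats: `*.blob.core.windows.net` matches every Azure Storage account, not only Microsoft-operated ones, so an allow rule for it should keep the inspection the section already asks readers not to disable.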

    The tool checks the connectivity of Microsoft Defender ATP service URLs that Microsoft Defender ATP client is configured to interact with. It then prints the results into the *WDATPConnectivityAnalyzer.txt* file for each URL that can potentially be used to communicate with the Microsoft Defender ATP services. For example: + ```text Testing URL : https://xxx.microsoft.com/xxx 1 - Default proxy: Succeeded (200) 2 - Proxy auto discovery (WPAD): Succeeded (200) 3 - Proxy disabled: Succeeded (200) 4 - Named proxy: Doesn't exist - 5 - Command line proxy: Doesn't exist + 5 - Command line proxy: Doesn't exist ``` If at least one of the connectivity options returns a (200) status, then the Microsoft Defender ATP client can communicate with the tested URL properly using this connectivity method.

    @@ -177,9 +180,10 @@ If at least one of the connectivity options returns a (200) status, then the Mic However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes). You can then use the URLs in the table shown in [Enable access to Microsoft Defender ATP service URLs in the proxy server](#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). The URLs you'll use will depend on the region selected during the onboarding procedure. > [!NOTE] -> The Connectivity Analyzer tool is not compatible with ASR rule [Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules). You will need to temporarily disable this rule to run the connectivity tool. +> The Connectivity Analyzer tool is not compatible with ASR rule [Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction#attack-surface-reduction-rules). You will need to temporarily disable this rule to run the connectivity tool. > When the TelemetryProxyServer is set, in Registry or via Group Policy, Microsoft Defender ATP will fall back to direct if it can't access the defined proxy. ## Related topics + - [Onboard Windows 10 machines](configure-endpoints.md) - [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index 6b24d02ebe..0687aa77f4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md 
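Review bot: The updated ASR link still points at `windows-defender-exploit-guard/attack-surface-reduction`, but this commit moves the exploit-guard pages into `microsoft-defender-atp/` (see the controlled-folders.md and customize-attack-surface-reduction.md renames further down), so it probably needs to be `https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#attack-surface-reduction-rules`, or a relative link if that page lives in the same folder as this one, which would survive future moves. While this note is being touched, the advice ends at disabling the rule; adding `Re-enable the rule as soon as the connectivity check completes.` after `You will need to temporarily disable this rule to run the connectivity tool.` closes that gap.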
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md @@ -20,16 +20,14 @@ ms.topic: article **Applies to:** -- Windows Server 2008 R2 SP1 (pre-release) +- Windows Server 2008 R2 SP1 - Windows Server 2012 R2 - Windows Server 2016 - Windows Server, version 1803 - Windows Server, 2019 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prerelease information](prerelease.md)] - ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configserver-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configserver-abovefoldlink) Microsoft Defender ATP extends support to also include the Windows Server operating system, providing advanced attack detection and investigation capabilities, seamlessly through the Microsoft Defender Security Center console. 
@@ -66,7 +64,7 @@ You'll need to take the following steps if you choose to onboard servers through - For Windows Server 2008 R2 SP1, ensure that you fulfill the following requirements: - Install the [February monthly update rollup](https://support.microsoft.com/en-us/help/4074598/windows-7-update-kb4074598) - Install the [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/en-us/help/3080149/update-for-customer-experience-and-diagnostic-telemetry) - - Install either [.NET framework 4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework) + - Install either [.NET framework 4.5](https://www.microsoft.com/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework) - For Windows Server 2008 R2 SP1 and Windows Server 2012 R2: Configure and update System Center Endpoint Protection clients. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md index c5e8719018..351164afa3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md 
@@ -1,6 +1,6 @@ --- -title: Pull alerts to your SIEM tools from Microsoft Defender Advanced Threat Protection -description: Learn how to use REST API and configure supported security information and events management tools to receive and pull alerts. +title: Pull detections to your SIEM tools from Microsoft Defender Advanced Threat Protection +description: Learn how to use REST API and configure supported security information and events management tools to receive and pull detections. keywords: configure siem, security information and events management tools, splunk, arcsight, custom indicators, rest api, alert definitions, indicators of compromise search.product: eADQiWindows 10XVcnh search.appverid: met150 
@@ -18,16 +18,21 @@ ms.topic: article ms.date: 10/16/2017 --- -# Pull alerts to your SIEM tools +# Pull detections to your SIEM tools **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresiem-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresiem-abovefoldlink) -## Pull alerts using security information and events management (SIEM) tools -Microsoft Defender ATP supports (SIEM) tools to pull alerts. Microsoft Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull alerts from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment. +## Pull detections using security information and events management (SIEM) tools + +>[!Note] +>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections +>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details. + +Microsoft Defender ATP supports (SIEM) tools to pull detections. Microsoft Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull detections from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment. Microsoft Defender ATP currently supports the following SIEM tools: 
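Review bot: The second bullet of the new note, `is composed from the suspicious event occurred on the Machine and its related Alert details`, is ungrammatical; suggest `>- A [Microsoft Defender ATP Detection](api-portal-mapping.md) consists of a suspicious event that occurred on a machine, together with the details of its related alert.` and `is composed of one or more detections` for the first bullet. The same two bullets are duplicated verbatim in the configure-splunk.md hunk @@ -26,9 +26,13 @@, so fix both. The rewritten paragraph below the note still says `Microsoft Defender ATP exposes alerts through an HTTPS endpoint` while the surrounding text was renamed to detections, and the api-portal-mapping.md row in the @@ -56,8 +61,8 @@ hunk still says `alerts API`; settle on one term.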
@@ -39,16 +44,16 @@ To use either of these supported SIEM tools you'll need to: - [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) - Configure the supported SIEM tool: - - [Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk.md) - - [Configure HP ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight.md) + - [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md) + - [Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md) -For more information on the list of fields exposed in the alerts API see, [Microsoft Defender ATP alert API fields](api-portal-mapping.md). +For more information on the list of fields exposed in the Detection API see, [Microsoft Defender ATP Detection fields](api-portal-mapping.md). -## Pull Microsoft Defender ATP alerts using REST API -Microsoft Defender ATP supports the OAuth 2.0 protocol to pull alerts using REST API. +## Pull Microsoft Defender ATP detections using REST API +Microsoft Defender ATP supports the OAuth 2.0 protocol to pull detections using REST API. -For more information, see [Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api.md). +For more information, see [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md). ## In this section 
@@ -56,8 +61,8 @@ For more information, see [Pull Microsoft Defender ATP alerts using REST API](pu Topic | Description :---|:--- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)| Learn about enabling the SIEM integration feature in the **Settings** page in the portal so that you can use and generate the required information to configure supported SIEM tools. -[Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to pull Microsoft Defender ATP alerts. -[Configure HP ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Microsoft Defender ATP alerts. -[Microsoft Defender ATP alert API fields](api-portal-mapping.md) | Understand what data fields are exposed as part of the alerts API and how they map to Microsoft Defender Security Center. -[Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api.md) | Use the Client credentials OAuth 2.0 flow to pull alerts from Microsoft Defender ATP using REST API. +[Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)| Learn about installing the REST API Modular Input App and other configuration settings to enable Splunk to pull Microsoft Defender ATP detections. +[Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Microsoft Defender ATP detections. +[Microsoft Defender ATP Detection fields](api-portal-mapping.md) | Understand what data fields are exposed as part of the alerts API and how they map to Microsoft Defender Security Center. 
+[Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md) | Use the Client credentials OAuth 2.0 flow to pull detections from Microsoft Defender ATP using REST API. [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) | Address issues you might encounter when using the SIEM integration feature. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md b/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md index 13cf662e66..fd61b88ec1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md @@ -1,6 +1,6 @@ --- -title: Configure Splunk to pull Microsoft Defender ATP alerts -description: Configure Splunk to receive and pull alerts from Microsoft Defender Security Center. +title: Configure Splunk to pull Microsoft Defender ATP detections +description: Configure Splunk to receive and pull detections from Microsoft Defender Security Center. keywords: configure splunk, security information and events management tools, splunk search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -17,7 +17,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Configure Splunk to pull Microsoft Defender ATP alerts +# Configure Splunk to pull Microsoft Defender ATP detections **Applies to:** 
@@ -26,9 +26,13 @@ ms.topic: article ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresplunk-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresplunk-abovefoldlink) -You'll need to configure Splunk so that it can pull Microsoft Defender ATP alerts. +You'll need to configure Splunk so that it can pull Microsoft Defender ATP detections. + +>[!Note] +>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections +>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details. ## Before you begin @@ -121,8 +125,8 @@ You'll need to configure Splunk so that it can pull Microsoft Defender ATP alert After completing these configuration steps, you can go to the Splunk dashboard and run queries. -## View alerts using Splunk solution explorer -Use the solution explorer to view alerts in Splunk. +## View detections using Splunk solution explorer +Use the solution explorer to view detections in Splunk. 1. In Splunk, go to **Settings** > **Searchers, reports, and alerts**. 
@@ -141,12 +145,12 @@ Use the solution explorer to view alerts in Splunk. >[!TIP] -> To mininimize alert duplications, you can use the following query: +> To mininimize Detection duplications, you can use the following query: >```source="rest://windows atp alerts" | spath | dedup _raw | table *``` ## Related topics - [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) -- [Configure ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight.md) -- [Microsoft Defender ATP alert API fields](api-portal-mapping.md) -- [Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api.md) +- [Configure ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md) +- [Microsoft Defender ATP Detection fields](api-portal-mapping.md) +- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md) - [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md similarity index 78% rename from windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md rename to windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md index 7aa48ea40e..eb5c9b65bb 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md @@ -9,6 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium +audience: ITPro author: levinec ms.author: ellevin audience: ITPro 
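Review bot: The touched tip line still carries the typo `mininimize` and capitalises `Detection` mid-sentence; suggest `> To minimize detection duplications, you can use the following query:`. The query itself, `source="rest://windows atp alerts"`, is unchanged and still names alerts, which is correct if that is the actual Splunk source name, but worth confirming after the rename.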
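Review bot: The added `audience: ITPro` front-matter line in controlled-folders.md duplicates the `audience: ITPro` key that already appears two lines later in the same YAML block (after `ms.author: ellevin`), producing a duplicate mapping key; drop one of the two. The sibling hunk in customize-attack-surface-reduction.md adds the same key but shows no existing one in its context, so only this file appears affected.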
@@ -21,7 +22,7 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It protects your data by checking against a list of known, trusted apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. It can be turned on via the Windows Security App, or from the System Center Configuration Manager (SCCM) and Intune, for managed devices. Controlled folder access works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). 
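Review bot: The Applies-to bullet is switched from `- ` to `* `, which diverges from the `- ` bullets the other files in this commit use (configure-server-endpoints.md, configure-siem.md, configure-proxy-internet.md); keep `- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)`. The same change appears in the customize-attack-surface-reduction.md hunk @@ -20,10 +21,10 @@.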
@@ -35,9 +36,9 @@ Controlled folder access is especially useful in helping to protect your documen With Controlled folder access in place, a notification will appear on the computer where the app attempted to make changes to a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. -The protected folders include common system folders, and you can [add additional folders](customize-controlled-folders-exploit-guard.md#protect-additional-folders). You can also [allow or whitelist apps](customize-controlled-folders-exploit-guard.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders. +The protected folders include common system folders, and you can [add additional folders](customize-controlled-folders.md#protect-additional-folders). You can also [allow or whitelist apps](customize-controlled-folders.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders. -You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. +You can use [audit mode](audit-windows-defender.md) to evaluate how controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. Controlled folder access is supported on Windows 10, version 1709 and later and Windows Server 2019. 
@@ -49,7 +50,7 @@ Controlled folder access requires enabling [Windows Defender Antivirus real-time Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). -You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled. +You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled. Here is an example query 
@@ -62,13 +63,13 @@ MiscEvents You can review the Windows event log to see events that are created when controlled folder access blocks (or audits) an app: -1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine. +1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine. 1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. 1. On the left panel, under **Actions**, click **Import custom view...**. -1. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md). +1. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views.md). 1. Click **OK**. @@ -83,7 +84,7 @@ Event ID | Description ## In this section Topic | Description ----|--- +-|- [Evaluate controlled folder access](evaluate-controlled-folder-access.md) | Use a dedicated demo tool to see how controlled folder access works, and what events would typically be created. -[Enable controlled folder access](enable-controlled-folders-exploit-guard.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage controlled folder access in your network -[Customize controlled folder access](customize-controlled-folders-exploit-guard.md) | Add additional protected folders, and allow specified apps to access protected folders. +[Enable controlled folder access](enable-controlled-folders.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage controlled folder access in your network +[Customize controlled folder access](customize-controlled-folders.md) | Add additional protected folders, and allow specified apps to access protected folders. 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-ti-api.md b/windows/security/threat-protection/microsoft-defender-atp/custom-ti-api.md index 2601b05b63..0a42682bb7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-ti-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-ti-api.md @@ -25,7 +25,7 @@ ms.topic: article - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-customti-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-customti-abovefoldlink) You can define custom alert definitions and indicators of compromise (IOC) using the threat intelligence API. Creating custom threat intelligence alerts allows you to generate specific alerts that are applicable to your organization. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md similarity index 74% rename from windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md rename to windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md index 2b7dec1738..839daef3d1 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md @@ -9,6 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium +audience: ITPro author: levinec ms.author: ellevin ms.date: 05/13/2019 
@@ -20,10 +21,10 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +> [!IMPORTANT] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. 
@@ -33,21 +34,20 @@ You can use Group Policy, PowerShell, and MDM CSPs to configure these settings. ## Exclude files and folders -You can exclude files and folders from being evaluated by attack surface reduction rules. This means that even if an attack surface reduction rule detects that the file contains malicious behavior, the file will not be blocked from running. +You can exclude files and folders from being evaluated by attack surface reduction rules. This means that even if an attack surface reduction rule detects that the file contains malicious behavior, the file will not be blocked from running. ->[!WARNING] ->This could potentially allow unsafe files to run and infect your devices. Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded. +> [!WARNING] +> This could potentially allow unsafe files to run and infect your devices. Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded. An exclusion applies to all rules that allow exclusions. You can specify an individual file, folder path, or the fully qualified domain name for a resource, but you cannot limit an exclusion to certain rules. An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted. -Attack surface reduction supports environment variables and wildcards. 
For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). +Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md). - -Rule description | GUID --|:-:|- +Rule description | GUID +-|-|- Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B 
@@ -62,19 +62,19 @@ Block process creations originating from PSExec and WMI commands | d1e49aac-8f56 Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c -Block persistence through WMI event subscription | e6db77e5-3df2-4cf1-b95a-636979351e5b +Block persistence through WMI event subscription | e6db77e5-3df2-4cf1-b95a-636979351e5b -See the [attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. +See the [attack surface reduction](attack-surface-reduction.md) topic for details on each rule. ### Use Group Policy to exclude files and folders -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -3. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction**. +3. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction**. -4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. 
Enter **0** in the **Value** column for each item. +4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. ### Use PowerShell to exclude files and folders @@ -85,10 +85,10 @@ See the [attack surface reduction](attack-surface-reduction-exploit-guard.md) to Add-MpPreference -AttackSurfaceReductionOnlyExclusions "" ``` -Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add more folders to the list. +Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add more folders to the list. ->[!IMPORTANT] ->Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. +> [!IMPORTANT] +> Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. ### Use MDM CSPs to exclude files and folders @@ -100,7 +100,6 @@ See the [Windows Security](../windows-defender-security-center/windows-defender- ## Related topics -- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) -- [Enable attack surface reduction rules](enable-attack-surface-reduction.md) -- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) - +* [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md) +* [Enable attack surface reduction rules](enable-attack-surface-reduction.md) +* [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md similarity index 74% rename from windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md rename to windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md index 1acfffd14f..3216d16b87 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md @@ -9,6 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium +audience: ITPro author: levinec ms.author: ellevin ms.date: 05/13/2019 
@@ -20,19 +21,19 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. This topic describes how to customize the following settings of the controlled folder access feature with the Windows Security app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs): -- [Add additional folders to be protected](#protect-additional-folders) -- [Add apps that should be allowed to access protected folders](#allow-specific-apps-to-make-changes-to-controlled-folders) +* [Add additional folders to be protected](#protect-additional-folders) +* [Add apps that should be allowed to access protected folders](#allow-specific-apps-to-make-changes-to-controlled-folders) ->[!WARNING] ->Controlled folder access monitors apps for activities that may be malicious. Sometimes it might block a legitimate app from making legitimate changes to your files. +> [!WARNING] +> Controlled folder access monitors apps for activities that may be malicious. Sometimes it might block a legitimate app from making legitimate changes to your files. > ->This may impact your organization's productivity, so you may want to consider running the feature in [audit mode](audit-windows-defender-exploit-guard.md) to fully assess the feature's impact. +> This may impact your organization's productivity, so you may want to consider running the feature in [audit mode](audit-windows-defender.md) to fully assess the feature's impact. ## Protect additional folders 
@@ -42,7 +43,7 @@ You can add additional folders to be protected, but you cannot remove the defaul Adding other folders to controlled folder access can be useful, for example, if you don't store files in the default Windows libraries or you've changed the location of the libraries away from the defaults. -You can also enter network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). +You can also enter network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). You can use the Windows Security app or Group Policy to add and remove additional protected folders. 
@@ -55,14 +56,14 @@ You can use the Windows Security app or Group Policy to add and remove additiona 3. Under the **Controlled folder access** section, click **Protected folders** 4. Click **Add a protected folder** and follow the prompts to add apps. - + ### Use Group Policy to protect additional folders -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**. -3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**. +3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**. 4. Double-click **Configured protected folders** and set the option to **Enabled**. Click **Show** and enter each folder. 
@@ -77,10 +78,10 @@ You can use the Windows Security app or Group Policy to add and remove additiona Continue to use `Add-MpPreference -ControlledFolderAccessProtectedFolders` to add more folders to the list. Folders added using this cmdlet will appear in the Windows Security app. -![Screenshot of a PowerShell window with the cmdlet above entered](images/cfa-allow-folder-ps.png) +![Screenshot of a PowerShell window with the cmdlet above entered](../images/cfa-allow-folder-ps.png) ->[!IMPORTANT] ->Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. +> [!IMPORTANT] +> Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. ### Use MDM CSPs to protect additional folders 
@@ -88,17 +89,16 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.m ## Allow specific apps to make changes to controlled folders -You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if you're finding a particular app that you know and trust is being blocked by the controlled folder access feature. +You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if you're finding a particular app that you know and trust is being blocked by the controlled folder access feature. ->[!IMPORTANT] ->By default, Windows adds apps that it considers friendly to the allowed list—apps added automatically by Windows are not recorded in the list shown in the Windows Security app or by using the associated PowerShell cmdlets. ->You shouldn't need to add most apps. Only add apps if they are being blocked and you can verify their trustworthiness. +> [!IMPORTANT] +> By default, Windows adds apps that it considers friendly to the allowed list—apps added automatically by Windows are not recorded in the list shown in the Windows Security app or by using the associated PowerShell cmdlets. +> You shouldn't need to add most apps. Only add apps if they are being blocked and you can verify their trustworthiness. When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders - if the app (with the same name) is located in a different location, then it will not be added to the allow list and may be blocked by controlled folder access. An allowed application or service only has write access to a controlled folder after it starts. For example, if you allow an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted. 
- ### Use the Windows Defender Security app to allow specific apps 1. Open the Windows Security by clicking the shield icon in the task bar or searching the start menu for **Defender**. @@ -109,15 +109,15 @@ An allowed application or service only has write access to a controlled folder a 4. Click **Add an allowed app** and follow the prompts to add apps. - ![Screenshot of how to add an allowed app button](images/cfa-allow-app.png) + ![Screenshot of how to add an allowed app button](../images/cfa-allow-app.png) ### Use Group Policy to allow specific apps -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**. +3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**. 4. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Click **Show** and enter each app. 
@@ -135,22 +135,24 @@ An allowed application or service only has write access to a controlled folder a ```PowerShell Add-MpPreference -ControlledFolderAccessAllowedApplications "c:\apps\test.exe" ``` + Continue to use `Add-MpPreference -ControlledFolderAccessAllowedApplications` to add more apps to the list. Apps added using this cmdlet will appear in the Windows Security app. -![Screenshot of a PowerShell window with the above cmdlet entered](images/cfa-allow-app-ps.png) +![Screenshot of a PowerShell window with the above cmdlet entered](../images/cfa-allow-app-ps.png) ->[!IMPORTANT] ->Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. +> [!IMPORTANT] +> Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. ### Use MDM CSPs to allow specific apps -Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-guardedfoldersallowedapplications) configuration service provider (CSP) to allow apps to make changes to protected folders. +Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-guardedfoldersallowedapplications) configuration service provider (CSP) to allow apps to make changes to protected folders. ## Customize the notification See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. 
## Related topics -- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) -- [Enable controlled folder access](enable-controlled-folders-exploit-guard.md) -- [Evaluate attack surface reduction rules](evaluate-windows-defender-exploit-guard.md) + +* [Protect important folders with controlled folder access](controlled-folders.md) +* [Enable controlled folder access](enable-controlled-folders.md) +* [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md similarity index 72% rename from windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md index f6197a0a67..64a77031bf 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md @@ -9,6 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium +audience: ITPro author: levinec ms.author: ellevin ms.date: 03/26/2019 
@@ -20,18 +21,18 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps. - + You configure these settings using the Windows Security app on an individual machine, and then export the configuration as an XML file that you can deploy to other machines. You can use Group Policy to distribute the XML file to multiple devices at once. You can also configure the mitigations with PowerShell. - This topic lists each of the mitigations available in exploit protection, indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works. +This topic lists each of the mitigations available in exploit protection, indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works. It also describes how to enable or configure the mitigations using Windows Security, PowerShell, and MDM CSPs. This is the first step in creating a configuration that you can deploy across your network. The next step involves [generating or exporting, importing, and deploying the configuration to multiple devices](import-export-exploit-protection-emet-xml.md). ->[!WARNING] ->Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](evaluate-exploit-protection.md) before deploying the configuration across a production environment or the rest of your network. 
+> [!WARNING] +> Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](evaluate-exploit-protection.md) before deploying the configuration across a production environment or the rest of your network. ## Exploit protection mitigations 
@@ -39,87 +40,87 @@ All mitigations can be configured for individual apps. Some mitigations can also You can set each of the mitigations to on, off, or to their default value. Some mitigations have additional options, these are indicated in the description in the table. -Default values are always specified in brackets at the **Use default** option for each mitigation. In the following example, the default for Data Execution Prevention is "On". +Default values are always specified in brackets at the **Use default** option for each mitigation. In the following example, the default for Data Execution Prevention is "On". The **Use default** configuration for each of the mitigation settings indicates our recommendation for a base level of protection for everyday usage for home users. Enterprise deployments should consider the protection required for their individual needs and may need to modify configuration away from the defaults. For the associated PowerShell cmdlets for each mitigation, see the [PowerShell reference table](#cmdlets-table) at the bottom of this topic. Mitigation | Description | Can be applied to | Audit mode available -- | - | - | :-: -Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)] -Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)] -Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. 
| System and app-level | [!include[Check mark no](images/svg/check-no.svg)] -Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)] -Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)] -Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)] -Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] -Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] -Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark no](images/svg/check-no.svg)] -Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] -Code integrity guard | Restricts loading of images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] -Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. 
| App-level only | [!include[Check mark no](images/svg/check-no.svg)] -Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] -Do not allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] -Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark no](images/svg/check-no.svg)] -Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark no](images/svg/check-no.svg)] -Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](images/svg/check-no.svg)] -Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](images/svg/check-no.svg)] -Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | [!include[Check mark no](images/svg/check-no.svg)] -Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark no](images/svg/check-no.svg)] -Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark no](images/svg/check-no.svg)] +-|-|-|- +Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. 
| System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] +Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] +Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] +Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] +Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] +Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] +Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] +Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] +Block remote images | Prevents loading of images from remote devices. 
| App-level only | [!include[Check mark no](../images/svg/check-no.svg)] +Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] +Code integrity guard | Restricts loading of images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] +Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] +Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] +Do not allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] +Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] +Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] +Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] +Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. 
Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] +Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] +Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] +Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] ->[!IMPORTANT] ->If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work: +> [!IMPORTANT] +> If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. 
The following matrix and examples help to illustrate how defaults work: > > ->Enabled in **Program settings** | Enabled in **System settings** | Behavior ->:-: | :-: | :-: ->[!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | As defined in **Program settings** ->[!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **Program settings** ->[!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **System settings** ->[!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | Default as defined in **Use default** option +> Enabled in **Program settings** | Enabled in **System settings** | Behavior +> -|-|- +> [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] | As defined in **Program settings** +> [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **Program settings** +> [!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings** +> [!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option > > -> ->- **Example 1** -> +> +> * **Example 1** +> > Mikael configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**. -> +> > Mikael then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, he enables the **Override system settings** option and sets the switch to **On**. There are no other apps listed in the **Program settings** section. 
-> ->The result will be that DEP only will be enabled for *test.exe*. All other apps will not have DEP applied. -> -> ->- **Example 2** -> +> +> The result will be that DEP only will be enabled for *test.exe*. All other apps will not have DEP applied. +> +> +> * **Example 2** +> > Josie configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**. > -> Josie then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, she enables the **Override system settings** option and sets the switch to **On**. +> Josie then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, she enables the **Override system settings** option and sets the switch to **On**. > > Josie also adds the app *miles.exe* to the **Program settings** section and configures **Control flow guard (CFG)** to **On**. She doesn't enable the **Override system settings** option for DEP or any other mitigations for that app. > ->The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. +>The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. >CFG will be enabled for *miles.exe*. ->[!NOTE] ->If you have found any issues in this article, you can report it directly to a Windows Server/Windows Client partner or use the Microsoft technical support numbers for your country. +> [!NOTE] +> If you have found any issues in this article, you can report it directly to a Windows Server/Windows Client partner or use the Microsoft technical support numbers for your country. ### Configure system-level mitigations with the Windows Security app 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. 
Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**. - + 3. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here: - - **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section - - **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section - - **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation + * **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section + * **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section + * **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation >[!NOTE] >You may see a User Account Control window when changing some settings. Enter administrator credentials to apply the setting. - Changing some settings may require a restart. + Changing some settings may require a restart. 4. Repeat this for all the system-level mitigations you want to configure. 
@@ -127,15 +128,14 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi 1. If the app you want to configure is already listed, click it and then click **Edit** 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app: - - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. - + * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. + * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. + 6. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, click the check box and then change the slider to **On**. Select any additional options. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. 7. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration. - -You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or continue on to configure app-specific mitigations. +You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or continue on to configure app-specific mitigations. Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines. 
@@ -151,33 +151,34 @@ Exporting the configuration as an XML file allows you to copy the configuration You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`. Using `Get` will list the current configuration status of any mitigations that have been enabled on the device - add the `-Name` cmdlet and app exe to see mitigations for just that app: ```PowerShell -Get-ProcessMitigation -Name processName.exe +Get-ProcessMitigation -Name processName.exe ``` ->[!IMPORTANT] ->System-level mitigations that have not been configured will show a status of `NOTSET`. +> [!IMPORTANT] +> System-level mitigations that have not been configured will show a status of `NOTSET`. > ->For system-level settings, `NOTSET` indicates the default setting for that mitigation has been applied. +> For system-level settings, `NOTSET` indicates the default setting for that mitigation has been applied. > ->For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied. +> For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied. > ->The default setting for each system-level mitigation can be seen in the Windows Security. +> The default setting for each system-level mitigation can be seen in the Windows Security. Use `Set` to configure each mitigation in the following format: ```PowerShell Set-ProcessMitigation - - ,, ``` + Where: -- \: - - `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag. - - `-System` to indicate the mitigation should be applied at the system level +* \: + * `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag. 
+ * `-System` to indicate the mitigation should be applied at the system level - \: - - `-Enable` to enable the mitigation - - `-Disable` to disable the mitigation -- \: - - The mitigation's cmdlet as defined in the [mitigation cmdlets table](#cmdlets-table) below, along with any suboptions (surrounded with spaces). Each mitigation is separated with a comma. + * `-Enable` to enable the mitigation + * `-Disable` to disable the mitigation +* \: + * The mitigation's cmdlet as defined in the [mitigation cmdlets table](#cmdlets-table) below, along with any suboptions (surrounded with spaces). Each mitigation is separated with a comma. For example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk emulation and for an executable called *testing.exe* in the folder *C:\Apps\LOB\tests*, and to prevent that executable from creating child processes, you'd use the following command: @@ -185,8 +186,8 @@ Where: Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable DEP, EmulateAtlThunks, DisallowChildProcessCreation ``` - >[!IMPORTANT] - >Separate each mitigation option with commas. + > [!IMPORTANT] + > Separate each mitigation option with commas. If you wanted to apply DEP at the system level, you'd use the following command: @@ -202,8 +203,7 @@ Where: Set-Processmitigation -Name test.exe -Remove -Disable DEP ``` - - You can also set some mitigations to audit mode. Instead of using the PowerShell cmdlet for the mitigation, use the **Audit mode** cmdlet as specified in the [mitigation cmdlets table](#cmdlets-table) below. + You can also set some mitigations to audit mode. Instead of using the PowerShell cmdlet for the mitigation, use the **Audit mode** cmdlet as specified in the [mitigation cmdlets table](#cmdlets-table) below. For example, to enable Arbitrary Code Guard (ACG) in audit mode for the *testing.exe* used in the example above, you'd use the following command: 
@@ -215,11 +215,10 @@ You can disable audit mode by using the same command but replacing `-Enable` wit ### PowerShell reference table -This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation. +This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation. - Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet - | - | - | - Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available 
@@ -228,39 +227,36 @@ Force randomization for images (Mandatory ASLR) | System and app-level | Force Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available Validate heap integrity | System and app-level | TerminateOnError | Audit not available -Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode -Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad -Block remote images | App-level only | BlockRemoteImages | Audit not available -Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly -Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned +Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode +Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad +Block remote images | App-level only | BlockRemoteImages | Audit not available +Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly +Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned Disable extension points | App-level only | ExtensionPoint | Audit not available Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess -Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available -Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available -Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available -Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not 
available +Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available +Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available +Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available +Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available Validate handle usage | App-level only | StrictHandle | Audit not available -Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available -Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available - - +Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available +Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available \[1\]: Use the following format to enable EAF modules for dlls for a process: ```PowerShell -Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll +Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll ``` - ## Customize the notification See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. 
## Related topics -- [Protect devices from exploits](exploit-protection-exploit-guard.md) -- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) -- [Evaluate exploit protection](evaluate-exploit-protection.md) -- [Enable exploit protection](enable-exploit-protection.md) -- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) +* [Protect devices from exploits](exploit-protection.md) +* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md) +* [Evaluate exploit protection](evaluate-exploit-protection.md) +* [Enable exploit protection](enable-exploit-protection.md) +* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md index 249bf4cfb4..0a4d585b53 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md +++ b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md @@ -26,7 +26,7 @@ ms.date: 04/24/2018 ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-gensettings-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-gensettings-abovefoldlink) During the onboarding process, a wizard takes you through the general settings of Microsoft Defender ATP. After onboarding, you might want to update the data retention settings. diff --git a/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md index 2ad4f2c528..a16de0a429 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md @@ -90,6 +90,6 @@ Microsoft Defender ATP for Government (soon to be in preview) is currently under By providing customers with compliant, independently-verified services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run. -For more information on the Microsoft Defender ATP ISO certification reports, see [Microsoft Trust Center](https://www.microsoft.com/en-us/trustcenter/compliance/iso-iec-27001). +For more information on the Microsoft Defender ATP ISO certification reports, see [Microsoft Trust Center](https://www.microsoft.com/trustcenter/compliance/iso-iec-27001). ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-datastorage-belowfoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-datastorage-belowfoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md b/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md index 4d9d0fa3ce..42ef196d91 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md 
@@ -28,7 +28,7 @@ ms.date: 04/24/2018 ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-defendercompat-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-defendercompat-abovefoldlink) The Microsoft Defender Advanced Threat Protection agent depends on Windows Defender Antivirus for some capabilities such as file scanning. diff --git a/windows/security/threat-protection/microsoft-defender-atp/deprecate.md b/windows/security/threat-protection/microsoft-defender-atp/deprecate.md deleted file mode 100644 index 20b16719e7..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/deprecate.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -ms.date: 10/17/2018 -ms.reviewer: -manager: dansimp -ms.author: macapara -author: mjcaparas ---- -> [!WARNING] -> -> -> This page documents a feature that will soon be deprecated. For the updated and supported version, see [Use the Microsoft Defender ATP APIs](use-apis.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection.md new file mode 100644 index 0000000000..73df2fb5a4 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection.md 
@@ -0,0 +1,87 @@ +--- +title: Compare the features in Exploit protection with EMET +keywords: emet, enhanced mitigation experience toolkit, configuration, exploit, compare, difference between, versus, upgrade, convert +description: Exploit protection in Windows 10 provides advanced configuration over the settings offered in EMET. +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +author: levinec +ms.author: ellevin +ms.date: 08/08/2018 +ms.reviewer: +manager: dansimp +--- + +# Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender + +**Applies to:** + +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +> [!IMPORTANT] +> If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Microsoft Defender ATP. +> +> You can [convert an existing EMET configuration file into Exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. + +This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and exploit protection in Microsoft Defender ATP. + +Exploit protection in Microsoft Defender ATP is our successor to EMET and provides stronger protection, more customization, an easier user interface, and better configuration and management options. + +EMET is a standalone product for earlier versions of Windows and provides some mitigation against older, known exploit techniques. + +After July 31, 2018, it will not be supported. 
+ +For more information about the individual features and mitigations available in Microsoft Defender ATP, as well as how to enable, configure, and deploy them to better protect your network, see the following topics: + +* [Protect devices from exploits](exploit-protection.md) +* [Configure and audit exploit protection mitigations](customize-exploit-protection.md) + +## Mitigation comparison + +The mitigations available in EMET are included in Windows Defender, under the [exploit protection feature](exploit-protection.md). + +The table in this section indicates the availability and support of native mitigations between EMET and Exploit protection. + +Mitigation | Available in Windows Defender | Available in EMET +-|-|- +Arbitrary code guard (ACG) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
    As "Memory Protection Check" +Block remote images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
    As "Load Library Check" +Block untrusted fonts | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] +Data Execution Prevention (DEP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] +Export address filtering (EAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] +Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] +NullPage Security Mitigation | [!include[Check mark yes](../images/svg/check-yes.svg)]
    Included natively in Windows 10
    See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)] +Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] +Simulate execution (SimExec) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] +Validate API invocation (CallerCheck) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] +Validate exception chains (SEHOP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] +Validate stack integrity (StackPivot) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] +Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | [!include[Check mark yes](../images/svg/check-yes.svg)] +Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection
    See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)] +Block low integrity images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] +Code integrity guard | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] +Disable extension points | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] +Disable Win32k system calls | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] +Do not allow child processes | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] +Import address filtering (IAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] +Validate handle usage | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] +Validate heap integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] +Validate image dependency integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] + +> [!NOTE] +> The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default in Windows Defender as part of enabling the anti-ROP mitigations for a process. 
+> +> See the [Mitigation threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology. + +## Related topics + +* [Protect devices from exploits with Windows Defender](exploit-protection.md) +* [Evaluate exploit protection](evaluate-exploit-protection.md) +* [Enable exploit protection](enable-exploit-protection.md) +* [Configure and audit exploit protection mitigations](customize-exploit-protection.md) +* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md similarity index 68% rename from windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md rename to windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md index b346df9a75..80c8e25156 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md @@ -9,6 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium +audience: ITPro author: levinec ms.author: ellevin ms.date: 05/13/2019 
@@ -18,7 +19,7 @@ manager: dansimp # Enable attack surface reduction rules -[Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) help prevent actions and apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019. +[Attack surface reduction rules](attack-surface-reduction.md) help prevent actions and apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019. Each ASR rule contains three settings: @@ -30,11 +31,11 @@ To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We r You can enable attack surface reduction rules by using any of these methods: -- [Microsoft Intune](#intune) -- [Mobile Device Management (MDM)](#mdm) -- [System Center Configuration Manager (SCCM)](#sccm) -- [Group Policy](#group-policy) -- [PowerShell](#powershell) +* [Microsoft Intune](#intune) +* [Mobile Device Management (MDM)](#mdm) +* [System Center Configuration Manager (SCCM)](#sccm) +* [Group Policy](#group-policy) +* [PowerShell](#powershell) Enterprise-level management such as Intune or SCCM is recommended. Enterprise-level management will overwrite any conflicting Group Policy or PowerShell settings on startup. 
@@ -42,20 +43,20 @@ Enterprise-level management such as Intune or SCCM is recommended. Enterprise-le You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if an ASR rule determines the file or folder contains malicious behavior, it will not block the file from running. This could potentially allow unsafe files to run and infect your devices. ->[!WARNING] ->Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files will be allowed to run, and no report or event will be recorded. -> ->If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md). - ->[!IMPORTANT] ->File and folder exclusions do not apply to the following ASR rules: +> [!WARNING] +> Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files will be allowed to run, and no report or event will be recorded. > ->- Block process creations originating from PSExec and WMI commands ->- Block JavaScript or VBScript from launching downloaded executable content +> If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md). + +> [!IMPORTANT] +> File and folder exclusions do not apply to the following ASR rules: +> +> * Block process creations originating from PSExec and WMI commands +> * Block JavaScript or VBScript from launching downloaded executable content You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to. An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted. 
-ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). +ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). The following procedures for enabling ASR rules include instructions for how to exclude files and folders. @@ -66,8 +67,8 @@ The following procedures for enabling ASR rules include instructions for how to 2. In the **Endpoint protection** pane, select **Windows Defender Exploit Guard**, then select **Attack Surface Reduction**. Select the desired setting for each ASR rule. 3. Under **Attack Surface Reduction exceptions**, you can enter individual files and folders, or you can select **Import** to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be in the following format: - - *C:\folder*, *%ProgramFiles%\folder\file*, *C:\path* + + *C:\folder*, *%ProgramFiles%\folder\file*, *C:\path* 4. Select **OK** on the three configuration panes and then select **Create** if you're creating a new endpoint protection file or **Save** if you're editing an existing one. 
@@ -75,7 +76,7 @@ The following procedures for enabling ASR rules include instructions for how to Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule. -The following is a sample for reference, using [GUID values for ASR rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules). +The following is a sample for reference, using [GUID values for ASR rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction#attack-surface-reduction-rules). OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules @@ -83,9 +84,9 @@ Value: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=2|{3B576869-A4EC-4529-8536-B80A776 The values to enable, disable, or enable in audit mode are: -- Disable = 0 -- Block (enable ASR rule) = 1 -- Audit = 2 +* Disable = 0 +* Block (enable ASR rule) = 1 +* Audit = 2 Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions. @@ -95,8 +96,8 @@ OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExc Value: c:\path|e:\path|c:\Whitelisted.exe ->[!NOTE] ->Be sure to enter OMA-URI values without spaces. +> [!NOTE] +> Be sure to enter OMA-URI values without spaces. ## SCCM 
@@ -105,12 +106,12 @@ Value: c:\path|e:\path|c:\Whitelisted.exe 1. Enter a name and a description, click **Attack Surface Reduction**, and click **Next**. 1. Choose which rules will block or audit actions and click **Next**. 1. Review the settings and click **Next** to create the policy. -1. After the policy is created, click **Close**. +1. After the policy is created, click **Close**. ## Group Policy ->[!WARNING] ->If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy settings on startup. +> [!WARNING] +> If you manage your computers and devices with Intune, SCCM, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy settings on startup. 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 
@@ -119,15 +120,17 @@ Value: c:\path|e:\path|c:\Whitelisted.exe 3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**. 4. Select **Configure Attack surface reduction rules** and select **Enabled**. You can then set the individual state for each rule in the options section: - - Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows: - - Disable = 0 - - Block (enable ASR rule) = 1 - - Audit = 2 - ![Group policy setting showing a blank attack surface reduction rule ID and value of 1](images/asr-rules-gp.png) + * Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows: + + * Disable = 0 + * Block (enable ASR rule) = 1 + * Audit = 2 + + ![Group policy setting showing a blank attack surface reduction rule ID and value of 1](../images/asr-rules-gp.png) + +5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. -5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. - ## PowerShell >[!WARNING] 
@@ -141,32 +144,32 @@ Value: c:\path|e:\path|c:\Whitelisted.exe Set-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions Enabled ``` - To enable ASR rules in audit mode, use the following cmdlet: + To enable ASR rules in audit mode, use the following cmdlet: - ```PowerShell - Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions AuditMode + ```PowerShell + Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions AuditMode ``` - To turn off ASR rules, use the following cmdlet: + To turn off ASR rules, use the following cmdlet: - ```PowerShell - Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions Disabled + ```PowerShell + Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions Disabled ``` - >[!IMPORTANT] - >You must specify the state individually for each rule, but you can combine rules and states in a comma-separated list. - > - >In the following example, the first two rules will be enabled, the third rule will be disabled, and the fourth rule will be enabled in audit mode: - > - >```PowerShell - >Set-MpPreference -AttackSurfaceReductionRules_Ids ,,, -AttackSurfaceReductionRules_Actions Enabled, Enabled, Disabled, AuditMode - >``` + > [!IMPORTANT] + > You must specify the state individually for each rule, but you can combine rules and states in a comma-separated list. + > + > In the following example, the first two rules will be enabled, the third rule will be disabled, and the fourth rule will be enabled in audit mode: + > + > ```PowerShell + > Set-MpPreference -AttackSurfaceReductionRules_Ids ,,, -AttackSurfaceReductionRules_Actions Enabled, Enabled, Disabled, AuditMode + > ``` - You can also the `Add-MpPreference` PowerShell verb to add new rules to the existing list. + You can also the `Add-MpPreference` PowerShell verb to add new rules to the existing list. 
- >[!WARNING] - >`Set-MpPreference` will always overwrite the existing set of rules. If you want to add to the existing set, you should use `Add-MpPreference` instead. - >You can obtain a list of rules and their current state by using `Get-MpPreference` + > [!WARNING] + > `Set-MpPreference` will always overwrite the existing set of rules. If you want to add to the existing set, you should use `Add-MpPreference` instead. + > You can obtain a list of rules and their current state by using `Get-MpPreference` 3. To exclude files and folders from ASR rules, use the following cmdlet: @@ -174,14 +177,13 @@ Value: c:\path|e:\path|c:\Whitelisted.exe Add-MpPreference -AttackSurfaceReductionOnlyExclusions "" ``` - Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add more files and folders to the list. - - >[!IMPORTANT] - >Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. + Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add more files and folders to the list. + > [!IMPORTANT] + > Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. ## Related topics -- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) -- [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md) -- [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) +* [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md) +* [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md) +* [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md
similarity index 58%
rename from windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
rename to windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md
index 7ed8ec4621..a7ff6da08f 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 05/13/2019
@@ -20,24 +21,25 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[Controlled folder access](controlled-folders-exploit-guard.md) helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Controlled folder access is included with Windows 10 and Windows Server 2019. +[Controlled folder access](controlled-folders.md) helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is included with Windows 10 and Windows Server 2019. You can enable controlled folder access by using any of these methods: -- [Windows Security app](#windows-security-app) -- [Microsoft Intune](#intune) -- [Mobile Device Management (MDM)](#mdm) -- [System Center Configuration Manager (SCCM)](#sccm) -- [Group Policy](#group-policy) -- [PowerShell](#powershell) +* [Windows Security app](#windows-security-app) +* [Microsoft Intune](#intune) +* [Mobile Device Management (MDM)](#mdm) +* [System Center Configuration Manager (SCCM)](#sccm) +* [Group Policy](#group-policy) +* [PowerShell](#powershell) [Audit mode](evaluate-controlled-folder-access.md) allows you to test how the feature would work (and review events) without impacting the normal use of the machine. Group Policy settings that disable local administrator list merging will override controlled folder access settings. They also override protected folders and allowed apps set by the local administrator through controlled folder access. 
These policies include: -- Windows Defender Antivirus **Configure local administrator merge behavior for lists** -- System Center Endpoint Protection **Allow users to add exclusions and overrides** + +* Windows Defender Antivirus **Configure local administrator merge behavior for lists** +* System Center Endpoint Protection **Allow users to add exclusions and overrides** For more information about disabling local list merging, see [Prevent or allow users to locally modify Windows Defender AV policy settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus#configure-how-locally-and-globally-defined-threat-remediation-and-exclusions-lists-are-merged). @@ -49,9 +51,9 @@ For more information about disabling local list merging, see [Prevent or allow u 3. Set the switch for **Controlled folder access** to **On**. ->[!NOTE] ->If controlled folder access is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Security app after a restart of the device. ->If the feature is set to **Audit mode** with any of those tools, the Windows Security app will show the state as **Off**. +> [!NOTE] +> If controlled folder access is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Security app after a restart of the device. +> If the feature is set to **Audit mode** with any of those tools, the Windows Security app will show the state as **Off**. >If you are protecting user profile data, we recommend that the user profile should be on the default Windows installation drive. 
@@ -60,21 +62,21 @@ For more information about disabling local list merging, see [Prevent or allow u 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune. 1. Click **Device configuration** > **Profiles** > **Create profile**. 1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**. - ![Create endpoint protection profile](images/create-endpoint-protection-profile.png) -1. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**. -1. Type the path to each application that has access to protected folders and the path to any additional folder that needs protection and click **Add**. + ![Create endpoint protection profile](../images/create-endpoint-protection-profile.png) +1. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**. +1. Type the path to each application that has access to protected folders and the path to any additional folder that needs protection and click **Add**. - ![Enable controlled folder access in Intune](images/enable-cfa-intune.png) + ![Enable controlled folder access in Intune](../images/enable-cfa-intune.png) - >[!NOTE] - >Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted. + > [!NOTE] + > Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted. -1. Click **OK** to save each open blade and click **Create**. +1. Click **OK** to save each open blade and click **Create**. 1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. 
-## MDM +## MDM -Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-controlledfolderaccessprotectedfolders) configuration service provider (CSP) to allow apps to make changes to protected folders. +Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-controlledfolderaccessprotectedfolders) configuration service provider (CSP) to allow apps to make changes to protected folders. ## SCCM 
@@ -82,28 +84,28 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt 2. Click **Home** > **Create Exploit Guard Policy**. 3. Enter a name and a description, click **Controlled folder access**, and click **Next**. 4. Choose whether block or audit changes, allow other apps, or add other folders, and click **Next**. - >[!NOTE] - >Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted. + > [!NOTE] + > Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted. 5. Review the settings and click **Next** to create the policy. -6. After the policy is created, click **Close**. +6. After the policy is created, click **Close**. ## Group Policy -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access**. +3. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access**. -6. Double-click the **Configure Controlled folder access** setting and set the option to **Enabled**. 
In the options section you must specify one of the following: - - **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log - - **Disable (Default)** - The Controlled folder access feature will not work. All apps can make changes to files in protected folders. - - **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization. +4. Double-click the **Configure Controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following: + * **Enable** - Malicious and suspicious apps will not be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log + * **Disable (Default)** - The Controlled folder access feature will not work. All apps can make changes to files in protected folders. + * **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization. - ![Screenshot of group policy option with Enabled and then Enable selected in the drop-down](images/cfa-gp-enable.png) + ![Screenshot of group policy option with Enabled and then Enable selected in the drop-down](../images/cfa-gp-enable.png) ->[!IMPORTANT] ->To fully enable controlled folder access, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu. +> [!IMPORTANT] +> To fully enable controlled folder access, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu. ## PowerShell 
@@ -121,6 +123,6 @@ Use `Disabled` to turn the feature off. ## Related topics -- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) -- [Customize controlled folder access](customize-controlled-folders-exploit-guard.md) -- [Evaluate Microsoft Defender ATP](evaluate-windows-defender-exploit-guard.md) +* [Protect important folders with controlled folder access](controlled-folders.md) +* [Customize controlled folder access](customize-controlled-folders.md) +* [Evaluate Microsoft Defender ATP](../microsoft-defender-atp/evaluate-atp.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-custom-ti.md b/windows/security/threat-protection/microsoft-defender-atp/enable-custom-ti.md index 754b7d28e8..42bfea4ccf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-custom-ti.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-custom-ti.md @@ -27,7 +27,7 @@ ms.topic: article > [!TIP] > This topic has been deprecated. See [Indicators](ti-indicator.md) for the updated content. > -> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-enablecustomti-abovefoldlink) +> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-enablecustomti-abovefoldlink) Before you can create custom threat intelligence (TI) using REST API, you'll need to set up the custom threat intelligence application through Microsoft Defender Security Center. 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
similarity index 70%
rename from windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md
rename to windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
index e3fd820ba9..76bada624f 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 05/09/2019
@@ -20,93 +21,93 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[Exploit protection](exploit-protection-exploit-guard.md) helps protect against malware that uses exploits to infect devices and spread. It consists of a number of mitigations that can be applied to either the operating system or individual apps. +[Exploit protection](exploit-protection.md) helps protect against malware that uses exploits to infect devices and spread. It consists of a number of mitigations that can be applied to either the operating system or individual apps. -Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection. +Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection. You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine. You can enable each mitigation separately by using any of these methods: -- [Windows Security app](#windows-security-app) -- [Microsoft Intune](#intune) -- [Mobile Device Management (MDM)](#mdm) -- [System Center Configuration Manager (SCCM)](#sccm) -- [Group Policy](#group-policy) -- [PowerShell](#powershell) +* [Windows Security app](#windows-security-app) +* [Microsoft Intune](#intune) +* [Mobile Device Management (MDM)](#mdm) +* [System Center Configuration Manager (SCCM)](#sccm) +* [Group Policy](#group-policy) +* [PowerShell](#powershell) -They are configured by default in Windows 10. +They are configured by default in Windows 10. -You can set each mitigation to on, off, or to its default value. +You can set each mitigation to on, off, or to its default value. 
Some mitigations have additional options. -You can [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) and deploy them to other machines. +You can [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) and deploy them to other machines. ## Windows Security app 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**. - + 3. Go to **Program settings** and choose the app you want to apply mitigations to: 1. If the app you want to configure is already listed, click it and then click **Edit** 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app: - - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. - + * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. + * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. + 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. -5. Repeat this for all the apps and mitigations you want to configure. +5. 
Repeat this for all the apps and mitigations you want to configure. -3. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here: - - **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section - - **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section - - **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation +6. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here: + * **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section + * **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section + * **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation -5. Repeat this for all the system-level mitigations you want to configure. Click **Apply** when you're done setting up your configuration. +7. Repeat this for all the system-level mitigations you want to configure. Click **Apply** when you're done setting up your configuration. 
If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work: Enabled in **Program settings** | Enabled in **System settings** | Behavior -:-: | :-: | :-: -[!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | As defined in **Program settings** -[!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **Program settings** -[!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **System settings** -[!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | Default as defined in **Use default** option +-|-|- +[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] | As defined in **Program settings** +[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **Program settings** +[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings** +[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option + +**Example 1** -**Example 1** - Mikael configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**. Mikael then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, he enables the **Override system settings** option and sets the switch to **On**. 
There are no other apps listed in the **Program settings** section. - + The result will be that DEP only will be enabled for *test.exe*. All other apps will not have DEP applied. **Example 2** Josie configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**. -Josie then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, she enables the **Override system settings** option and sets the switch to **On**. +Josie then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, she enables the **Override system settings** option and sets the switch to **On**. Josie also adds the app *miles.exe* to the **Program settings** section and configures **Control flow guard (CFG)** to **On**. She doesn't enable the **Override system settings** option for DEP or any other mitigations for that app. -The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. +The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. CFG will be enabled for *miles.exe*. 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**. - + 3. Go to **Program settings** and choose the app you want to apply mitigations to: 1. If the app you want to configure is already listed, click it and then click **Edit** 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app: - - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. 
You can enter a full path to limit the mitigation to only the app with that name in that location. - - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. - + * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. + * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. + 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. 5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration. 
@@ -116,11 +117,11 @@ CFG will be enabled for *miles.exe*. 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune. 1. Click **Device configuration** > **Profiles** > **Create profile**. 1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**. - ![Create endpoint protection profile](images/create-endpoint-protection-profile.png) + ![Create endpoint protection profile](../images/create-endpoint-protection-profile.png) 1. Click **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**. 1. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings: - ![Enable network protection in Intune](images/enable-ep-intune.png) -1. Click **OK** to save each open blade and click **Create**. + ![Enable network protection in Intune](../images/enable-ep-intune.png) +1. Click **OK** to save each open blade and click **Create**. 1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. ## MDM 
@@ -134,50 +135,51 @@ Use the [./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings](htt 1. Enter a name and a description, click **Exploit protection**, and click **Next**. 1. Browse to the location of the exploit protection XML file and click **Next**. 1. Review the settings and click **Next** to create the policy. -1. After the policy is created, click **Close**. +1. After the policy is created, click **Close**. ## Group Policy -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -1. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +1. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -1. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**. +1. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**. -6. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**. +1. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**. ## PowerShell You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`. 
Using `Get` will list the current configuration status of any mitigations that have been enabled on the device - add the `-Name` cmdlet and app exe to see mitigations for just that app: ```PowerShell -Get-ProcessMitigation -Name processName.exe +Get-ProcessMitigation -Name processName.exe ``` ->[!IMPORTANT] ->System-level mitigations that have not been configured will show a status of `NOTSET`. +> [!IMPORTANT] +> System-level mitigations that have not been configured will show a status of `NOTSET`. > ->For system-level settings, `NOTSET` indicates the default setting for that mitigation has been applied. +> For system-level settings, `NOTSET` indicates the default setting for that mitigation has been applied. > ->For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied. +> For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied. > ->The default setting for each system-level mitigation can be seen in the Windows Security. +> The default setting for each system-level mitigation can be seen in the Windows Security. Use `Set` to configure each mitigation in the following format: ```PowerShell Set-ProcessMitigation - - ,, ``` + Where: -- \: - - `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag. - - `-System` to indicate the mitigation should be applied at the system level -- \: - - `-Enable` to enable the mitigation - - `-Disable` to disable the mitigation -- \: - - The mitigation's cmdlet along with any suboptions (surrounded with spaces). Each mitigation is separated with a comma. +* \: + * `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag. 
+ * `-System` to indicate the mitigation should be applied at the system level +* \: + * `-Enable` to enable the mitigation + * `-Disable` to disable the mitigation +* \: + * The mitigation's cmdlet along with any suboptions (surrounded with spaces). Each mitigation is separated with a comma. For example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk emulation and for an executable called *testing.exe* in the folder *C:\Apps\LOB\tests*, and to prevent that executable from creating child processes, you'd use the following command: @@ -185,8 +187,8 @@ For example, to enable the Data Execution Prevention (DEP) mitigation with ATL t Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable DEP, EmulateAtlThunks, DisallowChildProcessCreation ``` ->[!IMPORTANT] ->Separate each mitigation option with commas. +> [!IMPORTANT] +> Separate each mitigation option with commas. If you wanted to apply DEP at the system level, you'd use the following command: @@ -202,8 +204,7 @@ If you need to restore the mitigation back to the system default, you need to in Set-Processmitigation -Name test.exe -Remove -Disable DEP ``` -This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation. - +This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation. Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet - | - | - | - 
@@ -213,39 +214,35 @@ Force randomization for images (Mandatory ASLR) | System and app-level | Force Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available Validate heap integrity | System and app-level | TerminateOnHeapError | Audit not available -Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode -Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad -Block remote images | App-level only | BlockRemoteImages | Audit not available -Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly -Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned +Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode +Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad +Block remote images | App-level only | BlockRemoteImages | Audit not available +Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly +Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned Disable extension points | App-level only | ExtensionPoint | Audit not available Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess -Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available -Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available -Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available -Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not 
available +Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available +Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available +Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available +Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available Validate handle usage | App-level only | StrictHandle | Audit not available -Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available -Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available - - +Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available +Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available \[1\]: Use the following format to enable EAF modules for dlls for a process: ```PowerShell -Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll +Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll ``` - ## Customize the notification See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. 
- ## Related topics -- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) -- [Evaluate exploit protection](evaluate-exploit-protection.md) -- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) -- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) +* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md) +* [Evaluate exploit protection](evaluate-exploit-protection.md) +* [Configure and audit exploit protection mitigations](customize-exploit-protection.md) +* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md similarity index 58% rename from windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md index dc62facca9..97a6409ed0 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md @@ -9,6 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium +audience: ITPro author: levinec ms.author: ellevin ms.reviewer: 
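Review bot: The rewritten "Validate image dependency integrity" row keeps `EnforceModuleDepencySigning`, which looks like a typo carried over while the row was being re-indented; as far as I know the mitigation name Set-ProcessMitigation accepts is `EnforceModuleDependencySigning`, so a reader copying this row into `-Enable` would get an error rather than the protection. Suggest checking the name against `Get-ProcessMitigation` output on a test machine and, if confirmed, changing the row to `Validate image dependency integrity | App-level only | EnforceModuleDependencySigning | Audit not available`. The same cmdlet table is the reference readers use for the examples above it, so a wrong token here is worth a second look.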
@@ -20,31 +21,29 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[Network protection](network-protection-exploit-guard.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. +[Network protection](network-protection.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. You can [audit network protection](evaluate-network-protection.md) in a test environment to see which apps would be blocked before you enable it. You can enable network protection by using any of these methods: -- [Microsoft Intune](#intune) -- [Mobile Device Management (MDM)](#mdm) -- [System Center Configuration Manager (SCCM)](#sccm) -- [Group Policy](#group-policy) -- [PowerShell](#powershell) +* [Microsoft Intune](#intune) +* [Mobile Device Management (MDM)](#mdm) +* [System Center Configuration Manager (SCCM)](#sccm) +* [Group Policy](#group-policy) +* [PowerShell](#powershell) ## Intune 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune. -2. Click **Device configuration** > **Profiles** > **Create profile**. -3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**. - ![Create endpoint protection profile](images/create-endpoint-protection-profile.png) -4. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**. - - ![Enable network protection in Intune](images/enable-np-intune.png) - -5. Click **OK** to save each open blade and click **Create**. -6. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. 
+1. Click **Device configuration** > **Profiles** > **Create profile**. +1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**. + ![Create endpoint protection profile](../images/create-endpoint-protection-profile.png) +1. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**. + ![Enable network protection in Intune](../images/enable-np-intune.png) +1. Click **OK** to save each open blade and click **Create**. +1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. ## MDM 
@@ -57,60 +56,58 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://d 1. Enter a name and a description, click **Network protection**, and click **Next**. 1. Choose whether to block or audit access to suspicious domains and click **Next**. 1. Review the settings and click **Next** to create the policy. -1. After the policy is created, click **Close**. +1. After the policy is created, click **Close**. -## Group Policy +## Group Policy -You can use the following procedure to enable network protection on domain-joined computers or on a standalone computer. +You can use the following procedure to enable network protection on domain-joined computers or on a standalone computer. -1. On a standalone computer, click **Start**, type and then click **Edit group policy**. +1. On a standalone computer, click **Start**, type and then click **Edit group policy**. -Or- - + On a domain-joined Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Network protection**. +3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Network protection**. 4. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section, you must specify one of the following: - - **Block** - Users will not be able to access malicious IP addresses and domains - - **Disable (Default)** - The Network protection feature will not work. 
Users will not be blocked from accessing malicious domains - - **Audit Mode** - If a user visits a malicious IP address or domain, an event will be recorded in the Windows event log but the user will not be blocked from visiting the address. + * **Block** - Users will not be able to access malicious IP addresses and domains + * **Disable (Default)** - The Network protection feature will not work. Users will not be blocked from accessing malicious domains + * **Audit Mode** - If a user visits a malicious IP address or domain, an event will be recorded in the Windows event log but the user will not be blocked from visiting the address. ->[!IMPORTANT] ->To fully enable network protection, you must set the Group Policy option to **Enabled** and also select **Block** in the options drop-down menu. +> [!IMPORTANT] +> To fully enable network protection, you must set the Group Policy option to **Enabled** and also select **Block** in the options drop-down menu. You can confirm network protection is enabled on a local computer by using Registry editor: 1. Click **Start** and type **regedit** to open **Registry Editor**. 1. Navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection -1. Click **EnableNetworkProtection** and confirm the value: - - 0=Off - - 1=On - - 2=Audit +1. Click **EnableNetworkProtection** and confirm the value: + * 0=Off + * 1=On + * 2=Audit ## PowerShell 1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator** 2. Enter the following cmdlet: - ``` + ```PowerShell Set-MpPreference -EnableNetworkProtection Enabled ``` You can enable the feature in audit mode using the following cmdlet: -``` +```PowerShell Set-MpPreference -EnableNetworkProtection AuditMode ``` Use `Disabled` instead of `AuditMode` or `Enabled` to turn the feature off. 
- ## Related topics -- [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) -- [Network protection](network-protection-exploit-guard.md) -- [Evaluate network protection](evaluate-network-protection.md) -- [Troubleshoot network protection](troubleshoot-np.md) +* [Network protection](network-protection.md) +* [Evaluate network protection](evaluate-network-protection.md) +* [Troubleshoot network protection](troubleshoot-np.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md index 2c9fa62654..3fbbd36ff6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md @@ -1,6 +1,6 @@ --- title: Enable SIEM integration in Microsoft Defender ATP -description: Enable SIEM integration to receive alerts in your security information and event management (SIEM) solution. +description: Enable SIEM integration to receive detections in your security information and event management (SIEM) solution. keywords: enable siem connector, siem, connector, security information and events search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/10/2018 --- # Enable SIEM integration in Microsoft Defender ATP 
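Review bot: The Group Policy steps are rewritten with explicit `+2.` and `+3.` numbering while the rest of this commit normalises ordered lists to `1.` (the Intune section of this same file in the previous hunk, and the Group Policy list in the exploit-protection file where `6.` became `1.`), so the two sections of one page now use different conventions. Suggest `1. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.` and the same for the "Expand the tree" and "Double-click" items. The registry verification list and the code-fence language tags added in this hunk look fine.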
@@ -24,9 +23,13 @@ ms.date: 12/10/2018 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-enablesiem-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-enablesiem-abovefoldlink) -Enable security information and event management (SIEM) integration so you can pull alerts from Microsoft Defender Security Center using your SIEM solution or by connecting directly to the alerts REST API. +Enable security information and event management (SIEM) integration so you can pull detections from Microsoft Defender Security Center using your SIEM solution or by connecting directly to the detections REST API. + +>[!Note] +>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections +>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details. ## Prerequisites - The user who activates the setting must have permissions to create an app in Azure Active Directory (AAD). This is typically someone with a **Global administrator** role. @@ -55,7 +58,7 @@ Enable security information and event management (SIEM) integration so you can p > - WDATP-connector.jsonparser.properties > - WDATP-connector.properties
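Review bot: The added note uses `>[!Note]` with no space and a lowercase tag, while this same file's next hunk already has `> [!NOTE]` and the rest of the commit is normalising callouts to the `> [!IMPORTANT]` form, so the new block is the odd one out. The second bullet also reads awkwardly: suggest `> - [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed of the suspicious event that occurred on the machine and its related alert details.` and the first line as `> [!NOTE]`. Since the alert-versus-detection distinction is what the whole page now hinges on, it is worth getting this paragraph clean.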
    - If you want to connect directly to the alerts REST API through programmatic access, choose **Generic API**. + If you want to connect directly to the detections REST API through programmatic access, choose **Generic API**. 4. Copy the individual values or select **Save details to file** to download a file that contains all the values. 
@@ -64,14 +67,14 @@ Enable security information and event management (SIEM) integration so you can p > [!NOTE] > You'll need to generate a new Refresh token every 90 days. -You can now proceed with configuring your SIEM solution or connecting to the alerts REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive alerts from Microsoft Defender Security Center. +You can now proceed with configuring your SIEM solution or connecting to the detections REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive detections from Microsoft Defender Security Center. ## Integrate Microsoft Defender ATP with IBM QRadar -You can configure IBM QRadar to collect alerts from Microsoft Defender ATP. For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1). +You can configure IBM QRadar to collect detections from Microsoft Defender ATP. For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1). ## Related topics -- [Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk.md) -- [Configure HP ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight.md) -- [Microsoft Defender ATP alert API fields](api-portal-mapping.md) -- [Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api.md) +- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md) +- [Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md) +- [Microsoft Defender ATP Detection fields](api-portal-mapping.md) +- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md) - [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md
index c589b30285..ee4f4e583c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md
@@ -19,25 +19,30 @@ ms.topic: conceptual --- # Evaluate Microsoft Defender ATP + [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. -You can evaluate Microsoft Defender Advanced Threat Protection in your organization by [starting your free trial](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp). +You can evaluate Microsoft Defender Advanced Threat Protection in your organization by [starting your free trial](https://www.microsoft.com/WindowsForBusiness/windows-atp). -You can also evaluate the different security capabilities in Microsoft Defender ATP by using the following instructions. +You can also evaluate the different security capabilities in Microsoft Defender ATP by using the following instructions. ## Evaluate attack surface reduction + These capabilities help prevent attacks and exploitations from infecting your organization. 
-- [Evaluate attack surface reduction](../windows-defender-exploit-guard/evaluate-attack-surface-reduction.md) -- [Evaluate exploit protection](../windows-defender-exploit-guard/evaluate-exploit-protection.md) -- [Evaluate network protection](../windows-defender-exploit-guard/evaluate-exploit-protection.md) -- [Evaluate controlled folder access](../windows-defender-exploit-guard/evaluate-controlled-folder-access.md) + +- [Evaluate attack surface reduction](./evaluate-attack-surface-reduction.md) +- [Evaluate exploit protection](./evaluate-exploit-protection.md) +- [Evaluate network protection](./evaluate-exploit-protection.md) +- [Evaluate controlled folder access](./evaluate-controlled-folder-access.md) - [Evaluate application guard](../windows-defender-application-guard/test-scenarios-wd-app-guard.md) - [Evaluate network firewall](../windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md) ## Evaluate next generation protection + Next gen protections help detect and block the latest threats. + - [Evaluate antivirus](../windows-defender-antivirus/evaluate-windows-defender-antivirus.md) - ## See Also + [Get started with Microsoft Defender Advanced Threat Protection](get-started.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md similarity index 68% rename from windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md rename to windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md index 145da203d5..271622f774 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md 
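Review bot: The rewritten "Evaluate network protection" bullet still points at `./evaluate-exploit-protection.md`, so the network protection evaluation page is unreachable from this list even after the path update; the commit only changed the directory prefix and kept the wrong file name. The network protection file in this hunk's sibling (`enable-network-protection.md`) links `evaluate-network-protection.md`, so the line should read `- [Evaluate network protection](./evaluate-network-protection.md)`. The exploit protection bullet directly above it is the one that should keep the current target.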
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium +audience: ITPro author: levinec ms.author: ellevin ms.date: 04/02/2019 @@ -20,14 +21,14 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. This topic helps you evaluate attack surface reduction rules. It explains how to enable audit mode so you can test the feature directly in your organization. ->[!TIP] ->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. +> [!TIP] +> You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. ## Use audit mode to measure impact 
@@ -43,42 +44,27 @@ Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode This enables all attack surface reduction rules in audit mode. ->[!TIP] ->If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). -You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction rules topic](attack-surface-reduction-exploit-guard.md). +> [!TIP] +> If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). +You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction rules topic](attack-surface-reduction.md). ## Review attack surface reduction events in Windows Event Viewer To review apps that would have been blocked, open Event Viewer and filter for Event ID 1121 in the Microsoft-Windows-Windows-Defender/Operational log. The following table lists all network protection events. - -| Event ID | Description | -|----------|-------------| -|5007 | Event when settings are changed | -| 1121 | Event when an attack surface reduction rule fires in block mode | -| 1122 | Event when an attack surface reduction rule fires in audit mode | + Event ID | Description +-|- + 5007 | Event when settings are changed + 1121 | Event when an attack surface reduction rule fires in block mode + 1122 | Event when an attack surface reduction rule fires in audit mode ## Customize attack surface reduction rules -During your evaluation, you may wish to configure each rule individualy or exclude certain files and processes from being evaluated by the feature. 
+During your evaluation, you may wish to configure each rule individually or exclude certain files and processes from being evaluated by the feature. See the [Customize attack surface reduction rules](customize-attack-surface-reduction.md) topic for information on configuring the feature with management tools, including Group Policy and MDM CSP policies. ## Related topics -- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) -- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md) -- [Use audit mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md) - - - - - - - - - - - - - +* [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md) +* [Use audit mode to evaluate Windows Defender](audit-windows-defender.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md similarity index 61% rename from windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md rename to windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md index 08d11df095..5f8fc8a0da 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md @@ -9,6 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium +audience: ITPro author: levinec ms.author: ellevin ms.date: 11/16/2018 
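Review bot: The rebuilt event table is still introduced by `The following table lists all network protection events.`, but every row in it (5007, 1121, 1122) describes attack surface reduction settings and rule firings, so the sentence misdirects readers who are filtering the Operational log for the wrong feature. Suggest `The following table lists all attack surface reduction events.` on the context line just above the new table. The new table rows also carry a leading space before the Event ID column, which renders inconsistently across markdown engines; dropping it would match the controlled-folder-access table in this same commit.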
@@ -20,16 +21,16 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[Controlled folder access](controlled-folders-exploit-guard.md) is a feature that helps protect your documents and files from modification by suspicious or malicious apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. +[Controlled folder access](controlled-folders.md) is a feature that helps protect your documents and files from modification by suspicious or malicious apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. It is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage. This topic helps you evaluate controlled folder access. It explains how to enable audit mode so you can test the feature directly in your organization. ->[!TIP] ->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. +> [!TIP] +> You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. ## Use audit mode to measure impact 
@@ -43,27 +44,28 @@ To enable audit mode, use the following PowerShell cmdlet:
 Set-MpPreference -EnableControlledFolderAccess AuditMode
 ```
->[!TIP]
->If you want to fully audit how controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
-You can also use Group Policy, Intune, MDM, or System Center Configuration Manager to configure and deploy the setting, as described in the main [controlled folder access topic](controlled-folders-exploit-guard.md).
+> [!TIP]
+> If you want to fully audit how controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). You can also use Group Policy, Intune, MDM, or System Center Configuration Manager to configure and deploy the setting, as described in the main [controlled folder access topic](controlled-folders.md).
 ## Review controlled folder access events in Windows Event Viewer
 The following controlled folder access events appear in Windows Event Viewer under Microsoft/Windows/Windows Defender/Operational folder.
-| Event ID | Description |
-| --- | --- |
-| 5007 | Event when settings are changed |
-| 1124 | Audited controlled folder access event |
-| 1123 | Blocked controlled folder access event |
+Event ID | Description
+-|-
+ 5007 | Event when settings are changed
+ 1124 | Audited controlled folder access event
+ 1123 | Blocked controlled folder access event
 ## Customize protected folders and apps
-During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files.
+During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files.
-See [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) for configuring the feature with management tools, including Group Policy, PowerShell, and MDM CSP.
+See [Protect important folders with controlled folder access](controlled-folders.md) for configuring the feature with management tools, including Group Policy, PowerShell, and MDM CSP.
 ## Related topics
-- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md)
-- [Evaluate Microsoft Defender ATP](evaluate-windows-defender-exploit-guard.md)
-- [Use audit mode](audit-windows-defender-exploit-guard.md)
+
+* [Protect important folders with controlled folder access](controlled-folders.md)
+* [Evaluate Microsoft Defender ATP]../(microsoft-defender-atp/evaluate-atp.md)
+* [Use audit mode](audit-windows-defender.md)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md
similarity index 57%
rename from windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
rename to windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md
index 4d7e28279c..4d70c50373 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 04/02/2019
@@ -20,70 +21,69 @@ manager: dansimp
 **Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-[Exploit protection](exploit-protection-exploit-guard.md) helps protect devices from malware that uses exploits to spread and infect other devices.
+[Exploit protection](exploit-protection.md) helps protect devices from malware that uses exploits to spread and infect other devices.
 It consists of a number of mitigations that can be applied to either the operating system or an individual app.
-Many of the features that were part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are included in exploit protection.
+Many of the features that were part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are included in exploit protection.
-This topic helps you enable exploit protection in audit mode and review related events in Event Viewer.
+This topic helps you enable exploit protection in audit mode and review related events in Event Viewer.
 You can enable audit mode for certain app-level mitigations to see how they will work in a test environment. This lets you see a record of what *would* have happened if you had enabled the mitigation in production. You can make sure it doesn't affect your line-of-business apps, and see which suspicious or malicious events occur.
->[!TIP]
->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how exploit protection works.
+> [!TIP]
+> You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how exploit protection works.
 ## Enable exploit protection in audit mode
-You can set mitigations in audit mode for specific programs either by using the Windows Security app or PowerShell.
+You can set mitigations in audit mode for specific programs either by using the Windows Security app or PowerShell.
 ### Windows Security app
 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**.
-
+
 3. Go to **Program settings** and choose the app you want to apply mitigations to:
 1. If the app you want to configure is already listed, click it and then click **Edit**
 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app:
- - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
- - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
-
+ * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
+ * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
+
 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
 5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
 ### PowerShell
-To set app-level mitigations to audit mode, use `Set-ProcessMitigation` with the **Audit mode** cmdlet.
+To set app-level mitigations to audit mode, use `Set-ProcessMitigation` with the **Audit mode** cmdlet.
 Configure each mitigation in the following format:
-
 ```PowerShell
 Set-ProcessMitigation - - ,,
 ```
 Where:
-- \:
- - `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag.
-- \:
- - `-Enable` to enable the mitigation
- - `-Disable` to disable the mitigation
-- \:
- - The mitigation's cmdlet as defined in the following table. Each mitigation is separated with a comma.
+* \:
+ * `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag.
+* \:
+ * `-Enable` to enable the mitigation
+ * `-Disable` to disable the mitigation
+* \:
+ * The mitigation's cmdlet as defined in the following table. Each mitigation is separated with a comma.
-| Mitigation | Audit mode cmdlet |
-| - | - |
-|Arbitrary code guard (ACG) | AuditDynamicCode |
-|Block low integrity images | AuditImageLoad |
-|Block untrusted fonts | AuditFont, FontAuditOnly |
-|Code integrity guard | AuditMicrosoftSigned, AuditStoreSigned |
-|Disable Win32k system calls | AuditSystemCall |
-|Do not allow child processes | AuditChildProcess |
+ Mitigation | Audit mode cmdlet
+-|-
+ Arbitrary code guard (ACG) | AuditDynamicCode
+ Block low integrity images | AuditImageLoad
+ Block untrusted fonts | AuditFont, FontAuditOnly
+ Code integrity guard | AuditMicrosoftSigned, AuditStoreSigned
+ Disable Win32k system calls | AuditSystemCall
+ Do not allow child processes | AuditChildProcess
 For example, to enable Arbitrary Code Guard (ACG) in audit mode for an app named *testing.exe*, run the following command:
@@ -98,21 +98,21 @@ You can disable audit mode by replacing `-Enable` with `-Disable`.
 To review which apps would have been blocked, open Event Viewer and filter for the following events in the Security-Mitigations log.
 Feature | Provider/source | Event ID | Description
-:-|:-|:-:|:-
-Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 1 | ACG audit
-Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 3 | Do not allow child processes audit
-Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 5 | Block low integrity images audit
-Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 7 | Block remote images audit
-Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 9 | Disable win32k system calls audit
-Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code integrity guard audit
+-|-|-|-
+ Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 1 | ACG audit
+ Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 3 | Do not allow child processes audit
+ Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 5 | Block low integrity images audit
+ Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 7 | Block remote images audit
+ Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 9 | Disable win32k system calls audit
+ Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code integrity guard audit
 ## Related topics
-- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
-- [Enable exploit protection](enable-exploit-protection.md)
-- [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
-- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
-- [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md)
-- [Enable network protection](enable-network-protection.md)
-- [Enable controlled folder access](enable-controlled-folders-exploit-guard.md)
-- [Enable attack surface reduction](enable-attack-surface-reduction.md)
+* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md)
+* [Enable exploit protection](enable-exploit-protection.md)
+* [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
+* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
+* [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md)
+* [Enable network protection](enable-network-protection.md)
+* [Enable controlled folder access](enable-controlled-folders.md)
+* [Enable attack surface reduction](enable-attack-surface-reduction.md)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md
similarity index 76%
rename from windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
rename to windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md
index 5015d0f283..6e3840831e 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 05/10/2019
@@ -20,15 +21,14 @@ manager: dansimp
 **Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-[Network protection](network-protection-exploit-guard.md) helps prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
+[Network protection](network-protection.md) helps prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
 This topic helps you evaluate Network protection by enabling the feature and guiding you to a testing site. The site in this evaluation topic are not malicious, they are specially created websites that pretend to be malicious. The site will replicate the behavior that would happen if a user visited a malicious site or domain.
-
->[!TIP]
->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how other protection features work.
+> [!TIP]
+> You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how other protection features work.
 ## Enable network protection in audit mode
@@ -51,10 +51,10 @@ You might want to do this to make sure it doesn't affect line-of-business apps o
 The network connection will be allowed and a test message will be displayed.
-![Example notification that says Connection blocked: Your IT administrator caused Windows Security to block this network connection. Contact your IT help desk.](images/np-notif.png)
-
+![Example notification that says Connection blocked: Your IT administrator caused Windows Security to block this network connection. Contact your IT help desk.](../images/np-notif.png)
+
 ## Review network protection events in Windows Event Viewer
-
+
 To review apps that would have been blocked, open Event Viewer and filter for Event ID 1125 in the Microsoft-Windows-Windows-Defender/Operational log. The following table lists all network protection events.
 | Event ID | Provide/Source | Description |
@@ -63,10 +63,8 @@ To review apps that would have been blocked, open Event Viewer and filter for Ev
 |1125 | Windows Defender (Operational) | Event when a network connection is audited |
 |1126 | Windows Defender (Operational) | Event when a network connection is blocked |
-
 ## Related topics
-- [Windows Defender Exploit Guard](windows-defender-exploit-guard.md)
-- [Network protection](network-protection-exploit-guard.md)
-- [Enable network protection](enable-network-protection.md)
-- [Troubleshoot network protection](troubleshoot-np.md)
+* [Network protection](network-protection.md)
+* [Enable network protection](enable-network-protection.md)
+* [Troubleshoot network protection](troubleshoot-np.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md
index 080111bee7..0875478e90 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md
@@ -342,7 +342,7 @@ See As "Load Library Check"
+Block untrusted fonts | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Data Execution Prevention (DEP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Export address filtering (EAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+NullPage Security Mitigation | [!include[Check mark yes](../images/svg/check-yes.svg)]
    Included natively in Windows 10
    See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Simulate execution (SimExec) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Validate API invocation (CallerCheck) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Validate exception chains (SEHOP) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Validate stack integrity (StackPivot) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection
    See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](../images/svg/check-yes.svg)]
+Block low integrity images | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Code integrity guard | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Disable extension points | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Disable Win32k system calls | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Do not allow child processes | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Import address filtering (IAF) | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Validate handle usage | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Validate heap integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+Validate image dependency integrity | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)]
+
+> [!NOTE]
+> The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default, as part of enabling the anti-ROP mitigations for a process.
+>
+> See the [Mitigation threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology.
+
+## Related topics
+
+* [Protect devices from exploits](exploit-protection.md)
+* [Evaluate exploit protection](evaluate-exploit-protection.md)
+* [Enable exploit protection](enable-exploit-protection.md)
+* [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
+* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
+* [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md
index a2e28ff082..8c3bd67aa8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md
@@ -21,7 +21,7 @@ ms.topic: article
 **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
 This page describes how to create an application to get programmatic access to Microsoft Defender ATP on behalf of a user.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md
index 60ecb971c5..79df3f31af 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md
@@ -21,7 +21,7 @@ ms.topic: article
 **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
 This page describes how to create an application to get programmatic access to Microsoft Defender ATP without a user.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md
index 0a52c8cea1..e45e91bedd 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md
@@ -24,7 +24,7 @@ ms.topic: article
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-supportedapis-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-supportedapis-abovefoldlink)
 ## End Point URI and Versioning
diff --git a/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md b/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md
index badfd2aed7..7d03a370b8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md
@@ -27,7 +27,7 @@ ms.date: 10/23/2017
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-fixsensor-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-fixsensor-abovefoldlink)
 Machines that are categorized as misconfigured or inactive can be flagged due to varying causes. This section provides some explanations as to what might have caused a machine to be categorized as inactive or misconfigured.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-machines.md
deleted file mode 100644
index c247c9aa81..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-machines.md
+++ /dev/null
@@ -1,122 +0,0 @@
----
-title: Get IP related machines API
-description: Retrieves a collection of machines related to a given IP address.
-keywords: apis, graph api, supported apis, get, ip, related, machines
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get IP related machines API (Deprecated)
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Retrieves a collection of machines that communicated with or from a particular IP.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Machine.Read.All | 'Read all machine profiles'
-Application | Machine.ReadWrite.All | 'Read and write all machine information'
-Delegated (work or school account) | Machine.Read | 'Read machine information'
-Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
->- Response will include only machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
-
-## HTTP request
-```
-GET /api/ips/{ip}/machines
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful and IP exists - 200 OK with list of [machine](machine.md) entities in the body. If IP do not exist - 404 Not Found.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-[!include[Improve request performance](improve-request-performance.md)]
-
-```
-GET https://api.securitycenter.windows.com/api/ips/10.209.67.177/machines
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```
-HTTP/1.1 200 OK
-Content-type: application/json
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
- "value": [
- {
- "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
- "computerDnsName": "mymachine1.contoso.com",
- "firstSeen": "2018-08-02T14:55:03.7791856Z",
- "lastSeen": "2018-08-02T14:55:03.7791856Z",
- "osPlatform": "Windows10",
- "osVersion": "10.0.0.0",
- "lastIpAddress": "172.17.230.209",
- "lastExternalIpAddress": "167.220.196.71",
- "agentVersion": "10.5830.18209.1001",
- "osBuild": 18209,
- "healthStatus": "Active",
- "rbacGroupId": 140,
- "riskScore": "Low",
- "rbacGroupName": "The-A-Team",
- "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
- "machineTags": [ "test tag 1", "test tag 2" ]
- },
- {
- "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
- "computerDnsName": "mymachine2.contoso.com",
- "firstSeen": "2018-07-09T13:22:45.1250071Z",
- "lastSeen": "2018-07-09T13:22:45.1250071Z",
- "osPlatform": "Windows10",
- "osVersion": "10.0.0.0",
- "lastIpAddress": "192.168.12.225",
- "lastExternalIpAddress": "79.183.65.82",
- "agentVersion": "10.5820.17724.1000",
- "osBuild": 17724,
- "healthStatus": "Inactive",
- "rbacGroupId": 140,
- "rbacGroupName": "The-A-Team",
- "riskScore": "Low",
- "aadDeviceId": null,
- "machineTags": [ "test tag 1" ]
- }
- ]
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/TVM_icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/TVM_icon.png
index 41faa16718..b3cb1854b9 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/TVM_icon.png and b/windows/security/threat-protection/microsoft-defender-atp/images/TVM_icon.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/alert-notification.png b/windows/security/threat-protection/microsoft-defender-atp/images/alert-notification.png
new file mode 100644
index 0000000000..69836b943c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/alert-notification.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/apply-to-each-value.png b/windows/security/threat-protection/microsoft-defender-atp/images/apply-to-each-value.png
new file mode 100644
index 0000000000..2f027e9054
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/apply-to-each-value.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/apply-to-each.png b/windows/security/threat-protection/microsoft-defender-atp/images/apply-to-each.png
new file mode 100644
index 0000000000..741770b06a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/apply-to-each.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/build-flow.png b/windows/security/threat-protection/microsoft-defender-atp/images/build-flow.png
new file mode 100644
index 0000000000..615e107f78
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/build-flow.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/condition1.png b/windows/security/threat-protection/microsoft-defender-atp/images/condition1.png
new file mode 100644
index 0000000000..fb441257c0
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/condition1.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/condition2.png b/windows/security/threat-protection/microsoft-defender-atp/images/condition2.png
new file mode 100644
index 0000000000..e57b9d3fe4
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/condition2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/condition3.png b/windows/security/threat-protection/microsoft-defender-atp/images/condition3.png
new file mode 100644
index 0000000000..25b0fe742a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/condition3.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/conditions-2.png b/windows/security/threat-protection/microsoft-defender-atp/images/conditions-2.png
new file mode 100644
index 0000000000..714a61e399
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/conditions-2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/data-operations.png b/windows/security/threat-protection/microsoft-defender-atp/images/data-operations.png
new file mode 100644
index 0000000000..13d572f10f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/data-operations.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/flow-apply.png b/windows/security/threat-protection/microsoft-defender-atp/images/flow-apply.png
new file mode 100644
index 0000000000..3d274ebf9f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/flow-apply.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/flow-recurrence.png b/windows/security/threat-protection/microsoft-defender-atp/images/flow-recurrence.png
new file mode 100644
index 0000000000..01ad9116f0
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/flow-recurrence.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/flow2.png b/windows/security/threat-protection/microsoft-defender-atp/images/flow2.png
new file mode 100644
index 0000000000..647008af7d
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/flow2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/http-conditions.png b/windows/security/threat-protection/microsoft-defender-atp/images/http-conditions.png
new file mode 100644
index 0000000000..68eb6483c1
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/http-conditions.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/http-flow.png b/windows/security/threat-protection/microsoft-defender-atp/images/http-flow.png
new file mode 100644
index 0000000000..71e3aa0e9f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/http-flow.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/new-flow.png b/windows/security/threat-protection/microsoft-defender-atp/images/new-flow.png
new file mode 100644
index 0000000000..7d64c71ac8
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/new-flow.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/parse-json-flow.png b/windows/security/threat-protection/microsoft-defender-atp/images/parse-json-flow.png
new file mode 100644
index 0000000000..3a2b7563bf
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/parse-json-flow.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/parse-json-schema.png b/windows/security/threat-protection/microsoft-defender-atp/images/parse-json-schema.png
new file mode 100644
index 0000000000..2c6069ab3d
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/parse-json-schema.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/parse-json.png b/windows/security/threat-protection/microsoft-defender-atp/images/parse-json.png
new file mode 100644
index 0000000000..6931f21e5a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/parse-json.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/recurrence-add.png b/windows/security/threat-protection/microsoft-defender-atp/images/recurrence-add.png
new file mode 100644
index 0000000000..43a41fbd3b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/recurrence-add.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/send-email.png b/windows/security/threat-protection/microsoft-defender-atp/images/send-email.png
new file mode 100644
index 0000000000..f4f0bca971
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/send-email.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machine_page_flyout.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machine_page_flyout.png
new file mode 100644
index 0000000000..7d83e1545d
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machine_page_flyout.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machines_discoveredvuln.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machines_discoveredvuln.png
new file mode 100644
index 0000000000..08e0e2f831
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machines_discoveredvuln.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machineslist.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machineslist.png
new file mode 100644
index 0000000000..ea9e800b94
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machineslist.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machinetoinvestigate.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machinetoinvestigate.png
new file mode 100644
index 0000000000..864dff2f13
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machinetoinvestigate.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy.png
new file mode 100644
index 0000000000..4b1c91c9e4
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_software.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_software.png
new file mode 100644
index 0000000000..6589185f64
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_software.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_softwarecolon.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_softwarecolon.png
new file mode 100644
index 0000000000..eb0c4314c7
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_softwarecolon.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_softwareflyout.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_softwareflyout.png
new file mode 100644
index 0000000000..0b72121e67
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_softwareflyout.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_softwareoptions.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_softwareoptions.png
new file mode 100644
index 0000000000..8f61d18462
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_softwareoptions.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_vuln.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_vuln.png
new file mode 100644
index 0000000000..08c0a00cc9
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_vuln.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_vulnflyout.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_vulnflyout.png
new file mode 100644
index 0000000000..cae0239957
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_vulnflyout.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_vulnoptions.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_vulnoptions.png
new file mode 100644
index 0000000000..cf9f274980
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_vulnoptions.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracyflyout.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracyflyout.png
new file mode 100644
index 0000000000..9af2ad6945
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracyflyout.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracyoptions.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracyoptions.png
new file mode 100644
index 0000000000..09c4876e1d
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracyoptions.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_weaknesses_machinepage.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_weaknesses_machinepage.png
new file mode 100644
index 0000000000..5c56b70612
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_weaknesses_machinepage.png differ
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md
similarity index 61%
rename from windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md
rename to windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md
index 676188aa12..c46302a04f 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 04/30/2018
@@ -20,13 +21,11 @@ manager: dansimp
 **Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level.
-It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
-
-Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are now included in exploit protection.
+Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are now included in exploit protection.
 You use the Windows Security app or PowerShell to create a set of mitigations (known as a configuration). You can then export this configuration as an XML file and share it with multiple machines on your network so they all have the same set of mitigation settings.
@@ -34,7 +33,7 @@ You can also convert and import an existing EMET configuration XML file into an
 This topic describes how to create a configuration file and deploy it across your network, and how to convert an EMET configuration.
-The [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) contains a sample configuration file (name *ProcessMitigation-Selfhost-v4.xml* that you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it directly into exploit protection and then review the settings in the Windows Security app, as described further in this topic.
+The [Evaluation Package](https://aka.ms/mp7z2w) contains a sample configuration file (name *ProcessMitigation-Selfhost-v4.xml* that you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it directly into exploit protection and then review the settings in the Windows Security app, as described further in this topic.
 ## Create and export a configuration file
@@ -50,14 +49,14 @@ When you have configured exploit protection to your desired state (including bot
 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**:
- ![Highlight of the Exploit protection settings option in the Windows Security app](images/wdsc-exp-prot.png)
-
+ ![Highlight of the Exploit protection settings option in the Windows Security app](../images/wdsc-exp-prot.png)
+
 3. At the bottom of the **Exploit protection** section, click **Export settings** and then choose the location and name of the XML file where you want the configuration to be saved.
-![Highlight of the Export Settings option](images/wdsc-exp-prot-export.png)
+![Highlight of the Export Settings option](../images/wdsc-exp-prot-export.png)
->[!NOTE]
->When you export the settings, all settings for both app-level and system-level mitigations are saved. This means you don't need to export a file from both the **System settings** and **Program settings** sections - either section will export all settings.
+> [!NOTE]
+> When you export the settings, all settings for both app-level and system-level mitigations are saved. This means you don't need to export a file from both the **System settings** and **Program settings** sections - either section will export all settings.
 ### Use PowerShell to export a configuration file
@@ -65,7 +64,7 @@ When you have configured exploit protection to your desired state (including bot
 2. Enter the following cmdlet:
 ```PowerShell
- Get-ProcessMitigation -RegistryConfigFilePath filename.xml
+ Get-ProcessMitigation -RegistryConfigFilePath filename.xml
 ```
 Change `filename` to any name or location of your choosing.
@@ -74,7 +73,7 @@ Example command **Get-ProcessMitigation -RegistryConfigFilePath C:\ExploitConfigfile.xml**
 > [!IMPORTANT]
-> When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration file. Ensure you place the file in a shared location.
+> When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration file. Ensure you place the file in a shared location.
 ## Import a configuration file
@@ -84,12 +83,11 @@ After importing, the settings will be instantly applied and can be reviewed in t
 ### Use PowerShell to import a configuration file
-
 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
 2. Enter the following cmdlet:
 ```PowerShell
- Set-ProcessMitigation -PolicyFilePath filename.xml
+ Set-ProcessMitigation -PolicyFilePath filename.xml
 ```
 Change `filename` to the location and name of the exploit protection XML file.
@@ -97,11 +95,9 @@ Change `filename` to the location and name of the exploit protection XML file.
 Example command **Set-ProcessMitigation -PolicyFilePath C:\ExploitConfigfile.xml**
-
->[!IMPORTANT]
+> [!IMPORTANT]
 >
->Ensure you import a configuration file that is created specifically for exploit protection. You cannot directly import an EMET configuration file, you must convert it first.
-
+> Ensure you import a configuration file that is created specifically for exploit protection. You cannot directly import an EMET configuration file, you must convert it first.
 ## Convert an EMET configuration file to an exploit protection configuration file
@@ -109,14 +105,13 @@ You can convert an existing EMET configuration file to the new format used by ex
 You can only do this conversion in PowerShell.
->[!WARNING]
+> [!WARNING]
 >
->You cannot directly convert the default EMET configuration files that are distributed with EMET. These files are intended to help set up EMET for a first-time user. Attempting to directly convert these files into an Exploit protection configuration file will not work.
+> You cannot directly convert the default EMET configuration files that are distributed with EMET. These files are intended to help set up EMET for a first-time user. Attempting to directly convert these files into an Exploit protection configuration file will not work.
 >
->However, if you want to apply the same settings as in the default EMET configuration files, you must first import the default configuration file into EMET, then export the settings to a new file.
+> However, if you want to apply the same settings as in the default EMET configuration files, you must first import the default configuration file into EMET, then export the settings to a new file.
 >
->You can then convert that file using the PowerShell cmdlet described here before importing the settings into Exploit protection.
-
+> You can then convert that file using the PowerShell cmdlet described here before importing the settings into Exploit protection.
 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
 2. Enter the following cmdlet:
@@ -127,46 +122,45 @@ You can only do this conversion in PowerShell.
 Change `emetFile` to the name and location of the EMET configuration file, and change `filename` to whichever location and file name you want to use.
->[!IMPORTANT]
+> [!IMPORTANT]
 >
->If you have enabled Mandatory ASLR for any apps in EMET, export the EMET settings to an XML file, and then convert the XML file into an Exploit protection configuration file, you will need to manually edit the converted XML file to ensure the Mandatory ASLR mitigation setting is correctly configured:
+> If you have enabled Mandatory ASLR for any apps in EMET, export the EMET settings to an XML file, and then convert the XML file into an Exploit protection configuration file, you will need to manually edit the converted XML file to ensure the Mandatory ASLR mitigation setting is correctly configured:
 >
 > 1. Open the PowerShell-converted XML file in a text editor.
 > 2. Search for `ASLR ForceRelocateImages="false"` and change it to `ASLR ForceRelocateImages="true"` for each app that you want Mandatory ASLR to be enabled.
-
 ## Manage or deploy a configuration
 You can use Group Policy to deploy the configuration you've created to multiple machines in your network.
 > [!IMPORTANT]
-> When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration XML file. Ensure you place the file in a shared location.
+> When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration XML file. Ensure you place the file in a shared location.
 ### Use Group Policy to distribute the configuration
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. 
On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-5. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit protection**.
+3. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit protection**.
- ![Screenshot of the group policy setting for exploit protection](images/exp-prot-gp.png)
+ ![Screenshot of the group policy setting for exploit protection](../images/exp-prot-gp.png)
-6. Double-click the **Use a common set of Exploit protection settings** setting and set the option to **Enabled**.
+4. Double-click the **Use a common set of Exploit protection settings** setting and set the option to **Enabled**.
-7. In the **Options::** section, enter the location and filename of the Exploit protection configuration file that you want to use, such as in the following examples:
- - C:\MitigationSettings\Config.XML
- - \\\Server\Share\Config.xml
- - https://localhost:8080/Config.xml
- - C:\ExploitConfigfile.xml
+5. In the **Options::** section, enter the location and filename of the Exploit protection configuration file that you want to use, such as in the following examples:
-8. Click **OK** and [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx).
+ * C:\MitigationSettings\Config.XML
+ * \\\Server\Share\Config.xml
+ * https://localhost:8080/Config.xml
+ * C:\ExploitConfigfile.xml
+6. Click **OK** and [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx).
## Related topics
-- [Protect devices from exploits](exploit-protection-exploit-guard.md)
-- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
-- [Evaluate exploit protection](evaluate-exploit-protection.md)
-- [Enable exploit protection](enable-exploit-protection.md)
-- [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
+* [Protect devices from exploits](exploit-protection.md)
+* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md)
+* [Evaluate exploit protection](evaluate-exploit-protection.md)
+* [Enable exploit protection](enable-exploit-protection.md)
+* [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md
index 11e43b707c..fc412ef07c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md
@@ -26,7 +26,7 @@ ms.date: 04/24/2018
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatealerts-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatealerts-abovefoldlink)
 Investigate alerts that are affecting your network, understand what they mean, and how to resolve them.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md
index 18d267c4cd..583366232a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md
@@ -23,7 +23,7 @@ ms.topic: article
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink)
 Microsoft Defender ATP supports network connection monitoring from different levels of the network stack. A challenging case is when the network uses a forward proxy as a gateway to the Internet.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md
index 8268c3ce96..e352bb1469 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md
@@ -26,7 +26,7 @@ ms.date: 04/24/2018
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatedomain-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatedomain-abovefoldlink)
 Investigate a domain to see if machines and servers in your enterprise network have been communicating with a known malicious domain.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md
index 6cb6750c1c..b251452de8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md
@@ -26,7 +26,7 @@ ms.date: 04/24/2018
 [!include[Prerelease information](prerelease.md)]
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatefiles-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatefiles-abovefoldlink)
 Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md
index 4f3711af17..08fee8aed4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md
@@ -24,7 +24,7 @@ ms.date: 04/24/2018
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
 Examine possible communication between your machines and external internet protocol (IP) addresses.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
index c79fa83c94..bb15a9d358 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
@@ -23,7 +23,7 @@ ms.topic: article
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink)
 Investigate the details of an alert raised on a specific machine to identify other behaviors or events that might be related to the alert or the potential scope of the breach.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md
index 4ef33de1cf..ed90aafde4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md
@@ -23,7 +23,7 @@ ms.date: 04/24/2018
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatgeuser-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatgeuser-abovefoldlink)
 ## Investigate user account entities
diff --git a/windows/security/threat-protection/microsoft-defender-atp/is-domain-seen-in-org.md b/windows/security/threat-protection/microsoft-defender-atp/is-domain-seen-in-org.md
deleted file mode 100644
index 38debbe291..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/is-domain-seen-in-org.md
+++ /dev/null
@@ -1,82 +0,0 @@
----
-title: Is domain seen in org API
-description: Use this API to create calls related to checking whether a domain was seen in the organization.
-keywords: apis, graph api, supported apis, domain, domain seen
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Was domain seen in org (Deprecated)
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Answers whether a domain was seen in the organization.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Url.Read.All | 'Read URLs'
-Delegated (work or school account) | URL.Read.All | 'Read URLs'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
-
-## HTTP request
-```
-GET /api/domains/{domain}
-```
-
-## Request headers
-
-Header | Value
-:---|:---
-Authorization | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful and domain exists - 200 OK. If domain does not exist - 404 Not Found.
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-[!include[Improve request performance](improve-request-performance.md)]
-
-```
-GET https://api.securitycenter.windows.com/api/domains/example.com
-Content-type: application/json
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```
-HTTP/1.1 200 OK
-Content-type: application/json
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Domains/$entity",
- "host": "example.com"
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/is-ip-seen-org.md b/windows/security/threat-protection/microsoft-defender-atp/is-ip-seen-org.md
deleted file mode 100644
index f112796be2..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/is-ip-seen-org.md
+++ /dev/null
@@ -1,82 +0,0 @@
----
-title: Is IP seen in org API
-description: Answers whether an IP was seen in the organization.
-keywords: apis, graph api, supported apis, is, ip, seen, org, organization
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Was IP seen in org (Deprecated)
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Answers whether an IP was seen in the organization.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Ip.Read.All | 'Read IP address profiles'
-Delegated (work or school account) | Ip.Read.All | 'Read IP address profiles'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
-
-## HTTP request
-```
-GET /api/ips/{ip}
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful and IP exists - 200 OK. If IP do not exist - 404 Not Found.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/ips/10.209.67.177
-```
-
-**Response**
-
-Here is an example of the response.
-
-[!include[Improve request performance](improve-request-performance.md)]
-
-
-```
-HTTP/1.1 200 OK
-Content-type: application/json
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Ips/$entity",
- "id": "10.209.67.177"
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/licensing.md b/windows/security/threat-protection/microsoft-defender-atp/licensing.md
index 105fc8bd52..3b8b796791 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/licensing.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/licensing.md
@@ -24,7 +24,7 @@ ms.topic: article
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-validatelicense-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-validatelicense-abovefoldlink)
 ## Check license state
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md b/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md
index 788a106f59..e526c0bead 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md
@@ -23,7 +23,7 @@ ms.topic: article
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-machinesview-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-machinesview-abovefoldlink)
 The **Machines list** shows a list of the machines in your network where alerts were generated. By default, the queue displays machines with alerts seen in the last 30 days.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md
index 36e579945b..92f89df9a7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md
@@ -22,7 +22,7 @@ ms.topic: article
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-managealerts-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-managealerts-abovefoldlink)
 Microsoft Defender ATP notifies you of possible malicious events, attributes, and contextual information through alerts. A summary of new alerts is displayed in the **Security operations dashboard**, and you can access all alerts in the **Alerts queue**.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-allowed-blocked-list.md b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-allowed-blocked-list.md
index b30f739163..942d0dc63b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-allowed-blocked-list.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-allowed-blocked-list.md
@@ -24,7 +24,7 @@ ms.topic: article
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
 Create a rule to control which entities are automatically incriminated or exonerated during Automated investigations.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md
index cdf8cabeb1..7268e93b7a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md
@@ -26,7 +26,7 @@ ms.topic: article
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationefileuploads-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationefileuploads-abovefoldlink)
 Enable the content analysis capability so that certain files and email attachments can automatically be uploaded to the cloud for additional inspection in Automated investigation.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md
index 2ff51aee05..e05d6ca55c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md
@@ -26,7 +26,7 @@ ms.topic: article
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionfolder-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionfolder-abovefoldlink)
 Automation folder exclusions allow you to specify folders that the Automated investigation will skip.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
index a5f617c624..d3d6f19fe5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
@@ -23,7 +23,7 @@ ms.topic: article
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
 Create indicators that define the detection, prevention, and exclusion of entities. You can define the action to be taken as well as the duration for when to apply the action as well as the scope of the machine group to apply it to.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md
index c4c4ca728b..d6f7f0fecf 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md
@@ -23,7 +23,7 @@ ms.topic: conceptual
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mgt-apis-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-mgt-apis-abovefoldlink)
 Microsoft Defender ATP supports a wide variety of options to ensure that customers can easily adopt the platform.
@@ -52,7 +52,6 @@ An important aspect of machine management is the ability to analyze the environm
 Topic | Description
 :---|:---
 Understand threat intelligence concepts | Learn about alert definitions, indicators of compromise, and other threat intelligence concepts.
-Supported Microsoft Defender ATP APIs | Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses.
 Managed security service provider | Get a quick overview on managed security service provider support.
@@ -61,7 +60,7 @@ Managed security service provider | Get a quick overview on managed security ser
 ## Related topics
 - [Onboard machines](onboard-configure.md)
 - [Enable the custom threat intelligence application](enable-custom-ti.md)
-- [Microsoft Defender ATP Public API](use-apis.md)
+- [Microsoft Defender ATP Public API](apis-intro.md)
 - [Pull alerts to your SIEM tools](configure-siem.md)
 - [Create and build Power BI reports using Microsoft Defender ATP data](powerbi-reports.md)
 - [Role-based access control](rbac.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
index 70561d13b0..884822f607 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
@@ -19,7 +19,7 @@ ms.topic: conceptual
 # Microsoft Defender Advanced Threat Protection
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-main-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-main-abovefoldlink)
 >
 >For more info about Windows 10 Enterprise Edition features and functionality, see [Windows 10 Enterprise edition](https://www.microsoft.com/WindowsForBusiness/buy).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
index ba54f650be..bf702f03ac 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
@@ -24,7 +24,7 @@ ms.topic: conceptual
 There are some minimum requirements for onboarding machines to the service. Learn about the licensing, hardware and software requirements, and other configuration settings to onboard devices to the service.
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-minreqs-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-minreqs-abovefoldlink)
 >[!TIP]
@@ -38,7 +38,7 @@ Microsoft Defender Advanced Threat Protection requires one of the following Micr
 - Windows 10 Education E5
 - Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
-For more information on the array of features in Windows 10 editions, see [Compare Windows 10 editions](https://www.microsoft.com/en-us/windowsforbusiness/compare).
+For more information on the array of features in Windows 10 editions, see [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare).
 For a detailed comparison table of Windows 10 commercial edition comparison, see the [comparison PDF](https://go.microsoft.com/fwlink/p/?linkid=2069559).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md b/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md
index 35519d3909..c9a4eb35da 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md
@@ -22,7 +22,7 @@ ms.topic: conceptual
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mssp-support-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-mssp-support-abovefoldlink)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
similarity index 80%
rename from windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
rename to windows/security/threat-protection/microsoft-defender-atp/network-protection.md
index e4fccb655d..eb4b64456b 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: levinec
 ms.author: ellevin
 ms.date: 04/30/2019
@@ -20,40 +21,40 @@ manager: dansimp
 **Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
+Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. It expands the scope of [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname). Network protection is supported beginning with Windows 10, version 1709.
->[!TIP]
->You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
+> [!TIP]
+> You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
 Network protection works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
When network protection blocks a connection, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
-You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Network protection would impact your organization if it were enabled.
+You can also use [audit mode](audit-windows-defender.md) to evaluate how Network protection would impact your organization if it were enabled.
 ## Requirements
 Network protection requires Windows 10 Pro, Enterprise E3, E5 and Windows Defender AV real-time protection.
 Windows 10 version | Windows Defender Antivirus
-- | -
+-|-
 Windows 10 version 1709 or later | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled
 ## Review network protection events in the Microsoft Defender ATP Security Center
-Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
+Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
-You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how network protection settings would affect your environment if they were enabled.
+You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to see how network protection settings would affect your environment if they were enabled.
-Here is an example query
+Here is an example query
-```
+```PowerShell
 MiscEvents | where ActionType in ('ExploitGuardNetworkProtectionAudited','ExploitGuardNetworkProtectionBlocked')
 ```
@@ -62,7 +63,7 @@ You can review the Windows event log to see events that are created when network protection blocks (or audits) access to a malicious IP or domain:
-1. [Copy the XML directly](event-views-exploit-guard.md).
+1. [Copy the XML directly](event-views.md).
 2. Click **OK**.
@@ -71,12 +72,10 @@ You can review the Windows event log to see events that are created when network
 Event ID | Description
 -|-
 5007 | Event when settings are changed
- 1125 | Event when network protection fires in audit mode
- 1126 | Event when network protection fires in block mode
+ 1125 | Event when network protection fires in audit mode
+ 1126 | Event when network protection fires in block mode
- ## Related topics
+## Related topics
-Topic | Description
----|---
 [Evaluate network protection](evaluate-network-protection.md) | Undertake a quick scenario that demonstrate how the feature works, and what events would typically be created.
 [Enable network protection](enable-network-protection.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md
index ada385d846..06e453c687 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md
@@ -27,7 +27,7 @@ ms.topic: conceptual
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-offboardmachines-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-offboardmachines-abovefoldlink)
 Follow the corresponding instructions depending on your preferred deployment method.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt
index 422ba4da32..9dd1998f62 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt
+++ b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt
@@ -27,10 +27,10 @@
 #### [Application control]()
 ##### [Windows Defender Application Guard](../windows-defender-application-control/windows-defender-application-control.md)
-#### [Exploit protection](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md)
-#### [Network protection](../windows-defender-exploit-guard/network-protection-exploit-guard.md)
-#### [Controlled folder access](../windows-defender-exploit-guard/controlled-folders-exploit-guard.md)
-#### [Attack surface reduction](../windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md)
+#### [Exploit protection](../windows-defender-exploit-guard/exploit-protection.md)
+#### [Network protection](../windows-defender-exploit-guard/network-protection.md)
+#### [Controlled folder access](../windows-defender-exploit-guard/controlled-folders.md)
+#### [Attack surface reduction](../windows-defender-exploit-guard/attack-surface-reduction.md)
 #### [Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md)
@@ -196,8 +196,8 @@
 #### [Network protection](../windows-defender-exploit-guard/enable-network-protection.md)
 #### [Controlled folder access]()
-##### [Enable controlled folder access](../windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md)
-##### [Customize controlled folder access](../windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md)
+##### [Enable controlled folder access](../windows-defender-exploit-guard/enable-controlled-folders.md)
+##### [Customize controlled folder access](../windows-defender-exploit-guard/customize-controlled-folders.md)
 #### [Attack surface reduction controls]()
 ##### [Enable attack surface reduction rules](../windows-defender-exploit-guard/enable-attack-surface-reduction.md)
@@ -392,7 +392,6 @@ ####### [Get domain related alerts](get-domain-related-alerts.md) ####### [Get domain related machines](get-domain-related-machines.md) ####### [Get domain statistics](get-domain-statistics.md) -####### [Is domain seen in organization (Deprecated)](is-domain-seen-in-org.md) ###### [File]() ####### [Methods and properties](files.md) @@ -403,9 +402,7 @@ ###### [IP]() ####### [Get IP related alerts](get-ip-related-alerts.md) -####### [Get IP related machines (Deprecated)](get-ip-related-machines.md) ####### [Get IP statistics](get-ip-statistics.md) -####### [Is IP seen in organization (Deprecated)](is-ip-seen-org.md) ###### [User]() ####### [Methods](user.md) @@ -428,13 +425,13 @@ ##### [Experiment with custom threat intelligence alerts](experiment-custom-ti.md) ##### [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti.md) -#### [Pull alerts to your SIEM tools]() -##### [Learn about different ways to pull alerts](configure-siem.md) +#### [Pull Detections to your SIEM tools]() +##### [Learn about different ways to pull Detections](configure-siem.md) ##### [Enable SIEM integration](enable-siem-integration.md) -##### [Configure Splunk to pull alerts](configure-splunk.md) -##### [Configure HP ArcSight to pull alerts](configure-arcsight.md) -##### [Microsoft Defender ATP SIEM alert API fields](api-portal-mapping.md) -##### [Pull alerts using SIEM REST API](pull-alerts-using-rest-api.md) +##### [Configure Splunk to pull Detections](configure-splunk.md) +##### [Configure HP ArcSight to pull Detections](configure-arcsight.md) +##### [Microsoft Defender ATP Detection fields](api-portal-mapping.md) +##### [Pull Detections using SIEM REST API](pull-alerts-using-rest-api.md) ##### [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) #### [Reporting]() 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md index e6720fb5ed..52819cd05d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md @@ -24,7 +24,7 @@ ms.topic: conceptual [!include[Prerelease information](prerelease.md)] ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) You'll need to go the onboarding section of the Microsoft Defender ATP portal to onboard any of the supported devices. Depending on the device, you'll be guided with appropriate steps and provided management and deployment tool options suitable for the device. @@ -46,7 +46,7 @@ Topic | Description [Configure proxy and Internet settings](configure-proxy-internet.md)| Enable communication with the Microsoft Defender ATP cloud service by configuring the proxy and Internet connectivity settings. [Troubleshoot onboarding issues](troubleshoot-onboarding.md) | Learn about resolving issues that might arise during onboarding. ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md index 1d8fa91df1..48502bca90 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md @@ -28,7 +28,7 @@ ms.topic: article - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-downlevel-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-downlevel-abovefoldlink) Microsoft Defender ATP extends support to include down-level operating systems, providing advanced attack detection and investigation capabilities on supported Windows versions. @@ -64,7 +64,7 @@ Review the following details to verify minimum system requirements: - Install the [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry) -- Install either [.NET framework 4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework) +- Install either [.NET framework 4.5](https://www.microsoft.com/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework) >[!NOTE] >Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro. 
@@ -112,7 +112,7 @@ Agent Resource | Ports ## Offboard client endpoints To offboard, you can uninstall the MMA agent from the endpoint or detach it from reporting to your Microsoft Defender ATP workspace. After offboarding the agent, the endpoint will no longer send sensor data to Microsoft Defender ATP. ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-downlevele-belowfoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-downlevele-belowfoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md new file mode 100644 index 0000000000..ce96f68340 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md 
@@ -0,0 +1,199 @@ +--- +title: Create an onboarding or offboarding notification rule +description: Get a notification when a local onboarding or offboarding script is used. +keywords: onboarding, offboarding, local, script, notification, rule +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Create a notification rule when a local onboarding or offboarding script is used + +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +Create a notification rule so that when a local onboarding or offboardiing script is used, you'll be notified. + +## Before you begin +You'll need to have access to: + - Microsoft Flow (Flow Plan 1 at a minimum). For more information, see [Flow pricing page](https://flow.microsoft.com/pricing/). + - Azure Table or SharePoint List or Library / SQL DB + +## Create the notification flow + +1. In [flow.microsoft.com](https://flow.microsoft.com/). + +2. Navigate to **My flows > New > Scheduled - from blank**. + + ![Image of flow](images/new-flow.png) + + +3. Build a scheduled flow. + 1. Enter a flow name. + 2. Specify the start and time. + 3. Specify the frequency. For example, every 5 minutes. + + ![Image of the notification flow](images/build-flow.png) + +4. Select the + button to add a new action. The new action will be an HTTP request to the Microsoft Defender ATP security center machine(s) API. You can also replace it with the out-of-the-box "WDATP Connector" (action: "Machines - Get list of machines"). + + ![Image of recurrence and add action](images/recurrence-add.png) + + +5. Enter the following HTTP fields: + + - Method: "GET" as a value to get the list of machines. 
+ - URI: Enter `https://api.securitycenter.windows.com/api/machines`. + - Authentication: Select "Active Directory OAuth". + - Tenant: Sign-in to http://portal.azure.com and navigate to **Azure Active Directory > App Registrations** and get the Tenant ID value. + - Audience: `https://securitycenter.onmicrosoft.com/windowsatpservice\` + - Client ID: Sign-in to http://portal.azure.com and navigate to **Azure Active Directory > App Registrations** and get the Client ID value. + - Credential Type: Select "Secret". + - Secret: Sign-in to http://portal.azure.com and navigate tnd navigate to **Azure Active Directory > App Registrations** and get the Tenant ID value. + + ![Image of the HTTP conditions](images/http-conditions.png) + + +6. Add a new step by selecting **Add new action** then search for **Data Operations** and select +**Parse JSON**. + + ![Image of data operations](images/data-operations.png) + +7. Add Body in the **Content** field. + + ![Image of parse JSON](images/parse-json.png) + +8. Select the **Use sample payload to generate schema** link. + + ![Image of parse json with payload](images/parse-json-schema.png) + +9. 
Copy and paste the following JSON snippet: + + ``` + { + "type": "object", + "properties": { + "@@odata.context": { + "type": "string" + }, + "value": { + "type": "array", + "items": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "computerDnsName": { + "type": "string" + }, + "firstSeen": { + "type": "string" + }, + "lastSeen": { + "type": "string" + }, + "osPlatform": { + "type": "string" + }, + "osVersion": {}, + "lastIpAddress": { + "type": "string" + }, + "lastExternalIpAddress": { + "type": "string" + }, + "agentVersion": { + "type": "string" + }, + "osBuild": { + "type": "integer" + }, + "healthStatus": { + "type": "string" + }, + "riskScore": { + "type": "string" + }, + "exposureScore": { + "type": "string" + }, + "aadDeviceId": {}, + "machineTags": { + "type": "array" + } + }, + "required": [ + "id", + "computerDnsName", + "firstSeen", + "lastSeen", + "osPlatform", + "osVersion", + "lastIpAddress", + "lastExternalIpAddress", + "agentVersion", + "osBuild", + "healthStatus", + "rbacGroupId", + "rbacGroupName", + "riskScore", + "exposureScore", + "aadDeviceId", + "machineTags" + ] + } + } + } + } + + ``` + +10. Extract the values from the JSON call and check if the onboarded machine(s) is / are already registered at the SharePoint list as an example: +- If yes, no notification will be triggered +- If no, will register the new onboarded machine(s) in the SharePoint list and a notification will be sent to the Microsoft Defender ATP admin + + ![Image of apply to each](images/flow-apply.png) + + ![Image of apply to each with get items](images/apply-to-each.png) + +11. Under **Condition**, add the following expression: "length(body('Get_items')?['value'])" and set the condition to equal to 0. 
+ + ![Image of apply to each condition](images/apply-to-each-value.png) + ![Image of condition](images/conditions-2.png) + ![Image of condition](images/condition3.png) + ![Image of send email](images/send-email.png) + +## Alert notification +The following image is an example of an email notification. + +![Image of email notification](images/alert-notification.png) + + +## Tips + +- You can filter here using lastSeen only: + - Every 60 min: + - Take all machines last seen in the past 7 days. + +- For each machine: + - If last seen property is on the one hour interval of [-7 days, -7days + 60 minutes ] -> Alert for offboarding possibility. + - If first seen is on the past hour -> Alert for onboarding. + +In this solution you will not have duplicate alerts: +There are tenants that have numerous machines. Getting all those machines might be very expensive and might require paging. + +You can split it to two queries: +1. For offboarding take only this interval using the OData $filter and only notify if the conditions are met. +2. Take all machines last seen in the past hour and check first seen property for them (if the first seen property is on the past hour, the last seen must be there too). + diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md index 71c91ea9c0..eeaaedc402 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md 
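Review bot: The `Secret` bullet in step 5 tells the reader to go fetch the Tenant ID value again, which is a copy-paste error — the value that belongs there is the client secret created for the app registration, so the line should read something like `- Secret: Sign-in to https://portal.azure.com, navigate to **Azure Active Directory > App Registrations > Certificates & secrets**, and create/copy a client secret value.` Pasting that secret straight into the HTTP action stores it in the flow definition where anyone who can edit the flow can read it, and it grants the flow read access to the tenant's whole machine inventory, so a short caveat recommending a secure input or a secrets store, and a reminder to rotate the secret if the flow is shared, would be worth adding next to that bullet. The `Audience` value ends in a stray backslash (`https://securitycenter.onmicrosoft.com/windowsatpservice\`), which yields a malformed resource identifier in the token request, and the three `http://portal.azure.com` links should be `https://portal.azure.com`. Separately, the Parse JSON schema lists `rbacGroupId` and `rbacGroupName` under `required` without declaring them in `properties`, so the step rejects any response that omits those fields; either add them to `properties` or drop them from `required`.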
@@ -2,7 +2,7 @@ title: Overview of attack surface reduction ms.reviewer: description: Learn about the attack surface reduction capability in Microsoft Defender ATP -keywords: +keywords: asr, attack surface reduction, microsoft defender atp, microsoft defender, antivirus, av, windows defender search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 
@@ -21,16 +21,16 @@ ms.topic: conceptual # Overview of attack surface reduction **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Reduce your attack surfaces by minimizing the places where your organization is vulnerable to cyberthreats and attacks. Use the following resources to configure protection for the devices and applications in your organization. +Reduce your attack surfaces by minimizing the places where your organization is vulnerable to cyberthreats and attacks. Use the following resources to configure protection for the devices and applications in your organization. -| Article | Description | -|------------|-------------| -| [Hardware-based isolation](../windows-defender-application-guard/wd-app-guard-overview.md) | Protect and maintain the integrity of a system as it starts and while it's running. Validate system integrity through local and remote attestation. And, use container isolation for Microsoft Edge to help guard against malicious websites. | -| [Application control](../windows-defender-application-control/windows-defender-application-control.md) | Use application control so that your applications must earn trust in order to run. | -| [Exploit protection](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md) |Help protect operating systems and apps your organization uses from being exploited. Exploit protection also works with third-party antivirus solutions. | -| [Network protection](../windows-defender-exploit-guard/network-protection-exploit-guard.md) |Extend protection to your network traffic and connectivity on your organization's devices. 
(Requires Windows Defender Antivirus) | -| [Controlled folder access](../windows-defender-exploit-guard/controlled-folders-exploit-guard.md) | Help prevent malicious or suspicious apps (including file-encrypting ransomware malware) from making changes to files in your key system folders (Requires Windows Defender Antivirus) | -| [Attack surface reduction](../windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md) |Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware. (Requires Windows Defender Antivirus) | -| [Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md) |Prevent unauthorized traffic from flowing to or from your organization's devices with two-way network traffic filtering. | +Article | Description +-|- +[Hardware-based isolation](../windows-defender-application-guard/wd-app-guard-overview.md) | Protect and maintain the integrity of a system as it starts and while it's running. Validate system integrity through local and remote attestation. And, use container isolation for Microsoft Edge to help guard against malicious websites. +[Application control](../windows-defender-application-control/windows-defender-application-control.md) | Use application control so that your applications must earn trust in order to run. +[Exploit protection](./exploit-protection.md) |Help protect operating systems and apps your organization uses from being exploited. Exploit protection also works with third-party antivirus solutions. +[Network protection](./network-protection.md) |Extend protection to your network traffic and connectivity on your organization's devices. 
(Requires Windows Defender Antivirus) | +[Controlled folder access](./controlled-folders.md) | Help prevent malicious or suspicious apps (including file-encrypting ransomware malware) from making changes to files in your key system folders (Requires Windows Defender Antivirus) +[Attack surface reduction](./attack-surface-reduction.md) |Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware. (Requires Windows Defender Antivirus) +[Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md) |Prevent unauthorized traffic from flowing to or from your organization's devices with two-way network traffic filtering. diff --git a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md index 84cf299759..a9df33b283 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md @@ -24,7 +24,7 @@ ms.topic: conceptual ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) Enterprise security teams can use Microsoft Defender Security Center to monitor and assist in responding to alerts of potential advanced persistent threat (APT) activity or data breaches. diff --git a/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md b/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md index 8a85c8796f..e5488e3ca6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md @@ -28,7 +28,7 @@ ms.topic: article > [!TIP] > Go to **Advanced features** in the **Settings** page to turn on the preview features. > -> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-powerbireports-abovefoldlink) +> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-powerbireports-abovefoldlink) Understand the security status of your organization, including the status of machines, alerts, and investigations using the Microsoft Defender ATP reporting feature that integrates with Power BI. diff --git a/windows/security/threat-protection/microsoft-defender-atp/powershell-example-code.md b/windows/security/threat-protection/microsoft-defender-atp/powershell-example-code.md index f61fc0625f..f6b61b0834 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/powershell-example-code.md +++ b/windows/security/threat-protection/microsoft-defender-atp/powershell-example-code.md @@ -172,7 +172,7 @@ $ioc = -Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json) ``` ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-psexample-belowfoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-psexample-belowfoldlink) ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md b/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md index e5f2d93731..8254b7e5b3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md @@ -22,7 +22,7 @@ ms.topic: article **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-prefsettings-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-prefsettings-abovefoldlink) Use the **Settings** menu to modify general settings, advanced features, enable the preview experience, email notifications, and the custom threat intelligence feature. diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md b/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md index b92d9d416a..148fcc631d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md +++ b/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md @@ -21,7 +21,7 @@ ms.topic: article **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-previewsettings-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-previewsettings-abovefoldlink) Turn on the preview experience setting to be among the first to try upcoming features. diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md index a18bcddf2c..672accaabf 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md @@ -45,8 +45,6 @@ The following features are included in the preview release: - [Evaluation lab](evaluation-lab.md)
    The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and environment configuration so that you can focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action. -- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-2008-r2-sp1--windows-server-2012-r2-and-windows-server-2016)
    You can now onboard Windows Server 2008 R2 SP1. - - [Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac)
    Microsoft Defender ATP for Mac brings the next-generation protection, and endpoint detection and response coverage to Mac devices. Core components of the unified endpoint security platform will now be available for Mac devices. - [Live response](live-response.md)
    Get instantaneous access to a machine using a remote shell connection. Do in-depth investigative work and take immediate response actions to promptly contain identified threats – real-time. @@ -71,4 +69,4 @@ Information protection is an integral part of Microsoft 365 Enterprise suite, pr - [Power BI reports using Microsoft Defender ATP data](powerbi-reports.md)
    Microsoft Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal. ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-preview-belowfoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-preview-belowfoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md index abf6c2fb00..4be1886be4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md @@ -1,7 +1,7 @@ --- -title: Pull Microsoft Defender ATP alerts using REST API -description: Pull alerts from Microsoft Defender ATP REST API. -keywords: alerts, pull alerts, rest api, request, response +title: Pull Microsoft Defender ATP detections using REST API +description: Pull detections from Microsoft Defender ATP REST API. +keywords: detections, pull detections, rest api, request, response search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 
@@ -17,16 +17,20 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Pull Microsoft Defender ATP alerts using SIEM REST API +# Pull Microsoft Defender ATP detections using SIEM REST API **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-pullalerts-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-pullalerts-abovefoldlink) -Microsoft Defender ATP supports the OAuth 2.0 protocol to pull alerts from the portal. +>[!Note] +>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections +>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details. + +Microsoft Defender ATP supports the OAuth 2.0 protocol to pull detections from the API. In general, the OAuth 2.0 protocol supports four types of flows: - Authorization grant flow 
@@ -36,19 +40,19 @@ In general, the OAuth 2.0 protocol supports four types of flows: For more information about the OAuth specifications, see the [OAuth Website](http://www.oauth.net). -Microsoft Defender ATP supports the _Authorization grant flow_ and _Client credential flow_ to obtain access to generate alerts from the portal, with Azure Active Directory (AAD) as the authorization server. +Microsoft Defender ATP supports the _Authorization grant flow_ and _Client credential flow_ to obtain access to pull detections, with Azure Active Directory (AAD) as the authorization server. The _Authorization grant flow_ uses user credentials to get an authorization code, which is then used to obtain an access token. The _Client credential flow_ uses client credentials to authenticate against the Microsoft Defender ATP endpoint URL. This flow is suitable for scenarios when an OAuth client creates requests to an API that doesn't require user credentials. -Use the following method in the Microsoft Defender ATP API to pull alerts in JSON format. +Use the following method in the Microsoft Defender ATP API to pull detections in JSON format. >[!NOTE] >Microsoft Defender Security Center merges similar alert detections into a single alert. This API pulls alert detections in its raw form based on the query parameters you set, enabling you to apply your own grouping and filtering. ## Before you begin -- Before calling the Microsoft Defender ATP endpoint to pull alerts, you'll need to enable the SIEM integration application in Azure Active Directory (AAD). For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md). +- Before calling the Microsoft Defender ATP endpoint to pull detections, you'll need to enable the SIEM integration application in Azure Active Directory (AAD). For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md). 
- Take note of the following values in your Azure application registration. You need these values to configure the OAuth flow in your service or daemon app: - Application ID (unique to your application) @@ -59,7 +63,7 @@ Use the following method in the Microsoft Defender ATP API to pull alerts in JSO ## Get an access token Before creating calls to the endpoint, you'll need to get an access token. -You'll use the access token to access the protected resource, which are alerts in Microsoft Defender ATP. +You'll use the access token to access the protected resource, which are detections in Microsoft Defender ATP. To get an access token, you'll need to do a POST request to the token issuing endpoint. Here is a sample request: @@ -105,23 +109,23 @@ Use optional query parameters to specify and control the amount of data returned Name | Value| Description :---|:---|:--- -DateTime?sinceTimeUtc | string | Defines the lower time bound alerts are retrieved from, based on field:
    `LastProcessedTimeUtc`
    The time range will be: from sinceTimeUtc time to current time.

    **NOTE**: When not specified, all alerts generated in the last two hours are retrieved. -DateTime?untilTimeUtc | string | Defines the upper time bound alerts are retrieved.
    The time range will be: from `sinceTimeUtc` time to `untilTimeUtc` time.

    **NOTE**: When not specified, the default value will be the current time. -string ago | string | Pulls alerts in the following time range: from `(current_time - ago)` time to `current_time` time.

    Value should be set according to **ISO 8601** duration format
    E.g. `ago=PT10M` will pull alerts received in the last 10 minutes. -int?limit | int | Defines the number of alerts to be retrieved. Most recent alerts will be retrieved based on the number defined.

    **NOTE**: When not specified, all alerts available in the time range will be retrieved. -machinegroups | String | Specifies machine groups to pull alerts from.

    **NOTE**: When not specified, alerts from all machine groups will be retrieved.

    Example:

    ```https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts/?machinegroups=UKMachines&machinegroups=FranceMachines``` +sinceTimeUtc | DateTime | Defines the lower time bound alerts are retrieved from, based on field:
    `LastProcessedTimeUtc`
    The time range will be: from sinceTimeUtc time to current time.

    **NOTE**: When not specified, all alerts generated in the last two hours are retrieved. +untilTimeUtc | DateTime | Defines the upper time bound alerts are retrieved.
    The time range will be: from `sinceTimeUtc` time to `untilTimeUtc` time.

    **NOTE**: When not specified, the default value will be the current time. +ago | string | Pulls alerts in the following time range: from `(current_time - ago)` time to `current_time` time.

    Value should be set according to **ISO 8601** duration format
    E.g. `ago=PT10M` will pull alerts received in the last 10 minutes. +limit | int | Defines the number of alerts to be retrieved. Most recent alerts will be retrieved based on the number defined.

    **NOTE**: When not specified, all alerts available in the time range will be retrieved. +machinegroups | string | Specifies machine groups to pull alerts from.

    **NOTE**: When not specified, alerts from all machine groups will be retrieved.

    Example:

    ```https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts/?machinegroups=UKMachines&machinegroups=FranceMachines``` DeviceCreatedMachineTags | string | Single machine tag from the registry. CloudCreatedMachineTags | string | Machine tags that were created in Microsoft Defender Security Center. ### Request example -The following example demonstrates how to retrieve all the alerts in your organization. +The following example demonstrates how to retrieve all the detections in your organization. ```syntax GET https://wdatp-alertexporter-eu.windows.com/api/alerts Authorization: Bearer ``` -The following example demonstrates a request to get the last 20 alerts since 2016-09-12 00:00:00. +The following example demonstrates a request to get the last 20 detections since 2016-09-12 00:00:00. ```syntax GET https://wdatp-alertexporter-eu.windows.com/api/alerts?limit=20&sinceTimeUtc=2016-09-12T00:00:00.000 @@ -178,14 +182,14 @@ AuthenticationContext context = new AuthenticationContext(string.Format("https:/ ClientCredential clientCredentials = new ClientCredential(clientId, clientSecret); AuthenticationResult authenticationResult = context.AcquireToken(resource, clientCredentials); ``` -### Use token to connect to the alerts endpoint +### Use token to connect to the detections endpoint ``` HttpClient httpClient = new HttpClient(); httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(authenticationResult.AccessTokenType, authenticationResult.AccessToken); HttpResponseMessage response = httpClient.GetAsync("https://wdatp-alertexporter-eu.windows.com/api/alert").GetAwaiter().GetResult(); -string alertsJson = response.Content.ReadAsStringAsync().Result; -Console.WriteLine("Got alert list: {0}", alertsJson); +string detectionsJson = response.Content.ReadAsStringAsync().Result; +Console.WriteLine("Got detections list: {0}", detectionsJson); ``` 
@@ -203,7 +207,7 @@ HTTP error code | Description
 ## Related topics
 - [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
-- [Configure ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight.md)
-- [Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk.md)
-- [Microsoft Defender ATP alert API fields](api-portal-mapping.md)
+- [Configure ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
+- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)
+- [Microsoft Defender ATP Detection fields](api-portal-mapping.md)
 - [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/python-example-code.md b/windows/security/threat-protection/microsoft-defender-atp/python-example-code.md
index 58a9f19fcf..b43a956f6e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/python-example-code.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/python-example-code.md
@@ -176,7 +176,7 @@ with requests.Session() as session:
 ```
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-pyexample-belowfoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-pyexample-belowfoldlink)
 ## Related topics
diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md
index 6dfcdb8e95..eb9229c327 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md
@@ -23,7 +23,7 @@ ms.topic: article
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
+Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
 ## Before you begin:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md
index d969ecb9ab..9af5941965 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md
@@ -23,7 +23,7 @@ ms.topic: article
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
+Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
 ## Before you begin:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md
index 3da3cdc512..fa657fb30d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md
@@ -23,7 +23,7 @@ ms.topic: article
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
 ## Stream Advanced Hunting events to Event Hubs and/or Azure storage account.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/rbac.md b/windows/security/threat-protection/microsoft-defender-atp/rbac.md
index 2264afd86c..8fe8e896cd 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/rbac.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/rbac.md
@@ -23,7 +23,7 @@ ms.topic: article
 - Office 365
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-rbac-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-rbac-abovefoldlink)
 Using role-based access control (RBAC), you can create roles and groups within your security operations team to grant appropriate access to the portal. Based on the roles and groups you create, you have fine-grained control over what users with access to the portal can see and do.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
index 3910cda2ff..b16fd509b6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
@@ -25,7 +25,7 @@ ms.topic: article
 [!include[Prerelease information](prerelease.md)]
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-responddile-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-responddile-abovefoldlink)
 Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files, you can check activity details in the Action center.
@@ -40,6 +40,18 @@ Response actions run along the top of the file page, and include:
 You can also submit files for deep analysis, to run the file in a secure cloud sandbox. When the analysis is complete, you'll get a detailed report that provides information about the behavior of the file. You can submit files for deep analysis and read past reports by selecting the **Deep analysis** tab. It's located below the file information cards.
+Some actions require certain permissions. The following table describes what action certain permissions can take on portable executable (PE) and non-PE files:
+
+Permission | PE files | Non-PE files
+:---|:---|:---
+View data | X | X
+Alerts investigation | ☑ | X
+Live response basic | X | X
+Live response advanced | ☑ |☑
+
+For more information on roles, see [Create and manage roles for role-based access control](user-roles.md).
+
+
 ## Stop and quarantine files in your network
 You can contain an attack in your organization by stopping the malicious process and quarantining the file where it was observed.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md
index d9cfb97c3f..725657d4e9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md
@@ -22,7 +22,7 @@ ms.topic: article
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-respondmachine-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-respondmachine-abovefoldlink)
 Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking action on machines, you can check activity details on the Action center.
@@ -188,3 +188,4 @@ All other related details are also shown, for example, submission date/time, sub
 ## Related topic
 - [Take response actions on a file](respond-file-alerts.md)
+- [Report inaccuracy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md b/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md
index 1bef9658a6..75423bc86d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md
@@ -18,38 +18,44 @@ ms.topic: conceptual --- # Configure the security controls in Secure score -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->[!NOTE] -> Secure score is now part of [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) as [Configuration score](configuration-score.md). The secure score page will be available for a few weeks. View the [Secure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score) page. +**Applies to:** + +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +> [!NOTE] +> Secure score is now part of [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) as [Configuration score](configuration-score.md). The secure score page will be available for a few weeks. View the [Secure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score) page. Each security control lists recommendations that you can take to increase the security posture of your organization. ### Endpoint detection and response (EDR) optimization + A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for your Endpoint detection and response tool. ->[!IMPORTANT] ->This feature is available for machines on Windows 10, version 1607 or later. +> [!IMPORTANT] +> This feature is available for machines on Windows 10, version 1607 or later. 
-#### Minimum baseline configuration setting for EDR: -- Microsoft Defender ATP sensor is on -- Data collection is working correctly -- Communication to Microsoft Defender ATP service is not impaired +#### Minimum baseline configuration setting for EDR + +* Microsoft Defender ATP sensor is on +* Data collection is working correctly +* Communication to Microsoft Defender ATP service is not impaired + +##### Recommended actions -##### Recommended actions: You can take the following actions to increase the overall security score of your organization: -- Turn on sensor -- Fix sensor data collection -- Fix impaired communications -For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). +* Turn on sensor +* Fix sensor data collection +* Fix impaired communications + +For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). ### Windows Defender Antivirus (Windows Defender AV) optimization A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender AV. ->[!IMPORTANT] ->This feature is available for machines on Windows 10, version 1607 or later. +> [!IMPORTANT] +> This feature is available for machines on Windows 10, version 1607 or later. #### Minimum baseline configuration setting for Windows Defender AV: A well-configured machine for Windows Defender AV meets the following requirements: @@ -60,7 +66,6 @@ A well-configured machine for Windows Defender AV meets the following requiremen - Real-time protection is on - Potentially Unwanted Application (PUA) protection is enabled -##### Recommended actions: You can take the following actions to increase the overall security score of your organization: >[!NOTE] 
@@ -75,52 +80,56 @@ You can take the following actions to increase the overall security score of you For more information, see [Configure Windows Defender Antivirus](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md). - ### OS security updates optimization + This tile shows you the number of machines that require the latest security updates. It also shows machines that are running on the latest Windows Insider preview build and serves as a reminder to ensure that users should run the latest builds. - ->[!IMPORTANT] ->This feature is available for machines on Windows 10, version 1607 or later. + +> [!IMPORTANT] +> This feature is available for machines on Windows 10, version 1607 or later. You can take the following actions to increase the overall security score of your organization: -- Install the latest security updates -- Fix sensor data collection - - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). + +* Install the latest security updates +* Fix sensor data collection + * The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). For more information, see [Windows Update Troubleshooter](https://support.microsoft.com/help/4027322/windows-windows-update-troubleshooter). 
- ### Windows Defender Exploit Guard (Windows Defender EG) optimization -A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on machines to meet the minimum baseline configuration setting for Windows Defender EG. When endpoints are configured according to the baseline, the Windows Defender EG events shows on the Microsoft Defender ATP Machine timeline. + +A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on machines to meet the minimum baseline configuration setting for Microsoft Defender EG. When endpoints are configured according to the baseline the Microsoft Defender EG events shows on the Microsoft Defender ATP Machine timeline. ->[!IMPORTANT] ->This security control is only applicable for machines with Windows 10, version 1709 or later. +> [!IMPORTANT] +> This security control is only applicable for machines with Windows 10, version 1709 or later. -#### Minimum baseline configuration setting for Windows Defender EG: -A well-configured machine for Windows Defender EG meets the following requirements: +#### Minimum baseline configuration setting for Windows Defender EG -- System level protection settings are configured correctly -- Attack Surface Reduction rules are configured correctly -- Controlled Folder Access setting is configured correctly +Machines are considered "well configured" for Microsoft Defender EG if the following requirements are met: + +* System level protection settings are configured correctly +* Attack Surface Reduction rules are configured correctly +* Controlled Folder Access setting is configured correctly + +##### System level protection -##### System level protection: The following system level configuration settings must be set to **On or Force On**: -1. Control Flow Guard +1. Control Flow Guard 2. Data Execution Prevention (DEP) 3. Randomize memory allocations (Bottom-up ASLR) 4. 
Validate exception chains (SEHOP) 5. Validate heap integrity ->[!NOTE] ->The setting **Force randomization for images (Mandatory ASLR)** is currently excluded from the baseline. ->Consider configuring **Force randomization for images (Mandatory ASLR)** to **On or Force On** for better protection. +> [!NOTE] +> The setting **Force randomization for images (Mandatory ASLR)** is currently excluded from the baseline. +> Consider configuring **Force randomization for images (Mandatory ASLR)** to **On or Force On** for better protection. + +##### Attack Surface Reduction (ASR) rules -##### Attack Surface Reduction (ASR) rules: The following ASR rules must be configured to **Block mode**: -Rule description | GUIDs +Rule description | GUIDs -|- Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A 
@@ -129,34 +138,34 @@ Impede JavaScript and VBScript to launch executables | D3E037E1-3EB8-44C8-A917-5 Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC Block Win32 imports from Macro code in Office | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B - - ->[!NOTE] ->The setting **Block Office applications from injecting into other processes** with GUID 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 is excluded from the baseline. ->Consider enabling this rule in **Audit** or **Block mode** for better protection. - +> [!NOTE] +> The setting **Block Office applications from injecting into other processes** with GUID 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 is excluded from the baseline. +> Consider enabling this rule in **Audit** or **Block mode** for better protection. ##### Controlled Folder Access + The Controlled Folder Access setting must be configured to **Audit mode** or **Enabled**. ->[!NOTE] +> [!NOTE] > Audit mode, allows you to see audit events in the Microsoft Defender ATP Machine timeline however it does not block suspicious applications. ->Consider enabling Controlled Folder Access for better protection. +> Consider enabling Controlled Folder Access for better protection. + +##### Recommended actions -##### Recommended actions: You can take the following actions to increase the overall security score of your organization: + - Turn on all system-level Exploit Protection settings - Set all ASR rules to enabled or audit mode - Turn on Controlled Folder Access - Turn on Windows Defender Antivirus on compatible machines -For more information, see [Windows Defender Exploit Guard](../windows-defender-exploit-guard/windows-defender-exploit-guard.md). - ### Windows Defender Application Guard (Windows Defender AG) optimization A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender AG. 
When endpoints are configured according to the baseline, Windows Defender AG events shows on the Microsoft Defender ATP Machine timeline. ->[!IMPORTANT] ->This security control is only applicable for machines with Windows 10, version 1709 or later. +A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender AG. When endpoints are configured according to the baseline, Microsoft Defender AG events shows on the Microsoft Defender ATP Machine timeline. + +> [!IMPORTANT] +> This security control is only applicable for machines with Windows 10, version 1709 or later. #### Minimum baseline configuration setting for Windows Defender AG: A well-configured machine for Windows Defender AG meets the following requirements: 
@@ -165,104 +174,114 @@ A well-configured machine for Windows Defender AG meets the following requiremen - Windows Defender AG is turned on compatible machines - Managed mode is turned on -##### Recommended actions: You can take the following actions to increase the overall security score of your organization: -- Ensure that you meet the hardware and software prerequisites - - >[!NOTE] - >This improvement item does not contribute to the security score in itself because it's not a prerequisite for Windows Defender AG. It gives an indication of a potential reason why Windows Defender AG is not turned on. -- Turn on Windows Defender AG on compatible machines -- Turn on managed mode +* Ensure hardware and software prerequisites are met + + > [!NOTE] + > This improvement item does not contribute to the security score in itself because it's not a prerequisite for Microsoft Defender AG. It gives an indication of a potential reason why Microsoft Defender AG is not turned on. + +* Turn on Microsoft Defender AG on compatible machines +* Turn on managed mode -For more information, see [Windows Defender Application Guard overview](../windows-defender-application-guard/wd-app-guard-overview.md). +For more information, see [Microsoft Defender Application Guard overview](../windows-defender-application-guard/wd-app-guard-overview.md). +### Windows Defender SmartScreen optimization -### Windows Defender SmartScreen optimization -A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender SmartScreen. +A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender SmartScreen. 
->[!WARNING] -> Data collected by Windows Defender SmartScreen might be stored and processed outside of the storage location you have selected for your Microsoft Defender ATP data. +> [!WARNING] +> Data collected by Microsoft Defender SmartScreen might be stored and processed outside of the storage location you have selected for your Microsoft Defender ATP data. - ->[!IMPORTANT] ->This security control is only applicable for machines with Windows 10, version 1709 or later. +> [!IMPORTANT] +> This security control is only applicable for machines with Windows 10, version 1709 or later. #### Minimum baseline configuration setting for Windows Defender SmartScreen: -The following settings must be configured with the following settings: -- Check apps and files: **Warn** or **Block** -- SmartScreen for Microsoft Edge: **Warn** or **Block** -- SmartScreen for Microsoft store apps: **Warn** or **Off** +The following settings must be configured with the following settings: + +* Check apps and files: **Warn** or **Block** +* SmartScreen for Microsoft Edge: **Warn** or **Block** +* SmartScreen for Microsoft store apps: **Warn** or **Off** You can take the following actions to increase the overall security score of your organization: + - Set **Check app and files** to **Warn** or **Block** - Set **SmartScreen for Microsoft Edge** to **Warn** or **Block** - Set **SmartScreen for Microsoft store apps** to **Warn** or **Off** For more information, see [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md). +* Set **Check app and files** to **Warn** or **Block** +* Set **SmartScreen for Microsoft Edge** to **Warn** or **Block** +* Set **SmartScreen for Microsoft store apps** to **Warn** or **Off** +For more information, see [Microsoft Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md). 
### Windows Defender Firewall optimization -A well-configured machine must have Windows Defender Firewall turned on and enabled for all profiles so that inbound connections are blocked by default. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender Firewall. ->[!IMPORTANT] ->This security control is only applicable for machines with Windows 10, version 1709 or later. +A well-configured machine must have Microsoft Defender Firewall turned on and enabled for all profiles so that inbound connections are blocked by default. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender Firewall. -#### Minimum baseline configuration setting for Windows Defender Firewall +> [!IMPORTANT] +> This security control is only applicable for machines with Windows 10, version 1709 or later. -- Windows Defender Firewall is turned on for all network connections -- Secure domain profile by enabling Windows Defender Firewall and ensure that Inbound connections are set to Blocked -- Secure private profile by enabling Windows Defender Firewall and ensure that Inbound connections are set to Blocked -- Secure public profile is configured by enabling Windows Defender Firewall and ensure that Inbound connections are set to Blocked +#### Minimum baseline configuration setting for Windows Defender Firewall + +* Microsoft Defender Firewall is turned on for all network connections +* Secure domain profile by enabling Microsoft Defender Firewall and ensure that Inbound connections are set to Blocked +* Secure private profile by enabling Microsoft Defender Firewall and ensure that Inbound connections are set to Blocked +* Secure public profile is configured by enabling Microsoft Defender Firewall and ensure that Inbound connections are set to Blocked For more information on Windows Defender Firewall settings, see [Planning settings for a basic 
firewall policy](https://docs.microsoft.com/windows/security/identity-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy). ->[!NOTE] +> [!NOTE] > If Windows Defender Firewall is not your primary firewall, consider excluding it from the security score calculations and make sure that your third-party firewall is configured in a securely. +##### Recommended actions -##### Recommended actions: You can take the following actions to increase the overall security score of your organization: -- Turn on firewall -- Secure domain profile -- Secure private profile -- Secure public profile -- Verify secure configuration of third-party firewall -- Fix sensor data collection - - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). + +* Turn on firewall +* Secure domain profile +* Secure private profile +* Secure public profile +* Verify secure configuration of third-party firewall +* Fix sensor data collection + * The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). For more information, see [Windows Defender Firewall with Advanced Security](https://docs.microsoft.com/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security). ### BitLocker optimization -A well-configured machine complies to the minimum baseline configuration setting. 
This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for BitLocker. ->[!IMPORTANT] ->This security control is only applicable for machines with Windows 10, version 1803 or later. +A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for BitLocker. + +> [!IMPORTANT] +> This security control is only applicable for machines with Windows 10, version 1803 or later. #### Minimum baseline configuration setting for BitLocker -- Ensure all supported drives are encrypted -- Ensure that all suspended protection on drives resume protection -- Ensure that drives are compatible +* Ensure all supported drives are encrypted +* Ensure that all suspended protection on drives resume protection +* Ensure that drives are compatible + +##### Recommended actions -##### Recommended actions: You can take the following actions to increase the overall security score of your organization: -- Encrypt all supported drives -- Resume protection on all drives -- Ensure drive compatibility -- Fix sensor data collection - - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). + +* Encrypt all supported drives +* Resume protection on all drives +* Ensure drive compatibility +* Fix sensor data collection + * The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. 
It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). For more information, see [Bitlocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview). ### Windows Defender Credential Guard optimization A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender Credential Guard. ->[!IMPORTANT] ->This security control is only applicable for machines with Windows 10, version 1709 or later. +> [!IMPORTANT] +> This security control is only applicable for machines with Windows 10, version 1709 or later. #### Minimum baseline configuration setting for Windows Defender Credential Guard: Well-configured machines for Windows Defender Credential Guard meets the following requirements: 
@@ -270,31 +289,28 @@ Well-configured machines for Windows Defender Credential Guard meets the followi - Hardware and software prerequisites are met - Windows Defender Credential Guard is turned on compatible machines +##### Recommended actions -##### Recommended actions: You can take the following actions to increase the overall security score of your organization: -- Ensure hardware and software prerequisites are met -- Turn on Credential Guard -- Fix sensor data collection - - The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). +* Ensure hardware and software prerequisites are met +* Turn on Credential Guard +* Fix sensor data collection + * The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md). For more information, see [Manage Windows Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-manage). ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-sadashboard-belowfoldlink) +>Want to experience Microsoft Defender ATP? 
[Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-sadashboard-belowfoldlink) ## Related topics -- [Overview of Secure score](overview-secure-score.md) -- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) -- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) -- [Exposure score](tvm-exposure-score.md) -- [Configuration score](configuration-score.md) -- [Security recommendations](tvm-security-recommendation.md) -- [Remediation](tvm-remediation.md) -- [Software inventory](tvm-software-inventory.md) -- [Weaknesses](tvm-weaknesses.md) -- [Scenarios](threat-and-vuln-mgt-scenarios.md) - - - +* [Overview of Secure score](overview-secure-score.md) +* [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) +* [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) +* [Exposure score](tvm-exposure-score.md) +* [Configuration score](configuration-score.md) +* [Security recommendations](tvm-security-recommendation.md) +* [Remediation](tvm-remediation.md) +* [Software inventory](tvm-software-inventory.md) +* [Weaknesses](tvm-weaknesses.md) +* [Scenarios](threat-and-vuln-mgt-scenarios.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md index 731963f220..498aa87ab1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md 
@@ -22,7 +22,7 @@ ms.topic: conceptual **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-secopsdashboard-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-secopsdashboard-abovefoldlink) The **Security operations dashboard** is where the endpoint detection and response capabilities are surfaced. It provides a high level overview of where detections were seen and highlights where response actions are needed. @@ -116,7 +116,7 @@ The tile shows you a list of user accounts with the most active alerts and the n Click the user account to see details about the user account. For more information see [Investigate a user account](investigate-user.md). ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-secopsdashboard-belowfoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-secopsdashboard-belowfoldlink) ## Related topics - [Understand the Microsoft Defender Advanced Threat Protection portal](use.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/service-status.md b/windows/security/threat-protection/microsoft-defender-atp/service-status.md index afa8a14d4f..d325456ebe 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/service-status.md +++ b/windows/security/threat-protection/microsoft-defender-atp/service-status.md 
@@ -24,7 +24,7 @@ ms.topic: article ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-servicestatus-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-servicestatus-abovefoldlink) The **Service health** provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues. If there are issues, you'll see details related to the issue such as when the issue was detected, what the preliminary root cause is, and the expected resolution time. diff --git a/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md b/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md index c77fa63c0f..6c8f2cc9a9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md +++ b/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md @@ -23,7 +23,7 @@ ms.topic: conceptual - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-supported-response-apis-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-supported-response-apis-abovefoldlink) Learn about the supported response related API calls you can run and details such as the required request headers, and expected response from the calls. 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md index 499d34f2f0..fb697ba2a7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md 
@@ -1,156 +1,156 @@ ---- -title: Threat & Vulnerability Management scenarios -description: Learn how to use Threat & Vulnerability Management in the context of scenarios that Security Administrators encounter when you collaborate with IT Administrators and SecOps as you protect your organization from cybersecurity threats. -keywords: mdatp-tvm scenarios, mdatp, tvm, tvm scenarios, reduce threat & vulnerability exposure, reduce threat and vulnerability, improve security configuration, increase configuration score, increase threat & vulnerability configuration score, configuration score, exposure score, security controls -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: dolmont -author: DulceMontemayor -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article ---- - -# Threat & Vulnerability Management scenarios -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -## Before you begin -Ensure that your machines: -- Are onboarded to Microsoft Defender Advanced Threat Protection -- Run with Windows 10 1709 (Fall Creators Update) or later - ->[!NOTE] ->Threat & Vulnerability Management can also scan machines that run on Windows 7 and Windows Server 2019 operating systems and detects vulnerabilities addressed in patch Tuesday. - -- Have the following mandatory updates installed: -- (1) RS3 customers | [KB4493441](https://support.microsoft.com/en-us/help/4493441/windows-10-update-kb4493441) -- (2) RS4 customers | [KB4493464](https://support.microsoft.com/en-us/help/4493464) -- Are onboarded to Microsoft Intune and System Center Configuration Manager (SCCM). 
If you are use SCCM, update your console to the latest May version 1905 -- Have at least one security recommendation that can be viewed in the machine page -- Are tagged or marked as co-managed - - -## Reduce your threat and vulnerability exposure -Threat & Vulnerability Management introduces a new exposure score metric, which visually represents how exposed your machines are to imminent threats. - -The exposure score is continuously calculated on each device in the organization and influenced by the following factors: -- Weaknesses, such as vulnerabilities discovered on the device -- External and internal threats such as public exploit code and security alerts -- Likelihood of the device to get breached given its current security posture -- Value of the device to the organization given its role and content - -The exposure score is broken down into the following levels: -- 0–29: low exposure score -- 30–69: medium exposure score -- 70–100: high exposure score - -You can remediate the issues based on prioritized security recommendations to reduce the exposure score. Each software has weaknesses that are transformed into recommendations and prioritized based on risk to the organization. - -To lower down your threat and vulnerability exposure: - -1. Review the **Top security recommendations** from your **Threat & Vulnerability Management dashboard**, and select the first item on the list. The **Security recommendation** page opens. - - >>![Top security recommendations](images/tvm_security_recommendations.png) - - >[!NOTE] - > There are two types of recommendations: - > - Security update which refers to recommendations that require a package installation - > - Configuration change which refers to recommendations that require a registry or GPO modification - > Always prioritize recommendations that are associated with ongoing threats. 
These recommendations are marked with the threat insight ![Threat insight](images/tvm_bug_icon.png) icon and possible active alert ![Possible active alert](images/tvm_alert_icon.png) icon. - -2. The **Security recommendations** page shows the list of items to remediate. Select the security recommendation that you need to investigate. When you select a recommendation from the list, a fly-out panel will display a description of what you need to remediate, number of vulnerabilities, associated exploits in machines, number of exposed machines and their machine names, business impact, and a list of CVEs. Click **Open software page** option from the flyout panel. ![Details in security recommendations page](images/tvm_security_recommendations_page.png) - -3. Click **Installed machines** and select the affected machine from the list to open the flyout panel with the relevant machine details, exposure and risk levels, alert and incident activities. ![Details in software page ](images/tvm_software_page_details.png) - -4. Click **Open machine page** to connect to the machine and apply the selected recommendation. See [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md) for details. ![Details in machine page](images/tvm_machine_page_details.png) - -5. Allow a few hours for the changes to propagate in the system. - -6. Review the machine **Security recommendation** tab again. The recommendation you've chosen to remediate is removed from the security recommendation list, and the exposure score decreases. - -## Improve your security configuration ->[!NOTE] -> Secure score is now part of Threat & Vulnerability Management as [configuration score](configuration-score.md). The secure score page is available for a few weeks. View the [secure score](https://securitycenter.windows.com/securescore) page. - -You can improve your security configuration when you remediate issues from the security recommendations list. 
As you do so, your configuration score improves, which means your organization becomes more resilient against cybersecurity threats and vulnerabilities. - -1. From the Configuration score widget, select **Security controls**. The **Security recommendations** page opens and shows the list of issues related to security controls. - - >![Configuration score widget](images/tvm_config_score.png) - -2. Select the first item on the list. The flyout panel will open with a description of the security controls issue, a short description of the potential risk, insights, configuration ID, exposed machines, and business impact. Click **Remediation options**. - ![Security controls related security recommendations](images/tvm_security_controls.png) - -3. Read the description to understand the context of the issue and what to do next. Select a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to the email that you can send to your IT Administrator for follow-up. - - >![Request remediation](images/tvm_request_remediation.png). - - >You will see a confirmation message that the remediation task has been created. - >![Remediation task creation confirmation](images/tvm_remediation_task_created.png) - -4. Save your CSV file. - ![Save csv file](images/tvm_save_csv_file.png) - -5. Send a follow-up email to your IT Administrator and allow the time that you have allotted for the remediation to propagate in the system. - -6. Review the machine **Configuration score** widget again. The number of the security controls issues will decrease. When you click **Security controls** to go back to the **Security recommendations** page, the item that you have addressed will not be listed there anymore, and your configuration score should increase. - -## Request a remediation ->[!NOTE] ->To use this capability, enable your Microsoft Intune connections. Navigate to **Settings** > **General** > **Advanced features**. 
Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle on. - -The Threat & Vulnerability Management capability in Microsoft Defender ATP bridges the gap between Security and IT Administrators through the remediation request workflow. - -Security Administrators like you can request for the IT Administrator to remediate a vulnerability from the **Security recommendation** pages to Intune. - -1. Click a security recommendation you would like to request remediation for, and then click **Remediation options**. - -2. Select **Open a ticket in Intune (for AAD joined devices)**, select a due date, and add optional notes for the IT Administrator. Click **Submit request**. - -3. Notify your IT Administrator about the new request and have them log into Intune to approve or reject the request and start a package deployment. - -4. Go to the **Remediation** page to view the status of your remediation request. - -See [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details. - ->[!NOTE] ->If your request involves remediating more than 10,000 machines, we can only send 10,000 machines for remediation to Intune. - -## File for exception -With Threat & Vulnerability Management, you can create exceptions for recommendations, as an alternative to a remediation request. - -There are many reasons why organizations create exceptions for a recommendation. For example, if there's a business justification that prevents the company from applying the recommendation, the existence of a compensating or alternative control that provides as much protection than the recommendation would, a false positive, among other reasons. - -Exceptions can be created for both *Security update* and *Configuration change* recommendations. - -When an exception is created for a recommendation, the recommendation is no longer active. 
The recommendation state changes to **Exception**, and it no longer shows up in the security recommendations list. - - -1. Navigate to the **Security recommendations** page under the **Threat & Vulnerability Management** section menu. - -2. Click the top-most recommendation. A flyout panel opens with the recommendation details. - -3. Click **Exception options**. - -4. Select your justification for the exception you need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration. - -5. Click **Submit**. A confirmation message at the top of the page indicates that the exception has been created. - -6. Navigate to the **Remediation** page under the **Threat & Vulnerability Management** menu and click the **Exceptions** tab to view all your exceptions (current and past). - -## Related topics -- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) -- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) -- [Exposure score](tvm-exposure-score.md) -- [Configuration score](configuration-score.md) -- [Security recommendations](tvm-security-recommendation.md) -- [Remediation](tvm-remediation.md) -- [Software inventory](tvm-software-inventory.md) -- [Weaknesses](tvm-weaknesses.md) +--- +title: Threat & Vulnerability Management scenarios +description: Learn how to use Threat & Vulnerability Management in the context of scenarios that Security Administrators encounter when you collaborate with IT Administrators and SecOps as you protect your organization from cybersecurity threats. 
+keywords: mdatp-tvm scenarios, mdatp, tvm, tvm scenarios, reduce threat & vulnerability exposure, reduce threat and vulnerability, improve security configuration, increase configuration score, increase threat & vulnerability configuration score, configuration score, exposure score, security controls +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Threat & Vulnerability Management scenarios +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +## Before you begin +Ensure that your machines: +- Are onboarded to Microsoft Defender Advanced Threat Protection +- Run with Windows 10 1709 (Fall Creators Update) or later + +>[!NOTE] +>Threat & Vulnerability Management can also scan machines that run on Windows 7 and Windows Server 2019 operating systems and detects vulnerabilities addressed in patch Tuesday. + +- Have the following mandatory updates installed: +- (1) RS3 customers | [KB4493441](https://support.microsoft.com/en-us/help/4493441/windows-10-update-kb4493441) +- (2) RS4 customers | [KB4493464](https://support.microsoft.com/en-us/help/4493464) +- Are onboarded to Microsoft Intune and System Center Configuration Manager (SCCM). If you are use SCCM, update your console to the latest May version 1905 +- Have at least one security recommendation that can be viewed in the machine page +- Are tagged or marked as co-managed + + +## Reduce your threat and vulnerability exposure +Threat & Vulnerability Management introduces a new exposure score metric, which visually represents how exposed your machines are to imminent threats. 
+ +The exposure score is continuously calculated on each device in the organization and influenced by the following factors: +- Weaknesses, such as vulnerabilities discovered on the device +- External and internal threats such as public exploit code and security alerts +- Likelihood of the device to get breached given its current security posture +- Value of the device to the organization given its role and content + +The exposure score is broken down into the following levels: +- 0–29: low exposure score +- 30–69: medium exposure score +- 70–100: high exposure score + +You can remediate the issues based on prioritized security recommendations to reduce the exposure score. Each software has weaknesses that are transformed into recommendations and prioritized based on risk to the organization. + +To lower down your threat and vulnerability exposure: + +1. Review the **Top security recommendations** from your **Threat & Vulnerability Management dashboard**, and select the first item on the list. The **Security recommendation** page opens. + + >>![Top security recommendations](images/tvm_security_recommendations.png) + + >[!NOTE] + > There are two types of recommendations: + > - Security update which refers to recommendations that require a package installation + > - Configuration change which refers to recommendations that require a registry or GPO modification + > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight ![Threat insight](images/tvm_bug_icon.png) icon and possible active alert ![Possible active alert](images/tvm_alert_icon.png) icon. + +2. The **Security recommendations** page shows the list of items to remediate. Select the security recommendation that you need to investigate. 
When you select a recommendation from the list, a fly-out panel will display a description of what you need to remediate, number of vulnerabilities, associated exploits in machines, number of exposed machines and their machine names, business impact, and a list of CVEs. Click **Open software page** option from the flyout panel. ![Details in security recommendations page](images/tvm_security_recommendations_page.png) + +3. Click **Installed machines** and select the affected machine from the list to open the flyout panel with the relevant machine details, exposure and risk levels, alert and incident activities. ![Details in software page ](images/tvm_software_page_details.png) + +4. Click **Open machine page** to connect to the machine and apply the selected recommendation. See [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md) for details. ![Details in machine page](images/tvm_machine_page_details.png) + +5. Allow a few hours for the changes to propagate in the system. + +6. Review the machine **Security recommendation** tab again. The recommendation you've chosen to remediate is removed from the security recommendation list, and the exposure score decreases. + +## Improve your security configuration +>[!NOTE] +> Secure score is now part of Threat & Vulnerability Management as [configuration score](configuration-score.md). The secure score page is available for a few weeks. View the [secure score](https://securitycenter.windows.com/securescore) page. + +You can improve your security configuration when you remediate issues from the security recommendations list. As you do so, your configuration score improves, which means your organization becomes more resilient against cybersecurity threats and vulnerabilities. + +1. From the Configuration score widget, select **Security controls**. The **Security recommendations** page opens and shows the list of issues related to security controls. 
+ + >![Configuration score widget](images/tvm_config_score.png) + +2. Select the first item on the list. The flyout panel will open with a description of the security controls issue, a short description of the potential risk, insights, configuration ID, exposed machines, and business impact. Click **Remediation options**. + ![Security controls related security recommendations](images/tvm_security_controls.png) + +3. Read the description to understand the context of the issue and what to do next. Select a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to the email that you can send to your IT Administrator for follow-up. + + >![Request remediation](images/tvm_request_remediation.png). + + >You will see a confirmation message that the remediation task has been created. + >![Remediation task creation confirmation](images/tvm_remediation_task_created.png) + +4. Save your CSV file. + ![Save csv file](images/tvm_save_csv_file.png) + +5. Send a follow-up email to your IT Administrator and allow the time that you have allotted for the remediation to propagate in the system. + +6. Review the machine **Configuration score** widget again. The number of the security controls issues will decrease. When you click **Security controls** to go back to the **Security recommendations** page, the item that you have addressed will not be listed there anymore, and your configuration score should increase. + +## Request a remediation +>[!NOTE] +>To use this capability, enable your Microsoft Intune connections. Navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle on. + +The Threat & Vulnerability Management capability in Microsoft Defender ATP bridges the gap between Security and IT Administrators through the remediation request workflow. 
+ +Security Administrators like you can request for the IT Administrator to remediate a vulnerability from the **Security recommendation** pages to Intune. + +1. Click a security recommendation you would like to request remediation for, and then click **Remediation options**. + +2. Select **Open a ticket in Intune (for AAD joined devices)**, select a due date, and add optional notes for the IT Administrator. Click **Submit request**. + +3. Notify your IT Administrator about the new request and have them log into Intune to approve or reject the request and start a package deployment. + +4. Go to the **Remediation** page to view the status of your remediation request. + +See [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details. + +>[!NOTE] +>If your request involves remediating more than 10,000 machines, we can only send 10,000 machines for remediation to Intune. + +## File for exception +With Threat & Vulnerability Management, you can create exceptions for recommendations, as an alternative to a remediation request. + +There are many reasons why organizations create exceptions for a recommendation. For example, if there's a business justification that prevents the company from applying the recommendation, the existence of a compensating or alternative control that provides as much protection than the recommendation would, a false positive, among other reasons. + +Exceptions can be created for both *Security update* and *Configuration change* recommendations. + +When an exception is created for a recommendation, the recommendation is no longer active. The recommendation state changes to **Exception**, and it no longer shows up in the security recommendations list. + + +1. Navigate to the **Security recommendations** page under the **Threat & Vulnerability Management** section menu. + +2. Click the top-most recommendation. 
A flyout panel opens with the recommendation details. + +3. Click **Exception options**. + +4. Select your justification for the exception you need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration. + +5. Click **Submit**. A confirmation message at the top of the page indicates that the exception has been created. + +6. Navigate to the **Remediation** page under the **Threat & Vulnerability Management** menu and click the **Exceptions** tab to view all your exceptions (current and past). + +## Related topics +- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) +- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) +- [Exposure score](tvm-exposure-score.md) +- [Configuration score](configuration-score.md) +- [Security recommendations](tvm-security-recommendation.md) +- [Remediation](tvm-remediation.md) +- [Software inventory](tvm-software-inventory.md) +- [Weaknesses](tvm-weaknesses.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md b/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md index 0be4b4e073..e0ba7d55f6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md 
@@ -24,7 +24,7 @@ ms.topic: conceptual ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-threatindicator-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-threatindicator-abovefoldlink) Advanced cybersecurity attacks comprise of multiple complex malicious events, attributes, and contextual information. Identifying and deciding which of these activities qualify as suspicious can be a challenging task. Your knowledge of known attributes and abnormal activities specific to your industry is fundamental in knowing when to call an observed behavior as suspicious. diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md index d527fa77fd..c99a26affb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md @@ -55,7 +55,7 @@ Microsoft Cloud App Security leverages Microsoft Defender ATP endpoint signals t > Office 365 ATP data is displayed for events within the last 30 days. For alerts, Office 365 ATP data is displayed based on first activity time. After that, the data is no longer available in Office 365 ATP. ## Skype for Business -The Skype for Business integration provides s a way for analysts to communicate with a potentially compromised user or device owner through ao simple button from the portal. +The Skype for Business integration provides a way for analysts to communicate with a potentially compromised user or device owner through a simple button from the portal. 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/time-settings.md b/windows/security/threat-protection/microsoft-defender-atp/time-settings.md index 7f6c773756..97484fcfe2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/time-settings.md +++ b/windows/security/threat-protection/microsoft-defender-atp/time-settings.md @@ -24,7 +24,7 @@ ms.topic: article ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-settings-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-settings-abovefoldlink) Use the **Time zone** menu ![Time zone settings icon](images/atp-time-zone.png) to configure the time zone and view license information. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md similarity index 80% rename from windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md rename to windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md index 373d0c8387..dc8f75b9f2 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md @@ -9,6 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium +audience: ITPro author: dansimp ms.author: dansimp ms.date: 03/27/2019 
@@ -20,44 +21,44 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -When you use [attack surface reduction rules](attack-surface-reduction-exploit-guard.md) you may encounter issues, such as: +When you use [attack surface reduction rules](attack-surface-reduction.md) you may encounter issues, such as: -- A rule blocks a file, process, or performs some other action that it should not (false positive) -- A rule does not work as described, or does not block a file or process that it should (false negative) +* A rule blocks a file, process, or performs some other action that it should not (false positive) +* A rule does not work as described, or does not block a file or process that it should (false negative) There are four steps to troubleshooting these problems: 1. Confirm prerequisites 2. Use audit mode to test the rule 3. Add exclusions for the specified rule (for false positives) -3. Submit support logs +4. Submit support logs ## Confirm prerequisites Attack surface reduction rules will only work on devices with the following conditions: ->[!div class="checklist"] -> - Endpoints are running Windows 10 Enterprise, version 1709 (also known as the Fall Creators Update). -> - Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). -> - [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled. -> - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). 
+> [!div class="checklist"] +> * Endpoints are running Windows 10 Enterprise, version 1709 (also known as the Fall Creators Update). +> * Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). +> * [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled. +> * Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). If these pre-requisites have all been met, proceed to the next step to test the rule in audit mode. ## Use audit mode to test the rule -You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm attack surface reduction rules are generally working for pre-configured scenarios and processes on a device, or you can use audit mode, which enables rules for reporting only. +You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm attack surface reduction rules are generally working for pre-configured scenarios and processes on a device, or you can use audit mode, which enables rules for reporting only. Follow these instructions in [Use the demo tool to see how attack surface reduction rules work](evaluate-attack-surface-reduction.md) to test the specific rule you are encountering problems with. 1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). Audit mode allows the rule to report the file or process, but will still allow it to run. 2. 
Perform the activity that is causing an issue (for example, open or execute the file or process that should be blocked but is being allowed). -3. [Review the attack surface reductio rule event logs](attack-surface-reduction-exploit-guard.md) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**. +3. [Review the attack surface reductio rule event logs](attack-surface-reduction.md) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**. > ->If a rule is not blocking a file or process that you are expecting it should block, first check if audit mode is enabled. +>If a rule is not blocking a file or process that you are expecting it should block, first check if audit mode is enabled. > >Audit mode may have been enabled for testing another feature, or by an automated PowerShell script, and may not have been disabled after the tests were completed. 
@@ -78,25 +79,28 @@ To add an exclusion, see [Customize Attack surface reduction](customize-attack-s ## Report a false positive or false negative -Use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) to report a false negative or false positive for network protection. With an E5 subscription, you can also [provide a link to any associated alert](../microsoft-defender-atp/alerts-queue.md). +Use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/wdsi/filesubmission) to report a false negative or false positive for network protection. With an E5 subscription, you can also [provide a link to any associated alert](../microsoft-defender-atp/alerts-queue.md). ## Collect diagnostic data for file submissions -When you report a problem with attack surface reduction rules, you are asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues. +When you report a problem with attack surface reduction rules, you are asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues. 1. Open an elevated command prompt and change to the Windows Defender directory: + ```console cd c:\program files\windows defender ``` + 2. Run this command to generate the diagnostic logs: + ```console mpcmdrun -getfiles ``` -3. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form. + +3. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form. 
## Related topics -- [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) -- [Enable attack surface reduction rules](enable-attack-surface-reduction.md) -- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) - +* [Attack surface reduction rules](attack-surface-reduction.md) +* [Enable attack surface reduction rules](enable-attack-surface-reduction.md) +* [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-custom-ti.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-custom-ti.md index 159081aa19..217b980381 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-custom-ti.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-custom-ti.md @@ -48,7 +48,7 @@ If your client secret expires or if you've misplaced the copy provided when you 7. Copy the value and save it in a safe place. ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshootcustomti-belowfoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshootcustomti-belowfoldlink) ## Related topics diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md similarity index 79% rename from windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md rename to windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md index 63963825e3..ae216de7bb 100644 
--- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md @@ -9,6 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium +audience: ITPro author: dansimp ms.author: dansimp ms.date: 08/09/2018 @@ -20,7 +21,7 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) When you create a set of exploit protection mitigations (known as a configuration), you might find that the configuration export and import process does not remove all unwanted mitigations. @@ -46,7 +47,7 @@ You can manually remove unwanted mitigations in Windows Security, or you can use Write-Host "Removing MitigationAuditOptions for: " $Name Remove-ItemProperty -Path $Key.PSPath -Name "MitigationAuditOptions" -ErrorAction Stop; } - + # Remove the FilterFullPath value if there is nothing else if (($Key.SubKeyCount -eq 0) -and ($Key.ValueCount -eq 1) -and ($Key.GetValue("FilterFullPath"))) { Remove-ItemProperty -Path $Key.PSPath -Name "FilterFullPath" -ErrorAction Stop; 
@@ -58,19 +59,19 @@ You can manually remove unwanted mitigations in Windows Security, or you can use Remove-Item -Path $Key.PSPath -ErrorAction Stop } } - Catch { - Write-Host "ERROR:" $_.Exception.Message "- at ($MitigationItemName)" + Catch { + Write-Host "ERROR:" $_.Exception.Message "- at ($MitigationItemName)" } } # Delete all ExploitGuard ProcessMitigations function Remove-All-ProcessMitigations { if (!(Test-IsAdmin)) { - throw "ERROR: No Administrator-Privileges detected!"; return + throw "ERROR: No Administrator-Privileges detected!"; return } Get-ChildItem -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" | ForEach-Object { - $MitigationItem = $_; + $MitigationItem = $_; $MitigationItemName = $MitigationItem.PSChildName Try { @@ -85,7 +86,7 @@ You can manually remove unwanted mitigations in Windows Security, or you can use Write-Host "Removing FullPathEntry: " $Name Remove-ProcessMitigations $FullPathItem $Name } - + # If there are no subkeys now, we can delete the "UseFilter" value if ($MitigationItem.SubKeyCount -eq 0) { Remove-ItemProperty -Path $MitigationItem.PSPath -Name "UseFilter" -ErrorAction Stop @@ -97,8 +98,8 @@ You can manually remove unwanted mitigations in Windows Security, or you can use Remove-Item -Path $MitigationItem.PSPath -ErrorAction Stop } } - Catch { - Write-Host "ERROR:" $_.Exception.Message "- at ($MitigationItemName)" + Catch { + Write-Host "ERROR:" $_.Exception.Message "- at ($MitigationItemName)" } } } 
@@ -106,18 +107,18 @@ You can manually remove unwanted mitigations in Windows Security, or you can use # Delete all ExploitGuard System-wide Mitigations function Remove-All-SystemMitigations { - if (!(Test-IsAdmin)) { - throw "ERROR: No Administrator-Privileges detected!"; return + if (!(Test-IsAdmin)) { + throw "ERROR: No Administrator-Privileges detected!"; return } - + $Kernel = Get-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" - Try { - if ($Kernel.GetValue("MitigationOptions")) + Try { + if ($Kernel.GetValue("MitigationOptions")) { Write-Host "Removing System MitigationOptions" Remove-ItemProperty -Path $Kernel.PSPath -Name "MitigationOptions" -ErrorAction Stop; } - if ($Kernel.GetValue("MitigationAuditOptions")) + if ($Kernel.GetValue("MitigationAuditOptions")) { Write-Host "Removing System MitigationAuditOptions" Remove-ItemProperty -Path $Kernel.PSPath -Name "MitigationAuditOptions" -ErrorAction Stop; } @@ -132,30 +133,30 @@ You can manually remove unwanted mitigations in Windows Security, or you can use 2. Create and import an XML configuration file with the following default mitigations, as described in Import, export, and deploy Exploit Protection configurations: - ```xml + ```xml - - - - - - - - - - + + + + + + + + + + - + - - + + - - - - - + + + + + @@ -180,9 +181,9 @@ You can manually remove unwanted mitigations in Windows Security, or you can use - - - + + + 
@@ -195,9 +196,9 @@ If you haven’t already, it's a good idea to download and use the [Windows Secu ## Related topics -- [Protect devices from exploits](exploit-protection-exploit-guard.md) -- [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) -- [Evaluate exploit protection](evaluate-exploit-protection.md) -- [Enable exploit protection](enable-exploit-protection.md) -- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) -- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) +* [Protect devices from exploits](exploit-protection.md) +* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md) +* [Evaluate exploit protection](evaluate-exploit-protection.md) +* [Enable exploit protection](enable-exploit-protection.md) +* [Configure and audit exploit protection mitigations](customize-exploit-protection.md) +* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md index 3cd0504b1f..a8109f849e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md @@ -62,7 +62,7 @@ The following date and time formats are currently not supported: **Use of comma to indicate thousand**
    Support of use of comma as a separator in numbers are not supported. Regions where a number is separated with a comma to indicate a thousand, will only see the use of a dot as a separator. For example, 15,5K is displayed as 15.5K. ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshoot-belowfoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshoot-belowfoldlink) ## Microsoft Defender ATP tenant was automatically created in Europe When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is automatically created. The Microsoft Defender ATP data is stored in Europe by default. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md similarity index 69% rename from windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md rename to windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md index cfd19843a9..af397987a0 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md @@ -9,6 +9,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium +audience: ITPro author: dansimp ms.author: dansimp ms.date: 03/27/2019 
@@ -20,48 +21,50 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- IT administrators +* IT administrators -When you use [Network protection](network-protection-exploit-guard.md) you may encounter issues, such as: +When you use [Network protection](network-protection.md) you may encounter issues, such as: -- Network protection blocks a website that is safe (false positive) -- Network protection fails to block a suspicious or known malicious website (false negative) +* Network protection blocks a website that is safe (false positive) +* Network protection fails to block a suspicious or known malicious website (false negative) There are four steps to troubleshooting these problems: 1. Confirm prerequisites 2. Use audit mode to test the rule 3. Add exclusions for the specified rule (for false positives) -3. Submit support logs +4. Submit support logs ## Confirm prerequisites Network protection will only work on devices with the following conditions: >[!div class="checklist"] -> - Endpoints are running Windows 10 Enterprise edition, version 1709 or higher (also known as the Fall Creators Update). -> - Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). -> - [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled. -> - [Cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) is enabled. -> - Audit mode is not enabled. 
Use [Group Policy](enable-network-protection.md#group-policy) to set the rule to **Disabled** (value: **0**). +> * Endpoints are running Windows 10 Enterprise edition, version 1709 or higher (also known as the Fall Creators Update). +> * Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). +> * [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled. +> * [Cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) is enabled. +> * Audit mode is not enabled. Use [Group Policy](enable-network-protection.md#group-policy) to set the rule to **Disabled** (value: **0**). +## Use audit mode -## Use audit mode - -You can enable network protection in audit mode and then visit a website that we've created to demo the feature. All website connections will be allowed by network protection but an event will be logged to indicate any connection that would have been blocked if network protection was enabled. +You can enable network protection in audit mode and then visit a website that we've created to demo the feature. All website connections will be allowed by network protection but an event will be logged to indicate any connection that would have been blocked if network protection was enabled. 1. Set network protection to **Audit mode**. - ```powershell + + ```PowerShell Set-MpPreference -EnableNetworkProtection AuditMode ``` -2. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block). -3. 
[Review the network protection event logs](network-protection-exploit-guard.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**. + +1. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block). + +1. [Review the network protection event logs](network-protection.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**. > >If network protection is not blocking a connection that you are expecting it should block, enable the feature. -```powershell +```PowerShell Set-MpPreference -EnableNetworkProtection Enabled ``` 
@@ -75,21 +78,24 @@ To whitelist the website that is being blocked (false positive), add its URL to ## Collect diagnostic data for file submissions -When you report a problem with network protection, you are asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues. +When you report a problem with network protection, you are asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues. 1. Open an elevated command prompt and change to the Windows Defender directory: - ``` + + ```PowerShell cd c:\program files\windows defender ``` -2. Run this command to generate the diagnostic logs: - ``` + +1. Run this command to generate the diagnostic logs: + + ```PowerShell mpcmdrun -getfiles ``` -3. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form. + +1. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form. ## Related topics -- [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) -- [Network protection](network-protection-exploit-guard.md) -- [Evaluate network protection](evaluate-network-protection.md) -- [Enable network protection](enable-network-protection.md) +* [Network protection](network-protection.md) +* [Evaluate network protection](evaluate-network-protection.md) +* [Enable network protection](enable-network-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md index 078fc9543d..f27f90ae22 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md @@ -24,7 +24,7 @@ ms.topic: troubleshooting - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troublshootonboarding-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troublshootonboarding-abovefoldlink) This page provides detailed steps to troubleshoot issues that might occur when setting up your Microsoft Defender ATP service. diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md index 5f81c16bed..24b7d6924e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md 
@@ -302,10 +302,10 @@ Microsoft Defender Advanced Threat Protection requires one of the following Micr - Windows 10 Education E5 - Microsoft 365 Enterprise E5 which includes Windows 10 Enterprise E5 -For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2). +For more information, see [Windows 10 Licensing](https://www.microsoft.com/Licensing/product-licensing/windows10.aspx#tab=2). ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshootonboarding-belowfoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshootonboarding-belowfoldlink) ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md index c45bc362d2..858ebde2ec 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md @@ -25,7 +25,7 @@ ms.topic: troubleshooting -You might need to troubleshoot issues while pulling alerts in your SIEM tools. +You might need to troubleshoot issues while pulling detections in your SIEM tools. This page provides detailed steps to troubleshoot issues you might encounter. 
@@ -76,11 +76,11 @@ If you encounter an error when trying to enable the SIEM connector application, ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshootsiem-belowfoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshootsiem-belowfoldlink) ## Related topics - [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) -- [Configure ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight.md) -- [Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk.md) -- [Microsoft Defender ATP alert API fields](api-portal-mapping.md) -- [Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api.md) +- [Configure ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md) +- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md) +- [Microsoft Defender ATP Detection fields](api-portal-mapping.md) +- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md index f6488ecbd0..8eebb66298 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md 
@@ -1,48 +1,48 @@ ---- -title: Exposure score -description: Your exposure level reflects how vulnerable your organization is to cybersecurity threats. Apply the Threat & Vulnerability Management security recommendations to keep your exposure level low. -keywords: exposure score, mdatp exposure score, mdatp tvm exposure score, organization exposure score, tvm organization exposure score -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: dolmont -author: DulceMontemayor -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 06/30/2019 ---- -# Exposure score -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -Your exposure score reflects how vulnerable your organization is to cybersecurity threats. Low exposure score means your machines are less vulnerable from exploitation. - -The widget also gives you a high-level view of your exposure score trend over time. Any spikes in the chart gives you a visual indication of a high cybersecurity threat exposure that you can investigate further. - -![Exposure score widget](images/tvm_exp_score.png) - -## How it works - -Several factors affect your organization exposure score: -- Weakness discovered on the device -- Likelihood of a device getting breached -- Value of the device to the organization -- Relevant alert discovered on the device - -Reduce the exposure score by addressing what needs to be remediated based on the prioritized security recommendations. See [Security recommendations](tvm-security-recommendation.md) for details. 
- -## Related topics -- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) -- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) -- [Configuration score](configuration-score.md) -- [Security recommendations](tvm-security-recommendation.md) -- [Remediation](tvm-remediation.md) -- [Software inventory](tvm-software-inventory.md) -- [Weaknesses](tvm-weaknesses.md) -- [Scenarios](threat-and-vuln-mgt-scenarios.md) +--- +title: Exposure score +description: Your exposure level reflects how vulnerable your organization is to cybersecurity threats. Apply the Threat & Vulnerability Management security recommendations to keep your exposure level low. +keywords: exposure score, mdatp exposure score, mdatp tvm exposure score, organization exposure score, tvm organization exposure score +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 06/30/2019 +--- +# Exposure score +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +Your exposure score reflects how vulnerable your organization is to cybersecurity threats. Low exposure score means your machines are less vulnerable from exploitation. + +The widget also gives you a high-level view of your exposure score trend over time. Any spikes in the chart gives you a visual indication of a high cybersecurity threat exposure that you can investigate further. 
+ +![Exposure score widget](images/tvm_exp_score.png) + +## How it works + +Several factors affect your organization exposure score: +- Weakness discovered on the device +- Likelihood of a device getting breached +- Value of the device to the organization +- Relevant alert discovered on the device + +Reduce the exposure score by addressing what needs to be remediated based on the prioritized security recommendations. See [Security recommendations](tvm-security-recommendation.md) for details. + +## Related topics +- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) +- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) +- [Configuration score](configuration-score.md) +- [Security recommendations](tvm-security-recommendation.md) +- [Remediation](tvm-remediation.md) +- [Software inventory](tvm-software-inventory.md) +- [Weaknesses](tvm-weaknesses.md) +- [Scenarios](threat-and-vuln-mgt-scenarios.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md index 6e208209cb..674d4b0309 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md 
@@ -1,66 +1,66 @@
----
-title: Remediation
-description: You can lower down your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations. Threat & Vulnerability Management bridges the gap between security administration and IT administration during remediation process. It does so by creating a security task or ticket through integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM).
-keywords: microsoft defender atp tvm remediation, mdatp tvm, threat & vulnerability management, threat & vulnerability management remediation, tvm remediation intune, tvm remediation sccm
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.date: 04/11/2019
----
-# Remediation
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->[!NOTE]
->To use this capability, enable your Microsoft Intune connections. Navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle on.
-
-After your organization's cybersecurity weaknesses are identified and mapped to actionable security recommendations, you can start creating security tasks through the integration with Microsoft Intune where remediation tickets are created.
-
-You can lower down your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations.
-
-## Navigate through your remediation options
-You'll see your remediation options when you select one of the security recommendation blocks from your **Top security recommendations** widget in the dashboard.
-1. From the flyout panel, you'll see the security recommendation details including your next steps. Click **Remediation options**.
-2. In the **Remediation options** page, select **Open a ticket in Intune (for AAD joined devices)**.
-
->[!NOTE]
->If your request involves remediating more than 10,000 machines, we will only send 10,000 machines for remediation to Intune.
-
-3. Select a remediation due date.
-4. Add notes to give your IT administrator a context of your remediation request. For example, you can indicate urgency of the remediation request to avoid potential exposure to a recent exploit activity, or if the request is a part of compliance.
-
-If you want to check how the ticket shows up in Intune, see [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details.
-
-## How it works
-
-When you submit a remediation request from Threat & Vulnerability Management, it kicks-off a remediation activity.
-
-It creates a security task which will be tracked in Threat & Vulnerability Management **Remediation** page, and it also creates a remediation ticket in Microsoft Intune.
-
-You also have the option to export all remediation activity data to CSV for records, reporting purposes, or if you want to notify your IT administration counterpart that a remediation ticket has been submitted.
-
-The dashboard will show that status of your top remediation activities. Click any of the entries and it will take you to the **Remediation** page. You can mark the remediation activity as completed after the IT administration team remediates the task.
-
-However, if the security recommendation stemmed from a false positive report, or if there are existing business justification that blocks the remediation, such as compensating control, productivity needs, compliance, or if there's already a planned remediation grace period, you can file an exception and indicate the reason. The exceptions you've filed will also show up in the **Remediation** page, in the **Exceptions** tab.
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
-- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
-- [Exposure score](tvm-exposure-score.md)
-- [Configuration score](configuration-score.md)
-- [Security recommendation](tvm-security-recommendation.md)
-- [Software inventory](tvm-software-inventory.md)
-- [Weaknesses](tvm-weaknesses.md)
-- [Scenarios](threat-and-vuln-mgt-scenarios.md)
-
-
+---
+title: Remediation
+description: You can lower down your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations. Threat & Vulnerability Management bridges the gap between security administration and IT administration during remediation process. It does so by creating a security task or ticket through integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM).
+keywords: microsoft defender atp tvm remediation, mdatp tvm, threat & vulnerability management, threat & vulnerability management remediation, tvm remediation intune, tvm remediation sccm +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 04/11/2019 +--- +# Remediation +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>[!NOTE] +>To use this capability, enable your Microsoft Intune connections. Navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle on. + +After your organization's cybersecurity weaknesses are identified and mapped to actionable security recommendations, you can start creating security tasks through the integration with Microsoft Intune where remediation tickets are created. + +You can lower down your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations. + +## Navigate through your remediation options +You'll see your remediation options when you select one of the security recommendation blocks from your **Top security recommendations** widget in the dashboard. +1. From the flyout panel, you'll see the security recommendation details including your next steps. Click **Remediation options**. +2. In the **Remediation options** page, select **Open a ticket in Intune (for AAD joined devices)**. + +>[!NOTE] +>If your request involves remediating more than 10,000 machines, we will only send 10,000 machines for remediation to Intune. + +3. 
Select a remediation due date. +4. Add notes to give your IT administrator a context of your remediation request. For example, you can indicate urgency of the remediation request to avoid potential exposure to a recent exploit activity, or if the request is a part of compliance. + +If you want to check how the ticket shows up in Intune, see [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details. + +## How it works + +When you submit a remediation request from Threat & Vulnerability Management, it kicks-off a remediation activity. + +It creates a security task which will be tracked in Threat & Vulnerability Management **Remediation** page, and it also creates a remediation ticket in Microsoft Intune. + +You also have the option to export all remediation activity data to CSV for records, reporting purposes, or if you want to notify your IT administration counterpart that a remediation ticket has been submitted. + +The dashboard will show that status of your top remediation activities. Click any of the entries and it will take you to the **Remediation** page. You can mark the remediation activity as completed after the IT administration team remediates the task. + +However, if the security recommendation stemmed from a false positive report, or if there are existing business justification that blocks the remediation, such as compensating control, productivity needs, compliance, or if there's already a planned remediation grace period, you can file an exception and indicate the reason. The exceptions you've filed will also show up in the **Remediation** page, in the **Exceptions** tab. 
+
+## Related topics
+- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
+- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
+- [Exposure score](tvm-exposure-score.md)
+- [Configuration score](configuration-score.md)
+- [Security recommendation](tvm-security-recommendation.md)
+- [Software inventory](tvm-software-inventory.md)
+- [Weaknesses](tvm-weaknesses.md)
+- [Scenarios](threat-and-vuln-mgt-scenarios.md)
+
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
index a866f2ef4f..f5dbb8135e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
@@ -1,66 +1,91 @@ ---- -title: Security recommendation -description: The weaknesses identified in the environment are mapped to actionable security recommendations and prioritized by their impact on the organizational exposure score. -keywords: threat and vulnerability management, mdatp tvm security recommendation, cybersecurity recommendation, actionable security recommendation -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: dolmont -author: DulceMontemayor -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 04/11/2019 ---- -# Security recommendation -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -The cybersecurity weaknesses identified in your organization are mapped to actionable security recommendations and prioritized by their impact on the security recommendation list. Prioritized recommendation helps shorten the mean time to mitigate or remediate vulnerabilities and drive compliance. - -Each security recommendation includes an actionable remediation recommendation which can be pushed into the IT task queue through a built-in integration with Microsoft Intune and SCCM. It is also dynamic in the sense that when the threat landscape changes, the recommendation also changes as it continuously collect information from your environment. - -## The basis of the security recommendation -Each machine in the organization is scored based on three important factors: threat, likelihood to be breached, and value, to help customers to focus on the right things at the right time. - -- Threat - Characteristics of the vulnerabilities and exploits in your organizations' devices and breach history. 
Based on these factors, the security recommendations shows the correponding links to active alerts, ongoing threat campaigns, and their corresponding threat analytic reports. - -- Breach likelihood - Your organization's security posture and resilience against threats - -- Business value - Your organization's assets, critical processes, and intellectual properties - - -## Navigate through your security recommendations -You can access the security recommendation from the Microsoft Defender ATP Threat & Vulnerability Management menu, dashboard, software page, and machine page, to give you the context that you need as you require it. - -There are security recommendations for application, operating system, network, accounts, and security controls. - -In a given day as a Security Administrator, you can take a look at the dashboard to see your exposure score side-by-side with your configuration score. The goal is to lower down your organization's exposure from vulnerabilities, and increase your organization's security configuration to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal. - -The top security recommendations lists down the improvement opportunities prioritized based on the three important factors mentioned in the previous section - threat, likelihood to be breached, and value. - -You can click on each one of them and see the details, the description, the potential risk if you don't act on or remediate it, insights, how many exposed devices are associated with the security recommendation, vulnerabilities, and other threats. - -From that page, you can do any of the following depending on what you need to do: - -- Open software page - Drill down and open the software page to get more context of the software details, prevalence in the organization, weaknesses discovered, version distribution, and charts so you can see the exposure trend over time. 
- -- Choose from remediation options - Submit a remediation request to open a ticket in Microsoft Intune for your IT Administrator to pick up and address. - -- Choose from exception options - Submit an exception, provide justification, and set exception duration if you can't remediate the issue just yet due to specific business reasons, compensation controls, or if it is a false positive. - - -## Related topics -- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) -- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) -- [Exposure score](tvm-exposure-score.md) -- [Configuration score](configuration-score.md) -- [Remediation](tvm-remediation.md) -- [Software inventory](tvm-software-inventory.md) -- [Weaknesses](tvm-weaknesses.md) -- [Scenarios](threat-and-vuln-mgt-scenarios.md) +--- +title: Security recommendation +description: The weaknesses identified in the environment are mapped to actionable security recommendations and prioritized by their impact on the organizational exposure score. +keywords: threat and vulnerability management, mdatp tvm security recommendation, cybersecurity recommendation, actionable security recommendation +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 04/11/2019 +--- +# Security recommendation +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +The cybersecurity weaknesses identified in your organization are mapped to actionable security recommendations and prioritized by their impact on the security recommendation list. 
Prioritized recommendation helps shorten the mean time to mitigate or remediate vulnerabilities and drive compliance. + +Each security recommendation includes an actionable remediation recommendation which can be pushed into the IT task queue through a built-in integration with Microsoft Intune and SCCM. It is also dynamic in the sense that when the threat landscape changes, the recommendation also changes as it continuously collect information from your environment. + +## The basis of the security recommendation +Each machine in the organization is scored based on three important factors: threat, likelihood to be breached, and value, to help customers to focus on the right things at the right time. + +- Threat - Characteristics of the vulnerabilities and exploits in your organizations' devices and breach history. Based on these factors, the security recommendations shows the correponding links to active alerts, ongoing threat campaigns, and their corresponding threat analytic reports. + +- Breach likelihood - Your organization's security posture and resilience against threats + +- Business value - Your organization's assets, critical processes, and intellectual properties + + +## Navigate through your security recommendations +You can access the security recommendation from the Microsoft Defender ATP Threat & Vulnerability Management menu, dashboard, software page, and machine page, to give you the context that you need as you require it. + +There are security recommendations for application, operating system, network, accounts, and security controls. + +In a given day as a Security Administrator, you can take a look at the dashboard to see your exposure score side-by-side with your configuration score. The goal is to lower down your organization's exposure from vulnerabilities, and increase your organization's security configuration to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal. 
+ +The top security recommendations lists down the improvement opportunities prioritized based on the three important factors mentioned in the previous section - threat, likelihood to be breached, and value. + +You can click on each one of them and see the details, the description, the potential risk if you don't act on or remediate it, insights, how many exposed devices are associated with the security recommendation, vulnerabilities, and other threats. + +From that page, you can do any of the following depending on what you need to do: + +- Open software page - Drill down and open the software page to get more context of the software details, prevalence in the organization, weaknesses discovered, version distribution, and charts so you can see the exposure trend over time. + +- Choose from remediation options - Submit a remediation request to open a ticket in Microsoft Intune for your IT Administrator to pick up and address. + +- Choose from exception options - Submit an exception, provide justification, and set exception duration if you can't remediate the issue just yet due to specific business reasons, compensation controls, or if it is a false positive. + +## Report inaccuracy + +You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated security recommendation information in the machine page. + +1. Select the **Security recommendation** tab. + +2. Click **:** beside the security recommendation that you want to report about, then select **Report inaccuracy**. +![Screenshot of Report inaccuracy control from the machine page under the Security recommendation column](images/tvm_report_inaccuracy.png) +
    A flyout pane opens.
    +![Screenshot of Report inaccuracy flyout pane](images/tvm_report_inaccuracyflyout.png) + +3. From the flyout pane, select the inaccuracy category from the drop-down menu. +
    ![Screenshot of Report inaccuracy categories drop-down menu](images/tvm_report_inaccuracyoptions.png)
    + +4. Include your email address so Microsoft can send you feedback regarding the inaccuracy you reported. + +5. Include your machine name for investigation context. + +>[!NOTE] +> You can also provide details regarding the inaccuracy you reported in the **Tell us more (optional)** field to give the threat and vulnerability management investigators context. + +6. Click **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts with its context. + + + + +## Related topics +- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) +- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) +- [Exposure score](tvm-exposure-score.md) +- [Configuration score](configuration-score.md) +- [Remediation](tvm-remediation.md) +- [Software inventory](tvm-software-inventory.md) +- [Weaknesses](tvm-weaknesses.md) +- [Scenarios](threat-and-vuln-mgt-scenarios.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md index 6954b3f5d6..a7ff6812ce 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md 
@@ -1,44 +1,68 @@ ---- -title: Software inventory -description: Microsoft Defender ATP Threat & Vulnerability management's discovery capability shows in the software inventory page. You can see the name of the product, vendor, the latest version it is in, and the number of weaknesses and vulnerabilities detected. -keywords: microsoft defender atp, microsoft defender atp software inventory, mdatp threat & vulnerability management, mdatp threat & vulnerability management software inventory, mdatp tvm software inventory, tvm software inventory -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: dolmont -author: DulceMontemayor -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 04/11/2019 ---- -# Software inventory -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -Microsoft Defender ATP Threat & Vulnerability management's discovery capability shows in the **Software inventory** page. The software inventory includes the name of the product or vendor, the latest version it is in, and the number of weaknesses and vulnerabilities detected with it. - -## Navigate through your software inventory -1. Select **Software inventory** from the Threat & Vulnerability management navigation menu. -2. In the **Software inventory** page, select the application that you want to investigate and a flyout panel opens up with the software details, vendor information, prevalence in the organization, exposed machines, threat context, and its impact to your organization's exposure score. -3. In the flyout panel, select **Open software page** to dive deeper into your software inventory. 
You will see how many weaknesses are discovered with the application, devices exposed, installed machines, version distribution, and the corresponding security recommendations for the weaknesses and vulnerabilities identified. - -## How it works -In the field of discovery, we are leveraging the same set of signals in Microsoft Defender ATP's endpoint detection and response that's responsible for detection, for vulnerability assessment. - -Since it is real-time, in a matter of minutes, you will see vulnerability information as they get discovered. The engine automatically grabs information from multiple security feeds. In fact, you'll will see if a particular application is connected to a live campaign. It also provides a link to a Threat Analytics report soon as it's available. - -## Related topics -- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) -- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) -- [Exposure score](tvm-exposure-score.md) -- [Configuration score](configuration-score.md) -- [Security recommendation](tvm-security-recommendation.md) -- [Remediation](tvm-remediation.md) -- [Weaknesses](tvm-weaknesses.md) -- [Scenarios](threat-and-vuln-mgt-scenarios.md) +--- +title: Software inventory +description: Microsoft Defender ATP Threat & Vulnerability management's discovery capability shows in the software inventory page. You can see the name of the product, vendor, the latest version it is in, and the number of weaknesses and vulnerabilities detected. 
+keywords: microsoft defender atp, microsoft defender atp software inventory, mdatp threat & vulnerability management, mdatp threat & vulnerability management software inventory, mdatp tvm software inventory, tvm software inventory +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 04/11/2019 +--- +# Software inventory +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +Microsoft Defender ATP Threat & Vulnerability management's discovery capability shows in the **Software inventory** page. The software inventory includes the name of the product or vendor, the latest version it is in, and the number of weaknesses and vulnerabilities detected with it. + +## Navigate through your software inventory +1. Select **Software inventory** from the Threat & Vulnerability management navigation menu. +2. In the **Software inventory** page, select the application that you want to investigate and a flyout panel opens up with the software details, vendor information, prevalence in the organization, exposed machines, threat context, and its impact to your organization's exposure score. +3. In the flyout panel, select **Open software page** to dive deeper into your software inventory. You will see how many weaknesses are discovered with the application, devices exposed, installed machines, version distribution, and the corresponding security recommendations for the weaknesses and vulnerabilities identified. + +## How it works +In the field of discovery, we are leveraging the same set of signals in Microsoft Defender ATP's endpoint detection and response that's responsible for detection, for vulnerability assessment. 
+ +Since it is real-time, in a matter of minutes, you will see vulnerability information as they get discovered. The engine automatically grabs information from multiple security feeds. In fact, you'll will see if a particular application is connected to a live campaign. It also provides a link to a Threat Analytics report soon as it's available. + +## Report inaccuracy + +You can report a false positive when you see any vague, inaccurate version, incomplete, or already remediated software inventory information in the machine page. + +1. Select the **Software inventory** tab. + +2. Click **:** beside the software that you want to report about, and then select **Report inaccuracy**. +![Screenshot of Report inaccuracy control from the machine page under the Software inventory column](images/tvm_report_inaccuracy_software.png) +
    A flyout pane opens.
    +![Screenshot of Report inaccuracy flyout pane](images/tvm_report_inaccuracy_softwareflyout.png) + +3. From the flyout pane, select the inaccuracy category from the **Software inventory inaccuracy reason** drop-down menu. +
    ![Screenshot of Report inaccuracy software inventory inaccuracy reason drop-down menu](images/tvm_report_inaccuracy_softwareoptions.png)
    + +4. Include your email address so Microsoft can send you feedback regarding the inaccuracy you reported. + +5. Include your machine name for investigation context. + +>[!NOTE] +> You can also provide details regarding the inaccuracy you reported in the **Tell us more (optional)** field to give the threat and vulnerability management investigators context. + +6. Click **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts with its context. + + +## Related topics +- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) +- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) +- [Exposure score](tvm-exposure-score.md) +- [Configuration score](configuration-score.md) +- [Security recommendation](tvm-security-recommendation.md) +- [Remediation](tvm-remediation.md) +- [Weaknesses](tvm-weaknesses.md) +- [Scenarios](threat-and-vuln-mgt-scenarios.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md index 108aef13b2..ab8bccc02c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md 
@@ -1,78 +1,113 @@ ---- -title: Weaknesses -description: The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization, their severity, Common Vulnerability Scoring System (CVSS) rating, its prevalence in your organization, breach, and threat insights. -keywords: mdatp threat & vulnerability management, mdatp tvm weaknesses page, finding weaknesses through tvm, tvm vulnerability list, vulnerability details in tvm -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: dolmont -author: DulceMontemayor -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 04/11/2019 ---- -# Weaknesses -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -Threat & Vulnerability Management leverages the same signals in Microsoft Defender ATP's endpoint protection to scan and detect vulnerabilities. - -The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization, their severity, Common Vulnerability Scoring System (CVSS) rating, its prevalence in your organization, corresponding breach, and threat insights. - -## Navigate through your organization's weaknesses page -You can see the list of vulnerabilities in three ways: - -*Vulnerabilities in global search* -1. Click the global search drop-down menu. -2. Select **Vulnerability** and key-in the Common Vulnerabilities and Exposures (CVE) ID that you are looking for, then click the search icon. The **Weaknesses** page opens with the CVE information that you are looking for. -![tvm-vuln-globalsearch](images/tvm-vuln-globalsearch.png) -3. 
Select the CVE and a flyout panel opens up with more information - the vulnerability description, exploits available, severity level, CVSS v3 rating, publishing and update dates. - ->[!NOTE] ->To see the rest of the vulnerabilities in the **Weaknesses** page, type CVE, then click search. - -*Weaknesses page in the menu* -1. Go to the Threat & Vulnerability Management navigation menu and select **Weaknesses** to open up the list of vulnerabilities found in your organization. -2. Select the vulnerability that you want to investigate to open up a flyout panel with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish, and update dates. - -*Top vulnerable software widget in the dashboard* -1. Go to the Threat & Vulnerability Management dashboard and scroll down to the **Top vulnerable software** widget. You will see the number of vulnerabilities found in each software along with threat information and a high-level view of the device exposure trend over time. -![tvm-top-vulnerable-software](images/tvm-top-vulnerable-software.png) -2. Click the software that you want to investigate and it takes you to the software page. You will the weaknesses found in your machine per severity level, in which machines are they installed, version distribution, and the corresponding security recommendation. -3. Select the **Discovered vulnerabilities** tab. -4. Select the vulnerability that you want to investigate to open up a flyout panel with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish, and update dates. - -## How it works -When new vulnerabilities are released, you would want know how many of your assets are exposed. You can see the list of vulnerabilities and the details in the **Weaknesses** page. - -If the **Exposed Machines** column shows 0, that means you are not infected. 
- -If there's a number in the **Exposed Machines**, that means you need to remediate the vulnerabilities in those machines because they put the rest of your assets and your organization at risk. - -You can also see the related alert and threat insights in the **Threat** column. - -The breach insights icons are highlighted if there are active alerts associated with the vulnerability found in your organization. -![tvm-breach-insights](images/tvm-breach-insights.png) - -The threat insights icons are highlighted if there are associated exploits in the vulnerability found in your organization. It also shows whether the threat is connected to specific campaign for which, Threat Analytics report links are provided that you can read. -![tvm-threat-insights](images/tvm-threat-insights.png) - - >[!NOTE] - > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight ![threat insight](images/tvm_bug_icon.png) icon and possible active alert ![possible active alert](images/tvm_alert_icon.png) icon. - - -## Related topics -- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) -- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) -- [Exposure score](tvm-exposure-score.md) -- [Configuration score](configuration-score.md) -- [Security recommendation](tvm-security-recommendation.md) -- [Remediation](tvm-remediation.md) -- [Software inventory](tvm-software-inventory.md) -- [Scenarios](threat-and-vuln-mgt-scenarios.md) +--- +title: Weaknesses +description: The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization, their severity, Common Vulnerability Scoring System (CVSS) rating, its prevalence in your organization, breach, and threat insights. 
+keywords: mdatp threat & vulnerability management, mdatp tvm weaknesses page, finding weaknesses through tvm, tvm vulnerability list, vulnerability details in tvm +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 04/11/2019 +--- +# Weaknesses +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +Threat & Vulnerability Management leverages the same signals in Microsoft Defender ATP's endpoint protection to scan and detect vulnerabilities. + +The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization, their severity, Common Vulnerability Scoring System (CVSS) rating, its prevalence in your organization, corresponding breach, and threat insights. + +## Navigate through your organization's weaknesses page +You can see the list of vulnerabilities in four ways: + +*Vulnerabilities in global search* +1. Click the global search drop-down menu. +2. Select **Vulnerability** and key-in the Common Vulnerabilities and Exposures (CVE) ID that you are looking for, then click the search icon. The **Weaknesses** page opens with the CVE information that you are looking for. +![tvm-vuln-globalsearch](images/tvm-vuln-globalsearch.png) +3. Select the CVE and a flyout panel opens up with more information - the vulnerability description, exploits available, severity level, CVSS v3 rating, publishing and update dates. + +>[!NOTE] +>To see the rest of the vulnerabilities in the **Weaknesses** page, type CVE, then click search. + +*Weaknesses page in the menu* +1. 
Go to the Threat & Vulnerability Management navigation menu and select **Weaknesses** to open up the list of vulnerabilities found in your organization. +2. Select the vulnerability that you want to investigate to open up a flyout panel with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish, and update dates. + +*Top vulnerable software widget in the dashboard* +1. Go to the Threat & Vulnerability Management dashboard and scroll down to the **Top vulnerable software** widget. You will see the number of vulnerabilities found in each software along with threat information and a high-level view of the device exposure trend over time. +![tvm-top-vulnerable-software](images/tvm-top-vulnerable-software.png) +2. Click the software that you want to investigate and it takes you to the software page. You will the weaknesses found in your machine per severity level, in which machines are they installed, version distribution, and the corresponding security recommendation. +3. Select the **Discovered vulnerabilities** tab. +4. Select the vulnerability that you want to investigate to open up a flyout panel with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish, and update dates. + +*Discovered vulnerabilities in the machine page* +1. Go to the left-hand navigation menu bar, then select the machine icon. The **Machines list** page opens. +
    ![Screenshot of Machines list page](images/tvm_machineslist.png)
    +2. In the **Machines list** page, select the machine that you want to investigate. +
    ![Screenshot of machine list with selected machine to investigate](images/tvm_machinetoinvestigate.png)
    +
    A flyout pane opens with machine details and response action options.
    +![Screenshot of the flyout pane with machine details and response options](images/tvm_machine_page_flyout.png) +3. In the flyout pane, select **Open machine page**. A page opens with details and response options for the machine you want to investigate. +
    ![Screenshot of the machine page with details and response options](images/tvm_machines_discoveredvuln.png)
    +4. Select **Discovered vulnerabilities**. +5. Select the vulnerability that you want to investigate to open up a flyout panel with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish, and update dates. + +## How it works +When new vulnerabilities are released, you would want know how many of your assets are exposed. You can see the list of vulnerabilities and the details in the **Weaknesses** page. + +If the **Exposed Machines** column shows 0, that means you are not infected. + +If there's a number in the **Exposed Machines**, that means you need to remediate the vulnerabilities in those machines because they put the rest of your assets and your organization at risk. + +You can also see the related alert and threat insights in the **Threat** column. + +The breach insights icons are highlighted if there are active alerts associated with the vulnerability found in your organization. +![tvm-breach-insights](images/tvm-breach-insights.png) + +The threat insights icons are highlighted if there are associated exploits in the vulnerability found in your organization. It also shows whether the threat is connected to specific campaign for which, Threat Analytics report links are provided that you can read. +![tvm-threat-insights](images/tvm-threat-insights.png) + + >[!NOTE] + > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight ![threat insight](images/tvm_bug_icon.png) icon and possible active alert ![possible active alert](images/tvm_alert_icon.png) icon. + +## Report inaccuracy + +You can report a false positive when you see any vague, inaccurate, missing, or already remediated vulnerability information in the machine page. + +1. Select the **Discovered vulnerabilities** tab. + +2. Click **:** beside the vulnerability that you want to report about, and then select **Report inaccuracy**. 
+![Screenshot of Report inaccuracy control from the machine page in the Discovered vulnerabilities tab](images/tvm_report_inaccuracy_vuln.png) +
    A flyout pane opens.
    +![Screenshot of Report inaccuracy flyout pane](images/tvm_report_inaccuracy_vulnflyout.png) + +3. From the flyout pane, select the inaccuracy category from the **Discovered vulnerability inaccuracy reason** drop-down menu. +
    ![Screenshot of discovered vulnerability inaccuracy reason drop-down menu](images/tvm_report_inaccuracy_vulnoptions.png)
    + +4. Include your email address so Microsoft can send you feedback regarding the inaccuracy you reported. + +5. Include your machine name for investigation context. + +>[!NOTE] +> You can also provide details regarding the inaccuracy you reported in the **Tell us more (optional)** field to give the threat and vulnerability management investigators context. + +6. Click **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts with its context. + + +## Related topics +- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) +- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) +- [Exposure score](tvm-exposure-score.md) +- [Configuration score](configuration-score.md) +- [Security recommendation](tvm-security-recommendation.md) +- [Remediation](tvm-remediation.md) +- [Software inventory](tvm-software-inventory.md) +- [Scenarios](threat-and-vuln-mgt-scenarios.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/use-custom-ti.md b/windows/security/threat-protection/microsoft-defender-atp/use-custom-ti.md index 9452c634c4..86e1ee7a44 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/use-custom-ti.md +++ b/windows/security/threat-protection/microsoft-defender-atp/use-custom-ti.md 
@@ -26,7 +26,7 @@ ms.date: 04/24/2018 > [!TIP] > This topic has been deprecated. See [Indicators](ti-indicator.md) for the updated content. > -> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-customti-abovefoldlink) +> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-customti-abovefoldlink) Understand threat intelligence concepts, then enable the custom threat intelligence application so that you can proceed to create custom threat intelligence alerts that are specific to your organization. diff --git a/windows/security/threat-protection/microsoft-defender-atp/use.md b/windows/security/threat-protection/microsoft-defender-atp/use.md index 5b80236d1c..f8b5c0061c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/use.md +++ b/windows/security/threat-protection/microsoft-defender-atp/use.md @@ -23,7 +23,7 @@ ms.topic: conceptual - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-usewdatp-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-usewdatp-abovefoldlink) Microsoft Defender Security Center is the portal where you can access Microsoft Defender Advanced Threat Protection capabilities. diff --git a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md index 668831d19d..1e1f628b6b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md @@ -23,7 +23,7 @@ ms.topic: article - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-roles-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-roles-abovefoldlink) ## Create roles and assign the role to an Azure Active Directory group The following steps guide you on how to create roles in Microsoft Defender Security Center. It assumes that you have already created Azure Active Directory user groups. diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md index b3c05cd9a2..10cba3e6d8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md @@ -28,6 +28,11 @@ The following features are generally available (GA) in the latest release of Mic For more information preview features, see [Preview features](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection). + +## September 2019 +- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-2008-r2-sp1--windows-server-2012-r2-and-windows-server-2016)
    You can now onboard Windows Server 2008 R2 SP1. + + ## June 2019 - [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
    A new built-in capability that uses a risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. @@ -50,7 +55,7 @@ For more information preview features, see [Preview features](https://docs.micro ## April 2019 - [Microsoft Threat Experts Targeted Attack Notification capability](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts#targeted-attack-notification)
    Microsoft Threat Experts' Targeted Attack Notification alerts are tailored to organizations to provide as much information as can be quickly delivered thus bringing attention to critical threats in their network, including the timeline, scope of breach, and the methods of intrusion. -- [Microsoft Defender ATP API](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use-apis)
    Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Microsoft Defender ATP capabilities. +- [Microsoft Defender ATP API](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/apis-intro)
    Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Microsoft Defender ATP capabilities. diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md index 3168a333af..06c44d0ef2 100644 --- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md +++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md 
@@ -106,7 +106,7 @@ Windows Defender Antivirus in Windows 10 uses a multi-pronged approach to improv For more information, see [Windows Defender in Windows 10](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) and [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server). -For information about Microsoft Defender Advanced Threat Protection, a service that helps enterprises to detect, investigate, and respond to advanced and targeted attacks on their networks, see [Microsoft Defender Advanced Threat Protection (ATP)](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp) (resources) and [Microsoft Defender Advanced Threat Protection (ATP)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) (documentation). +For information about Microsoft Defender Advanced Threat Protection, a service that helps enterprises to detect, investigate, and respond to advanced and targeted attacks on their networks, see [Microsoft Defender Advanced Threat Protection (ATP)](https://www.microsoft.com/WindowsForBusiness/windows-atp) (resources) and [Microsoft Defender Advanced Threat Protection (ATP)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) (documentation). ### Data Execution Prevention 
@@ -450,10 +450,10 @@ Microsoft Consulting Services (MCS) and Microsoft Support/Premier Field Engineer ## Related topics - [Security and Assurance in Windows Server 2016](https://technet.microsoft.com/windows-server-docs/security/security-and-assurance) -- [Microsoft Defender Advanced Threat Protection (ATP) - resources](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp) +- [Microsoft Defender Advanced Threat Protection (ATP) - resources](https://www.microsoft.com/WindowsForBusiness/windows-atp) - [Microsoft Defender Advanced Threat Protection (ATP) - documentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) - [Exchange Online Advanced Threat Protection Service Description](https://technet.microsoft.com/library/exchange-online-advanced-threat-protection-service-description.aspx) - [Office 365 Advanced Threat Protection](https://products.office.com/en-us/exchange/online-email-threat-protection) -- [Microsoft Malware Protection Center](https://www.microsoft.com/en-us/security/portal/mmpc/default.aspx) +- [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/mmpc/default.aspx) diff --git a/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md b/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md index a485a13590..af394cc02a 100644 --- a/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md +++ b/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md 
@@ -22,7 +22,7 @@ ms.date: 04/19/2017 **Applies to** - Windows 10 ->Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare). +>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). Describes the best practices, location, values, policy management, and security considerations for the **Bypass traverse checking** security policy setting. diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md index b4f0324679..3aa61ca9b4 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md @@ -76,7 +76,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -By default, the domain members submit a password change every 30 days. If you increase this interval significantly, or set it to 0 so that the computers no longer submit a password change, an attacker has more time to undertake a brute-force attack to guess the password of one or more computer accounts. +By default, the domain members submit a password change every 30 days. If you increase this interval significantly so that the computers no longer submit a password change, an attacker has more time to undertake a brute-force attack to guess the password of one or more computer accounts. ### Countermeasure 
diff --git a/windows/security/threat-protection/security-policy-settings/maximum-password-age.md b/windows/security/threat-protection/security-policy-settings/maximum-password-age.md index 00c2b3a1a2..2e2b5f172a 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-password-age.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-password-age.md @@ -74,7 +74,7 @@ The longer a password exists, the higher the likelihood that it will be compromi ### Considerations -Mandated password changes are a long-standing security practice, but current research strongly indicates that password expiration has a negative effect. See [Microsoft Password Guidance](https://www.microsoft.com/en-us/research/publication/password-guidance/) for further information. +Mandated password changes are a long-standing security practice, but current research strongly indicates that password expiration has a negative effect. See [Microsoft Password Guidance](https://www.microsoft.com/research/publication/password-guidance/) for further information. Configure the **Maximum password age** policy setting to a value that is suitable for your organization's business requirements. For example, many organisations have compliance or insurance mandates requiring a short lifespan on passwords. Where such a requirement exists, the **Maximum password age** policy setting can be used to meet business requirements. diff --git a/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md b/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md index a9d12cc027..9901c940a8 100644 --- a/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md +++ b/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md 
@@ -182,7 +182,7 @@ When it successfully infects a vulnerable computer, the malware runs kernel-leve ## Protection against the WannaCrypt attack -To get the latest protection from Microsoft, upgrade to [Windows 10](https://www.microsoft.com/en-us/windows/windows-10-upgrade). Keeping your computers [up-to-date](https://www.microsoft.com/en-us/security/portal/mmpc/help/updatefaqs.aspx) gives you the benefits of the latest features and proactive mitigations built into the latest versions of Windows. +To get the latest protection from Microsoft, upgrade to [Windows 10](https://www.microsoft.com/windows/windows-10-upgrade). Keeping your computers [up-to-date](https://www.microsoft.com/security/portal/mmpc/help/updatefaqs.aspx) gives you the benefits of the latest features and proactive mitigations built into the latest versions of Windows. We recommend customers that have not yet installed the security update [MS17-010](https://technet.microsoft.com/library/security/ms17-010.aspx) do so as soon as possible. Until you can apply the patch, we also recommend two possible workarounds to reduce the attack surface: 
@@ -195,7 +195,7 @@ For enterprises, use [Device Guard](https://technet.microsoft.com/itpro/windows/ Use [Office 365 Advanced Threat Protection](https://blogs.office.com/2015/04/08/introducing-exchange-online-advanced-threat-protection/), which has machine learning capability that blocks dangerous email threats, such as the emails carrying ransomware. -Monitor networks with [Windows Defender Advanced Threat Protection](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp), which alerts security operations teams about suspicious activities. Download this playbook to see how you can leverage Windows Defender ATP to detect, investigate, and mitigate ransomware in networks: [Windows Defender Advanced Threat Protection - Ransomware response playbook](https://www.microsoft.com/en-us/download/details.aspx?id=55090). +Monitor networks with [Windows Defender Advanced Threat Protection](https://www.microsoft.com/WindowsForBusiness/windows-atp), which alerts security operations teams about suspicious activities. Download this playbook to see how you can leverage Windows Defender ATP to detect, investigate, and mitigate ransomware in networks: [Windows Defender Advanced Threat Protection - Ransomware response playbook](https://www.microsoft.com/download/details.aspx?id=55090). ## Resources 
@@ -207,7 +207,7 @@ MS17-010 Security Update: [https://technet.microsoft.com/library/security/ms17-0 Customer guidance for WannaCrypt attacks: [https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/](https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/) -General information on ransomware: [https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx](https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx) +General information on ransomware: [https://www.microsoft.com/security/portal/mmpc/shared/ransomware.aspx](https://www.microsoft.com/security/portal/mmpc/shared/ransomware.aspx) ## Indicators of compromise diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md index 39bb11b2f0..e73bbfe476 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md 
@@ -46,7 +46,7 @@ See [Enable cloud-delivered protection](enable-cloud-protection-windows-defender After you've enabled the service, you may need to configure your network or firewall to allow connections between it and your endpoints. -As a cloud service, it is required that computers have access to the internet and that the ATP machine learning services are reachable. The following table lists the services and their associated URLs. You should ensure there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an allow rule specifically for them: +As a cloud service, it is required that computers have access to the internet and that the ATP machine learning services are reachable. The URL: "\*.blob.core.windows.net" should not be excluded from any kind of network inspection. The table below lists the services and their associated URLs. You should ensure there are no firewall or network filtering rules denying access to these URLs, or you may need to create an allow rule specifically for them (excluding the URL: "\*.blob.core.windows.net"). | **Service**| **Description** |**URL** | diff --git a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md index 115361ba35..307d8fcd7d 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md 
@@ -24,7 +24,7 @@ manager: dansimp In addition to standard on-premises or hardware configurations, you can also use Windows Defender Antivirus in a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment. -See the [Microsoft Desktop virtualization site](https://www.microsoft.com/en-us/server-cloud/products/virtual-desktop-infrastructure/) for more details on Microsoft Remote Desktop Services and VDI support. +See the [Microsoft Desktop virtualization site](https://www.microsoft.com/server-cloud/products/virtual-desktop-infrastructure/) for more details on Microsoft Remote Desktop Services and VDI support. For Azure-based virtual machines, you can also review the [Install Endpoint Protection in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection) topic. 
@@ -143,7 +143,7 @@ You can initiate the update manually by right-clicking on the task and clicking
 If you would prefer to do everything manually, this what you would need to do to replicate the script’s behavior:
 1. Create a new folder on the system root called *wdav_update* to store intelligence updates, for example, create the folder *c:\wdav_update*
 1. Create a subfolder under *wdav_update* with a GUID name, such as *{00000000-0000-0000-0000-000000000000}*; for example *c:\wdav_update\{00000000-0000-0000-0000-000000000000}* (note, in the script we set it so the last 12 digits of the GUID are the year, month, day, and time when the file was downloaded so that a new folder is created each time. You can change this so that the file is downloaded to the same folder each time)
-1. Download a security intelligence package from https://www.microsoft.com/en-us/wdsi/definitions into the GUID folder. The file should be named *mpam-fe.exe*.
+1. Download a security intelligence package from https://www.microsoft.com/wdsi/definitions into the GUID folder. The file should be named *mpam-fe.exe*.
 1. Open a cmd prompt window and navigate to the GUID folder you created. Use the **/X** extraction command to extract the files, for example **mpam-fe.exe /X**.
 Note: The VMs will pick up the updated package whenever a new GUID folder is created with an extracted update package or whenever an existing folder is updated with a new extracted package.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md
index 856b617100..8d22a596c8 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md
@@ -35,6 +35,9 @@ This topic describes the structure of this profile (including a recommended prof
 The configuration profile is a .plist file that consists of entries identified by a key (which denotes the name of the preference), followed by a value, which depends on the nature of the preference. Values can either be simple (such as a numerical value) or complex, such as a nested list of preferences.
+>[!CAUTION]
+>The layout of the configuration profile depends on the management console that you are using. The following sections contain examples of configuration profiles for JAMF and Intune.
+
 The top level of the configuration profile includes product-wide preferences and entries for subareas of the product, which are explained in more detail in the next sections.
 ### Antivirus engine preferences
@@ -222,6 +225,8 @@ The following configuration profile will:
 - Enable cloud delivered protection
 - Enable automatic sample submission
+### JAMF profile
+
 ```XML
@@ -258,10 +263,91 @@ The following configuration profile will: ``` +### Intune profile + +```XML + + + + + PayloadUUID + C4E6A782-0C8D-44AB-A025-EB893987A295 + PayloadType + Configuration + PayloadOrganization + Microsoft + PayloadIdentifier + com.microsoft.wdav + PayloadDisplayName + Microsoft Defender ATP settings + PayloadDescription + Microsoft Defender ATP configuration settings + PayloadVersion + 1 + PayloadEnabled + + PayloadRemovalDisallowed + + PayloadScope + System + PayloadContent + + + PayloadUUID + 99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295 + PayloadType + com.microsoft.wdav + PayloadOrganization + Microsoft + PayloadIdentifier + com.microsoft.wdav + PayloadDisplayName + Microsoft Defender ATP configuration settings + PayloadDescription + + PayloadVersion + 1 + PayloadEnabled + + antivirusEngine + + enableRealTimeProtection + + threatTypeSettings + + + key + potentially_unwanted_application + value + block + + + key + archive_bomb + value + audit + + + + cloudService + + enabled + + automaticSampleSubmission + + + + + + +``` + ## Full configuration profile example The following configuration profile contains entries for all settings described in this document and can be used for more advanced scenarios where you want more control over the product. +### JAMF profile + ```XML 
@@ -329,6 +415,116 @@ The following configuration profile contains entries for all settings described ``` +### Intune profile + +```XML + + + + + PayloadUUID + C4E6A782-0C8D-44AB-A025-EB893987A295 + PayloadType + Configuration + PayloadOrganization + Microsoft + PayloadIdentifier + C4E6A782-0C8D-44AB-A025-EB893987A295 + PayloadDisplayName + Microsoft Defender ATP settings + PayloadDescription + Microsoft Defender ATP configuration settings + PayloadVersion + 1 + PayloadEnabled + + PayloadRemovalDisallowed + + PayloadScope + System + PayloadContent + + + PayloadUUID + 99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295 + PayloadType + com.microsoft.wdav + PayloadOrganization + Microsoft + PayloadIdentifier + 99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295 + PayloadDisplayName + Microsoft Defender ATP configuration settings + PayloadDescription + + PayloadVersion + 1 + PayloadEnabled + + antivirusEngine + + enableRealTimeProtection + + exclusions + + + $type + excludedPath + isDirectory + + path + /var/log/system.log + + + $type + excludedPath + isDirectory + + path + /home + + + $type + excludedFileExtension + extension + pdf + + + allowedThreats + + eicar + + threatTypeSettings + + + key + potentially_unwanted_application + value + block + + + key + archive_bomb + value + audit + + + + cloudService + + enabled + + diagnosticLevel + optional + automaticSampleSubmission + + + + + + +``` + ## Configuration profile deployment Once you've built the configuration profile for your enterprise, you can deploy it through the management console that your enterprise is using. The following sections provide instructions on how to deploy this profile using JAMF and Intune. diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-privacy.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-privacy.md index 977d404c8d..7cf18820f8 100644 
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-privacy.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-privacy.md
@@ -122,6 +122,7 @@ The following fields are collected:
 | cloud_service.service_uri | URI used to communicate with the cloud. |
 | cloud_service.diagnostic_level | Diagnostic level of the device (required, optional). |
 | cloud_service.automatic_sample_submission | Whether automatic sample submission is turned on or not. |
+| edr.early_preview | Whether the machine should run EDR early preview features. |
 | features.\[optional feature name\] | List of preview features, along with whether they are enabled or not. |
 #### Product and service performance data events
diff --git a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
index 44eb90d185..5553e762b8 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
@@ -34,7 +34,7 @@ To take advantage of the power and speed of these next-gen technologies, Windows
 With cloud-delivered protection, next-gen technologies provide rapid identification of new threats, sometimes even before a single machine is infected. Watch the following video about Microsoft AI and Windows Defender Antivirus in action:
+src="https://www.microsoft.com/videoplayer/embed/RE1Yu4B" width="768" height="432" allowFullScreen="true" frameBorder="0" scrolling="no">
 To understand how next-gen technologies shorten protection delivery time through the cloud, watch the following video:
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
index dfac2bdc61..78fd4446c6 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md
@@ -76,7 +76,7 @@ Uninstall-WindowsFeature -Name Windows-Defender-GUI
 You can also uninstall Windows Defender AV completely with the **Remove Roles and Features Wizard** by deselecting the **Windows Defender Features** option at the **Features** step in the wizard.
-This is useful if you have a third-party antivirus product installed on the machine already. Multiple AV products can cause problems when installed and actively running on the same machine. See the question "Should I run Microsoft security software at the same time as other security products?" on the [Windows Defender Security Intelligence Antivirus and antimalware software FAQ](https://www.microsoft.com/en-us/wdsi/help/antimalware-faq#multiple-products).
+This is useful if you have a third-party antivirus product installed on the machine already. Multiple AV products can cause problems when installed and actively running on the same machine. See the question "Should I run Microsoft security software at the same time as other security products?" on the [Windows Defender Security Intelligence Antivirus and antimalware software FAQ](https://www.microsoft.com/wdsi/help/antimalware-faq#multiple-products).
 >[!NOTE]
 >Deselecting **Windows Defender** on its own under the **Windows Defender Features** section will automatically prompt you to remove the interface option **GUI for Windows Defender**.
diff --git a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md
index 8fb9a6ccaf..fbad450704 100644
--- a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md
@@ -116,7 +116,7 @@ If the app you intend to block is not installed on the system you are using the
 3. Copy the GUID in the URL for the app
 - Example: the GUID for the Microsoft To-Do app is 9nblggh5r558
- - https://www.microsoft.com/en-us/p/microsoft-to-do-list-task-reminder/9nblggh5r558?activetab=pivot:overviewtab
+ - https://www.microsoft.com/p/microsoft-to-do-list-task-reminder/9nblggh5r558?activetab=pivot:overviewtab
 4. Use the GUID in the following REST query URL to retrieve the identifiers for the app
 - Example: for the Microsoft To-Do app, the URL would be https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9nblggh5r558/applockerdata
 - The URL will return:
diff --git a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
index c129bb0353..c39a63739c 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
@@ -33,7 +33,7 @@ These settings, located at **Computer Configuration\Administrative Templates\Net
 |Policy name|Supported versions|Description|
 |-----------|------------------|-----------|
 |Private network ranges for apps|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of IP address ranges that are in your corporate network. Included endpoints or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.|
-|Enterprise resource domains hosted in the cloud|At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. Notes: 1) If you want to specify a complete domain, include a full domain name (for example "**contoso.com**") in the configuration. 2) You may optionally use "." as a previous wildcard character to automatically trust all subdomains (when there is more than one subdomain). Configuring "**.constoso.com**" will automatically trust "**subdomain1.contoso.com**", "**subdomain2.contoso.com**", etc. 3) To trust a subdomain, precede your domain with two dots, for example "**..contoso.com**". |
+|Enterprise resource domains hosted in the cloud|At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. Notes: 1) Include a full domain name in the configuration, for example **www.contoso.com**, to trust only in this literal value. 2) You may optionally use "." as a wildcard character to automatically trust subdomains on only one level of the domain hierarchy that is to the left of the dot. 
Configuring **".constoso.com"** will automatically trust **"local.contoso.com"**, **"shop.contoso.com"**, and all other values on the left. 3) You may optionally use ".." as a wildcard character to automatically trust subdomains on all the levels of the domain hierarchy that are to the left of the dots. Configuring **"..constoso.com"** will automatically trust **"us.shop.contoso.com"**, **"trainning.contoso.com"**, and all other values on the left. |
 |Domains categorized as both work and personal|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and will be accessible from the Application Guard and regular Edge environment.|
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md
deleted file mode 100644
index 0a5a679109..0000000000
--- a/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md
+++ /dev/null
@@ -1,118 +0,0 @@
----
-title: Compare the features in Exploit protection with EMET
-keywords: emet, enhanced mitigation experience toolkit, configuration, exploit, compare, difference between, versus, upgrade, convert
-description: Exploit protection in Windows 10 provides advanced configuration over the settings offered in EMET.
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: levinec
-ms.author: ellevin
-ms.date: 08/08/2018
-ms.reviewer:
-manager: dansimp
----
-
-# Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->[!IMPORTANT]
->If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Microsoft Defender ATP.
->
->You can [convert an existing EMET configuration file into Exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings.
-
-This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and exploit protection in Microsoft Defender ATP.
-
-Exploit protection in Microsoft Defender ATP is our successor to EMET and provides stronger protection, more customization, an easier user interface, and better configuration and management options.
-
-EMET is a standalone product for earlier versions of Windows and provides some mitigation against older, known exploit techniques.
-
-After July 31, 2018, it will not be supported. 
- -For more information about the individual features and mitigations available in Microsoft Defender ATP, as well as how to enable, configure, and deploy them to better protect your network, see the following topics: - -- [Protect devices from exploits](exploit-protection-exploit-guard.md) -- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) - - - ## Feature comparison - - The table in this section illustrates the differences between EMET and Windows Defender Exploit Guard. - -  | Windows Defender Exploit Guard | EMET - -|:-:|:-: -Windows versions | [!include[Check mark yes](images/svg/check-yes.svg)]
    All versions of Windows 10 starting with version 1709 | [!include[Check mark yes](images/svg/check-yes.svg)]
    Windows 8.1; Windows 8; Windows 7
    Cannot be installed on Windows 10, version 1709 and later -Installation requirements | [Windows Security in Windows 10](../windows-defender-security-center/windows-defender-security-center.md)
    (no additional installation required)
    Windows Defender Exploit Guard is built into Windows - it doesn't require a separate tool or package for management, configuration, or deployment. | Available only as an additional download and must be installed onto a management device -User interface | Modern interface integrated with the [Windows Security app](../windows-defender-security-center/windows-defender-security-center.md) | Older, complex interface that requires considerable ramp-up training -Supportability | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Dedicated submission-based support channel](https://www.microsoft.com/en-us/wdsi/filesubmission)[[1](#fn1)]
    [Part of the Windows 10 support lifecycle](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet) | [!include[Check mark no](images/svg/check-no.svg)]
    Ends after July 31, 2018 -Updates | [!include[Check mark yes](images/svg/check-yes.svg)]
    Ongoing updates and development of new features, released twice yearly as part of the [Windows 10 semi-annual update channel](https://blogs.technet.microsoft.com/windowsitpro/2017/07/27/waas-simplified-and-aligned/) | [!include[Check mark no](images/svg/check-no.svg)]
    No planned updates or development -Exploit protection | [!include[Check mark yes](images/svg/check-yes.svg)]
    All EMET mitigations plus new, specific mitigations ([see table](#mitigation-comparison))
    [Can convert and import existing EMET configurations](import-export-exploit-protection-emet-xml.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
    Limited set of mitigations -Attack surface reduction[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Helps block known infection vectors](attack-surface-reduction-exploit-guard.md)
    [Can configure individual rules](enable-attack-surface-reduction.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
    Limited ruleset configuration only for modules (no processes) -Network protection[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Helps block malicious network connections](network-protection-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
    Not available -Controlled folder access[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Helps protect important folders](controlled-folders-exploit-guard.md)
    [Configurable for apps and folders](customize-controlled-folders-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
    Not available -Configuration with GUI (user interface) | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Use Windows Security app to customize and manage configurations](customize-exploit-protection.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
    Requires installation and use of EMET tool -Configuration with Group Policy | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Use Group Policy to deploy and manage configurations](import-export-exploit-protection-emet-xml.md#manage-or-deploy-a-configuration) | [!include[Check mark yes](images/svg/check-yes.svg)]
    Available -Configuration with shell tools | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Use PowerShell to customize and manage configurations](customize-exploit-protection.md#powershell-reference) | [!include[Check mark yes](images/svg/check-yes.svg)]
    Requires use of EMET tool (EMET_CONF) -System Center Configuration Manager | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Use Configuration Manager to customize, deploy, and manage configurations](https://docs.microsoft.com/sccm/protect/deploy-use/create-deploy-exploit-guard-policy) | [!include[Check mark no](images/svg/check-no.svg)]
    Not available -Microsoft Intune | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Use Intune to customize, deploy, and manage configurations](https://docs.microsoft.com/intune/whats-new#window-defender-exploit-guard-is-a-new-set-of-intrusion-prevention-capabilities-for-windows-10----1063615---) | [!include[Check mark no](images/svg/check-no.svg)]
    Not available -Reporting | [!include[Check mark yes](images/svg/check-yes.svg)]
    With [Windows event logs](event-views-exploit-guard.md) and [full audit mode reporting](audit-windows-defender-exploit-guard.md)
    [Full integration with Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/secure-score-dashboard.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
    Limited Windows event log monitoring -Audit mode | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Full audit mode with Windows event reporting](audit-windows-defender-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
    Limited to EAF, EAF+, and anti-ROP mitigations - -([1](#ref1)) Requires an enterprise subscription with Azure Active Directory or a [Software Assurance ID](https://www.microsoft.com/en-us/licensing/licensing-programs/software-assurance-default.aspx). - -([2](#ref2-1)) Additional requirements may apply (such as use of Windows Defender Antivirus). See [Windows Defender Exploit Guard requirements](windows-defender-exploit-guard.md#requirements) for more details. Customizable mitigation options that are configured with [Exploit protection](exploit-protection-exploit-guard.md) do not require Windows Defender Antivirus. - -## Mitigation comparison - -The mitigations available in EMET are included in Windows Defender Exploit Guard, under the [exploit protection feature](exploit-protection-exploit-guard.md). - -The table in this section indicates the availability and support of native mitigations between EMET and Exploit protection. - -Mitigation | Available in Windows Defender Exploit Guard | Available in EMET --|:-:|:-: -Arbitrary code guard (ACG) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
    As "Memory Protection Check" -Block remote images | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
    As "Load Library Check" -Block untrusted fonts | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -Data Execution Prevention (DEP) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -Export address filtering (EAF) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -NullPage Security Mitigation | [!include[Check mark yes](images/svg/check-yes.svg)]
    Included natively in Windows 10
    See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](images/svg/check-yes.svg)] -Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -Simulate execution (SimExec) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -Validate API invocation (CallerCheck) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -Validate exception chains (SEHOP) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -Validate stack integrity (StackPivot) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | [!include[Check mark yes](images/svg/check-yes.svg)] -Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection
    See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](images/svg/check-yes.svg)] -Block low integrity images | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] -Code integrity guard | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] -Disable extension points | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] -Disable Win32k system calls | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] -Do not allow child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] -Import address filtering (IAF) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] -Validate handle usage | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] -Validate heap integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] -Validate image dependency integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] - - ->[!NOTE] ->The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default in Windows Defender Exploit Guard as part of enabling the anti-ROP mitigations for a process. 
-> ->See the [Mitigation threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology. - - -## Related topics - -- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) -- [Evaluate exploit protection](evaluate-exploit-protection.md) -- [Enable exploit protection](enable-exploit-protection.md) -- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) -- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) - - diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md deleted file mode 100644 index 7a23a23e04..0000000000 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md +++ /dev/null 
@@ -1,53 +0,0 @@
----
-title: Evaluate the impact of Windows Defender Exploit Guard
-description: Use our evaluation guides to quickly enable and configure features, and test them against common attack scenarios
-keywords: evaluate, guides, evaluation, exploit guard, controlled folder access, attack surface reduction, exploit protection, network protection, test, demo
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: levinec
-ms.author: ellevin
-ms.date: 05/30/2018
-ms.reviewer:
-manager: dansimp
----
-
-# Evaluate Windows Defender Exploit Guard
-
-**Applies to:**
-
-- Windows 10, version 1709 and later
-- Windows Server 2016
-
-Windows Defender Exploit Guard is a collection of tools and features that help you keep your network safe from exploits. Exploits are infection vectors for malware that rely on vulnerabilities in software.
-
-Windows Defender Exploit Guard is comprised of four features. We've developed evaluation guides for each of the features so you can easily and quickly see how they work and determine if they are suitable for your organization.
-
->[!TIP]
->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work.
-
-Before you begin, you should read the main [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) topic to get an understanding of each of the features and what their prerequisites are. 
-
-- [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md)
-- [Evaluate controlled folder access](evaluate-controlled-folder-access.md)
-- [Evaluate exploit protection](evaluate-exploit-protection.md)
-- [Evaluate network protection](evaluate-network-protection.md)
-
-You might also be interested in enabling the features in audit mode - which allows you to see how the features work in the real world without impacting your organization or employee's work habits:
-
-- [Use audit mode to evaluate Windows Defender Exploit Guard features](audit-windows-defender-exploit-guard.md)
-
-## Related topics
-
-| Topic | Description |
-|-------|-------------|
-| | |
-
-- [Protect devices from exploits](exploit-protection-exploit-guard.md)
-- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md)
-- [Protect your network](network-protection-exploit-guard.md)
-- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md
deleted file mode 100644
index d701915788..0000000000
--- a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md
+++ /dev/null
@@ -1,174 +0,0 @@ ---- -title: Apply mitigations to help prevent attacks through vulnerabilities -keywords: mitigations, vulnerabilities, vulnerability, mitigation, exploit, exploits, emet -description: Exploit protection in Windows 10 provides advanced configuration over the settings offered in EMET. -search.product: eADQiWindows 10XVcnh -ms.pagetype: security -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: levinec -ms.author: ellevin -ms.date: 04/02/2019 -ms.reviewer: -manager: dansimp ---- - -# Protect devices from exploits - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -Exploit protection automatically applies a number of exploit mitigation techniques to operating system processes and apps. - -It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Exploit protection is supported beginning with Windows 10, version 1709 and Windows Server 2016, version 1803. - ->[!TIP] ->You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. - -Exploit protection works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) - which gives you detailed reporting into exploit protection events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). - -You can [enable exploit protection](enable-exploit-protection.md) on an individual machine, and then use [Group Policy](import-export-exploit-protection-emet-xml.md) to distribute the XML file to multiple devices at once. - -When a mitigation is encountered on the machine, a notification will be displayed from the Action Center. 
You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
-
-You can also use [audit mode](evaluate-exploit-protection.md) to evaluate how exploit protection would impact your organization if it were enabled.
-
-Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) have been included in Exploit protection, and you can convert and import existing EMET configuration profiles into Exploit protection. See [Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard](emet-exploit-protection-exploit-guard.md) for more information on how Exploit protection supersedes EMET and what the benefits are when considering moving to exploit protection on Windows 10.
-
->[!IMPORTANT]
->If you are currently using EMET you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Windows 10. You can [convert an existing EMET configuration file into exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings.
-
->[!WARNING]
->Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](audit-windows-defender-exploit-guard.md) before deploying the configuration across a production environment or the rest of your network.
-
-## Review exploit protection events in the Microsoft Security Center
-
-Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios.
-
-You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how exploit protection settings could affect your environment.
-
-Here is an example query:
-
-```
-MiscEvents
-| where ActionType startswith 'ExploitGuard' and ActionType !contains 'NetworkProtection'
-```
-
-## Review exploit protection events in Windows Event Viewer
-
-You can review the Windows event log to see events that are created when exploit protection blocks (or audits) an app:
-
-Provider/source | Event ID | Description
--|:-:|-
-Security-Mitigations | 1 | ACG audit
-Security-Mitigations | 2 | ACG enforce
-Security-Mitigations | 3 | Do not allow child processes audit
-Security-Mitigations | 4 | Do not allow child processes block
-Security-Mitigations | 5 | Block low integrity images audit
-Security-Mitigations | 6 | Block low integrity images block
-Security-Mitigations | 7 | Block remote images audit
-Security-Mitigations | 8 | Block remote images block
-Security-Mitigations | 9 | Disable win32k system calls audit
-Security-Mitigations | 10 | Disable win32k system calls block
-Security-Mitigations | 11 | Code integrity guard audit
-Security-Mitigations | 12 | Code integrity guard block
-Security-Mitigations | 13 | EAF audit
-Security-Mitigations | 14 | EAF enforce
-Security-Mitigations | 15 | EAF+ audit
-Security-Mitigations | 16 | EAF+ enforce
-Security-Mitigations | 17 | IAF audit
-Security-Mitigations | 18 | IAF enforce
-Security-Mitigations | 19 | ROP StackPivot audit
-Security-Mitigations | 20 | ROP StackPivot enforce
-Security-Mitigations | 21 | ROP CallerCheck audit -Security-Mitigations | 22 | ROP CallerCheck enforce -Security-Mitigations | 23 | ROP SimExec audit -Security-Mitigations | 24 | ROP SimExec enforce -WER-Diagnostics | 5 | CFG Block -Win32K | 260 | Untrusted Font - -## Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard - ->[!IMPORTANT] ->If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Microsoft Defender ATP. -> ->You can [convert an existing EMET configuration file into exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. - -This section compares exploit protection in Microsoft Defender ATP with the Enhance Mitigation Experience Toolkit (EMET) for reference. -The table in this section illustrates the differences between EMET and Windows Defender Exploit Guard. - -  | Windows Defender Exploit Guard | EMET - -|:-:|:-: -Windows versions | [!include[Check mark yes](images/svg/check-yes.svg)]
    All versions of Windows 10 starting with version 1709 | [!include[Check mark yes](images/svg/check-yes.svg)]
    Windows 8.1; Windows 8; Windows 7
    Cannot be installed on Windows 10, version 1709 and later -Installation requirements | [Windows Security in Windows 10](../windows-defender-security-center/windows-defender-security-center.md)
    (no additional installation required)
    Windows Defender Exploit Guard is built into Windows - it doesn't require a separate tool or package for management, configuration, or deployment. | Available only as an additional download and must be installed onto a management device -User interface | Modern interface integrated with the [Windows Security app](../windows-defender-security-center/windows-defender-security-center.md) | Older, complex interface that requires considerable ramp-up training -Supportability | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Dedicated submission-based support channel](https://www.microsoft.com/en-us/wdsi/filesubmission)[[1](#fn1)]
    [Part of the Windows 10 support lifecycle](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet) | [!include[Check mark no](images/svg/check-no.svg)]
    Ends after July 31, 2018 -Updates | [!include[Check mark yes](images/svg/check-yes.svg)]
    Ongoing updates and development of new features, released twice yearly as part of the [Windows 10 semi-annual update channel](https://blogs.technet.microsoft.com/windowsitpro/2017/07/27/waas-simplified-and-aligned/) | [!include[Check mark no](images/svg/check-no.svg)]
    No planned updates or development -Exploit protection | [!include[Check mark yes](images/svg/check-yes.svg)]
    All EMET mitigations plus new, specific mitigations ([see table](#mitigation-comparison))
    [Can convert and import existing EMET configurations](import-export-exploit-protection-emet-xml.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
    Limited set of mitigations -Attack surface reduction[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Helps block known infection vectors](attack-surface-reduction-exploit-guard.md)
    [Can configure individual rules](enable-attack-surface-reduction.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
    Limited ruleset configuration only for modules (no processes) -Network protection[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Helps block malicious network connections](network-protection-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
    Not available -Controlled folder access[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Helps protect important folders](controlled-folders-exploit-guard.md)
    [Configurable for apps and folders](customize-controlled-folders-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
    Not available -Configuration with GUI (user interface) | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Use Windows Security app to customize and manage configurations](customize-exploit-protection.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
    Requires installation and use of EMET tool -Configuration with Group Policy | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Use Group Policy to deploy and manage configurations](import-export-exploit-protection-emet-xml.md#manage-or-deploy-a-configuration) | [!include[Check mark yes](images/svg/check-yes.svg)]
    Available -Configuration with shell tools | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Use PowerShell to customize and manage configurations](customize-exploit-protection.md#powershell-reference) | [!include[Check mark yes](images/svg/check-yes.svg)]
    Requires use of EMET tool (EMET_CONF) -System Center Configuration Manager | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Use Configuration Manager to customize, deploy, and manage configurations](https://docs.microsoft.com/sccm/protect/deploy-use/create-deploy-exploit-guard-policy) | [!include[Check mark no](images/svg/check-no.svg)]
    Not available -Microsoft Intune | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Use Intune to customize, deploy, and manage configurations](https://docs.microsoft.com/intune/whats-new#window-defender-exploit-guard-is-a-new-set-of-intrusion-prevention-capabilities-for-windows-10----1063615---) | [!include[Check mark no](images/svg/check-no.svg)]
    Not available -Reporting | [!include[Check mark yes](images/svg/check-yes.svg)]
    With [Windows event logs](event-views-exploit-guard.md) and [full audit mode reporting](audit-windows-defender-exploit-guard.md)
    [Full integration with Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/secure-score-dashboard.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
    Limited Windows event log monitoring -Audit mode | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Full audit mode with Windows event reporting](audit-windows-defender-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
    Limited to EAF, EAF+, and anti-ROP mitigations - -([1](#ref1)) Requires an enterprise subscription with Azure Active Directory or a [Software Assurance ID](https://www.microsoft.com/en-us/licensing/licensing-programs/software-assurance-default.aspx). - -([2](#ref2-1)) Additional requirements may apply (such as use of Windows Defender Antivirus). See [Windows Defender Exploit Guard requirements](windows-defender-exploit-guard.md#requirements) for more details. Customizable mitigation options that are configured with [exploit protection](exploit-protection-exploit-guard.md) do not require Windows Defender Antivirus. - -## Mitigation comparison - -The mitigations available in EMET are included in Windows Defender Exploit Guard, under the [exploit protection feature](exploit-protection-exploit-guard.md). - -The table in this section indicates the availability and support of native mitigations between EMET and exploit protection. - -Mitigation | Available in Windows Defender Exploit Guard | Available in EMET --|:-:|:-: -Arbitrary code guard (ACG) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
    As "Memory Protection Check" -Block remote images | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
    As "Load Library Check" -Block untrusted fonts | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -Data Execution Prevention (DEP) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -Export address filtering (EAF) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -Force randomization for images (Mandatory ASLR) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -NullPage Security Mitigation | [!include[Check mark yes](images/svg/check-yes.svg)]
    Included natively in Windows 10
    See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](images/svg/check-yes.svg)] -Randomize memory allocations (Bottom-Up ASLR) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -Simulate execution (SimExec) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -Validate API invocation (CallerCheck) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -Validate exception chains (SEHOP) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -Validate stack integrity (StackPivot) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | [!include[Check mark yes](images/svg/check-yes.svg)] -Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection
    See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | [!include[Check mark yes](images/svg/check-yes.svg)] -Block low integrity images | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] -Code integrity guard | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] -Disable extension points | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] -Disable Win32k system calls | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] -Do not allow child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] -Import address filtering (IAF) | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] -Validate handle usage | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] -Validate heap integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] -Validate image dependency integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] - ->[!NOTE] ->The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default in Windows Defender Exploit Guard as part of enabling the anti-ROP mitigations for a process. 
-> ->See the [Mitigation threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology. - - -## Related topics - -- [Protect devices from exploits](exploit-protection-exploit-guard.md) -- [Evaluate exploit protection](evaluate-exploit-protection.md) -- [Enable exploit protection](enable-exploit-protection.md) -- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) -- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) -- [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md) - - diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/graphics.md b/windows/security/threat-protection/windows-defender-exploit-guard/graphics.md deleted file mode 100644 index 111bb99fc5..0000000000 --- a/windows/security/threat-protection/windows-defender-exploit-guard/graphics.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -ms.date: 09/18/2017 -ms.reviewer: -manager: dansimp -ms.author: ellevin -author: levinec ---- -Check mark no - - -Check mark yes diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_50.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_50.png deleted file mode 100644 index bab791f3c0..0000000000 Binary files a/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_50.png and /dev/null differ diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_75.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_75.png deleted file mode 100644 index de277c05e1..0000000000 Binary files a/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_75.png and /dev/null differ 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_empty.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_empty.png
deleted file mode 100644
index 97f905f5ea..0000000000
Binary files a/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_empty.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_full.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_full.png
deleted file mode 100644
index 2bc45259d3..0000000000
Binary files a/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_full.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/turn-windows-features-on-or-off.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/turn-windows-features-on-or-off.png
deleted file mode 100644
index 8d47a53b51..0000000000
Binary files a/windows/security/threat-protection/windows-defender-exploit-guard/images/turn-windows-features-on-or-off.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/oldTOC.md b/windows/security/threat-protection/windows-defender-exploit-guard/oldTOC.md
deleted file mode 100644
index eedb76c8dc..0000000000
--- a/windows/security/threat-protection/windows-defender-exploit-guard/oldTOC.md
+++ /dev/null
@@ -1,30 +0,0 @@
-# [Windows Defender Exploit Guard](windows-defender-exploit-guard.md)
-
-## [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
-### [Use auditing mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md)
-### [View Exploit Guard events](event-views-exploit-guard.md)
-
-## [Exploit protection](exploit-protection-exploit-guard.md)
-### [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
-### [Evaluate Exploit protection](evaluate-exploit-protection.md)
-### [Enable Exploit protection](enable-exploit-protection.md)
-### [Customize Exploit protection](customize-exploit-protection.md)
-#### [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md)
-### [Memory integrity](memory-integrity.md)
-#### [Requirements for virtualization-based protection of code integrity](requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
-#### [Enable virtualization-based protection of code integrity](enable-virtualization-based-protection-of-code-integrity.md)
-## [Attack surface reduction](attack-surface-reduction-exploit-guard.md)
-### [Evaluate Attack surface reduction](evaluate-attack-surface-reduction.md)
-### [Enable Attack surface reduction](enable-attack-surface-reduction.md)
-### [Customize Attack surface reduction](customize-attack-surface-reduction.md)
-### [Troubleshoot Attack surface reduction rules](troubleshoot-asr.md)
-## [Network Protection](network-protection-exploit-guard.md)
-### [Evaluate Network Protection](evaluate-network-protection.md)
-### [Enable Network Protection](enable-network-protection.md)
-### [Troubleshoot Network protection](troubleshoot-np.md)
-## [Controlled folder access](controlled-folders-exploit-guard.md)
-### [Evaluate Controlled folder access](evaluate-controlled-folder-access.md)
-### [Enable Controlled folder 
access](enable-controlled-folders-exploit-guard.md)
-### [Customize Controlled folder access](customize-controlled-folders-exploit-guard.md)
-
-
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/prerelease.md b/windows/security/threat-protection/windows-defender-exploit-guard/prerelease.md
deleted file mode 100644
index 6e993c8c0a..0000000000
--- a/windows/security/threat-protection/windows-defender-exploit-guard/prerelease.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-ms.date: 08/25/2017
-ms.reviewer:
-manager: dansimp
-ms.author: ellevin
-author: levinec
----
-> [!IMPORTANT]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md
deleted file mode 100644
index a60d5f5a24..0000000000
--- a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md
+++ /dev/null
@@ -1,90 +0,0 @@
----
-title: Use Windows Defender Exploit Guard to protect your network
-description: Windows Defender EG employs features that help protect your network from threats, including helping prevent ransomware encryption and exploit attacks
-keywords: emet, exploit guard, Controlled folder access, Network protection, Exploit protection, Attack surface reduction, hips, host intrusion prevention system
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
-ms.date: 08/09/2018
-ms.reviewer:
-manager: dansimp
----
-
-# Windows Defender Exploit Guard
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Windows Defender Exploit Guard (Windows Defender EG) is a new set of host intrusion prevention capabilities for Windows 10, allowing you to manage and reduce the attack surface of apps used by your employees.
-
-There are four features in Windows Defender EG:
-
-- [Exploit protection](exploit-protection-exploit-guard.md) can apply exploit mitigation techniques to apps your organization uses, both individually and to all apps. Works with third-party antivirus solutions and Windows Defender Antivirus (Windows Defender AV).
-- [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) can reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office-, script- and mail-based malware. Requires Windows Defender AV.
-- [Network protection](network-protection-exploit-guard.md) extends the malware and social engineering protection offered by Windows Defender SmartScreen in Microsoft Edge to cover network traffic and connectivity on your organization's devices. Requires Windows Defender AV.
-- [Controlled folder access](controlled-folders-exploit-guard.md) helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware malware. Requires Windows Defender AV.
-
-Windows 10, version 1803 provides additional protections:
-
-- New Attack surface reduction rules
-- Controlled folder access can now block disk sectors
-
-You can evaluate each feature of Windows Defender EG with the guides at the following link, which provide pre-built PowerShell scripts and testing tools so you can see the features in action:
-- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
-
-
-You can also [enable audit mode](audit-windows-defender-exploit-guard.md) for the features, which provides you with basic event logs that indicate how the feature would have responded if it had been fully enabled. This can be useful when evaluating the impact of Windows Defender EG and to help determine the impact of the features on your network's security.
-
->[!TIP]
->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how each of them work.
-
-Windows Defender EG can be managed and reported on in the Windows Security app as part of the Microsoft Defender Advanced Threat Protection suite of threat mitigation, preventing, protection, and analysis technologies.
-
-You can use the Windows Security app to obtain detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). You can [sign up for a free trial of Microsoft Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-msa4053440) to see how it works.
-
-## Requirements
-
-This section covers requirements for each feature in Windows Defender EG.
- -| Symbol | Support | -|--------|---------| -| ![not supported](./images/ball_empty.png) | Not supported | -| ![supported](./images/ball_50.png) | Supported | -| ![supported, full reporting](./images/ball_full.png) | Recommended. Includes full, automated reporting into the Microsoft Defender ATP console. Provides additional cloud-powered capabilities, including the Network protection ability to block apps from accessing low-reputation websites and an attack surface reduction rule that blocks executable files that meet age or prevalence criteria.| - -| Feature | Windows 10 Home | Windows 10 Professional | Windows 10 Enterprise | Windows 10 with Enterprise E3 subscription | Windows 10 with Enterprise E5 subscription | -| ----------------- | :------------------------------------: | :---------------------------: | :-------------------------: | :--------------------------------------: | :--------------------------------------: | -| Exploit protection | ![supported](./images/ball_50.png) | ![supported](./images/ball_50.png) | ![supported, enhanced](./images/ball_50.png) | ![supported, enhanced](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) | -| Attack surface reduction rules | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) | -| Network protection | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) | -| Controlled folder access | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited 
reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) | - ->[!NOTE] -> The [Identity & Threat Protection package](https://www.microsoft.com/microsoft-365/blog/2019/01/02/introducing-new-advanced-security-and-compliance-offerings-for-microsoft-365/), available for Microsoft 365 E3 customers, provides the same Windows Defender ATP capabilities as the Enterprise E5 subscription. - -The following table lists which features in Windows Defender EG require enabling [real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) from Windows Defender Antivirus. - -| Feature | Real-time protection | -|-----------------| ------------------------------------ | -| Exploit protection | No requirement | -| Attack surface reduction rules | Must be enabled | -| Network protection | Must be enabled | -| Controlled folder access | Must be enabled | - - ## In this library - -Topic | Description ----|--- -[Protect devices from exploits](exploit-protection-exploit-guard.md) | Exploit protection provides you with many of the features in now-retired Enhanced Mitigations Experience Toolkit - and adds additional configuration and technologies. These features can help prevent threats from using vulnerabilities to gain access to your network and devices. You can create a template of settings that can be exported and copied to multiple machines in your network at once. -[Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) | Use pre-built rules to manage mitigations for key attack and infection vectors, such as Office-based malicious macro code and PowerShell, VBScript, and JavaScript scripts. -[Protect your network](network-protection-exploit-guard.md) | Minimize the exposure of your devices from network and web-based infection vectors. 
-[Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) | Prevent unknown or unauthorized apps (including ransomware encryption malware) from writing to sensitive folders, such as folders containing sensitive or business-critical data.
-
-
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
index ca32f2c55a..001c490193 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
@@ -9,6 +9,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
+audience: ITPro
 author: dansimp
 ms.author: dansimp
 ms.date: 04/30/2018
@@ -16,64 +17,63 @@ ms.reviewer: manager: dansimp --- - # App and browser control **Applies to** - Windows 10, version 1703 and later - The **App and browser control** section contains information and settings for Windows Defender SmartScreen. IT administrators and IT pros can get configuration guidance from the [Windows Defender SmartScreen documentation library](https://docs.microsoft.com/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview). -In Windows 10, version 1709 and later, the section also provides configuration options for Exploit protection. You can prevent users from modifying these specific options with Group Policy. IT administrators can get more information at the [Exploit protection](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md) topic in the Windows Defender Exploit Guard library. +In Windows 10, version 1709 and later, the section also provides configuration options for Exploit protection. You can prevent users from modifying these specific options with Group Policy. IT administrators can get more information at [Exploit protection](../microsoft-defender-atp/exploit-protection.md). You can also choose to hide the section from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section. - ## Prevent users from making changes to the Exploit protection area in the App & browser control section You can prevent users from modifying settings in the Exploit protection area. The settings will be either greyed out or not appear if you enable this setting. Users will still have access to other settings in the App & browser control section, such as those for Windows Defender SmartScreen, unless those options have been configured separately. You can only prevent users from modifying Exploit protection settings by using Group Policy. 
->[!IMPORTANT] ->### Requirements +> [!IMPORTANT] > ->You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. +> ### Requirements +> +> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Security > App and browser protection**. +3. Expand the tree to **Windows components > Windows Security > App and browser protection**. -6. Open the **Prevent users from modifying settings** setting and set it to **Enabled**. Click **OK**. +4. Open the **Prevent users from modifying settings** setting and set it to **Enabled**. Click **OK**. -7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). +5. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). ## Hide the App & browser control section -You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app. 
+You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigation bar on the side of the app. This can only be done in Group Policy. ->[!IMPORTANT] ->### Requirements +> [!IMPORTANT] > ->You must have Windows 10, version 1709 (the Fall Creators Update). The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. +> ### Requirements +> +> You must have Windows 10, version 1709 (the Fall Creators Update). The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Security > App and browser protection**. +3. Expand the tree to **Windows components > Windows Security > App and browser protection**. -6. Open the **Hide the App and browser protection area** setting and set it to **Enabled**. Click **OK**. +4. Open the **Hide the App and browser protection area** setting and set it to **Enabled**. Click **OK**. -7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). +5. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). 
->[!NOTE]
->If you hide all sections then the app will show a restricted interface, as in the following screenshot:
->
->![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png)
+> [!NOTE]
+> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
+>
+> ![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png)
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
index 9692fa9046..d84d263388 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
@@ -30,23 +30,23 @@ manager: dansimp - Group Policy -You can add information about your organization in a contact card to the Windows Security app. This can include a link to a support site, a phone number for a help desk, and an email address for email-based support. +You can add information about your organization in a contact card to the Windows Security app. This can include a link to a support site, a phone number for a help desk, and an email address for email-based support. -![](images/security-center-custom-flyout.png) +![The security center custom fly-out](images/security-center-custom-flyout.png) -This information will also be shown in some enterprise-specific notifications (including those for [Windows Defender Exploit Guard](/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard), the [Block at first sight feature](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus), and [potentially unwanted applications](/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus). - -![](images/security-center-custom-notif.png) +This information will also be shown in some enterprise-specific notifications (including those for the [Block at first sight feature](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus), and [potentially unwanted applications](/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus). 
+![A security center notification](images/security-center-custom-notif.png) Users can click on the displayed information to initiate a support request: + - Clicking **Call** or the phone number will open Skype to start a call to the displayed number - Clicking **Email** or the email address will create a new email in the machine's default email app address to the displayed email - Clicking **Help portal** or the website URL will open the machine's default web browser and go to the displayed address ## Requirements -You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. +You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. ## Use Group Policy to enable and customize contact information 
@@ -54,29 +54,26 @@ There are two stages to using the contact card and customized notifications. Fir This can only be done in Group Policy. -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Security > Enterprise Customization**. +3. Expand the tree to **Windows components > Windows Security > Enterprise Customization**. -6. You enable the contact card and the customized notifications by configuring two separate Group Policy settings. They will both use the same source of information (explained in Steps 7 and 8), and you can enable both or only one or the other: +4. Enable the contact card and the customized notifications by configuring two separate Group Policy settings. They will both use the same source of information (explained in Steps 5 and 6). You can enable both, or slect one or the other: 1. To enable the contact card, open the **Configure customized contact information** setting and set it to **Enabled**. Click **OK**. 2. To enable the customized notifications, open the **Configure customized notifications** setting and set it to **Enabled**. Click **OK**. -7. After you've enabled the contact card or the customized notifications (or both), you must configure the **Specify contact company name** to **Enabled**. 
Enter your company or organization's name in the field in the **Options** section. Click **OK**. +5. After you've enabled the contact card or the customized notifications (or both), you must configure the **Specify contact company name** to **Enabled**. Enter your company or organization's name in the field in the **Options** section. Click **OK**. -8. To ensure the custom notifications or contact card appear, you must also configure at least one of the following settings by opening them, setting them to **Enabled** and adding the contact information in the field under **Options**: +6. To ensure the custom notifications or contact card appear, you must also configure at least one of the following settings by opening them, setting them to **Enabled** and adding the contact information in the field under **Options**: 1. **Specify contact email address or Email ID** 2. **Specify contact phone number or Skype ID** 3. **Specify contact website** -9. Click **OK** after configuring each setting to save your changes. - +7. Click **OK** after configuring each setting to save your changes. >[!IMPORTANT] >You must specify the contact company name and at least one contact method - email, phone number, or website URL. If you do not specify the contact name and a contact method the customization will not apply, the contact card will not show, and notifications will not be customized. - - diff --git a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md index a12e0b136b..af8816db71 100644 --- a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md +++ b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md @@ -16,10 +16,6 @@ ms.reviewer: manager: dansimp --- - - - - # The Windows Security app **Applies to** 
@@ -29,6 +25,7 @@ manager: dansimp This library describes the Windows Security app, and provides information on configuring certain features, including:
    + - [Showing and customizing contact information on the app and in notifications](wdsc-customize-contact-information.md) - [Hiding notifications](wdsc-hide-notifications.md) 
@@ -38,33 +35,32 @@ In Windows 10, version 1803, the app has two new areas, **Account protection** a ![Screen shot of the Windows Security app showing that the device is protected and five icons for each of the features](images/security-center-home.png) ->[!NOTE] ->The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal console that is used to review and manage [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). +> [!NOTE] +> The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal console that is used to review and manage [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). You can't uninstall the Windows Security app, but you can do one of the following: -- Disable the interface on Windows Server 2016. See [Windows Defender Antivirus on Windows Server 2016](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016). +- Disable the interface on Windows Server 2016. See [Windows Defender Antivirus on Windows Server 2016](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016). - Hide all of the sections on client computers (see below). - Disable Windows Defender Antivirus, if needed. See [Enable and configure Windows Defender AV always-on protection and monitoring](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). 
You can find more information about each section, including options for configuring the sections - such as hiding each of the sections - at the following topics: - -- [Virus & threat protection](wdsc-virus-threat-protection.md), which has information and access to antivirus ransomware protection settings and notifications, including the Controlled folder access feature of Windows Defender Exploit Guard and sign-in to Microsoft OneDrive. -- [Account protection](wdsc-account-protection.md), which has information and access to sign-in and account protection settings. +- [Virus & threat protection](wdsc-virus-threat-protection.md), which has information and access to antivirus ransomware protection settings and notifications, including Controlled folder access, and sign-in to Microsoft OneDrive. +- [Account protection](wdsc-account-protection.md), which has information and access to sign-in and account protection settings. - [Firewall & network protection](wdsc-firewall-network-protection.md), which has information and access to firewall settings, including Windows Defender Firewall. - [App & browser control](wdsc-app-browser-control.md), covering Windows Defender SmartScreen settings and Exploit protection mitigations. - [Device security](wdsc-device-security.md), which provides access to built-in device security settings. - [Device performance & health](wdsc-device-performance-health.md), which has information about drivers, storage space, and general Windows Update issues. - [Family options](wdsc-family-options.md), which includes access to parental controls along with tips and information for keeping kids safe online. 
- ->[!NOTE] ->If you hide all sections then the app will show a restricted interface, as in the following screenshot: -> ->![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) +> [!NOTE] +> If you hide all sections then the app will show a restricted interface, as in the following screenshot: +> +> ![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) ## Open the Windows Security app + - Click the icon in the notification area on the taskbar. ![Screen shot of the icon for the Windows Security app on the Windows task bar](images/security-center-taskbar.png) 
@@ -75,34 +71,30 @@ You can find more information about each section, including options for configur ![Screen shot of Windows Settings showing the different areas available in the Windows Security](images/settings-windows-defender-security-center-areas.png) - > [!NOTE] > Settings configured with management tools, such as Group Policy, Microsoft Intune, or System Center Configuration Manager, will generally take precedence over the settings in the Windows Security. See the topics for each of the sections for links to configuring the associated features or products. - - ## How the Windows Security app works with Windows security features - ->[!IMPORTANT] ->Windows Defender AV and the Windows Security app use similarly named services for specific purposes. -> ->The Windows Security app uses the Windows Security Service (*SecurityHealthService* or *Windows Security Health Servce*), which in turn utilizes the Security Center service ([*wscsvc*](https://technet.microsoft.com/library/bb457154.aspx#EDAA)) to ensure the app provides the most up-to-date information about the protection status on the endpoint, including protection offered by third-party antivirus products, Windows Defender Firewall, third-party firewalls, and other security protection. -> +> [!IMPORTANT] +> Windows Defender AV and the Windows Security app use similarly named services for specific purposes. +> +> The Windows Security app uses the Windows Security Service (*SecurityHealthService* or *Windows Security Health Servce*), which in turn utilizes the Security Center service ([*wscsvc*](https://technet.microsoft.com/library/bb457154.aspx#EDAA)) to ensure the app provides the most up-to-date information about the protection status on the endpoint, including protection offered by third-party antivirus products, Windows Defender Firewall, third-party firewalls, and other security protection. +> >These services do not affect the state of Windows Defender AV. 
Disabling or modifying these services will not disable Windows Defender AV, and will lead to a lowered protection state on the endpoint, even if you are using a third-party antivirus product. -> +> >Windows Defender AV will be [disabled automatically when a third-party antivirus product is installed and kept up to date](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). -> ->Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Defender Firewall](https://docs.microsoft.com/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). +> +> Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Defender Firewall](https://docs.microsoft.com/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). > [!WARNING] -> If you disable the Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device. -> ->It may also prevent Windows Defender AV from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed. -> ->This will significantly lower the protection of your device and could lead to malware infection. +> If you disable the Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device. +> +> It may also prevent Windows Defender AV from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed. 
+> +> This will significantly lower the protection of your device and could lead to malware infection. -The Windows Security app operates as a separate app or process from each of the individual features, and will display notifications through the Action Center. +The Windows Security app operates as a separate app or process from each of the individual features, and will display notifications through the Action Center. It acts as a collector or single place to see the status and perform some configuration for each of the features. @@ -112,18 +104,3 @@ Disabling any of the individual features (through Group Policy or other manageme > Individually disabling any of the services will not disable the other services or the Windows Security app. For example, [using a third-party antivirus will disable Windows Defender Antivirus](https://docs.microsoft.com/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility). However, the Windows Security app will still run, show its icon in the taskbar, and display information about the other features, such as Windows Defender SmartScreen and Windows Defender Firewall. - - - - - - - - - - - - - - - diff --git a/windows/whats-new/get-started-with-1709.md b/windows/whats-new/get-started-with-1709.md index 6dc2400981..b7879030be 100644 --- a/windows/whats-new/get-started-with-1709.md +++ b/windows/whats-new/get-started-with-1709.md 
@@ -38,7 +38,7 @@ To view availability dates and servicing options for each version and update of ## Windows 10 Roadmap -If you'd like to gain some insight into preview, or in-development features, visit the [Windows 10 Roadmap](https://www.microsoft.com/en-us/WindowsForBusiness/windows-roadmap) page. You'll be able to filter by feature state and product category, to make this information easier to navigate. +If you'd like to gain some insight into preview, or in-development features, visit the [Windows 10 Roadmap](https://www.microsoft.com/WindowsForBusiness/windows-roadmap) page. You'll be able to filter by feature state and product category, to make this information easier to navigate. ## Top support solutions for Windows 10 diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md index df1f40120d..2c5570e18c 100644 --- a/windows/whats-new/whats-new-windows-10-version-1709.md +++ b/windows/whats-new/whats-new-windows-10-version-1709.md @@ -25,7 +25,7 @@ A brief description of new or updated features in this version of Windows 10 is   -> [!video https://www.microsoft.com/en-us/videoplayer/embed/43942201-bec9-4f8b-8ba7-2d9bfafa8bba?autoplay=false] +> [!video https://www.microsoft.com/videoplayer/embed/43942201-bec9-4f8b-8ba7-2d9bfafa8bba?autoplay=false] ## Deployment 
@@ -96,7 +96,7 @@ Windows Defender Application Guard hardens a favorite attacker entry-point by is ### Window Defender Exploit Guard -Window Defender Exploit Guard provides intrusion prevention capabilities to reduce the attack and exploit surface of applications. Exploit Guard has many of the threat mitigations that were available in Enhanced Mitigation Experience Toolkit (EMET) toolkit, a deprecated security download. These mitigations are now built into Windows and configurable with Exploit Guard. For more information, see [Windows Defender Exploit Guard](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard). +Window Defender Exploit Guard provides intrusion prevention capabilities to reduce the attack and exploit surface of applications. Exploit Guard has many of the threat mitigations that were available in Enhanced Mitigation Experience Toolkit (EMET) toolkit, a deprecated security download. These mitigations are now built into Windows and configurable with Exploit Guard. These mitigations include [Exploit protection](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/exploit-protection), [Attack surface reduction protection](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction), [Controlled folder access](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/controlled-folder-access), and [Network protection](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/network-protection). ### Windows Defender Device Guard diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md index 7c41c62396..bdc31a26e4 100644 --- a/windows/whats-new/whats-new-windows-10-version-1803.md +++ b/windows/whats-new/whats-new-windows-10-version-1803.md 
@@ -25,7 +25,7 @@ This article lists new and updated features and content that are of interest to The following 3-minute video summarizes some of the new features that are available for IT Pros in this release. -> [!video https://www.microsoft.com/en-us/videoplayer/embed/RE21ada?autoplay=false] +> [!video https://www.microsoft.com/videoplayer/embed/RE21ada?autoplay=false] ## Deployment @@ -66,7 +66,7 @@ With this release you can easily deploy and manage kiosk devices with Microsoft - To help with troubleshooting, you can now view error reports generated if an assigned access-configured app has issues. For more information, see: -- [Making IT simpler with a modern workplace](https://www.microsoft.com/en-us/microsoft-365/blog/2018/04/27/making-it-simpler-with-a-modern-workplace/) +- [Making IT simpler with a modern workplace](https://www.microsoft.com/microsoft-365/blog/2018/04/27/making-it-simpler-with-a-modern-workplace/) - [Simplifying kiosk management for IT with Windows 10](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Simplifying-kiosk-management-for-IT-with-Windows-10/ba-p/187691) ### Windows 10 Subscription Activation 
@@ -178,11 +178,11 @@ Windows Defender Antivirus now shares detection status between M365 services and
 ### Windows Defender Exploit Guard
-Windows Defender Exploit Guard enhanced attack surface area reduction, extended support to Microsoft Office applications, and now supports Windows Server. [Virtualization-based Security](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/Windows-Defender-System-Guard-Making-a-leap-forward-in-platform/m-p/167303) (VBS) and Hypervisor-protected code integrity (HVCI) can now be enabled across the Windows 10 ecosystem. These Exploit Guard features can now be enabled through the Windows Defender Security Center.
+Windows Defender Exploit Guard enhanced attack surface area reduction, extended support to Microsoft Office applications, and now supports Windows Server. [Virtualization-based Security](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/Windows-Defender-System-Guard-Making-a-leap-forward-in-platform/m-p/167303) (VBS) and Hypervisor-protected code integrity (HVCI) can now be enabled across the Windows 10 ecosystem. These Exploit Guard features can now be enabled through the Windows Defender Security Center.
-For more information, see [Reduce attack surfaces with Windows Defender Exploit Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)
+For more information, see [Reduce attack surfaces](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction)
-### Windows Defender ATP
+### Windows Defender ATP
 [Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection) has been enhanced with many new capabilities. For more information, see the following topics:
diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md
index b4e4f4f224..42ef6de59b 100644
--- a/windows/whats-new/whats-new-windows-10-version-1809.md
+++ b/windows/whats-new/whats-new-windows-10-version-1809.md
@@ -160,6 +160,15 @@ Windows Defender ATP now adds support for Windows Server 2019. You'll be able to
 - [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection)
    Onboard supported versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor
+## Cloud Clipboard
+
+Cloud clipboard helps users copy content between devices. It also manages the clipboard histroy so that you can paste your old copied data. You can access it by using **Windows+V**. Set up Cloud clipboard:
+
+1. Go to **Windows Settings** and select **Systems**.
+2. On the left menu, click on **Clipboard**.
+3. Turn on **Clipboard history**.
+4. Turn on **Sync across devices**. Chose whether or not to automatically sync copied text across your devices.
+
 ## Kiosk setup experience
 We introduced a simplified assigned access configuration experience in **Settings** that allows device administrators to easily set up a PC as a kiosk or digital sign. A wizard experience walks you through kiosk setup including creating a kiosk account that will automatically sign in when a device starts.
    MessageDate
    Resolved: Delays starting Internet Explorer 11
    On August 16, 2019 at 7:16 AM a server required for downloading the Internet Explorer 11 (IE11) startup page, went down. As a result of the server outage, IE 11 became unresponsive for some customers who had not yet installed the August 2019 security updates. Customers who had the August 2019 security update installed were not affected. In order to ensure your devices remain in a serviced and secure state, we recommend you install the latest monthly update.

    This issue was resolved on the server side at 1:00 pm PST. 
    August 16, 2019
    04:00 PM PT
    Status update: Windows 10, version 1903 \"D\" optional release available August 30th
    The August optional monthly “D” release for Windows 10, version 1903 is now available. Follow @WindowsUpdate for the latest on the availability of this release.
    August 30, 2019
    08:00 AM PT
    Feature update install notification on Windows 10, version 1809 (the October 2018 Update)
    We've had reports on August 29th that some customers running Windows 10, version 1809 (the October 2018 Update) have received notification to install the latest feature update (version 1903) early. Updating remains in your control. To install the update, you must select one of the following options: \"Pick a Time\", \"Restart Tonight,\" or \"Restart Now\". If you are not ready to update at this time, simply dismiss the notification by clicking the arrow in the top right corner. If you have updated to Windows 10, version 1903 and would like to go back to your previous version, see the instructions here.
    August 29, 2019
    04:39 PM PT
    Take Action: Internet Explorer 11 now available on Windows Update/WSUS for Windows Server 2012 and Windows Embedded 8 Standard
    Internet Explorer 11 (KB 4492872) is now available via Windows Update (WU) and Windows Server Update Services (WSUS) for commercial customers running Windows Server 2012 and Windows Embedded 8 Standard. For details about these changes and end of support for IE10, please refer to the IT Pro blog
    August 29, 2019
    08:00 AM PT
    Take action: SHA-2 code signing support guidance for Windows 7 SP1 and Windows Server 2008 RS2 SP1
    Windows 7 SP1 and Windows Server 2008 R2 SP1 update signatures are now SHA-2 based signatures and requires that SHA-2 support to be installed. For important customer guidance on installation and troubleshooting tips, please read the knowledge base article 2019 SHA-2 Code Signing Support requirement for Windows and WSUS.
    August 23, 2019
    03:35 PM PT
    Take action: Windows 10, version 1703 (the Windows 10 Creators Update) reaches end of life on October 9, 2019
    The Enterprise and Education editions of Windows 10, version 1703 (the Windows 10 Creators Update) will reach end of life on October 9, 2019. The Home, Pro, Pro for Workstations, and IoT Core editions reached end of service on October 8, 2018.

    There is no extended support available for any edition of Windows 10, version 1703. Therefore, it will no longer be supported after October 9, 2019 and will not receive monthly security and quality updates containing protections from the latest security threats.

    To continue receiving security and quality updates, Microsoft recommends that you update your devices to the latest version of Windows 10. For more information on end of service dates and currently supported versions of Windows 10, see the Windows lifecycle fact sheet.
    August 23, 2019
    02:17 PM PT
    Resolved: Delays starting Internet Explorer 11
    On August 16, 2019 at 7:16 AM a server required for downloading the Internet Explorer 11 (IE11) startup page, went down. As a result of the server outage, IE 11 became unresponsive for some customers who had not yet installed the August 2019 security updates. Customers who had the August 2019 security update installed were not affected. In order to ensure your devices remain in a serviced and secure state, we recommend you install the latest monthly update.

    This issue was resolved on the server side at 1:00 pm PST. 
    August 16, 2019
    04:00 PM PT
    August 2019 security update now available for Windows 10, version 1903 and all supported versions of Windows
    The August 2019 security update release, referred to as our “B” release, is now available for Windows 10, version 1903 and all supported versions of Windows. A “B” release is the primary, regular update event for each month and is the only regular release that contains security fixes. As a result, we recommend that you install these updates promptly. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. To be informed about the latest updates and releases, follow us on Twitter @WindowsUpdate.
    August 13, 2019
    10:00 AM PT
    Advisory: Bluetooth encryption key size vulnerability disclosed (CVE-2019-9506)
    On August 13, 2019, Microsoft released security updates to address a Bluetooth key length encryption vulnerability. To exploit this vulnerability, an attacker would need specialized hardware and would be limited by the signal range of the Bluetooth devices in use. For more information about this industry-wide issue, see CVE-2019-9506 | Bluetooth Encryption Key Size Vulnerability in the Microsoft Security Update Guide and important guidance for IT pros in KB4514157. (Note: we are documenting this vulnerability together with guidance for IT admins as part of a coordinated industry disclosure effort.)
    August 13, 2019
    10:00 AM PT
    Advisory: Windows Advanced Local Procedure Call Elevation of Privilege vulnerability disclosed (CVE-2019-1162)
    On August 13, 2019, Google Project Zero (GPZ) disclosed an Elevation of Privilege (EoP) vulnerability in how Windows handles calls to Advanced Local Procedure Call (ALPC) that affects Windows operating systems, versions 8.1 and higher. An attacker must already have code execution on the target system to leverage these vulnerabilities. Microsoft released security updates on August 13, 2019 that partially address this issue. Other items disclosed by GPZ require more time to address and we are working to release a resolution in mid-September. For more information, see CVE-2019-1162 | Windows ALPC Elevation of Privilege Vulnerability
    August 13, 2019
    10:00 AM PT
    Take action: Install required updates for Windows 7 SP1 and Windows Server 2008 RS2 SP1 for SHA-2 code sign support
    As of August 13, 2019, Windows 7 SP1 and Windows Server 2008 R2 SP1 updates signatures only support SHA-2 code signing. As outlined in 2019 SHA-2 Code Signing Support requirement for Windows and WSUS, we are requiring that SHA-2 code signing support be installed. If you have Windows Update enabled and have applied the security updates released in March 2019 (KB4490628) and August 2019 (KB4474419), you are protected automatically; no further configuration is necessary. If you have not installed the March 2019 updates, you will need to do so in order to continue to receive updates on devices running Windows 7 SP1 and Windows Server 2008 R2 SP1.
    August 13, 2019
    10:00 AM PT
    Take action: Windows 10, version 1803 (the April 2018 Update) reaches end of service on November 12, 2019
    Windows 10, version 1803 (the April 2018 Update) will reach end of service on November 12, 2019 for Home and Pro editions. We will begin updating devices running Windows 10, version 1803 to Windows 10, version 1903 (the May 2019 Update) starting July 16, 2019 to help ensure that these devices remain in a serviced and secure state. For more information, see the Windows 10, version 1903 section of the Windows release health dashboard.
    August 13, 2019
    10:00 AM PT
    Advisory: Windows Kernel Information Disclosure Vulnerability (CVE-2019-1125)
    On July 9, 2019, Microsoft released a security update for a Windows kernel information disclosure vulnerability (CVE-2019-1125). Customers who have Windows Update enabled and have applied the security updates released on July 9, 2019 are protected automatically; no further configuration is necessary. For more information, see CVE-2019-1125 | Windows Kernel Information Disclosure Vulnerability in the Microsoft Security Update Guide. (Note: we are documenting this mitigation publicly today, instead of back in July, as part of a coordinated industry disclosure effort.)
    August 06, 2019
    10:00 AM PT
    Resolved August 1, 2019 16:00 PT: Microsoft Store users may encounter blank screens when clicking on certain buttons
    Some customers running the version of the Microsoft Store app released on July 29, 2019 encountered a blank screen when selecting “Switch out of S mode,” “Get Genuine,” or some “Upgrade to [version]” OS upgrade options. This issue has now been resolved and a new version of the Microsoft Store app has been released. Users who encountered this issue will need to update the Microsoft Store app on their device. If you are still encountering an issue, please see Fix problems with apps from Microsoft Store.
    August 01, 2019
    02:00 PM PT
    Reminder: Windows 10 update servicing cadence
    This month we received questions about the cadence of updates we released in April and May 2019. Here's a quick recap of our releases and servicing cadence:
    • April 9, 2019 was the regular Update Tuesday release for all versions of Windows.
    • -
    • May 1, 2019 was an \"optional,\" out of band non-security update (OOB) for Windows 10, version 1809. It was released to Microsoft Catalog and WSUS, providing a critical fix for our OEM partners.
    • -
    • May 3, 2019 was the \"optional\" Windows 10, version 1809 \"C\" release for April. This update contained important Japanese era packages for commercial customers to preview. It was released later than expected and mistakenly targeted as \"required\" (instead of \"optional\") for consumers, which pushed the update out to customers and required a reboot. Within 24 hours of receiving customer reports, we corrected the targeting logic and mitigated the issue.
    • +
    • May 1, 2019 was an \\\"optional,\\\" out of band non-security update (OOB) for Windows 10, version 1809. It was released to Microsoft Catalog and WSUS, providing a critical fix for our OEM partners.
    • +
    • May 3, 2019 was the \\\"optional\\\" Windows 10, version 1809 \\\"C\\\" release for April. This update contained important Japanese era packages for commercial customers to preview. It was released later than expected and mistakenly targeted as \\\"required\\\" (instead of \\\"optional\\\") for consumers, which pushed the update out to customers and required a reboot. Within 24 hours of receiving customer reports, we corrected the targeting logic and mitigated the issue.
    For more information about the Windows 10 update servicing cadence, please see the Window IT Pro blog.
    May 10, 2019
    10:00 AM PT
    The AIK certificate is no longer valid Sign out and then sign in again.
    ​0x801C044D
    0x801C03F2Windows Hello key registration failed.ERROR_BAD_DIRECTORY_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue refer to Duplicate Attributes Prevent Dirsync.
    0x801C044D Unable to obtain user token Sign out and then sign in again. Check network and credentials.
    0x801C044E Failed to receive user creds input Sign out and then sign in again.