Merge branch 'master' of https://github.com/MicrosoftDocs/windows-docs-pr into complatblock

mdop/mbam-v25/mbam-25-supported-configurations.md

@@ -283,8 +283,14 @@ MBAM supports the following versions of Configuration Manager.
 </tr>
 </thead>
 <tbody>
+<tr class="even">
+<td align="left"><p>Microsoft System Center Configuration Manager (Current Branch), versions up to 1902</p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>64-bit</p></td>
+</tr>
+
 <tr class="odd">
-<td align="left"><p>Microsoft System Center Configuration Manager (Current Branch), versions up to 1806</p></td>
+<td align="left"><p>Microsoft System Center Configuration Manager 1806</p></td>
 <td align="left"><p></p></td>
 <td align="left"><p>64-bit</p></td>
 </tr>

store-for-business/troubleshoot-microsoft-store-for-business.md

@@ -49,6 +49,10 @@ The private store for your organization is a page in Microsoft Store app that co
 
     ![Private store for Contoso publishing](images/wsfb-privatestoreapps.png)
 
+## Troubleshooting Microsoft Store for Business integration with System Center Configuration Manager
+
+If you encounter any problems when integrating Microsoft Store for Business with Configuration Manager, use the [troubleshooting guide](https://support.microsoft.com/help/4010214/understand-and-troubleshoot-microsoft-store-for-business-integration-w).
+
 ## Still having trouble?
 
 If you are still having trouble using Microsoft Store or installing an app, Admins can sign in and look for topics on our **Support** page.
@@ -56,4 +60,4 @@ If you are still having trouble using Microsoft Store or installing an app, Admi
 **To view Support page** 
 
 1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com)
-2. Click **Manage**, and then click **Support**. 
+2.Choose **Manage**> **Support**. 

windows/application-management/sideload-apps-in-windows-10.md

@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: mobile
 author: greg-lindsay
-ms.date: 04/19/2017
+ms.date: 05/20/2019
 ---
 
 # Sideload LOB apps in Windows 10
@@ -48,10 +48,16 @@ And here's what you'll need to do:
 ## How do I sideload an app on desktop
 You can sideload apps on managed or unmanaged devices.
 
+>[!IMPORTANT]
+> To install an app on Windows 10, in addition to following [these procedures](https://docs.microsoft.com/windows/msix/app-installer/installing-windows10-apps-web), users can also double-click any APPX/MSIX package.
+
+
 **To turn on sideloading for managed devices**
 
 -   Deploy an enterprise policy.
 
+
+
 **To turn on sideloading for unmanaged devices**
 
 1.  Open **Settings**.

windows/client-management/mdm/cm-cellularentries-csp.md

@@ -183,6 +183,7 @@ The following diagram shows the CM\_CellularEntries configuration service provid
 <p style="margin-left: 20px"> Required. Type: String. Specifies the purposes of the connection by a comma-separated list of GUIDs representing purpose values. The following purpose values are available:
 
 -   Internet - 3E5545D2-1137-4DC8-A198-33F1C657515F
+-   LTE attach - 11A6FE68-5B47-4859-9CB6-1EAC96A8F0BD
 -   MMS - 53E2C5D3-D13C-4068-AA38-9C48FF2E55A8
 -   IMS - 474D66ED-0E4B-476B-A455-19BB1239ED13
 -   SUPL - 6D42669F-52A9-408E-9493-1071DCC437BD

windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md

@@ -107,20 +107,27 @@ Requirements:
 - Enterprise AD must be integrated with Azure AD.
 - Ensure that PCs belong to same computer group.
 
-1.	Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**.
+>[!IMPORTANT] 
-    >[!Note] 
+>If you do not see the policy, it may be because you don’t have the ADMX installed for Windows 10, version 1803 or version 1809. To fix the issue, follow these steps:        
-    >If you do not see the policy, it may be caused because you don’t have the ADMX installed for Windows 10, version 1803. To fix the issue, follow these steps:        
+>   1. Download:  
-    >   1. Download [Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)
+>   1803 -->[Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/en-us/download/details.aspx?id=56880) or  
-](https://www.microsoft.com/en-us/download/details.aspx?id=56880).
+>   1809 --> [Administrative Templates for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/en-us/download/details.aspx?id=57576).
-    >   2. Install the package on the Primary Domain Controller.
+>   2. Install the package on the Primary Domain Controller (PDC).
-    >   3. Navigate to the folder **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2**.
+>   3. Navigate, depending on the version to the folder:
+>   1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2**, or  
+>   1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2**
 >   4. Copy policy definitions folder to **C:\Windows\SYSVOL\domain\Policies**.
 >   5. Restart the Primary Domain Controller for the policy to be available.
+>   This procedure will work for any future version as well.
 
+1.	Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**.
 2.	Create a Security Group for the PCs.
 3.	Link the GPO.
 4.	Filter using Security Groups.
-5.	Enforce  a GPO link
+5.	Enforce a GPO link.
+
+>[!NOTE]
+> Version 1903 (March 2019) is actually on the Insider program and doesn't yet contain a downloadable version of Templates (version 1903).
 
 ### Related topics
 
@@ -129,3 +136,8 @@ Requirements:
 - [Link a Group Policy Object](https://technet.microsoft.com/library/cc732979(v=ws.11).aspx)
 - [Filter Using Security Groups](https://technet.microsoft.com/library/cc752992(v=ws.11).aspx)
 - [Enforce a Group Policy Object Link](https://technet.microsoft.com/library/cc753909(v=ws.11).aspx)
+
+### Useful Links
+- [Windows 10 Administrative Templates for Windows 10 April 2018 Update 1803](https://www.microsoft.com/download/details.aspx?id=56880)
+- [Windows 10 Administrative Templates for Windows 10 October 2018 Update 1809](https://www.microsoft.com/download/details.aspx?id=57576)
+ 

windows/client-management/mdm/policy-csp-windowslogon.md

@@ -407,8 +407,8 @@ ADMX Info:
 <!--/ADMXMapped-->
 <!--SupportedValues-->
 Supported values:  
--   false - disabled
+-   0 - disabled
--   true  - enabled
+-   1 - enabled
 <!--/SupportedValues-->
 <!--Example-->
 

windows/client-management/mdm/vpnv2-profile-xsd.md

@@ -132,7 +132,7 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro
               <xs:element name="NativeProtocolType" type="xs:string" minOccurs="0" maxOccurs="1"/>
               <xs:element name="L2tpPsk" type="xs:string" minOccurs="0" maxOccurs="1"/>
               <xs:element name="DisableClassBasedDefaultRoute" type="xs:boolean" minOccurs="0" maxOccurs="1"/>
-              <xs:element maxOccurs="unbounded" name="CryptographySuite"minOccurs="0" maxOccurs="1">
+              <xs:element name="CryptographySuite" minOccurs="0" maxOccurs="1">
                 <xs:complexType>
                   <xs:sequence>
                     <xs:element name="AuthenticationTransformConstants" type="xs:string" minOccurs="0" maxOccurs="1"/>

windows/client-management/troubleshoot-tcpip-port-exhaust.md

@@ -100,6 +100,8 @@ You may also see CLOSE_WAIT state connections in the same output, however CLOSE_
 >Having huge connections in TIME_WAIT state does not always indicate that the server is currently out of ports unless the first two points are verified. Having lot of TIME_WAIT connections does indicate that the process is creating lot of TCP connections and may eventually lead to port exhaustion.
 >
 >Netstat has been updated in Windows 10 with the addition of the **-Q** switch to show ports that have transitioned out of time wait as in the BOUND state.  An update for Windows 8.1 and Windows Server 2012 R2 has been released that contains this functionality. The PowerShell cmdlet `Get-NetTCPConnection` in Windows 10 also shows these BOUND ports.
+>
+>Until 10/2016, netstat was inaccurate. Fixes for netstat, back-ported to 2012 R2, allowed Netstat.exe and Get-NetTcpConnection to correctly report TCP or UDP port usage in Windows Server 2012 R2. See [Windows Server 2012 R2: Ephemeral ports hotfixes](https://support.microsoft.com/help/3123245/update-improves-port-exhaustion-identification-in-windows-server-2012) to learn more.
  
 4.	Open a command prompt in admin mode and run the below command
 
@@ -192,5 +194,5 @@ goto loop
 
 - [Port Exhaustion and You!](https://blogs.technet.microsoft.com/askds/2008/10/29/port-exhaustion-and-you-or-why-the-netstat-tool-is-your-friend/) - this article gives a detail on netstat states and how you can use netstat output to determine the port status
 
-- [Detecting ephemeral port exhaustion](https://blogs.technet.microsoft.com/clinth/2013/08/09/detecting-ephemeral-port-exhaustion/): this article has a script which will run in a loop to report the port status. (Applicable for Windows 2012 R2, Windows 8, Windows 10)
+- [Detecting ephemeral port exhaustion](https://blogs.technet.microsoft.com/yongrhee/2018/01/09/windows-server-2012-r2-ephemeral-ports-a-k-a-dynamic-ports-hotfixes/): this article has a script which will run in a loop to report the port status. (Applicable for Windows 2012 R2, Windows 8, Windows 10)
 

windows/deployment/deploy-whats-new.md

@@ -25,7 +25,7 @@ This topic provides an overview of new solutions and online content related to d
 
 ## Recent additions to this page
 
-[SetupDiag](#setupdiag) 1.4 is released.<br>
+[SetupDiag](#setupdiag) 1.4.1 is released.<br>
 [MDT](#microsoft-deployment-toolkit-mdt) 8456 is released.<br>
 New [Windows Autopilot](#windows-autopilot) content is available.<br>
 The [Microsoft 365](#microsoft-365) section was added.
@@ -72,7 +72,7 @@ Recent Autopilot content includes new instructions for CSPs and OEMs on how to [
 
 [SetupDiag](upgrade/setupdiag.md) is a standalone diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful. 
 
-SetupDiag version 1.4 was released on 12/18/2018.
+SetupDiag version 1.4.1 was released on 5/17/2019.
 
 ### Upgrade Readiness
 

windows/deployment/upgrade/setupdiag.md

@@ -7,7 +7,6 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: deploy
 author: greg-lindsay
-ms.date: 12/18/2018
 ms.localizationpriority: medium
 ms.topic: article
 ---
@@ -25,7 +24,7 @@ ms.topic: article
 
 ## About SetupDiag
 
-<I>Current version of SetupDiag: 1.4.0.0</I>
+<I>Current version of SetupDiag: 1.4.1.0</I>
 
 SetupDiag is a standalone diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful. 
 
@@ -64,8 +63,9 @@ The [Release notes](#release-notes) section at the bottom of this topic has info
 | /Output:\<path to results file\> | <ul><li>This optional parameter enables you to specify the output file for results. This is where you will find what SetupDiag was able to determine.  Only text format output is supported.  UNC paths will work, provided the context under which SetupDiag runs has access to the UNC path.  If the path has a space in it, you must enclose the entire path in double quotes (see the example section below). <li>Default: If not specified, SetupDiag will create the file **SetupDiagResults.log** in the same  directory where SetupDiag.exe is run.</ul> |
 | /LogsPath:\<Path to logs\> | <ul><li>This optional parameter tells SetupDiag.exe where to find the log files for an offline analysis. These log files can be in a flat folder format, or containing multiple subdirectories.  SetupDiag will recursively search all child directories.</ul> |
 | /ZipLogs:\<True \| False\> | <ul><li>This optional parameter tells SetupDiag.exe to create a zip file containing the results and all the log files it parsed.  The zip file is created in the same directory where SetupDiag.exe is run.<li>Default: If not specified, a value of 'true' is used.</ul> |
-| /Verbose | <ul><li>This optional parameter will output much more data to a log file.  By default, SetupDiag will only produce a log file entry for serious errors.  Using **/Verbose** will cause SetupDiag to always produce an additional log file with debugging details. These details can be useful when reporting a problem with SetupDiag.</ul> |
 | /Format:\<xml \| json\> | <ul><li>This optional parameter can be used to output log files in xml or JSON format.  If this parameter is not specified, text format is used by default.</ul> |
+| /Scenario:\[Recovery\] | This optional parameter instructs SetupDiag.exe to look for and process reset and recovery logs and ignore setup/upgrade logs.|
+| /Verbose | <ul><li>This optional parameter will output much more data to a log file.  By default, SetupDiag will only produce a log file entry for serious errors.  Using **/Verbose** will cause SetupDiag to always produce an additional log file with debugging details. These details can be useful when reporting a problem with SetupDiag.</ul> |
 | /NoTel | <ul><li>This optional parameter tells SetupDiag.exe not to send diagnostic telemetry to Microsoft.</ul> |
 
 Note: The **/Mode** parameter is deprecated in version 1.4.0.0 of SetupDiag. 
@@ -97,6 +97,19 @@ The following example specifies that SetupDiag is to run in offline mode, and to
 SetupDiag.exe /Output:C:\SetupDiag\Results.log /LogsPath:D:\Temp\Logs\LogSet1
 ```
 
+The following example sets recovery scenario in offline mode. In the example, SetupDiag will search for reset/recovery logs in the specified LogsPath location and output the resuts to the directory specified by the /Output parameter.
+
+```
+SetupDiag.exe /Output:C:\SetupDiag\RecoveryResults.log /LogsPath:D:\Temp\Cabs\PBR_Log /Scenario:Recovery
+```
+
+The following example sets recovery scenario in online mode. In the example, SetupDiag will search for reset/recovery logs on the current system and output results in XML format.
+
+```
+SetupDiag.exe /Scenario:Recovery /Format:xml
+```
+
+
 ## Log files
 
 [Windows Setup Log Files and Event Logs](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-log-files-and-event-logs) has information about where logs are created during Windows Setup. For offline processing, you should run SetupDiag against the contents of the entire folder. For example, depending on when the upgrade failed, copy one of the following folders to your offline location:
@@ -141,7 +154,7 @@ The output also provides an error code 0xC1900208 - 0x4000C which corresponds to
 ```
 C:\SetupDiag>SetupDiag.exe /Output:C:\SetupDiag\Results.log /LogsPath:C:\Temp\BobMacNeill
 
-SetupDiag v1.4.0.0
+SetupDiag v1.4.1.0
 Copyright (c) Microsoft Corporation. All rights reserved.
 
 Searching for setup logs, this can take a minute or more depending on the number and size of the logs...please wait.
@@ -397,6 +410,9 @@ Each rule name and its associated unique rule identifier are listed with a descr
 
 ## Release notes
 
+05/17/2019 - SetupDiag v1.4.1.0 is released with 53 rules, as a standalone tool available from the Download Center.
+   - This release dds the ability to find and diagnose reset and recovery failures (Push Button Reset).  
+
 12/18/2018 - SetupDiag v1.4.0.0 is released with 53 rules, as a standalone tool available from the Download Center.
    - This release includes major improvements in rule processing performance: ~3x faster rule processing performance!
        - The FindDownlevelFailure rule is up to 10x faster.

windows/security/identity-protection/access-control/special-identities.md

@@ -149,7 +149,7 @@ Any user who accesses the system through a sign-in process has the Authenticated
 </tr>
 <tr class="odd">
 <td><p>Default Location in Active Directory</p></td>
-<td><p>cn=WellKnown Security Principals, cn=Configuration, dc=&lt;forestRootDomain&gt;</p></td>
+<td><p>cn=System,cn=WellKnown Security Principals, cn=Configuration, dc=&lt;forestRootDomain&gt;</p></td>
 </tr>
 <tr class="even">
 <td><p>Default User Rights</p></td>

windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md

@@ -30,7 +30,7 @@ Your environment is federated and you are ready to configure device registration
 
 Use this three-phased approach for configuring device registration.
 1. [Configure devices to register in Azure](#configure-azure-for-device-registration)
-2. [Synchronize devices to on-premises Active Directory](#configure-active-directory-to-support-azure-device-syncrhonization)
+2. [Synchronize devices to on-premises Active Directory](#configure-active-directory-to-support-azure-device-synchronization)
 3. [Configure AD FS to use cloud devices](#configure-ad-fs-to-use-azure-registered-devices)
 
 > [!NOTE]

windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md

@@ -1,5 +1,5 @@
 ---
-title: Hybrid Windows Hello for Business Prerequistes (Windows Hello for Business)
+title: Hybrid Windows Hello for Business Prerequisites (Windows Hello for Business)
 description: Prerequisites for Hybrid Windows Hello for Business Deployments
 keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust
 ms.prod: w10

windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md

@@ -1,7 +1,7 @@
 ---
 title: Configure Directory Synchronization for Hybrid key trust Windows Hello for Business
-description: Azure Directory Syncrhonization for Hybrid Certificate Key Deployment (Windows Hello for Business)
+description: Azure Directory Synchronization for Hybrid Certificate Key Deployment (Windows Hello for Business)
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust, directory, syncrhonization, AADConnect
+keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust, directory, synchronization, AADConnect
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library

windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md

@@ -43,7 +43,7 @@ When the PIN is created, it establishes a trusted relationship with the identity
 
 The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. All Windows 10 Mobile phones and many modern laptops have TPM.
 
-User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Because Hello uses asymmetrical key pairs, users credentials can’t be stolen in cases where the identity provider or websites the user accesses have been compromised.
+User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Because Hello uses asymmetric key pairs, users credentials can’t be stolen in cases where the identity provider or websites the user accesses have been compromised.
 
 The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked.
 

windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-config.md

@@ -31,7 +31,7 @@ Learn how you can use Microsoft Defender ATP to expand the coverage of Microsoft
 ## Prerequisites
 - Endpoints need to be on Windows 10, version 1809 or later
 - You'll need the appropriate license to leverage the Microsoft Defender ATP and Azure Information Protection integration
-- Your tenant needs to be onboarded to Azure Information Protection analytics, for more information see, [Configure a Log Analytics workspace for the reports](https://docs.microsoft.comazure/information-protection/reports-aip#configure-a-log-analytics-workspace-for-the-reports)
+- Your tenant needs to be onboarded to Azure Information Protection analytics, for more information see, [Configure a Log Analytics workspace for the reports](https://docs.microsoft.com/azure/information-protection/reports-aip#configure-a-log-analytics-workspace-for-the-reports)
 
 
 ## Configuration steps

windows/security/threat-protection/microsoft-defender-atp/live-response.md

@@ -20,7 +20,7 @@ ms.topic: article
 # Investigate entities on machines using live response
 
 **Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
 [!include[Prerelease information](prerelease.md)]
 

windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md

@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 09/03/2018
 ---
 
 # View and organize the Microsoft Defender ATP Machines list

windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md

@@ -37,7 +37,10 @@ You can control the following attributes about the folder that you'd like to be
 
 
 **Folders**<br>
-You can specify a folder and its subfolders to be skipped. You can use wild cards so that all files under the directory is skipped by the automated investigation. 
+You can specify a folder and its subfolders to be skipped. 
+
+> [!NOTE]
+> Wild cards are not yet supported.
 
 **Extensions**<br>
 You can specify the extensions to exclude in a specific directory. The extensions are a way to prevent an attacker from using an excluded folder to hide an exploit. The extensions explicitly define which files to ignore. 

windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md

@@ -1,7 +1,7 @@
 ---
 title: What's new in Microsoft Defender ATP
 description: Lists the new features and functionality in Microsoft Defender ATP
-keywords: what's new in windows defender atp
+keywords: what's new in microsoft defender atp, ga, generally available, capabilities, available, new
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10

windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md

@@ -87,9 +87,7 @@ The installation will proceed.
     The client machine is not associated with orgId.  Note that the orgid is blank.
 
     ```bash
-    mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py
+    mavel-mojave:wdavconfig testuser$ mdatp --health orgId
-    uuid  : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6
-    orgid :
     ```
 
 2. Install the configuration file on a client machine:
@@ -102,9 +100,8 @@ The installation will proceed.
 3. Verify that the machine is now associated with orgId:
 
     ```bash
-    mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py
+    mavel-mojave:wdavconfig testuser$ mdatp --health orgId
-    uuid  : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6
+    E6875323-A6C0-4C60-87AD-114BBE7439B8
-    orgid : E6875323-A6C0-4C60-87AD-114BBE7439B8
     ```
 
 After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner.

windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md

@@ -175,26 +175,29 @@ You can monitor policy installation on a machine by following the JAMF's log fil
 You can also check the onboarding status:
 
 ```bash
-    mavel-mojave:~ testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py
+mavel-mojave:~ testuser$ mdatp --health
-    uuid            : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6
+...
-    orgid           : 79109c9d-83bb-4f3e-9152-8d75ee59ae22
+licensed                                : true
-    orgid managed   : 79109c9d-83bb-4f3e-9152-8d75ee59ae22
+orgId                                   : "4751b7d4-ea75-4e8f-a1f5-6d640c65bc45"
-    orgid effective : 79109c9d-83bb-4f3e-9152-8d75ee59ae22
+...
 ```
 
-- **orgid/orgid managed**: This is the Microsoft Defender ATP org id specified in the configuration profile. If this value is blank, then the Configuration Profile was not properly set.
+- **licensed**: This confirms that the machine has an ATP license.
 
-- **orgid effective**: This is the Microsoft Defender ATP org id currently in use. If it does not match the value in the Configuration Profile, then the configuration has not been refreshed.
+- **orgid**: Your ATP org id, it will be the same for your organization.
 
 ## Check onboarding status
 
 You can check that machines are correctly onboarded by creating a script. For example, the following script checks that enrolled machines are onboarded:
 
 ```bash
-    sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+'
+mdatp --health healthy
 ```
 
-This script returns 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service, and another exit code if it is not installed or registered.
+This script returns:
+- 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service
+- 1 if the machine is not onboarded
+- 3 if the connection to the daemon cannot be established (daemon is not running)
 
 ## Logging installation issues
 

windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-other-mdm.md

@@ -0,0 +1,82 @@
+---
+title: Installing Microsoft Defender ATP for Mac with different MDM product
+description: Describes how to install Microsoft Defender ATP for Mac, using an unsupported MDM solution.
+keywords: microsoft, defender, atp, mac, installation, deploy, macos, mojave, high sierra, sierra
+search.product: eADQiWindows 10XVcnh
+search.appverid: #met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: mavel
+author: maximvelichko
+ms.localizationpriority: #medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: #conceptual
+---
+
+# Deployment with a different MDM system
+
+**Applies to:**
+
+[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???)
+ 
+>[!IMPORTANT]
+>This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+## Prerequisites and system requirements
+
+Before you get started, please see [the main Microsoft Defender ATP for Mac page]((microsoft-defender-atp.md)) for a description of prerequisites and system requirements for the current software version.
+
+## Approach
+
+Your organization may use a Mobile Device Management (MDM) solution we do not officially support.
+This does not mean you will be unable to deploy or run Microsoft Defender ATP for Mac.
+However, we will not be able to provide support for deploying or managing Defender via these solutions.
+
+Microsoft Defender ATP for Mac does not depend on any vendor-specific features. It can be used with any MDM solution that supports the following features:
+
+- Deploying a macOS .pkg to managed machines.
+- Deploying macOS system configuration profiles to managed machines.
+- Running an arbitrary admin-configured tool/script on managed machines. 
+
+The majority of modern MDM solutions include these features, however, they may call them differently.
+
+You can deploy Defender without the last requirement from the list above, however:
+
+- You won't be able to collect status in a centralized way
+- If you decide to uninstall Defender, you'll need to logon to the client machine locally as an administrator
+
+## Deployment
+
+Most MDM solution use the same model for managing macOS machines, with similar terminology.
+Use [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf.md) as a template.
+
+### Package
+
+Configure deployment of a [required application package](microsoft-defender-atp-mac-install-with-jamf.md#package), 
+with the installation package (wdav.pkg) downloaded from [ATP](microsoft-defender-atp-mac-install-with-jamf.md#download-installation-and-onboarding-packages).
+
+Your MDM solution can allow you uploading of an arbitrary application package, or require you to wrap it into a custom package first. 
+
+### License settings
+
+Setup [a system configuration profile](microsoft-defender-atp-mac-install-with-jamf.md#configuration-profile). 
+Your MDM solution may call it something like "Custom Settings Profile", as Microsoft Defender ATP for Mac is not part of macOS.
+
+Use the property list, jamf/WindowsDefenderATPOnboarding.plist, which can extracted from an onboarding package downloaded from [ATP](microsoft-defender-atp-mac-install-with-jamf.md#download-installation-and-onboarding-packages).
+Your system may support an arbitrary property list in XML format. You can just upload the jamf/WindowsDefenderATPOnboarding.plist file as-is in that case. 
+Alternatively, it may require you to convert the property list to a different format first.
+
+Note that your custom profile would have an id, name or domain attribute. You must use exactly "com.microsoft.wdav.atp". 
+MDM will use it to deploy the settings file to **/Library/Managed Preferences/com.microsoft.wdav.atp.plist** on a client machine, and Defender will use this file for loading onboarding info.
+
+### KEXT
+
+Setup a KEXT or kernel extension policy. Use team identifier **UBF8T346G9** to whitelist kernel extensions provided by Microsoft. 
+
+## Was it successful?
+
+Run [mdatp](microsoft-defender-atp-mac-install-with-jamf.md#check-onboarding-status) on a client machine.

windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md

@@ -33,7 +33,7 @@ If you can reproduce a problem, please increase the logging level, run the syste
 1. Increase logging level:
 
 ```bash
-   mavel-mojave:~ testuser$ mdatp log-level --verbose
+   mavel-mojave:~ testuser$ mdatp --log-level verbose
    Creating connection to daemon
    Connection established
    Operation succeeded
@@ -41,10 +41,10 @@ If you can reproduce a problem, please increase the logging level, run the syste
 
 2. Reproduce the problem
 
-3. Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file.
+3. Run `mdatp --diagnostic --create` to backup Defender ATP's logs. The command will print out location with generated zip file.
 
    ```bash
-   mavel-mojave:~ testuser$ mdatp --diagnostic
+   mavel-mojave:~ testuser$ mdatp --diagnostic --create
    Creating connection to daemon
    Connection established
    "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip"
@@ -53,7 +53,7 @@ If you can reproduce a problem, please increase the logging level, run the syste
 4. Restore logging level:
 
    ```bash
-   mavel-mojave:~ testuser$ mdatp log-level --info
+   mavel-mojave:~ testuser$ mdatp --log-level info
    Creating connection to daemon
    Connection established
    Operation succeeded
@@ -112,21 +112,21 @@ Important tasks, such as controlling product settings and triggering on-demand s
 
 |Group        |Scenario                                   |Command                                                                |
 |-------------|-------------------------------------------|-----------------------------------------------------------------------|
-|Configuration|Turn on/off real-time protection           |`mdatp config --rtp [true/false]`                                      |
+|Configuration|Turn on/off real-time protection           |`mdatp --config rtp [true/false]`                                      |
-|Configuration|Turn on/off cloud protection               |`mdatp config --cloud [true/false]`                                    |
+|Configuration|Turn on/off cloud protection               |`mdatp --config cloud [true/false]`                                    |
-|Configuration|Turn on/off product diagnostics            |`mdatp config --diagnostic [true/false]`                               |
+|Configuration|Turn on/off product diagnostics            |`mdatp --config diagnostic [true/false]`                               |
-|Configuration|Turn on/off automatic sample submission    |`mdatp config --sample-submission [true/false]`                        |
+|Configuration|Turn on/off automatic sample submission    |`mdatp --config sample-submission [true/false]`                        |
-|Configuration|Turn on PUA protection                     |`mdatp threat --type-handling --potentially_unwanted_application block`|
+|Configuration|Turn on PUA protection                     |`mdatp --threat --type-handling potentially_unwanted_application block`|
-|Configuration|Turn off PUA protection                    |`mdatp threat --type-handling --potentially_unwanted_application off`  |
+|Configuration|Turn off PUA protection                    |`mdatp --threat --type-handling potentially_unwanted_application off`  |
-|Configuration|Turn on audit mode for PUA protection      |`mdatp threat --type-handling --potentially_unwanted_application audit`|
+|Configuration|Turn on audit mode for PUA protection      |`mdatp --threat --type-handling potentially_unwanted_application audit`|
-|Diagnostics  |Change the log level                       |`mdatp log-level --[error/warning/info/verbose]`                       |
+|Diagnostics  |Change the log level                       |`mdatp --log-level [error/warning/info/verbose]`                       |
-|Diagnostics  |Generate diagnostic logs                   |`mdatp --diagnostic`                                                   |
+|Diagnostics  |Generate diagnostic logs                   |`mdatp --diagnostic --create`                                          |
 |Health       |Check the product's health                 |`mdatp --health`                                                       |
-|Protection   |Scan a path                                |`mdatp scan --path [path]`                                             |
+|Protection   |Scan a path                                |`mdatp --scan --path [path]`                                           |
-|Protection   |Do a quick scan                            |`mdatp scan --quick`                                                   |
+|Protection   |Do a quick scan                            |`mdatp --scan --quick`                                                 |
-|Protection   |Do a full scan                             |`mdatp scan --full`                                                    |
+|Protection   |Do a full scan                             |`mdatp --scan --full`                                                  |
-|Protection   |Cancel an ongoing on-demand scan           |`mdatp scan --cancel`                                                  |
+|Protection   |Cancel an ongoing on-demand scan           |`mdatp --scan --cancel`                                                |
-|Protection   |Request a definition update                |`mdatp --signature-update`                                             |
+|Protection   |Request a definition update                |`mdatp --definition-update`                                            |
 
 ## Microsoft Defender ATP portal information
 

windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md

@@ -45,6 +45,7 @@ In general you'll need to take the following steps:
 - Deploy Microsoft Defender ATP for Mac using one of the following deployment methods:
   - [Microsoft Intune-based deployment](microsoft-defender-atp-mac-install-with-intune.md)
   - [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf.md)
+  - [Other MDM products](microsoft-defender-atp-mac-install-with-other-mdm.md)
   - [Manual deployment](microsoft-defender-atp-mac-install-manually.md)
 
 ### Prerequisites
@@ -69,13 +70,14 @@ The following table lists the services and their associated URLs that your netwo
 
 | Service        | Description                          | URL                                                                  |
 | -------------- |:------------------------------------:| --------------------------------------------------------------------:|
-| ATP            | Advanced threat protection service   | `https://x.cp.wd.microsoft.com/`, `https://*.x.cp.wd.microsoft.com/` |
+| ATP            | Advanced threat protection service   | `https://x.cp.wd.microsoft.com`, `https://cdn.x.cp.wd.microsoft.com` |
 
-To test that a connection is not blocked, open `https://x.cp.wd.microsoft.com/api/report` and `https://wu-cdn.x.cp.wd.microsoft.com/` in a browser, or run the following command in Terminal:
+To test that a connection is not blocked, open `https://x.cp.wd.microsoft.com/api/report` and `https://cdn.x.cp.wd.microsoft.com/ping` in a browser, or run the following command in Terminal:
 
 ```bash
-    mavel-mojave:~ testuser$ curl 'https://x.cp.wd.microsoft.com/api/report'
+    mavel-mojave:~ testuser$ curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
-    OK
+    OK https://x.cp.wd.microsoft.com/api/report
+    OK https://cdn.x.cp.wd.microsoft.com/ping
 ```
 
 We recommend to keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) ([Wiki](https://en.wikipedia.org/wiki/System_Integrity_Protection)) enabled (default setting) on client machines.