Merge branch 'master' into tvm-updates

windows/client-management/mdm/healthattestation-csp.md

@@ -74,7 +74,7 @@ The following is a list of functions performed by the Device HealthAttestation C
 
 <strong>DHA-Enabled MDM (Device HealthAttestation enabled device management solution)</strong>
 <p style="margin-left: 20px">Device HealthAttestation enabled (DHA-Enabled) device management solution is a device management tool that is integrated with the DHA feature.</p>
-<p style="margin-left: 20px">DHA-Enabled device management solutions enable enterprise IT managers to raise the security protection bar for their managed devices based on hardware (TPM) protected data that can be trusted even if a device is compromized by advanced security threats or running a malicious (jailbroken) operating system.</p>
+<p style="margin-left: 20px">DHA-Enabled device management solutions enable enterprise IT managers to raise the security protection bar for their managed devices based on hardware (TPM) protected data that can be trusted even if a device is compromised by advanced security threats or running a malicious (jailbroken) operating system.</p>
 <p style="margin-left: 20px">The following list of operations are performed by DHA-Enabled-MDM:</p>
 <ul>
 <li>Enables the DHA feature on a DHA-Enabled device</li>
@@ -195,10 +195,10 @@ The following diagram shows the Device HealthAttestation configuration service p
 
 <p style="margin-left: 20px">The following list shows some examples of supported values. For the complete list of status see <a href="#device-healthattestation-csp-status-and-error-codes" data-raw-source="[Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes)">Device HealthAttestation CSP status and error codes</a>.</p>
 
--   0 - (HEALTHATTESTATION\_CERT\_RETRI_UNINITIALIZED): DHA-CSP is preparing a request to get a new DHA-EncBlob from DHA-Service
--   1 - (HEALTHATTESTATION\_CERT\_RETRI_REQUESTED): DHA-CSP is waiting for the DHA-Service to respond back, and issue a DHA-EncBlob to the device
+-   0 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_UNINITIALIZED): DHA-CSP is preparing a request to get a new DHA-EncBlob from DHA-Service
+-   1 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_REQUESTED): DHA-CSP is waiting for the DHA-Service to respond back, and issue a DHA-EncBlob to the device
 -   2 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_FAILED): A valid DHA-EncBlob could not be retrieved from the DHA-Service for reasons other than discussed in the DHA error/status codes
--   3 - (HEALTHATTESTATION\_CERT\_RETRI_COMPLETE): DHA-Data is ready for pick up
+-   3 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_COMPLETE): DHA-Data is ready for pick up
 
 <a href="" id="forceretrieve"></a>**ForceRetrieve** (Optional)  
 <p style="margin-left: 20px">Instructs the client to initiate a new request to DHA-Service, and get a new DHA-EncBlob (a summary of the boot state that is issued by DHA-Service). This option should only be used if the MDM server enforces a certificate freshness policy, which needs to force a device to get a fresh encrypted blob from DHA-Service.</p>
@@ -220,7 +220,7 @@ The following diagram shows the Device HealthAttestation configuration service p
 <a href="" id="correlationid"></a>**CorrelationId** (Required)  
 <p style="margin-left: 20px">Identifies a unique device health attestation session. CorrelationId is used to correlate DHA-Service logs with the MDM server events and Client event logs for debug and troubleshooting.</p>
 
-<p style="margin-left: 20px">Value type is integer, the minimum value is - 2,147,483,648 and the maximun value is 2,147,483,647. The supported operation is Get.</p>
+<p style="margin-left: 20px">Value type is integer, the minimum value is - 2,147,483,648 and the maximum value is 2,147,483,647. The supported operation is Get.</p>
 
 <a href="" id="hasendpoint"></a>**HASEndpoint** (Optional)
 <p style="margin-left: 20px">Identifies the fully qualified domain name (FQDN) of the DHA-Service that is assigned to perform attestation. If an FQDN is not assigned, DHA-Cloud (Microsoft owned and operated cloud service) will be used as the default attestation service.</p>
@@ -359,8 +359,8 @@ The following example shows a sample call that triggers collection and verificat
 
 After the client receives the health attestation request, it sends a response. The following list describes the responses, along with a recommended action to take.
 
-- If the response is HEALTHATTESTATION\_CERT_RETRI_COMPLETE (3) then proceed to the next section.
-- If the response is HEALTHATTESTATION_CERT_RETRI_REQUESTED (1) or HEALTHATTESTATION_CERT_RETRI_UNINITIALIZED (0) wait for an alert, then proceed to the next section.
+- If the response is HEALTHATTESTATION\_CERT_RETRIEVAL_COMPLETE (3) then proceed to the next section.
+- If the response is HEALTHATTESTATION_CERT_RETRIEVAL_REQUESTED (1) or HEALTHATTESTATION_CERT_RETRIEVAL_UNINITIALIZED (0) wait for an alert, then proceed to the next section.
 
 Here is a sample alert that is issued by DHA_CSP:
 
@@ -830,7 +830,7 @@ Each of these are described in further detail in the following sections, along w
     <tr>
         <td style="vertical-align:top">3</td>
         <td style="vertical-align:top">HEALTHATTESTATION_CERT_RETRIEVAL_COMPLETE</td>
-        <td style="vertical-align:top">This state signifies that the device failed to retrieve DHA-EncBlob from DHA-Server.</td>
+        <td style="vertical-align:top">This state signifies that the device has successfully retrieved DHA-EncBlob from the DHA-Server.</td>
     </tr>
     <tr>
         <td style="vertical-align:top">4</td>

windows/deployment/TOC.yml

@@ -199,6 +199,7 @@
                   - name: Data handling and privacy in Update Compliance
                     href: update/update-compliance-privacy.md
                   - name: Update Compliance schema reference
+                    href: update/update-compliance-schema.md
                     items:
                       - name: WaaSUpdateStatus
                         href: update/update-compliance-schema-waasupdatestatus.md

windows/deployment/update/update-compliance-configuration-manual.md

@@ -48,6 +48,9 @@ Each MDM Policy links to its documentation in the CSP hierarchy, providing its e
 |**System/**[**ConfigureTelemetryOptInSettingsUx**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) | 1 - Disable Telemetry opt-in Settings | (in Windows 10, version 1803 and later) Determines whether end-users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy or the effective diagnostic data level on devices might not be sufficient. |
 |**System/**[**AllowDeviceNameInDiagnosticData**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) | 1 - Allowed | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or set to 0 (Disabled), Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. |
 
+> [!NOTE]
+> If you use Microsoft Intune, set the **ProviderID** to *MS DM Server*. If you use another MDM product, check with its vendor. See also [DMClient CSP](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp).
+
 ### Group Policies
 
 All Group Policies that need to be configured for Update Compliance are under **Computer Configuration>Administrative Templates>Windows Components\Data Collection and Preview Builds**. All of these policies must be in the *Enabled* state and set to the defined *Value* below.  

windows/deployment/update/update-compliance-configuration-script.md

@@ -19,7 +19,11 @@ ms.topic: article
 
 The Update Compliance Configuration Script is the recommended method of configuring devices to send data to Microsoft for use with Update Compliance. The script configures device policies via Group Policy, ensures that required services are running, and more.
 
-You can [**download the script here**](https://www.microsoft.com/en-us/download/details.aspx?id=101086). Keep reading to learn how to configure the script and interpret error codes that are output in logs for troubleshooting.
+> [!NOTE]
+> The Update Compliance configuration script does not offer options to configure Delivery Optimization. You have to do that separately.
+
+
+You can download the script from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=101086). Keep reading to learn how to configure the script and interpret error codes that are output in logs for troubleshooting.
 
 ## How the script is organized
 

windows/deployment/update/update-compliance-schema.md

@@ -20,6 +20,9 @@ When the visualizations provided in the default experience don't fulfill your re
 
 The table below summarizes the different tables that are part of the Update Compliance solution. To learn how to navigate Azure Monitor Logs to find this data, see [Get started with log queries in Azure Monitor](https://docs.microsoft.com/azure/azure-monitor/log-query/get-started-queries).
 
+> [!NOTE]
+> Data is collected daily. The TimeGenerated field shows the time data was collected. It's added by Log Analytics when data is collected. Device data from the past 28 days is collected, even if no new data has been generated since the last time. LastScan is a clearer indicator of data freshness (that is, the last time the values were updated), while TimeGenerated indicates the freshness of data within Log Analytics.
+
 |Table |Category |Description |
 |--|--|--|
 |[**WaaSUpdateStatus**](update-compliance-schema-waasupdatestatus.md) |Device record |This table houses device-centric data and acts as the device record for Update Compliance. Each record provided in daily snapshots map to a single device in a single tenant. This table has data such as the current device's installed version of Windows, whether it is on the latest available updates, and whether the device needs attention. |

windows/security/identity-protection/access-control/special-identities.md

@@ -186,7 +186,7 @@ This group includes all domain controllers in an Active Directory forest. Domain
 
 All interactive, network, dial-up, and authenticated users are members of the Everyone group. This special identity group gives wide access to system resources. Whenever a user logs on to the network, the user is automatically added to the Everyone group.
 
-On computers running Windows 2000 and earlier, the Everyone group included the Anonymous Logon group as a default member, but as of Windows Server 2003, the Everyone group contains only Authenticated Users and Guest; and it no longer includes Anonymous Logon by default (although this can be changed).
+On computers running Windows 2000 and earlier, the Everyone group included the Anonymous Logon group as a default member, but as of Windows Server 2003, the Everyone group contains only Authenticated Users and Guest; and it no longer includes Anonymous Logon by default (although this can be changed, using Registry Editor, by going to the **Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa** key and setting the value of **everyoneincludesanonymous** DWORD to 1).
 
 Membership is controlled by the operating system.
 

windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md

@@ -458,7 +458,7 @@ contoso.sharepoint.com,contoso.internalproxy1.com|contoso.visualstudio.com,conto
 Value format without proxy:
 
 ```console
-contoso.sharepoint.com,|contoso.visualstudio.com,|contoso.onedrive.com
+contoso.sharepoint.com,|contoso.visualstudio.com,|contoso.onedrive.com,
 ```
 
 ### Protected domains

windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md

@@ -1,7 +1,7 @@
 ---
 title: Collect diagnostic data of Microsoft Defender Antivirus
 description: Use a tool to collect data to troubleshoot Microsoft Defender Antivirus
-keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender av
+keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender av, group policy object, setting, diagnostic data
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: manage
@@ -25,7 +25,7 @@ manager: dansimp
 
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Microsoft Defender AV.
+This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you might encounter when using the Microsoft Defender AV.
 
 > [!NOTE]
 > As part of the investigation or response process, you can collect an investigation package from a device. Here's how: [Collect investigation package from devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#collect-investigation-package-from-devices).
@@ -54,7 +54,7 @@ On at least two devices that are experiencing the same issue, obtain the .cab di
 4. A .cab file will be generated that contains various diagnostic logs. The location of the file will be specified in the output in the command prompt. By default, the location is `C:\ProgramData\Microsoft\Microsoft Defender\Support\MpSupportFiles.cab`.
 
 > [!NOTE]
-> To redirect the cab file to a a different path or UNC share, use the following command: `mpcmdrun.exe -GetFiles -SupportLogLocation <path>`  <br/>For more information see [Redirect diagnostic data to a UNC share](#redirect-diagnostic-data-to-a-unc-share).
+> To redirect the cab file to a a different path or UNC share, use the following command: `mpcmdrun.exe -GetFiles -SupportLogLocation <path>`  <br/>For more information, see [Redirect diagnostic data to a UNC share](#redirect-diagnostic-data-to-a-unc-share).
 
 5. Copy these .cab files to a location that can be accessed by Microsoft support. An example could be a password-protected OneDrive folder that you can share with us.
 
@@ -78,7 +78,7 @@ mpcmdrun.exe -GetFiles -SupportLogLocation <path>
 
 Copies the diagnostic data to the specified path. If the path is not specified, the diagnostic data will be copied to the location specified in the Support Log Location Configuration.
 
-When the SupportLogLocation parameter is used, a folder structure as below will be created in the destination path:
+When the SupportLogLocation parameter is used, a folder structure like as follows will be created in the destination path:
 
 ```Dos
 <path>\<MMDD>\MpSupport-<hostname>-<HHMM>.cab
@@ -87,12 +87,29 @@ When the SupportLogLocation parameter is used, a folder structure as below will
 | field  | Description   |
 |:----|:----|
 | path | The path as specified on the command line or retrieved from configuration
-| MMDD | Month Day when the diagnostic data was collected (eg 0530)
-| hostname | the hostname of the device on which the diagnostic data was collected.
-| HHMM | Hours Minutes when the diagnostic data was collected (eg 1422)
+| MMDD | Month and day when the diagnostic data was collected (for example, 0530)
+| hostname | The hostname of the device on which the diagnostic data was collected
+| HHMM | Hours and minutes when the diagnostic data was collected (for example, 1422)
 
 > [!NOTE]
-> When using a File share please make sure that account used to collect the diagnostic package has write access to the share.  
+> When using a file share please make sure that account used to collect the diagnostic package has write access to the share.  
+
+## Specify location where diagnostic data is created
+
+You can also specify where the diagnostic .cab file will be created using a Group Policy Object (GPO). 
+
+1. Open the Local Group Policy Editor and find the SupportLogLocation GPO at: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SupportLogLocation`
+   
+1. Select **Define the directory path to copy support log files**.
+
+    ![Screenshot of local group policy editor](images/GPO1-SupportLogLocationDefender.png)  
+        
+     ![Screenshot of define path for log files setting](images/GPO2-SupportLogLocationGPPage.png)  
+3. Inside the policy editor, select **Enabled**.
+       
+4. Specify the directory path where you want to copy the support log files in the **Options** field.
+     ![Screenshot of Enabled directory path custom setting](images/GPO3-SupportLogLocationGPPageEnabledExample.png) 
+5. Select **OK** or **Apply**.
 
 ## See also
 

windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md

@@ -11,7 +11,7 @@ ms.sitesec: library
 ms.pagetype: security
 ms.author: deniseb
 author: denisebmsft
-ms.date: 09/28/2020
+ms.date: 09/30/2020
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
@@ -87,22 +87,7 @@ You can configure the following levels of automation:
 
 
 > [!IMPORTANT]
-> Regarding automation levels and default settings:
-> - If your tenant already has device groups defined, then the automation level settings are not changed for those device groups.
-> - If your tenant was onboarded to Microsoft Defender for Endpoint *before* August 16, 2020, and you have not defined a device group, your organization's default setting is **Semi - require approval for any remediation**.
-> - If your tenant was onboarded to Microsoft Defender for Endpoint *before* August 16, 2020, and you do have a device group defined, you also have an **Ungrouped devices (default)** device group that is set to **Semi - require approval for any remediation**. 
-> - If your tenant was onboarded to Microsoft Defender for Endpoint *on or after* August 16, 2020, and you have not defined a device group, your orgnaization's default setting is **Full - remediate threats automatically**.
-> - If your tenant was onboarded to Microsoft Defender for Endpoint *on or after* August 16, 2020, and you do have a device group defined, you also have an **Ungrouped devices (default)** device group that is set to **Full - remediate threats automatically**.
-> - To change an automation level, **[edit your device groups](configure-automated-investigations-remediation.md#set-up-device-groups)**.
-
-
-### A few points to keep in mind
-
-- Your level of automation is determined by your device group settings. To learn more, see [Set up device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups).
-
-- If your Microsoft Defender for Endpoint tenant was created before August 16, 2020, then you have a default device group that is configured for semi-automatic remediation. In this case, some or all remediation actions for malicious entities require approval. Such actions are listed on the **Pending actions** tab in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center). You can set your [device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups) to use full automation so that no user approval is needed. 
-
-- If your Microsoft Defender for Endpoint tenant was created on or after August 16, 2020, then you have a default device group that is configured for full automation. In this case, remediation actions are taken automatically for entities that are considered to be malicious. Such actions are listed on the **History** tab in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center).
+> If your tenant already has device groups defined, then the automation level settings are not changed for those device groups.
 
 ## Next steps