Merge remote-tracking branch 'refs/remotes/origin/master' into dh-wusettings-11941622

.openpublishing.publish.config.json

@@ -426,7 +426,7 @@
       "Pdf"
     ]
   },
-  "need_generate_pdf_url_template": false,
+  "need_generate_pdf_url_template": true,
   "Targets": {
     "Pdf": {
       "template_folder": "_themes.pdf"

.openpublishing.redirection.json

@@ -487,17 +487,17 @@
 },
 {
 "source_path": "windows/deploy/upgrade-analytics-prepare-your-environment.md",
-"redirect_url": "/windows/deployment/upgrade/upgrade-analytics-identify-apps",
+"redirect_url": "/windows/deployment/upgrade/upgrade-readiness-identify-apps",
 "redirect_document_id": true
 },
 {
 "source_path": "windows/deploy/upgrade-analytics-release-notes.md",
-"redirect_url": "/windows/deployment/upgrade/upgrade-analytics-requirements",
+"redirect_url": "/windows/deployment/upgrade/upgrade-readiness-requirements",
 "redirect_document_id": true
 },
 {
 "source_path": "windows/deploy/upgrade-analytics-review-site-discovery.md",
-"redirect_url": "/windows/deployment/upgrade/upgrade-analytics-additional-insights",
+"redirect_url": "/windows/deployment/upgrade/upgrade-readiness-additional-insights",
 "redirect_document_id": true
 },
 {

devices/hololens/TOC.md

@@ -1,5 +1,5 @@
 # [Microsoft HoloLens](index.md)
-## [HoloLens in the enterprise: requirements](hololens-requirements.md)
+## [HoloLens in the enterprise: requirements and FAQ](hololens-requirements.md)
 ## [Set up HoloLens](hololens-setup.md)
 ## [Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md) 
 ## [Enroll HoloLens in MDM](hololens-enroll-mdm.md)

devices/hololens/change-history-hololens.md

@@ -14,6 +14,12 @@ localizationpriority: medium
 
 This topic lists new and updated topics in the [Microsoft HoloLens documentation](index.md).
 
+## May 2017
+
+| New or changed topic | Description |
+| --- | --- |
+| [Microsoft HoloLens in the enterprise: requirements](hololens-requirements.md) | Changed title to **Microsoft HoloLens in the enterprise: requirements and FAQ**, added questions and answers in new [FAQ section](hololens-requirements.md#faq-for-hololens) |
+
 ## January 2017
 
 | New or changed topic | Description |

devices/hololens/hololens-enroll-mdm.md

@@ -11,10 +11,10 @@ localizationpriority: medium
 
 # Enroll HoloLens in MDM
 
-You can manage multiple Microsoft HoloLens devices simultaneously using solutions like Microsoft Intune. You will be able to manage settings, select apps to install and set security configurations tailored to your organization's need.
+You can manage multiple Microsoft HoloLens devices simultaneously using solutions like Microsoft Intune. You will be able to manage settings, select apps to install and set security configurations tailored to your organization's need. See the [configuration service providers (CSPs) that are supported in Windows Holographic](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/configuration-service-provider-reference#hololens) and the [policies supported by Windows Holographic for Business](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#hololenspolicies).
 
 >[!NOTE]
->Mobile device management (MDM) for the Development edition of HoloLens does not include VPN, BitLocker, or kiosk mode. Those features are only available when you [upgrade to Windows Holographic for Business](hololens-upgrade-enterprise.md).
+>Mobile device management (MDM), including the VPN, Bitlocker, and kiosk mode features, is only available when you [upgrade to Windows Holographic for Business](hololens-upgrade-enterprise.md).
 
 
 ## Requirements

devices/hololens/hololens-provisioning.md

@@ -111,7 +111,7 @@ In Windows ICD, when you create a provisioning package for Windows Holographic,
 | **Certificates** | Deploy a certificate to HoloLens.  |
 | **ConnectivityProfiles** | Deploy a Wi-Fi profile to HoloLens.   |
 | **EditionUpgrade** | [Upgrade to Windows Holographic for Business.](hololens-upgrade-enterprise.md)  |
-| **Policies** | Allow or prevent developer mode on HoloLens.  |
+| **Policies** | Allow or prevent developer mode on HoloLens. [Policies supported by Windows Holographic for Business](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#hololenspolicies) |
 
 >[!NOTE]
 >App installation (**UniversalAppInstall**) using a provisioning package is not currently supported for HoloLens.
@@ -119,3 +119,6 @@ In Windows ICD, when you create a provisioning package for Windows Holographic,
 
 
 
+
+
+

devices/hololens/hololens-requirements.md

@@ -1,6 +1,6 @@
 ---
-title: HoloLens in the enterprise requirements (HoloLens)
-description: Requirements for general use, Wi-Fi, and device management for HoloLens in the enterprise.
+title: HoloLens in the enterprise requirements and FAQ (HoloLens)
+description: Requirements and FAQ for general use, Wi-Fi, and device management for HoloLens in the enterprise.
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.pagetype: hololens, devices
@@ -9,11 +9,13 @@ author: jdeckerMS
 localizationpriority: medium
 ---
 
-# Microsoft HoloLens in the enterprise: requirements
+# Microsoft HoloLens in the enterprise: requirements and FAQ
 
 When you develop for HoloLens, there are [system requirements and tools](https://developer.microsoft.com/windows/mixed-reality/install_the_tools) that you need. In an enterprise environment, there are also a few requirements to use and manage HoloLens which are listed below.
 
-## General use
+## Requirements
+
+### General use
 - Microsoft account or Azure Active Directory (Azure AD) account
 - Wi-Fi network to set up HoloLens
 
@@ -21,7 +23,7 @@ When you develop for HoloLens, there are [system requirements and tools](https:/
 >After you set up HoloLens, you can use it offline [with some limitations](https://support.microsoft.com/help/12645/hololens-use-hololens-offline).
 
 
-## Supported wireless network EAP methods 
+### Supported wireless network EAP methods 
 - PEAP-MS-CHAPv2
 - PEAP-TLS
 - TLS 
@@ -31,16 +33,36 @@ When you develop for HoloLens, there are [system requirements and tools](https:/
 - TTLS-PAP
 - TTLS-TLS
 
-## Device management 
+### Device management 
    - Users have Azure AD accounts with [Intune license assigned](https://docs.microsoft.com/intune/get-started/start-with-a-paid-subscription-to-microsoft-intune-step-4)
    - Wi-Fi network
    - Intune or a 3rd party mobile device management (MDM) provider that uses Microsoft MDM APIs
    
-## Upgrade to Windows Holographic for Business 
+### Upgrade to Windows Holographic for Business 
 - HoloLens Enterprise license XML file
 
 
+## FAQ for HoloLens
 
+#### Is Windows Hello for Business supported on HoloLens?
+
+Hello for Business (using a PIN to sign in) is supported for HoloLens. It must be configured [using MDM](hololens-enroll-mdm.md).
+
+#### Does the type of account change the sign-in behavior?
+
+Yes, the behavior for the type of account impacts the sign-in behavior. If you apply policies for sign-in, the policy is always respected. If no policy for sign-in is applied, these are the default behaviors for each account type.
+
+- Microsoft account: signs in automatically
+- Local account: always asks for password, not configurable by Settings
+- Azure AD: asks for password by default; configurable by Settings to no longer ask for password. 
+
+>[!NOTE]
+>Inactivity timers are currently not supported, which means that the **AllowIdleReturnWithoutPassword** policy is respected only when the device goes into StandBy. 
+
+
+#### How do I remove a HoloLens device from the Intune dashboard?
+
+You cannot [unenroll](https://docs.microsoft.com/intune-user-help/unenroll-your-device-from-intune-windows) HoloLens from Intune remotely. If the administrator unenrolls the device using MDM, the device will age out of the Intune dashboard.
 
 
 ## Related resources

windows/access-protection/TOC.md

@@ -47,7 +47,6 @@
 #### [User Account Control security policy settings](user-account-control\user-account-control-security-policy-settings.md)
 #### [User Account Control Group Policy and registry key settings](user-account-control\user-account-control-group-policy-and-registry-key-settings.md)
 
-### [Virtual Smart Cards](virtual-smart-cards\virtual-smart-card-overview.md)
 ### [Virtual Smart Cards](virtual-smart-cards\virtual-smart-card-overview.md)
 #### [Understanding and Evaluating Virtual Smart Cards](virtual-smart-cards\virtual-smart-card-understanding-and-evaluating.md)
 ##### [Get Started with Virtual Smart Cards: Walkthrough Guide](virtual-smart-cards\virtual-smart-card-get-started.md)

windows/access-protection/credential-guard/credential-guard-known-issues.md

@@ -26,26 +26,29 @@ See also Knowledge Base articles [KB4015219](https://support.microsoft.com/en-us
 [KB4015221](https://support.microsoft.com/en-us/help/4015221/windows-10-update-kb4015221)
 
 The following issue is under investigation. For available workarounds, see the following Knowledge Base article:
--	[Installing AppSense Environment Manager on Windows 10 machines causes LsaIso.exe to exhibit high CPU usage when Credential Guard is enabled](http://www.appsense.com/kb/160525073917945) *
+-	[Installing AppSense Environment Manager on Windows 10 machines causes LSAiso.exe to exhibit high CPU usage when Credential Guard is enabled](http://www.appsense.com/kb/160525073917945) * <sup>[1]</sup>
 
-    *Registration required to access this article. 
+    *Registration required to access this article.
+    
+    <sup>[1]</sup> For further technical information on LSAiso.exe, see this MSDN article: [Isolated User Mode (IUM) Processes](https://msdn.microsoft.com/library/windows/desktop/mt809132(v=vs.85).aspx)
+    
+The following issue affects Cisco AnyConnect Secure Mobility Client:
 
 -	[Blue screen on Windows 10 computers running Device Guard and Credential Guard with Cisco Anyconnect 4.3.04027](https://quickview.cloudapps.cisco.com/quickview/bug/CSCvc66692)**
 
-    **Registration required to access this article. 
+**Registration required to access this article. 
 
-Products that connect to Virtualization Based Security (VBS) protected processes can cause Credential Guard-enabled Windows 10 clients to exhibit high CPU usage. For further information, see the following Knowledge Base articles:
+Products that connect to Virtualization Based Security (VBS) protected processes can cause Credential Guard-enabled Windows 10 clients to exhibit high CPU usage. For further information, see the following Knowledge Base article:
 
 -	KB88869: [Windows 10 machines exhibit high CPU usage with McAfee Application and Change Control (MACC) installed when Credential Guard is enabled](https://kc.mcafee.com/corporate/index?page=content&id=KB88869)
 
+The following issue is under investigation:
 
 -	 Windows 10 machines exhibit high CPU usage with Citrix applications installed when Credential Guard is enabled.
 
-     Microsoft is currently working with Citrix to investigate this issue.
-
-
 ## Vendor support
 
+See the following article on Citrix support for Secure Boot:
 -	[Citrix Support for Secure Boot](https://www.citrix.com/blogs/2016/12/08/windows-server-2016-hyper-v-secure-boot-support-now-available-in-xenapp-7-12/)
 
 Credential Guard is not supported by either these products, products versions, computer systems, or Windows 10 versions:

windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md

@@ -287,15 +287,19 @@ You can prevent Windows from setting the time automatically.
 
     -or-
 
+-   Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters\\Type** with a value of **NoSync**.
+
+After that, configure the following:
+
 -   Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Enable Windows NTP Server** > **Windows Time Service** > **Configure Windows NTP Client**
+    
+    > [!NOTE]  
+    > This is only available on Windows 10, version 1703 and later.
 
     -or -
 
--  Create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient!Enabled** to 0 (zero).
+-  Create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient!Enabled** and set it to 0 (zero).
 
-    -or-
-
--   Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters\\Type** with a value of **NoSync**.
 
 ### <a href="" id="bkmk-devinst"></a>4. Device metadata retrieval
 
@@ -392,7 +396,6 @@ Use Group Policy to manage settings for Internet Explorer.  You can find the Int
 | Turn on Suggested Sites| Choose whether an employee can configure Suggested Sites. <br /> Default: Enabled <br /> You can also turn this off in the UI by clearing the **Internet Options** &gt; **Advanced** &gt; **Enable Suggested Sites** check box.|
 | Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | Choose whether an employee can configure enhanced suggestions, which are presented to the employee as they type in the address bar. <br /> Default: Enabled|
 | Turn off the auto-complete feature for web addresses | Choose whether auto-complete suggests possible matches when employees are typing web address in the address bar. <br /> Default: Disabled </br> You can also turn this off in the UI by clearing the <strong>Internet Options</strong> &gt; **Advanced** &gt; **Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog** check box.|
-| Disable Periodic Check for Internet Explorer software updates| Choose whether Internet Explorer periodically checks for a new version. <br /> Default: Enabled |
 | Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer. <br /> Default: Disabled|
 | Prevent managing SmartScreen filter | Choose whether employees can manage the SmartScreen Filter in Internet Explorer. <br /> Default: Disabled |
 
@@ -403,7 +406,6 @@ Alternatively, you could use the registry to set the Group Policies.
 | Turn on Suggested Sites| HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Suggested Sites!Enabled <br /> REG_DWORD: 0|
 | Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\AllowServicePoweredQSA <br /> REG_DWORD: 0|
 | Turn off the auto-complete feature for web addresses | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Explorer\\AutoComplete!AutoSuggest<br /> REG_SZ: **No** |
-| Disable Periodic Check for Internet Explorer software updates| HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Infodelivery\\Restrictions!NoUpdateCheck<br /> REG_DWORD: 1 |
 | Turn off browser geolocation | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Geolocation!PolicyDisableGeolocation <br /> REG_DWORD: 1 |
 | Prevent managing SmartScreen filter | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\ Internet Explorer\\PhishingFilter!EnabledV9 <br /> REG_DWORD: 0 |
 
@@ -510,8 +512,8 @@ Find the Microsoft Edge Group Policy objects under **Computer Configuration** &g
 | Configure search suggestions in Address bar              | Choose whether the address bar shows search suggestions. <br /> Default: Enabled                    |
 | Configure Windows Defender SmartScreen Filter (Windows 10, version 1703)  <br/> Configure SmartScreen Filter (Windows Server 2016)                      | Choose whether Windows Defender SmartScreen is turned on or off.  <br /> Default: Enabled                            |
 | Allow web content on New Tab page                     | Choose whether a new tab page appears.  <br /> Default: Enabled                                     |
-| Configure Start pages                       | Choose the Start page for domain-joined devices. <br /> Set this to **about:blank**        |
-| Prevent the First Run webpage from opening pages                       | Choose whether employees see the First Run webpage. <br /> Default: Enabled        |
+| Configure Start pages                       | Choose the Start page for domain-joined devices. <br /> Set this to **\<about:blank\>**        |
+| Prevent the First Run webpage from opening on Microsoft Edge                       | Choose whether employees see the First Run webpage. <br /> Default: Disabled        |
 
 
 The Windows 10, version 1511 Microsoft Edge Group Policy names are:

windows/configuration/provisioning-packages/provisioning-multivariant.md

@@ -19,7 +19,7 @@ localizationpriority: high
 
 In your organization, you might have different configuration requirements for devices that you manage. You can create separate provisioning packages for each group of devices in your organization that have different requirements. Or, you can create a multivariant provisioning package, a single provisioning package that can work for multiple conditions. For example, in a single provisioning package, you can define one set of customization settings that will apply to devices set up for French and a different set of customization settings for devices set up for Japanese. 
 
-To provision multivariant settings, you use Windows Imaging and Configuration Designer (ICD) to create a provisioning package that contains all of the customization settings that you want to apply to any of your devices. Next, you manually edit the .XML file for that project to define each set of devices (a **Target**). For each **Target**, you specify at least one **Condition** with a value, which identifies the devices to receive the configuration. Finally, for each **Target**, you provide the customization settings to be applied to those devices.
+To provision multivariant settings, you use Windows Configuration Designer to create a provisioning package that contains all of the customization settings that you want to apply to any of your devices. Next, you manually edit the .XML file for that project to define each set of devices (a **Target**). For each **Target**, you specify at least one **Condition** with a value, which identifies the devices to receive the configuration. Finally, for each **Target**, you provide the customization settings to be applied to those devices.
 
 Let's begin by learning how to define a **Target**.
 
@@ -258,7 +258,7 @@ Follow these steps to create a provisioning package with multivariant capabiliti
 6. Save the updated customizations.xml file and note the path to this updated file. You will need the path as one of the values for the next step.
 
 
-7. Use the [Windows ICD command-line interface](provisioning-command-line.md) to create a provisioning package using the updated customizations.xml. 
+7. Use the [Windows Configuration Designer command-line interface](provisioning-command-line.md) to create a provisioning package using the updated customizations.xml. 
 
     For example:
 

windows/device-security/TOC.md

@@ -12,7 +12,6 @@
 #### [Monitor app usage with AppLocker](applocker\monitor-application-usage-with-applocker.md)
 #### [Manage packaged apps with AppLocker](applocker\manage-packaged-apps-with-applocker.md)
 #### [Working with AppLocker rules](applocker\working-with-applocker-rules.md)
-#### [Working with AppLocker rules](applocker\working-with-applocker-rules.md)
 ##### [Create a rule that uses a file hash condition](applocker\create-a-rule-that-uses-a-file-hash-condition.md)
 ##### [Create a rule that uses a path condition](applocker\create-a-rule-that-uses-a-path-condition.md)
 ##### [Create a rule that uses a publisher condition](applocker\create-a-rule-that-uses-a-publisher-condition.md)

windows/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md

@@ -0,0 +1,250 @@
+---
+title: WannaCrypt ransomware worm targets out-of-date systems
+description: In this blog, we provide an early analysis of the end-to-end ransomware attack. Please note this threat is still under investigation. The attack is still active, and there is a possibility that the attacker will attempt to react to our detection response.
+keywords: wannacry, wannacrypt, wanna, ransomware
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+localizationpriority: medium
+author: iaanw
+---
+
+#   WannaCrypt ransomware worm targets out-of-date systems
+ 
+
+On May 12, 2017 we detected a new ransomware that spreads like a worm by leveraging vulnerabilities that have been previously fixed. While security updates are automatically applied in most computers, some users and enterprises may delay deployment of patches. Unfortunately, the ransomware, known as [WannaCrypt](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt), appears to have affected computers that have not applied the patch for these vulnerabilities. While the attack is unfolding, we remind users to install [MS17-010](https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) if they have not already done so.
+
+Microsoft antimalware telemetry immediately picked up signs of this campaign. Our expert systems gave us visibility and context into this new attack as it happened, allowing [Windows Defender Antivirus](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-defender-in-windows-10) to deliver real-time defense. Through automated analysis, machine learning, and predictive modeling, we were able to rapidly protect against this malware.
+
+In this blog, we provide an early analysis of the end-to-end ransomware attack. Please note this threat is still under investigation. The attack is still active, and there is a possibility that the attacker will attempt to react to our detection response.
+
+## Attack vector
+
+Ransomware threats do not typically spread rapidly. Threats like WannaCrypt (also known as WannaCry, WanaCrypt0r, WCrypt, or WCRY) usually leverage social engineering or email as primary attack vector, relying on users downloading and executing a malicious payload. However, in this unique case, the ransomware perpetrators used publicly available exploit code for the patched SMB 'EternalBlue' vulnerability, [CVE-2017-0145](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145), which can be triggered by sending a specially crafted packet to a targeted SMBv1 server. This vulnerability was fixed in security bulletin [MS17-010](https://technet.microsoft.com/en-us/library/security/ms17-010.aspx), which was released on March 14, 2017.
+
+WannaCrypt's spreading mechanism is borrowed from [well-known](https://packetstormsecurity.com/files/142464/MS17-010-SMBv1-SrvOs2FeaToNt-OOB-Remote-Code-Execution.html) [public SMB exploits](https://github.com/RiskSense-Ops/MS17-010), which armed this regular ransomware with worm-like functionalities, creating an entry vector for machines still unpatched even after the fix had become available.
+
+The exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this attack.
+
+We haven't found evidence of the exact initial entry vector used by this threat, but there are two scenarios that we believe are highly possible explanations for the spread of this ransomware:
+ 
+- Arrival through social engineering emails designed to trick users to run the malware and activate the worm-spreading functionality with the SMB exploit
+- Infection through SMB exploit when an unpatched computer is addressable from other infected machines
+ 
+## Dropper
+
+The threat arrives as a dropper Trojan that has the following two components:
+
+1. A component that attempts to exploit the SMB CVE-2017-0145 vulnerability in other computers
+2. The ransomware known as WannaCrypt
+
+The dropper tries to connect the following domains using the API `InternetOpenUrlA()`:
+ 
+- www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
+- www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
+ 
+If connection to the domains is successful, the dropper does not infect the system further with ransomware or try to exploit other systems to spread; it simply stops execution. However, if the connection fails, the threat proceeds to drop the ransomware and creates a service on the system.
+
+In other words, unlike in most malware infections, **IT Administrators should NOT block these domains**. Note that the malware is not proxy-aware, so a local DNS record may be required. This does not need to point to the Internet, but can resolve to any accessible server which will accept connections on TCP 80.
+ 
+![Connection information from WannaCrypt code](images/wanna1.png)
+
+The threat creates a service named *mssecsvc2.0*, whose function is to exploit the SMB vulnerability in other computers accessible from the infected system:
+```
+Service Name: mssecsvc2.0
+Service Description: (Microsoft Security Center (2.0) Service)
+Service Parameters: '-m security'
+```
+ 
+ ![Mssecsvc2.0 process details](images/wanna2.png)
+
+## WannaCrypt ransomware
+
+The ransomware component is a dropper that contains a password-protected .zip archive in its resource section. The document encryption routine and the files in the .zip archive contain support tools, a decryption tool, and the ransom message. In the samples we analyzed, the password for the .zip archive is 'WNcry@2ol7'.
+
+When run, WannaCrypt creates the following registry keys:
+ 
+- *HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\\<random string> = '\<malware working directory>\tasksche.exe'*
+- *HKLM\SOFTWARE\WanaCrypt0r\\wd = '\<malware working directory>'*
+ 
+It changes the wallpaper to a ransom message by modifying the following registry key:
+ 
+- *HKCU\Control Panel\Desktop\Wallpaper: '\<malware working directory>\\@WanaDecryptor@.bmp'*
+ 
+It creates the following files in the malware's working directory:
+ 
+- *00000000.eky*
+- *00000000.pky*
+- *00000000.res*
+- *274901494632976.bat*
+- *@Please_Read_Me@.txt*
+- *@WanaDecryptor@.bmp*
+- *@WanaDecryptor@.exe*
+- *b.wnry*
+- *c.wnry*
+- *f.wnry*
+- *m.vbs*
+- *msg\m_bulgarian.wnry*
+- *msg\m_chinese (simplified).wnry*
+- *msg\m_chinese (traditional).wnry*
+- *msg\m_croatian.wnry*
+- *msg\m_czech.wnry*
+- *msg\m_danish.wnry*
+- *msg\m_dutch.wnry*
+- *msg\m_english.wnry*
+- *msg\m_filipino.wnry*
+- *msg\m_finnish.wnry*
+- *msg\m_french.wnry*
+- *msg\m_german.wnry*
+- *msg\m_greek.wnry*
+- *msg\m_indonesian.wnry*
+- *msg\m_italian.wnry*
+- *msg\m_japanese.wnry*
+- *msg\m_korean.wnry*
+- *msg\m_latvian.wnry*
+- *msg\m_norwegian.wnry*
+- *msg\m_polish.wnry*
+- *msg\m_portuguese.wnry*
+- *msg\m_romanian.wnry*
+- *msg\m_russian.wnry*
+- *msg\m_slovak.wnry*
+- *msg\m_spanish.wnry*
+- *msg\m_swedish.wnry*
+- *msg\m_turkish.wnry*
+- *msg\m_vietnamese.wnry*
+- *r.wnry*
+- *s.wnry*
+- *t.wnry*
+- *TaskData\Tor\libeay32.dll*
+- *TaskData\Tor\libevent-2-0-5.dll*
+- *TaskData\Tor\libevent_core-2-0-5.dll*
+- *TaskData\Tor\libevent_extra-2-0-5.dll*
+- *TaskData\Tor\libgcc_s_sjlj-1.dll*
+- *TaskData\Tor\libssp-0.dll*
+- *TaskData\Tor\ssleay32.dll*
+- *TaskData\Tor\taskhsvc.exe*
+- *TaskData\Tor\tor.exe*
+- *TaskData\Tor\zlib1.dll*
+- *taskdl.exe*
+- *taskse.exe*
+- *u.wnry*
+ 
+WannaCrypt may also create the following files:
+ 
+- *%SystemRoot%\tasksche.exe*
+- *%SystemDrive%\intel\\\<random directory name>\tasksche.exe*
+- *%ProgramData%\\\<random directory name>\tasksche.exe*
+ 
+It may create a randomly named service that has the following associated ImagePath: `cmd.exe /c '<malware working directory>\tasksche.exe'`.
+
+It then searches the whole computer for any file with any of the following file name extensions: *.123, .jpeg , .rb , .602 , .jpg , .rtf , .doc , .js , .sch , .3dm , .jsp , .sh , .3ds , .key , .sldm , .3g2 , .lay , .sldm , .3gp , .lay6 , .sldx , .7z , .ldf , .slk , .accdb , .m3u , .sln , .aes , .m4u , .snt , .ai , .max , .sql , .ARC , .mdb , .sqlite3 , .asc , .mdf , .sqlitedb , .asf , .mid , .stc , .asm , .mkv , .std , .asp , .mml , .sti , .avi , .mov , .stw , .backup , .mp3 , .suo , .bak , .mp4 , .svg , .bat , .mpeg , .swf , .bmp , .mpg , .sxc , .brd , .msg , .sxd , .bz2 , .myd , .sxi , .c , .myi , .sxm , .cgm , .nef , .sxw , .class , .odb , .tar , .cmd , .odg , .tbk , .cpp , .odp , .tgz , .crt , .ods , .tif , .cs , .odt , .tiff , .csr , .onetoc2 , .txt , .csv , .ost , .uop , .db , .otg , .uot , .dbf , .otp , .vb , .dch , .ots , .vbs , .der' , .ott , .vcd , .dif , .p12 , .vdi , .dip , .PAQ , .vmdk , .djvu , .pas , .vmx , .docb , .pdf , .vob , .docm , .pem , .vsd , .docx , .pfx , .vsdx , .dot , .php , .wav , .dotm , .pl , .wb2 , .dotx , .png , .wk1 , .dwg , .pot , .wks , .edb , .potm , .wma , .eml , .potx , .wmv , .fla , .ppam , .xlc , .flv , .pps , .xlm , .frm , .ppsm , .xls , .gif , .ppsx , .xlsb , .gpg , .ppt , .xlsm , .gz , .pptm , .xlsx , .h , .pptx , .xlt , .hwp , .ps1 , .xltm , .ibd , .psd , .xltx , .iso , .pst , .xlw , .jar , .rar , .zip , .java , .raw.*
+
+WannaCrypt encrypts all files it finds and renames them by appending *.WNCRY* to the file name. For example, if a file is named *picture.jpg*, the ransomware encrypts and renames the file to *picture.jpg.WNCRY*.
+
+This ransomware also creates the file *@Please_Read_Me@.txt* in every folder where files are encrypted. The file contains the same ransom message shown in the replaced wallpaper image (see screenshot below).
+
+After completing the encryption process, the malware deletes the volume shadow copies by running the following command:
+`cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet`
+
+It then replaces the desktop background image with the following message:
+
+![Example background image of WannaCrypt](images/wanna3.png)
+ 
+It also runs an executable showing a ransom note which indicates a $300 ransom in Bitcoins as well as a timer:
+ 
+ ![Screenshot of WannaCrypt ransom notice](images/wanna4.png)
+
+The text is localized into the following languages: Bulgarian, Chinese (simplified), Chinese (traditional), Croatian, Czech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, and Vietnamese.
+
+The ransomware also demonstrates the decryption capability by allowing the user to decrypt a few random files, free of charge. It then quickly reminds the user to pay the ransom to decrypt all the remaining files.
+ 
+ ![Screenshot of decryption window](images/wanna5.png)
+
+## Spreading capability
+
+The worm functionality attempts to infect unpatched Windows machines in the local network. At the same time, it also executes massive scanning on Internet IP addresses to find and infect other vulnerable computers. This activity results in large SMB traffic from the infected host, which can be observed by SecOps personnel, as shown below.
+
+![Spreading scanning activity](images/wanna6.png)
+ 
+The Internet scanning routine randomly generates octets to form the IPv4 address. The malware then targets that IP to attempt to exploit CVE-2017-0145. The threat avoids infecting the IPv4 address if the randomly generated value for first octet is 127 or if the value is equal to or greater than 224, in order to skip local loopback interfaces. Once a vulnerable machine is found and infected, it becomes the next hop to infect other machines. The vicious infection cycle continues as the scanning routing discovers unpatched computers.
+
+When it successfully infects a vulnerable computer, the malware runs kernel-level shellcode that seems to have been copied from the public backdoor known as DOUBLEPULSAR, but with certain adjustments to drop and execute the ransomware dropper payload, both for x86 and x64 systems.
+ 
+ ![Kernel-level shellcode used by WannaCrypt](images/wanna7.png)
+
+ ![Kernel-level shellcode used by WannaCrypt](images/wanna8.png)
+ 
+## Protection against the WannaCrypt attack
+
+To get the latest protection from Microsoft, upgrade to [Windows 10](https://www.microsoft.com/en-us/windows/windows-10-upgrade). Keeping your computers [up-to-date](https://www.microsoft.com/en-us/security/portal/mmpc/help/updatefaqs.aspx) gives you the benefits of the latest features and proactive mitigations built into the latest versions of Windows.
+
+We recommend customers that have not yet installed the security update [MS17-010](https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) do so as soon as possible. Until you can apply the patch, we also recommend two possible workarounds to reduce the attack surface:
+
+- Disable SMBv1 with the steps documented at [Microsoft Knowledge Base Article 2696547](https://support.microsoft.com/kb/2696547) and as [recommended previously](https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/)
+- Consider adding a rule on your router or firewall to block incoming SMB traffic on port 445
+ 
+[Windows Defender Antivirus](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-defender-in-windows-10) detects this threat as [Ransom:Win32/WannaCrypt](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt) as of the *1.243.297.0* update. Windows Defender Antivirus uses cloud-based protection, helping to protect you from the latest threats.
+
+For enterprises, use [Device Guard](https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide) to lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run, effectively preventing malware from running.
+
+Use [Office 365 Advanced Threat Protection](https://blogs.office.com/2015/04/08/introducing-exchange-online-advanced-threat-protection/), which has machine learning capability that blocks dangerous email threats, such as the emails carrying ransomware.
+
+Monitor networks with [Windows Defender Advanced Threat Protection](http://www.microsoft.com/en-us/WindowsForBusiness/windows-atp), which alerts security operations teams about suspicious activities. Download this playbook to see how you can leverage Windows Defender ATP to detect, investigate, and mitigate ransomware in networks: [Windows Defender Advanced Threat Protection - Ransomware response playbook](https://www.microsoft.com/en-us/download/details.aspx?id=55090).
+
+## Resources
+
+Download English language security updates: [Windows Server 2003 SP2 x64](http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe), [Windows Server 2003 SP2 x86,](http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe) [Windows XP SP2 x64](http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe), [Windows XP SP3 x86](http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-custom-enu_eceb7d5023bbb23c0dc633e46b9c2f14fa6ee9dd.exe), [Windows XP Embedded SP3 x86](http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-embedded-custom-enu_8f2c266f83a7e1b100ddb9acd4a6a3ab5ecd4059.exe), [Windows 8 x86,](http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x86_a0f1c953a24dd042acc540c59b339f55fb18f594.msu) [Windows 8 x64](http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x64_f05841d2e94197c2dca4457f1b895e8f632b7f8e.msu)
+
+Download localized language security updates: [Windows Server 2003 SP2 x64](http://www.microsoft.com/downloads/details.aspx?FamilyId=d3cb7407-3339-452e-8371-79b9c301132e), [Windows Server 2003 SP2 x86](http://www.microsoft.com/downloads/details.aspx?FamilyId=350ec04d-a0ba-4a50-9be3-f900dafeddf9), [Windows XP SP2 x64](http://www.microsoft.com/downloads/details.aspx?FamilyId=5fbaa61b-15ce-49c7-9361-cb5494f9d6aa), [Windows XP SP3 x86](http://www.microsoft.com/downloads/details.aspx?FamilyId=7388c05d-9de6-4c6a-8b21-219df407754f), [Windows XP Embedded SP3 x86](http://www.microsoft.com/downloads/details.aspx?FamilyId=a1db143d-6ad2-4e7e-9e90-2a73316e1add), [Windows 8 x86](http://www.microsoft.com/downloads/details.aspx?FamilyId=6e2de6b7-9e43-4b42-aca2-267f24210340), [Windows 8 x64](http://www.microsoft.com/downloads/details.aspx?FamilyId=b08bb3f1-f156-4e61-8a68-077963bae8c0)
+
+MS17-010 Security Update: [https://technet.microsoft.com/en-us/library/security/ms17-010.aspx](https://technet.microsoft.com/en-us/library/security/ms17-010.aspx)
+
+Customer guidance for WannaCrypt attacks: [https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/](https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/)
+
+General information on ransomware: [https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx](https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx)
+
+## Indicators of compromise
+
+SHA1 of samples analyzed:
+ 
+- 51e4307093f8ca8854359c0ac882ddca427a813c
+- e889544aff85ffaf8b0d0da705105dee7c97fe26
+ 
+Files created:
+ 
+- %SystemRoot%\mssecsvc.exe
+- %SystemRoot%\tasksche.exe
+- %SystemRoot%\qeriuwjhrf
+- b.wnry
+- c.wnry
+- f.wnry
+- r.wnry
+- s.wnry
+- t.wnry
+- u.wnry
+- taskdl.exe
+- taskse.exe
+- 00000000.eky
+- 00000000.res
+- 00000000.pky
+- @WanaDecryptor@.exe
+- @Please_Read_Me@.txt
+- m.vbs
+- @WanaDecryptor@.exe.lnk
+- @WanaDecryptor@.bmp
+- 274901494632976.bat
+- taskdl.exe
+- Taskse.exe
+- Files with '.wnry' extension
+- Files with '.WNCRY' extension
+ 
+Registry keys created:
+ 
+- HKLM\SOFTWARE\WanaCrypt0r\wd
+ 
+ 
+ 
+*Karthik Selvaraj, Elia Florio, Andrea Lelli, and Tanmay Ganacharya*<br />*Microsoft Malware Protection Center*
+ 

windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md

@@ -28,7 +28,7 @@ You can use a dedicated command-line tool to perform various functions in Window
 
 This utility can be useful when you want to automate the use of Windows Defender Antivirus. 
 
-The utility is available in _%Program Files%\Windows Defender\MpCmdRun.exe_ and must be run from a command prompt.
+The utility is available in _%ProgramFiles%\Windows Defender\MpCmdRun.exe_ and must be run from a command prompt.
 
 > [!NOTE]
 > You may need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
@@ -51,6 +51,7 @@ Command | Description
 \-ListAllDynamicSignature [-Path] | Lists the loaded dynamic signatures
 \-RemoveDynamicSignature [-SignatureSetID] | Removes a dynamic signature
 \-ValidateMapsConnection | Used to validate connection to the [cloud-delivered protection service](configure-network-connections-windows-defender-antivirus.md)
+\-SignatureUpdate [-UNC [-Path <path>]] | Checks for new definition updates
 
 
 

windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md

@@ -146,6 +146,8 @@ Use the following argument with the Windows Defender AV command line utility (*m
 ```DOS
 MpCmdRun - ValidateMapsConnection 
 ```
+> [!NOTE]
+> You may need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
 
 See [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender Antivirus](command-line-arguments-windows-defender-antivirus.md) for more information on how to use the *mpcmdrun.exe* utility.