-
-### Supported values
-
-| Group Policy | MDM | Registry | Description |
-|--------------------------|:-----:|:--------:|---------------------------------------------------------------------------------------------------------------------------------------------|
-| Not configured | Blank | Blank | If you don't configure this policy and you enable the Disable Lockdown of Start Pages policy, users can change or customize the Start page. |
-| Enabled | 0 | 0 | Load the Start page. |
-| Enabled | 1 | 1 | Load the New Tab page. |
-| Enabled | 2 | 2 | Load the previous pages. |
-| Enabled
**(default)** | 3 | 3 | Load a specific page or pages. |
-
----
-
-
->[!TIP]
->If you want to make changes to this policy:
value, which honors both domain and non domain-joined devices when it's the only configured URL.
+
+**version 1809:**
When you enable this policy (Configure Open Microsoft Edge With) and select an option, and also enable the Configure Start Pages policy, Microsoft Edge ignores the Configure Start Page policy.
+
+### Supported values
+
+| Group Policy | MDM | Registry | Description |
+|--------------------------|:-----:|:--------:|---------------------------------------------------------------------------------------------------------------------------------------------|
+| Not configured | Blank | Blank | If you don't configure this policy and you enable the Disable Lockdown of Start Pages policy, users can change or customize the Start page. |
+| Enabled | 0 | 0 | Load the Start page. |
+| Enabled | 1 | 1 | Load the New Tab page. |
+| Enabled | 2 | 2 | Load the previous pages. |
+| Enabled
**(default)** | 3 | 3 | Load a specific page or pages. |
+
+---
+
+> [!TIP]
+> If you want to make changes to this policy:
- Set the **Disabled Lockdown of Start Pages** policy to not configured.
- Make changes to the **Configure Open Microsoft With** policy.
- Enable the **Disabled Lockdown of Start Pages** policy.
+
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Configure Open Microsoft Edge With
+- **GP name:** ConfigureOpenMicrosoftEdgeWith
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[ConfigureOpenEdgeWith](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureOpenEdgeWith
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings
+- **Value name:** ConfigureOpenEdgeWith
+- **Value type:** REG_DWORD
+
+### Related policies
+
+- [Configure Start pages](../available-policies.md#configure-start-pages): [!INCLUDE [configure-start-pages-shortdesc](../shortdesc/configure-start-pages-shortdesc.md)]
+- [Disable lockdown of Start pages](../available-policies.md#disable-lockdown-of-start-pages): [!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../shortdesc/disable-lockdown-of-start-pages-shortdesc.md)]
+
+
+---
diff --git a/browsers/edge/includes/provision-favorites-include.md b/browsers/edge/includes/provision-favorites-include.md
index fdb0016715..739f15e3be 100644
--- a/browsers/edge/includes/provision-favorites-include.md
+++ b/browsers/edge/includes/provision-favorites-include.md
@@ -1,52 +1,53 @@
----
-author: eavena
-ms.author: eravena
-ms.date: 10/02/2018
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-
->*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
->*Default setting: Disabled or not configured (Customizable)*
-
-[!INCLUDE [provision-favorites-shortdesc](../shortdesc/provision-favorites-shortdesc.md)]
-
-
->[!IMPORTANT]
->Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers.
-
-### Supported values
-
-| Group Policy | Description | Most restricted |
-|---------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:|
-| Disabled or not configured
**(default)** | Users can customize the favorites list, such as adding folders, or adding and removing favorites. | |
-| Enabled | Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off.To define a default list of favorites, do the following:
- In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**.
- Click **Import from another browser**, click **Export to file** and save the file.
- In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision. Specify the URL as:
- HTTP location: "SiteList"=
- Local network: "SiteList"="\network\shares\URLs.html"
- Local file: "SiteList"=file:///c:/Users/Documents/URLs.html
|  |
-
----
-
-### ADMX info and settings
-#### ADMX info
-- **GP English name:** Provision Favorites
-- **GP name:** ConfiguredFavorites
-- **GP element:** ConfiguredFavoritesPrompt
-- **GP path:** Windows Components/Microsoft Edge
-- **GP ADMX file name:** MicrosoftEdge.admx
-
-#### MDM settings
-- **MDM name:** Browser/[ProvisionFavorites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites)
-- **Supported devices:** Desktop
-- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ProvisionFavorites
-- **Data type:** String
-
-#### Registry settings
-- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Favorites
-- **Value name:** ConfiguredFavorites
-- **Value type:** REG_SZ
-
-### Related policies
-[Keep favorites in sync between Internet Explorer and Microsoft Edge](../available-policies.md#keep-favorites-in-sync-between-internet-explorer-and-microsoft-edge): [!INCLUDE [keep-favorites-in-sync-between-ie-and-edge-shortdesc](../shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md)]
-
-
+---
+author: eavena
+ms.author: eravena
+ms.date: 10/02/2018
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.prod: edge
+ms.topic: include
+---
+
+
+> *Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
+> *Default setting: Disabled or not configured (Customizable)*
+
+[!INCLUDE [provision-favorites-shortdesc](../shortdesc/provision-favorites-shortdesc.md)]
+
+
+> [!IMPORTANT]
+> Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers.
+
+### Supported values
+
+| Group Policy | Description | Most restricted |
+|---------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:|
+| Disabled or not configured
**(default)** | Users can customize the favorites list, such as adding folders, or adding and removing favorites. | |
+| Enabled | Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off.To define a default list of favorites, do the following:
- In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**.
- Click **Import from another browser**, click **Export to file** and save the file.
- In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision. Specify the URL as:
- HTTP location: "SiteList"=
- Local network: "SiteList"="\network\shares\URLs.html"
- Local file: "SiteList"=file:///c:/Users/Documents/URLs.html
|  |
+
+---
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Provision Favorites
+- **GP name:** ConfiguredFavorites
+- **GP element:** ConfiguredFavoritesPrompt
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[ProvisionFavorites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ProvisionFavorites
+- **Data type:** String
+
+#### Registry settings
+- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Favorites
+- **Value name:** ConfiguredFavorites
+- **Value type:** REG_SZ
+
+### Related policies
+[Keep favorites in sync between Internet Explorer and Microsoft Edge](../available-policies.md#keep-favorites-in-sync-between-internet-explorer-and-microsoft-edge): [!INCLUDE [keep-favorites-in-sync-between-ie-and-edge-shortdesc](../shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md)]
+
+
diff --git a/browsers/edge/includes/send-all-intranet-sites-ie-include.md b/browsers/edge/includes/send-all-intranet-sites-ie-include.md
index 2d8195f03e..0f909d31d7 100644
--- a/browsers/edge/includes/send-all-intranet-sites-ie-include.md
+++ b/browsers/edge/includes/send-all-intranet-sites-ie-include.md
@@ -1,62 +1,63 @@
----
-author: eavena
-ms.author: eravena
-ms.date: 10/02/2018
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-
->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Disabled or not configured*
-
-[!INCLUDE [send-all-intranet-sites-to-ie-shortdesc](../shortdesc/send-all-intranet-sites-to-ie-shortdesc.md)]
-
->[!TIP]
->Microsoft Edge does not support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have websites or web apps that still use this technology and needs IE11 to run, you can add them to the Enterprise Mode site list, using Enterprise Mode Site List Manager.
-
-
-### Supported values
-
-| Group Policy | MDM | Registry | Description | Most restricted |
-|---------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:|
-| Disabled or not configured
**(default)** | 0 | 0 | All sites, including intranet sites, open in Microsoft Edge automatically. |  |
-| Enabled | 1 | 1 | Only intranet sites open in Internet Explorer 11 automatically.Enabling this policy opens all intranet sites in IE11 automatically, even if the users have Microsoft Edge as their default browser.
- In Group Policy Editor, navigate to:
**Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file**
- Click **Enable** and then refresh the policy to view the affected sites in Microsoft Edge.
A message opens stating that the page needs to open in IE. At the same time, the page opens in IE11 automatically; in a new frame if it is not yet running, or in a new tab.
| |
-
----
-
-
-### ADMX info and settings
-#### ADMX info
-- **GP English name:** Send all intranet sites to Internet Explorer 11
-- **GP name:** SendIntranetTraffictoInternetExplorer
-- **GP path:** Windows Components/Microsoft Edge
-- **GP ADMX file name:** MicrosoftEdge.admx
-
-#### MDM settings
-- **MDM name:** Browser/[SendIntranetTraffictoInternetExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sendintranettraffictointernetexplorer)
-- **Supported devices:** Desktop
-- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SendIntranetTraffictoInternetExplorer
-- **Data type:** Integer
-
-#### Registry settings
-- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main
-- **Value name:** SendIntranetTraffictoInternetExplorer
-- **Value type:** REG_DWORD
-
-### Related Policies
-- [Configure the Enterprise Mode Site List](../available-policies.md#configure-the-enterprise-mode-site-list): [!INCLUDE [configure-enterprise-mode-site-list-shortdesc](../shortdesc/configure-enterprise-mode-site-list-shortdesc.md)]
-
-- [Show message when opening sites in Internet Explorer](../available-policies.md#show-message-when-opening-sites-in-internet-explorer): [!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](../shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)]
-
-
-### Related topics
-- [Blog: How Microsoft Edge and Internet Explorer 11 on Windows 10 work better together in the Enterprise](https://go.microsoft.com/fwlink/p/?LinkID=624035). Many customers depend on legacy features only available in older versions of Internet Explorer and are familiar with our Enterprise Mode tools for IE11. The Enterprise Mode has been extended to support to Microsoft Edge by opening any site specified on the Enterprise Mode Site List in IE11. IT Pros can use their existing IE11 Enterprise Mode Site List, or they can create a new one specifically for Microsoft Edge. By keeping Microsoft Edge as the default browser in Windows 10 and only opening legacy line of business sites in IE11 when necessary, you can help keep newer development projects on track, using the latest web standards on Microsoft Edge.
-
-- [Enterprise Mode for Internet Explorer 11 (IE11)](https://go.microsoft.com/fwlink/p/?linkid=618377). Learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager in your company.
-
-- [Use the Enterprise Mode Site List Manager](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager). You can use IE11 and the Enterprise Mode Site List Manager to add individual website domains and domain paths and to specify whether the site renders using Enterprise Mode or the default mode.
-
-
+---
+author: eavena
+ms.author: eravena
+ms.date: 10/02/2018
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.prod: edge
+ms.topic: include
+---
+
+
+> *Supported versions: Microsoft Edge on Windows 10*
+> *Default setting: Disabled or not configured*
+
+[!INCLUDE [send-all-intranet-sites-to-ie-shortdesc](../shortdesc/send-all-intranet-sites-to-ie-shortdesc.md)]
+
+> [!TIP]
+> Microsoft Edge does not support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have websites or web apps that still use this technology and needs IE11 to run, you can add them to the Enterprise Mode site list, using Enterprise Mode Site List Manager.
+
+
+### Supported values
+
+| Group Policy | MDM | Registry | Description | Most restricted |
+|---------------------------------------------|:---:|:--------:|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------:|
+| Disabled or not configured
**(default)** | 0 | 0 | All sites, including intranet sites, open in Microsoft Edge automatically. |  |
+| Enabled | 1 | 1 | Only intranet sites open in Internet Explorer 11 automatically.Enabling this policy opens all intranet sites in IE11 automatically, even if the users have Microsoft Edge as their default browser.
- In Group Policy Editor, navigate to:
**Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file**
- Click **Enable** and then refresh the policy to view the affected sites in Microsoft Edge.
A message opens stating that the page needs to open in IE. At the same time, the page opens in IE11 automatically; in a new frame if it is not yet running, or in a new tab.
| |
+
+---
+
+
+### ADMX info and settings
+#### ADMX info
+- **GP English name:** Send all intranet sites to Internet Explorer 11
+- **GP name:** SendIntranetTraffictoInternetExplorer
+- **GP path:** Windows Components/Microsoft Edge
+- **GP ADMX file name:** MicrosoftEdge.admx
+
+#### MDM settings
+- **MDM name:** Browser/[SendIntranetTraffictoInternetExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sendintranettraffictointernetexplorer)
+- **Supported devices:** Desktop
+- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SendIntranetTraffictoInternetExplorer
+- **Data type:** Integer
+
+#### Registry settings
+- **Path:** HKLM\\Software\\Policies\\Microsoft\\MicrosoftEdge\\Main
+- **Value name:** SendIntranetTraffictoInternetExplorer
+- **Value type:** REG_DWORD
+
+### Related Policies
+- [Configure the Enterprise Mode Site List](../available-policies.md#configure-the-enterprise-mode-site-list): [!INCLUDE [configure-enterprise-mode-site-list-shortdesc](../shortdesc/configure-enterprise-mode-site-list-shortdesc.md)]
+
+- [Show message when opening sites in Internet Explorer](../available-policies.md#show-message-when-opening-sites-in-internet-explorer): [!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](../shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)]
+
+
+### Related topics
+- [Blog: How Microsoft Edge and Internet Explorer 11 on Windows 10 work better together in the Enterprise](https://go.microsoft.com/fwlink/p/?LinkID=624035). Many customers depend on legacy features only available in older versions of Internet Explorer and are familiar with our Enterprise Mode tools for IE11. The Enterprise Mode has been extended to support to Microsoft Edge by opening any site specified on the Enterprise Mode Site List in IE11. IT Pros can use their existing IE11 Enterprise Mode Site List, or they can create a new one specifically for Microsoft Edge. By keeping Microsoft Edge as the default browser in Windows 10 and only opening legacy line of business sites in IE11 when necessary, you can help keep newer development projects on track, using the latest web standards on Microsoft Edge.
+
+- [Enterprise Mode for Internet Explorer 11 (IE11)](https://go.microsoft.com/fwlink/p/?linkid=618377). Learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager in your company.
+
+- [Use the Enterprise Mode Site List Manager](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager). You can use IE11 and the Enterprise Mode Site List Manager to add individual website domains and domain paths and to specify whether the site renders using Enterprise Mode or the default mode.
+
+
diff --git a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md
index c4141688d8..8249262926 100644
--- a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md
+++ b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md
@@ -1,8 +1,8 @@
---
title: Deploy Microsoft Edge Legacy kiosk mode
description: Microsoft Edge Legacy kiosk mode works with assigned access to allow IT admins to create a tailored browsing experience designed for kiosk devices. To use Microsoft Edge Legacy kiosk mode, you must configure Microsoft Edge Legacy as an application in assigned access.
-ms.assetid:
-ms.reviewer:
+ms.assetid:
+ms.reviewer:
audience: itpro
manager: dansimp
author: dansimp
@@ -16,28 +16,28 @@ ms.date: 01/17/2020
# Deploy Microsoft Edge Legacy kiosk mode
->Applies to: Microsoft Edge Legacy (version 45 and earlier) on Windows 10, version 1809 or later
->Professional, Enterprise, and Education
+> Applies to: Microsoft Edge Legacy (version 45 and earlier) on Windows 10, version 1809 or later
+> Professional, Enterprise, and Education
> [!NOTE]
> You've reached the documentation for Microsoft Edge Legacy (version 45 and earlier.) To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/). For information about kiosk mode in the new version of Microsoft Edge, see [Microsoft Edge kiosk mode](https://docs.microsoft.com/DeployEdge/microsoft-edge-kiosk-mode).
In the Windows 10 October 2018 Update, we added the capability to use Microsoft Edge Legacy as a kiosk using assigned access. With assigned access, you create a tailored browsing experience locking down a Windows 10 device to only run as a single-app or multi-app kiosk. Assigned access restricts a local standard user account so that it only has access to one or more Windows app, such as Microsoft Edge Legacy in kiosk mode.
-In this topic, you'll learn:
+In this topic, you'll learn:
- How to configure the behavior of Microsoft Edge Legacy when it's running in kiosk mode with assigned access.
-- What's required to run Microsoft Edge Legacy kiosk mode on your kiosk devices.
-- You'll also learn how to set up your kiosk device using either Windows Setting or Microsoft Intune or an other MDM service.
+- What's required to run Microsoft Edge Legacy kiosk mode on your kiosk devices.
+- You'll also learn how to set up your kiosk device using either Windows Setting or Microsoft Intune or an other MDM service.
-At the end of this topic, you can find a list of [supported policies](#supported-policies-for-kiosk-mode) for kiosk mode and a [feature comparison](#feature-comparison-of-kiosk-mode-and-kiosk-browser-app) of the kiosk mode policy and kiosk browser app. You also find instructions on how to provide us feedback or get support.
+At the end of this topic, you can find a list of [supported policies](#supported-policies-for-kiosk-mode) for kiosk mode and a [feature comparison](#feature-comparison-of-kiosk-mode-and-kiosk-browser-app) of the kiosk mode policy and kiosk browser app. You also find instructions on how to provide us feedback or get support.
## Kiosk mode configuration types
->**Policy** = Configure kiosk mode (ConfigureKioskMode)
+> **Policy** = Configure kiosk mode (ConfigureKioskMode)
-Microsoft Edge Legacy kiosk mode supports four configurations types that depend on how Microsoft Edge Legacy is set up with assigned access, either as a single-app or multi-app kiosk. These configuration types help you determine what is best suited for your kiosk device or scenario.
+Microsoft Edge Legacy kiosk mode supports four configurations types that depend on how Microsoft Edge Legacy is set up with assigned access, either as a single-app or multi-app kiosk. These configuration types help you determine what is best suited for your kiosk device or scenario.
- Learn about [creating a kiosk experience](https://docs.microsoft.com/windows-hardware/customize/enterprise/create-a-kiosk-image)
@@ -50,9 +50,9 @@ Microsoft Edge Legacy kiosk mode supports four configurations types that depend
### Important things to note before getting started
-- There are [required steps to follow](#setup- required-for-microsoft-edge-legacy-kiosk-mode) in order to use the following Microsoft Edge Legacy kiosk mode types either alongside the new version of Microsoft Edge or prevent the new version of Microsoft Edge from being installed on your kiosk device.
+- There are [required steps to follow](#setup- required-for-microsoft-edge-legacy-kiosk-mode) in order to use the following Microsoft Edge Legacy kiosk mode types either alongside the new version of Microsoft Edge or prevent the new version of Microsoft Edge from being installed on your kiosk device.
-- The public browsing kiosk types run Microsoft Edge Legacy InPrivate mode to protect user data with a browsing experience designed for public kiosks.
+- The public browsing kiosk types run Microsoft Edge Legacy InPrivate mode to protect user data with a browsing experience designed for public kiosks.
- Microsoft Edge Legacy kiosk mode has a built-in timer to help keep data safe in public browsing sessions. When the idle time (no user activity) meets the time limit, a confirmation message prompts the user to continue, and if no user activity Microsoft Edge Legacy resets the session to the default URL. By default, the idle timer is 5 minutes, but you can choose a value of your own.
@@ -67,7 +67,7 @@ Microsoft Edge Legacy kiosk mode supports four configurations types that depend
- [Guidelines for choosing an app for assigned access (kiosk mode)](https://aka.ms/Ul7dw3).
-### Supported configuration types
+### Supported configuration types
[!INCLUDE [configure-kiosk-mode-supported-values-include](includes/configure-kiosk-mode-supported-values-include.md)]
@@ -75,9 +75,9 @@ Microsoft Edge Legacy kiosk mode supports four configurations types that depend
Now that you're familiar with the different kiosk mode configurations and have the one you want to use in mind, you can use one of the following methods to set up Microsoft Edge Legacy kiosk mode:
-- **Windows Settings.** Use only to set up a couple of single-app devices because you perform these steps physically on each device. For a multi-app kiosk device, use Microsoft Intune or other MDM service.
+- **Windows Settings.** Use only to set up a couple of single-app devices because you perform these steps physically on each device. For a multi-app kiosk device, use Microsoft Intune or other MDM service.
-- **Microsoft Intune or other MDM service.** Use to set up several single-app or multi-app kiosk devices. Microsoft Intune and other MDM service providers offer more options for customizing the Microsoft Edge Legacy kiosk mode experience using any of the [Supported policies for kiosk mode](#supported-policies-for-kiosk-mode).
+- **Microsoft Intune or other MDM service.** Use to set up several single-app or multi-app kiosk devices. Microsoft Intune and other MDM service providers offer more options for customizing the Microsoft Edge Legacy kiosk mode experience using any of the [Supported policies for kiosk mode](#supported-policies-for-kiosk-mode).
### Prerequisites
@@ -89,14 +89,14 @@ Now that you're familiar with the different kiosk mode configurations and have t
- URL to load when the kiosk launches. The URL that you provide sets the Home button, Start page, and New Tab page.
- _**For Microsoft Intune or other MDM service**_, you must have the AppUserModelID (AUMID) to set up Microsoft Edge Legacy:
-
+
```
Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge
```
### Setup required for Microsoft Edge Legacy kiosk mode
-When the new version of Microsoft Edge Stable channel is installed, Microsoft Edge Legacy is hidden and all attempts to launch Microsoft Edge Legacy are redirected to the new version of Microsoft Edge.
+When the new version of Microsoft Edge Stable channel is installed, Microsoft Edge Legacy is hidden and all attempts to launch Microsoft Edge Legacy are redirected to the new version of Microsoft Edge.
To continue using Microsoft Edge Legacy kiosk mode on your kiosk devices take one of the following actions:
@@ -104,11 +104,11 @@ To continue using Microsoft Edge Legacy kiosk mode on your kiosk devices take on
- To prevent Microsoft Edge Stable channel from being installed on your kiosk devices deploy the Microsoft Edge [Allow installation default](https://docs.microsoft.com/DeployEdge/microsoft-edge-update-policies#installdefault) policy for Stable channel or consider using the [Blocker toolkit](https://docs.microsoft.com/DeployEdge/microsoft-edge-blocker-toolkit) to disable automatic delivery of Microsoft Edge.
> [!NOTE]
-> For more information about accessing Microsoft Edge Legacy after installing Microsoft Edge, see [How to access the old version of Microsoft Edge](https://docs.microsoft.com/DeployEdge/microsoft-edge-sysupdate-access-old-edge).
+> For more information about accessing Microsoft Edge Legacy after installing Microsoft Edge, see [How to access the old version of Microsoft Edge](https://docs.microsoft.com/DeployEdge/microsoft-edge-sysupdate-access-old-edge).
### Use Windows Settings
-Windows Settings is the simplest and the only way to set up one or a couple of single-app devices.
+Windows Settings is the simplest and the only way to set up one or a couple of single-app devices.
1. On the kiosk device, open Windows Settings, and in the search field type **kiosk** and then select **Set up a kiosk (assigned access)**.
@@ -120,9 +120,9 @@ Windows Settings is the simplest and the only way to set up one or a couple of s
5. Select how Microsoft Edge Legacy displays when running in kiosk mode:
- - **As a digital sign or interactive display** - Displays a specific site in full-screen mode, running Microsoft Edge Legacy InPrivate protecting user data.
+ - **As a digital sign or interactive display** - Displays a specific site in full-screen mode, running Microsoft Edge Legacy InPrivate protecting user data.
- - **As a public browser** - Runs a limited multi-tab version of Microsoft Edge Legacy, protecting user data.
+ - **As a public browser** - Runs a limited multi-tab version of Microsoft Edge Legacy, protecting user data.
6. Select **Next**.
@@ -136,23 +136,23 @@ Windows Settings is the simplest and the only way to set up one or a couple of s
11. Restart the kiosk device and sign in with the local kiosk account to validate the configuration.
-**_Congratulations!_** You’ve just finished setting up a single-app kiosk device using Windows Settings.
+**_Congratulations!_**
You’ve just finished setting up a single-app kiosk device using Windows Settings.
-**_What's next?_**
+**_What's next?_**
- User your new kiosk device.
OR
- Make changes to your kiosk device. In Windows Settings, on the **Set up a kiosk** page, make your changes to **Choose a kiosk mode** and **Set up Microsoft Edge Legacy**.
----
+---
### Use Microsoft Intune or other MDM service
With this method, you can use Microsoft Intune or other MDM services to configure Microsoft Edge Legacy kiosk mode in assigned access and how it behaves on a kiosk device. To learn about a few app fundamentals and requirements before adding them to Intune, see [Add apps to Microsoft Intune](https://docs.microsoft.com/intune/apps-add).
->[!IMPORTANT]
->If you are using a local account as a kiosk account in Microsoft Intune, make sure to sign into this account and then sign out before configuring the kiosk device.
+> [!IMPORTANT]
+> If you are using a local account as a kiosk account in Microsoft Intune, make sure to sign into this account and then sign out before configuring the kiosk device.
1. In Microsoft Intune or other MDM service, configure [AssignedAccess](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) to prevent users from accessing the file system, running executables, or other apps.
@@ -166,7 +166,7 @@ With this method, you can use Microsoft Intune or other MDM services to configur
| **[ConfigureHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton)**
 | Configure how the Home Button behaves.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton
**Data type:** Integer
**Allowed values:**
- **0 (default)** - Not configured. Show home button, and load the default Start page.
- **1** - Enabled. Show home button and load New Tab page
- **2** - Enabled. Show home button & set a specific page.
- **3** - Enabled. Hide the home button.
|
| **[SetHomeButtonURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl)** | If you set ConfigureHomeButton to 2, configure the home button URL.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL
**Data type:** String
**Allowed values:** Enter a URL, for example, https://www.bing.com |
| **[SetNewTabPageURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl)**
 | Set a custom URL for the New Tab page.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL
**Data type:** String
**Allowed values:** Enter a URL, for example, https://www.msn.com |
-
+
**_Congratulations!_**
You’ve just finished setting up a kiosk or digital signage with policies for Microsoft Edge Legacy kiosk mode using Microsoft Intune or other MDM service.
@@ -177,7 +177,7 @@ With this method, you can use Microsoft Intune or other MDM services to configur
## Supported policies for kiosk mode
-Use any of the Microsoft Edge Legacy policies listed below to enhance the kiosk experience depending on the Microsoft Edge Legacy kiosk mode type you configure. To learn more about these policies, see [Policy CSP - Browser](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser).
+Use any of the Microsoft Edge Legacy policies listed below to enhance the kiosk experience depending on the Microsoft Edge Legacy kiosk mode type you configure. To learn more about these policies, see [Policy CSP - Browser](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser).
Make sure to check with your provider for instructions.
@@ -251,18 +251,18 @@ Make sure to check with your provider for instructions.
 = Not applicable or not supported
 = Supported
----
+---
## Feature comparison of kiosk mode and kiosk browser app
In the following table, we show you the features available in both Microsoft Edge Legacy kiosk mode and Kiosk Browser app available in Microsoft Store. Both kiosk mode and kiosk browser app work in assigned access.
-| **Feature** | **Microsoft Edge Legacy kiosk mode** | **Microsoft Kiosk browser app** |
+| **Feature** | **Microsoft Edge Legacy kiosk mode** | **Microsoft Kiosk browser app** |
|-----------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------:|:-------------------------------------------------------------------------------------------------------------------------------------------------------:|
| Print support |  |  |
| Multi-tab support |  |  |
-| Allow/Block URL support |   |
+| Allow/Block URL support |  |  |
| Configure Home Button |  |  |
| Set Start page(s) URL |  | 
*Same as Home button URL* |
| Set New Tab page URL |  |  |
@@ -280,6 +280,6 @@ To prevent access to unwanted websites on your kiosk device, use Windows Defende
## Provide feedback or get support
-To provide feedback on Microsoft Edge Legacy kiosk mode in Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory.
+To provide feedback on Microsoft Edge Legacy kiosk mode in Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory.
**_For multi-app kiosk only._** If you have set up the Feedback Hub in assigned access, you can you submit the feedback from the device running Microsoft Edge in kiosk mode in which you can include diagnostic logs. In the Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory.
diff --git a/browsers/edge/web-app-compat-toolkit.md b/browsers/edge/web-app-compat-toolkit.md
index 8ec157e607..00e7a02d51 100644
--- a/browsers/edge/web-app-compat-toolkit.md
+++ b/browsers/edge/web-app-compat-toolkit.md
@@ -1,6 +1,6 @@
---
title: Web Application Compatibility lab kit
-ms.reviewer:
+ms.reviewer:
audience: itpro
manager: dansimp
description: Learn how to use the web application compatibility toolkit for Microsoft Edge.
@@ -14,7 +14,7 @@ ms.localizationpriority: high
# Web Application Compatibility lab kit
->Updated: October, 2017
+> Updated: October, 2017
Upgrading web applications to modern standards is the best long-term solution to ensure compatibility with today’s web browsers, but using backward compatibility can save time and money. Internet Explorer 11 has features that can ease your browser and operating system upgrades, reducing web application testing and remediation costs. On Windows 10, you can standardize on Microsoft Edge for faster, safer browsing and fall back to Internet Explorer 11 just for sites that need backward compatibility.
@@ -22,7 +22,7 @@ The Web Application Compatibility Lab Kit is a primer for the features and techn
The Web Application Compatibility Lab Kit includes:
-- A pre-configured Windows 7 and Windows 10 virtual lab environment with:
+- A pre-configured Windows 7 and Windows 10 virtual lab environment with:
- Windows 7 Enterprise Evaluation
- Windows 10 Enterprise Evaluation (version 1607)
- Enterprise Mode Site List Manager
@@ -36,10 +36,10 @@ Depending on your environment, your web apps may "just work” using the methods
There are two versions of the lab kit available:
-- Full version (8 GB) - includes a complete virtual lab environment
+- Full version (8 GB) - includes a complete virtual lab environment
- Lite version (400 MB) - includes guidance for running the Lab Kit on your own Windows 7 or Windows 10 operating system
-The Web Application Compatibility Lab Kit is also available in the following languages:
+The Web Application Compatibility Lab Kit is also available in the following languages:
- Chinese (Simplified)
- Chinese (Traditional)
@@ -48,11 +48,11 @@ The Web Application Compatibility Lab Kit is also available in the following lan
- Italian
- Japanese
- Korean
-- Portuguese (Brazil)
+- Portuguese (Brazil)
- Russian
- Spanish
[DOWNLOAD THE LAB KIT](https://www.microsoft.com/evalcenter/evaluate-windows-10-web-application-compatibility-lab)
->[!TIP]
->Please use a broad bandwidth to download this content to enhance your downloading experience. Lab environment requires 8 GB of available memory and 100 GB of free disk space.
+> [!TIP]
+> Please use a broad bandwidth to download this content to enhance your downloading experience. Lab environment requires 8 GB of available memory and 100 GB of free disk space.
diff --git a/browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md b/browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md
index cbfc5f11b5..867bb143b8 100644
--- a/browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md
+++ b/browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md
@@ -8,7 +8,7 @@ ms.prod: ie11
title: Create a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
ms.sitesec: library
ms.date: 07/27/2017
-ms.reviewer:
+ms.reviewer:
manager: dansimp
ms.author: dansimp
---
@@ -17,16 +17,16 @@ ms.author: dansimp
**Applies to:**
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
Employees assigned to the Requester role can create a change request. A change request is used to tell the Approvers and the Administrator that a website needs to be added or removed from the Enterprise Mode Site List. The employee can navigate to each stage of the process by using the workflow links provided at the top of each page of the portal.
->[!Important]
->Each Requester must have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct.
+> [!Important]
+> Each Requester must have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct.
**To create a new change request**
1. The Requester (an employee that has been assigned the Requester role) signs into the Enterprise Mode Site List Portal, and clicks **Create new request**.
@@ -36,7 +36,7 @@ Employees assigned to the Requester role can create a change request. A change r
2. Fill out the required fields, based on the group and the app, including:
- **Group name.** Select the name of your group from the dropdown box.
-
+
- **App name.** Type the name of the app you want to add, delete, or update in the Enterprise Mode Site List.
- **Search all apps.** If you can't remember the name of your app, you can click **Search all apps** and search the list.
@@ -58,16 +58,16 @@ Employees assigned to the Requester role can create a change request. A change r
- **App best viewed in.** Select the best browser experience for the app. This can be Internet Explorer 5 through Internet Explorer 11 or one of the IE7Enterprise or IE8Enterprise modes.
- **Is an x-ua tag used?** Select **Yes** or **No** whether an x-ua-compatible tag is used by the app. For more info about x-ua-compatible tags, see the topics in [Defining document compatibility](https://msdn.microsoft.com/library/cc288325(v=vs.85).aspx).
-
+
4. Click **Save and continue** to save the request and get the app info sent to the pre-production environment site list for testing.
-
+
A message appears that the request was successful, including a **Request ID** number, saying that the change is being made to the pre-production environment site list.
5. The Requester gets an email with a batch script, that when run, configures their test machine for the pre-production environment, along with the necessary steps to make sure the changed info is correct.
- **If the change is correct.** The Requester asks the approvers to approve the change request by selecting **Successful** and clicking **Send for approval**.
-
+
- **If the change is incorrect.** The Requester can rollback the change in pre-production or ask for help from the Administrator.
## Next steps
-After the change request is created, the Requester must make sure the suggested changes work in the pre-production environment. For these steps, see the [Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md) topic.
+After the change request is created, the Requester must make sure the suggested changes work in the pre-production environment. For these steps, see [Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md).
diff --git a/browsers/enterprise-mode/enterprise-mode-features-include.md b/browsers/enterprise-mode/enterprise-mode-features-include.md
index 8090fc9ba8..9da0e79778 100644
--- a/browsers/enterprise-mode/enterprise-mode-features-include.md
+++ b/browsers/enterprise-mode/enterprise-mode-features-include.md
@@ -1,4 +1,5 @@
### Enterprise Mode features
+
Enterprise Mode includes the following features:
- **Improved web app and website compatibility.** Through improved emulation, Enterprise Mode lets many legacy web apps run unmodified on IE11, supporting several site patterns that aren’t currently supported by existing document modes.
@@ -8,9 +9,9 @@ Download the [Enterprise Mode Site List Manager (schema v.2)](https://go.microso
- **Centralized control.** You can specify the websites or web apps to interpret using Enterprise Mode, through an XML file on a website or stored locally. Domains and paths within those domains can be treated differently, allowing granular control. Use Group Policy to let users turn Enterprise Mode on or off from the Tools menu and to decide whether the Enterprise browser profile appears on the Emulation tab of the F12 developer tools.
- >[!Important]
- >All centrally-made decisions override any locally-made choices.
+ > [!Important]
+ > All centrally-made decisions override any locally-made choices.
- **Integrated browsing.** When Enterprise Mode is set up, users can browse the web normally, letting the browser change modes automatically to accommodate Enterprise Mode sites.
-- **Data gathering.** You can configure Enterprise Mode to collect local override data, posting back to a named server. This lets you "crowd source" compatibility testing from key users; gathering their findings to add to your central site list.
\ No newline at end of file
+- **Data gathering.** You can configure Enterprise Mode to collect local override data, posting back to a named server. This lets you "crowd source" compatibility testing from key users; gathering their findings to add to your central site list.
diff --git a/browsers/enterprise-mode/verify-changes-preprod-enterprise-mode-portal.md b/browsers/enterprise-mode/verify-changes-preprod-enterprise-mode-portal.md
index a72f720a3f..3e06b8b806 100644
--- a/browsers/enterprise-mode/verify-changes-preprod-enterprise-mode-portal.md
+++ b/browsers/enterprise-mode/verify-changes-preprod-enterprise-mode-portal.md
@@ -8,7 +8,7 @@ ms.prod: ie11
title: Verify your changes using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
ms.sitesec: library
ms.date: 07/27/2017
-ms.reviewer:
+ms.reviewer:
manager: dansimp
ms.author: dansimp
---
@@ -17,18 +17,18 @@ ms.author: dansimp
**Applies to:**
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
->[!Important]
->This step requires that each Requester have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct.
+> [!Important]
+> This step requires that each Requester have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct.
The Requester successfully submits a change request to the Enterprise Mode Site List Portal and then gets an email, including:
-- **EMIE_RegKey**. A batch file that when run, sets the registry key to point to the local pre-production Enterprise Mode Site List.
+- **EMIE_RegKey**. A batch file that when run, sets the registry key to point to the local pre-production Enterprise Mode Site List.
- **Test steps**. The suggested steps about how to test the change request details to make sure they're accurate in the pre-production environment.
diff --git a/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md b/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md
index 22464cc569..31961c97a1 100644
--- a/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md
+++ b/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md
@@ -1,22 +1,23 @@
----
-author: eavena
-ms.author: eravena
-ms.date: 10/02/2018
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-If you need to replace your entire site list because of errors, or simply because it’s out of date, you can import your exported Enterprise Mode site list using the Enterprise Mode Site List Manager.
-
->[!IMPORTANT]
->Importing your file overwrites everything that’s currently in the tool, so make sure it’s what want to do.
-
-1. In the Enterprise Mode Site List Manager, click **File \> Import**.
-
-2. Go to the exported .EMIE file.
For example, `C:\users\\documents\sites.emie`
-
-1. Click **Open**.
-
-2. Review the alert message about all of your entries being overwritten and click **Yes**.
+---
+author: eavena
+ms.author: eravena
+ms.date: 10/02/2018
+ms.reviewer:
+audience: itpro
+manager: dansimp
+ms.prod: edge
+ms.topic: include
+---
+
+If you need to replace your entire site list because of errors, or simply because it’s out of date, you can import your exported Enterprise Mode site list using the Enterprise Mode Site List Manager.
+
+> [!IMPORTANT]
+> Importing your file overwrites everything that’s currently in the tool, so make sure it’s what want to do.
+
+1. In the Enterprise Mode Site List Manager, click **File \> Import**.
+
+2. Go to the exported .EMIE file.For example, `C:\users\\documents\sites.emie`
+
+1. Click **Open**.
+
+2. Review the alert message about all of your entries being overwritten and click **Yes**.
diff --git a/browsers/includes/interoperability-goals-enterprise-guidance.md b/browsers/includes/interoperability-goals-enterprise-guidance.md
index 04470d33af..407e07bf91 100644
--- a/browsers/includes/interoperability-goals-enterprise-guidance.md
+++ b/browsers/includes/interoperability-goals-enterprise-guidance.md
@@ -26,8 +26,8 @@ You must continue using IE11 if web apps use any of the following:
If you have uninstalled IE11, you can download it from the Microsoft Store or the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956). Alternatively, you can use Enterprise Mode with Microsoft Edge to transition only the sites that need these technologies to load in IE11.
->[!TIP]
->If you want to use Group Policy to set Internet Explorer as your default browser, you can find the info here, [Set the default browser using Group Policy](https://go.microsoft.com/fwlink/p/?LinkId=620714).
+> [!TIP]
+> If you want to use Group Policy to set Internet Explorer as your default browser, you can find the info here, [Set the default browser using Group Policy](https://go.microsoft.com/fwlink/p/?LinkId=620714).
|Technology |Why it existed |Why we don't need it anymore |
@@ -38,4 +38,3 @@ If you have uninstalled IE11, you can download it from the Microsoft Store or th
---
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md
index d15192b9d3..278408ab38 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md
@@ -8,7 +8,7 @@ ms.prod: ie11
title: Create a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
ms.sitesec: library
ms.date: 07/27/2017
-ms.reviewer:
+ms.reviewer:
audience: itpro
manager: dansimp
ms.author: dansimp
@@ -18,16 +18,16 @@ ms.author: dansimp
**Applies to:**
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
Employees assigned to the Requester role can create a change request. A change request is used to tell the Approvers and the Administrator that a website needs to be added or removed from the Enterprise Mode Site List. The employee can navigate to each stage of the process by using the workflow links provided at the top of each page of the portal.
->[!Important]
->Each Requester must have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct.
+> [!Important]
+> Each Requester must have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct.
**To create a new change request**
1. The Requester (an employee that has been assigned the Requester role) signs into the Enterprise Mode Site List Portal, and clicks **Create new request**.
@@ -37,7 +37,7 @@ Employees assigned to the Requester role can create a change request. A change r
2. Fill out the required fields, based on the group and the app, including:
- **Group name.** Select the name of your group from the dropdown box.
-
+
- **App name.** Type the name of the app you want to add, delete, or update in the Enterprise Mode Site List.
- **Search all apps.** If you can't remember the name of your app, you can click **Search all apps** and search the list.
@@ -59,16 +59,17 @@ Employees assigned to the Requester role can create a change request. A change r
- **App best viewed in.** Select the best browser experience for the app. This can be Internet Explorer 5 through Internet Explorer 11 or one of the IE7Enterprise or IE8Enterprise modes.
- **Is an x-ua tag used?** Select **Yes** or **No** whether an x-ua-compatible tag is used by the app. For more info about x-ua-compatible tags, see the topics in [Defining document compatibility](https://msdn.microsoft.com/library/cc288325(v=vs.85).aspx).
-
+
4. Click **Save and continue** to save the request and get the app info sent to the pre-production environment site list for testing.
-
+
A message appears that the request was successful, including a **Request ID** number, saying that the change is being made to the pre-production environment site list.
5. The Requester gets an email with a batch script, that when run, configures their test machine for the pre-production environment, along with the necessary steps to make sure the changed info is correct.
- **If the change is correct.** The Requester asks the approvers to approve the change request by selecting **Successful** and clicking **Send for approval**.
-
+
- **If the change is incorrect.** The Requester can rollback the change in pre-production or ask for help from the Administrator.
## Next steps
-After the change request is created, the Requester must make sure the suggested changes work in the pre-production environment. For these steps, see the [Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md) topic.
+
+After the change request is created, the Requester must make sure the suggested changes work in the pre-production environment. For these steps, see [Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md).
diff --git a/browsers/internet-explorer/ie11-deploy-guide/images/configmgrhardwareinventory.png b/browsers/internet-explorer/ie11-deploy-guide/images/configmgrhardwareinventory.png
index d2508016be..7626296e87 100644
Binary files a/browsers/internet-explorer/ie11-deploy-guide/images/configmgrhardwareinventory.png and b/browsers/internet-explorer/ie11-deploy-guide/images/configmgrhardwareinventory.png differ
diff --git a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md
index 8a161b2ffb..a3fce1731d 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md
@@ -8,7 +8,7 @@ ms.prod: ie11
title: Verify your changes using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
ms.sitesec: library
ms.date: 07/27/2017
-ms.reviewer:
+ms.reviewer:
audience: itpro
manager: dansimp
ms.author: dansimp
@@ -18,18 +18,18 @@ ms.author: dansimp
**Applies to:**
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
->[!Important]
->This step requires that each Requester have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct.
+> [!Important]
+> This step requires that each Requester have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct.
The Requester successfully submits a change request to the Enterprise Mode Site List Portal and then gets an email, including:
-- **EMIE_RegKey**. A batch file that when run, sets the registry key to point to the local pre-production Enterprise Mode Site List.
+- **EMIE_RegKey**. A batch file that when run, sets the registry key to point to the local pre-production Enterprise Mode Site List.
- **Test steps**. The suggested steps about how to test the change request details to make sure they're accurate in the pre-production environment.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
index da309b68cd..1a2c6fc17a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
@@ -20,11 +20,11 @@ ms.date: 10/25/2018
**Applies to:**
-- Windows 10
-- Windows 8.1
-- Windows 7
-- Windows Server 2012 R2
-- Windows Server 2008 R2 with Service Pack 1 (SP1)
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
Internet Explorer and Microsoft Edge can work together to support your legacy web apps, while still defaulting to the higher bar for security and modern experiences enabled by Microsoft Edge. Working with multiple browsers can be difficult, particularly if you have a substantial number of internal sites. To help manage this dual-browser experience, we are introducing a new web tool specifically targeted towards larger organizations: the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal).
@@ -33,7 +33,7 @@ If you have specific websites and apps that you know have compatibility problems
Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11.
->[!TIP]
+> [!TIP]
> If you are running an earlier version of Internet Explorer, we recommend upgrading to IE11, so that any legacy apps continue to work correctly.
For Windows 10 and Windows 10 Mobile, Microsoft Edge is the default browser experience. However, Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or included on your Enterprise Mode Site List.
@@ -54,8 +54,8 @@ Download the [Enterprise Mode Site List Manager (schema v.2)](https://go.microso
- **Centralized control.** You can specify the websites or web apps to interpret using Enterprise Mode, through an XML file on a website or stored locally. Domains and paths within those domains can be treated differently, allowing granular control. Use Group Policy to let users turn Enterprise Mode on or off from the Tools menu and to decide whether the Enterprise browser profile appears on the Emulation tab of the F12 developer tools.
- >[!Important]
- >All centrally-made decisions override any locally-made choices.
+ > [!Important]
+ > All centrally-made decisions override any locally-made choices.
- **Integrated browsing.** When Enterprise Mode is set up, users can browse the web normally, letting the browser change modes automatically to accommodate Enterprise Mode sites.
@@ -121,11 +121,11 @@ There are 2 versions of this tool, both supported on Windows 7, Windows 8.1, and
- [Enterprise Mode Site List Manager (schema v.1)](https://www.microsoft.com/download/details.aspx?id=42501). This is an older version of the schema that you must use if you want to create and update your Enterprise Mode Site List for devices running the v.1 version of the schema.
- We strongly recommend moving to the new schema, v.2. For more info, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md).
+ We strongly recommend moving to the new schema, v.2. For more info, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md).
- [Enterprise Mode Site List Manager (schema v.2)](https://www.microsoft.com/download/details.aspx?id=49974). The updated version of the schema, including new functionality. You can use this version of the schema to create and update your Enterprise Mode Site List for devices running the v.2 version of the schema.
- If you open a v.1 version of your Enterprise Mode Site List using this version, it will update the schema to v.2, automatically. For more info, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md).
+ If you open a v.1 version of your Enterprise Mode Site List using this version, it will update the schema to v.2, automatically. For more info, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md).
If your list is too large to add individual sites, or if you have more than one person managing the site list, we recommend using the Enterprise Site List Portal.
diff --git a/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md b/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md
index a4cb639bc5..e35b64b8a4 100644
--- a/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md
+++ b/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md
@@ -5,8 +5,8 @@ description: Get answers to commonly asked questions about the Internet Explorer
author: dansimp
ms.author: dansimp
ms.prod: ie11
-ms.assetid:
-ms.reviewer:
+ms.assetid:
+ms.reviewer:
audience: itpro
manager: dansimp
title: Internet Explorer 11 Blocker Toolkit - Frequently Asked Questions
@@ -16,50 +16,50 @@ ms.date: 05/10/2018
# Internet Explorer 11 Blocker Toolkit - Frequently Asked Questions
-Get answers to commonly asked questions about the Internet Explorer 11 Blocker Toolkit.
+Get answers to commonly asked questions about the Internet Explorer 11 Blocker Toolkit.
->[!Important]
->If you administer your company’s environment using an update management solution, such as Windows Server Update Services (WSUS) or System Center 2012 Configuration Manager, you don’t need to use the Internet Explorer 11 Blocker Toolkit. Update management solutions let you completely manage your Windows Updates and Microsoft Updates, including your Internet Explorer 11 deployment.
+> [!Important]
+> If you administer your company’s environment using an update management solution, such as Windows Server Update Services (WSUS) or System Center 2012 Configuration Manager, you don’t need to use the Internet Explorer 11 Blocker Toolkit. Update management solutions let you completely manage your Windows Updates and Microsoft Updates, including your Internet Explorer 11 deployment.
-- [Automatic updates delivery process](#automatic-updates-delivery-process)
+- [Automatic updates delivery process](#automatic-updates-delivery-process)
-- [How the Internet Explorer 11 Blocker Toolkit works](#how-the-internet-explorer-11-blocker-toolkit-works)
+- [How the Internet Explorer 11 Blocker Toolkit works](#how-the-internet-explorer-11-blocker-toolkit-works)
-- [Internet Explorer 11 Blocker Toolkit and other update services](#internet-explorer-11-blocker-toolkit-and-other-update-services)
+- [Internet Explorer 11 Blocker Toolkit and other update services](#internet-explorer-11-blocker-toolkit-and-other-update-services)
## Automatic Updates delivery process
-**Q. Which users will receive Internet Explorer 11 as an important update?**
-A. Users running either Windows 7 with Service Pack 1 (SP1) or the 64-bit version of Windows Server 2008 R2 with Service Pack 1 (SP1) will receive Internet Explorer 11 as an important update, if Automatic Updates are turned on. Windows Update is manually run. Automatic Updates will automatically download and install the Internet Explorer 11 files if it’s turned on. For more information about how Internet Explorer works with Automatic Updates and information about other deployment blocking options, see [Internet Explorer 11 Delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md).
-
-**Q. When is the Blocker Toolkit available?**
-A. The Blocker Toolkit is currently available from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722).
-
-**Q. What tools can I use to manage Windows Updates and Microsoft Updates in my company?**
-A. We encourage anyone who wants full control over their company’s deployment of Windows Updates and Microsoft Updates, to use [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), a free tool for users of Windows Server. You can also use the more advanced configuration management tool, [System Center 2012 Configuration Manager](https://technet.microsoft.com/library/gg682041.aspx).
-
-**Q. How long does the blocker mechanism work?**
-A. The Internet Explorer 11 Blocker Toolkit uses a registry key value to permanently turn off the automatic delivery of Internet Explorer 11. This behavior lasts as long as the registry key value isn’t removed or changed.
-
-**Q. Why should I use the Internet Explorer 11 Blocker Toolkit to stop delivery of Internet Explorer 11? Why can’t I just disable all of Automatic Updates?**
-A. Automatic Updates provide you with ongoing critical security and reliability updates. Turning this feature off can leave your computers more vulnerable. Instead, we suggest that you use an update management solution, such as WSUS, to fully control your environment while leaving this feature running, managing how and when the updates get to your user’s computers.
-
+**Q. Which users will receive Internet Explorer 11 as an important update?**
+A. Users running either Windows 7 with Service Pack 1 (SP1) or the 64-bit version of Windows Server 2008 R2 with Service Pack 1 (SP1) will receive Internet Explorer 11 as an important update, if Automatic Updates are turned on. Windows Update is manually run. Automatic Updates will automatically download and install the Internet Explorer 11 files if it’s turned on. For more information about how Internet Explorer works with Automatic Updates and information about other deployment blocking options, see [Internet Explorer 11 Delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md).
+
+**Q. When is the Blocker Toolkit available?**
+A. The Blocker Toolkit is currently available from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722).
+
+**Q. What tools can I use to manage Windows Updates and Microsoft Updates in my company?**
+A. We encourage anyone who wants full control over their company’s deployment of Windows Updates and Microsoft Updates, to use [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), a free tool for users of Windows Server. You can also use the more advanced configuration management tool, [System Center 2012 Configuration Manager](https://technet.microsoft.com/library/gg682041.aspx).
+
+**Q. How long does the blocker mechanism work?**
+A. The Internet Explorer 11 Blocker Toolkit uses a registry key value to permanently turn off the automatic delivery of Internet Explorer 11. This behavior lasts as long as the registry key value isn’t removed or changed.
+
+**Q. Why should I use the Internet Explorer 11 Blocker Toolkit to stop delivery of Internet Explorer 11? Why can’t I just disable all of Automatic Updates?**
+A. Automatic Updates provide you with ongoing critical security and reliability updates. Turning this feature off can leave your computers more vulnerable. Instead, we suggest that you use an update management solution, such as WSUS, to fully control your environment while leaving this feature running, managing how and when the updates get to your user’s computers.
+
The Internet Explorer 11 Blocker Toolkit safely allows Internet Explorer 11 to download and install in companies that can’t use WSUS, Configuration Manager, or
-other update management solution.
-
-**Q. Why don’t we just block URL access to Windows Update or Microsoft Update?**
+other update management solution.
+
+**Q. Why don’t we just block URL access to Windows Update or Microsoft Update?**
A. Blocking the Windows Update or Microsoft Update URLs also stops delivery of critical security and reliability updates for all of the supported versions of the Windows operating system; leaving your computers more vulnerable.
## How the Internet Explorer 11 Blocker Toolkit works
-**Q. How should I test the Internet Explorer 11 Blocker Toolkit in my company?**
-A. Because the toolkit only sets a registry key to turn on and off the delivery of Internet Explorer 11, there should be no additional impact or side effects to your environment. No additional testing should be necessary.
-
-**Q. What’s the registry key used to block delivery of Internet Explorer 11?**
-A. HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Setup\\11.0
-
-**Q. What’s the registry key name and values?**
+**Q. How should I test the Internet Explorer 11 Blocker Toolkit in my company?**
+A. Because the toolkit only sets a registry key to turn on and off the delivery of Internet Explorer 11, there should be no additional impact or side effects to your environment. No additional testing should be necessary.
+
+**Q. What’s the registry key used to block delivery of Internet Explorer 11?**
+A. HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Setup\\11.0
+
+**Q. What’s the registry key name and values?**
The registry key name is **DoNotAllowIE11**, where:
- A value of **1** turns off the automatic delivery of Internet Explorer 11 using Automatic Updates and turns off the Express install option.
@@ -67,23 +67,23 @@ The registry key name is **DoNotAllowIE11**, where:
- Not providing a registry key, or using a value of anything other than **1**, lets the user install Internet Explorer 11 through Automatic Updates or a
manual update.
-**Q. Does the Internet Explorer 11 Blocker Toolkit stop users from manually installing Internet Explorer 11?**
-A. No. The Internet Explorer 11 Blocker Toolkit only stops computers from automatically installing Internet Explorer 11 through Automatic Updates. Users can still download and install Internet Explorer 11 from the Microsoft Download Center or from external media.
-
-**Q. Does the Internet Explorer 11 Blocker Toolkit stop users from automatically upgrading to Internet Explorer 11?**
-A. Yes. The Internet Explorer 11 Blocker Toolkit also prevents Automatic Updates from automatically upgrading a computer from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11.
-
-**Q. How does the provided script work?**
+**Q. Does the Internet Explorer 11 Blocker Toolkit stop users from manually installing Internet Explorer 11?**
+A. No. The Internet Explorer 11 Blocker Toolkit only stops computers from automatically installing Internet Explorer 11 through Automatic Updates. Users can still download and install Internet Explorer 11 from the Microsoft Download Center or from external media.
+
+**Q. Does the Internet Explorer 11 Blocker Toolkit stop users from automatically upgrading to Internet Explorer 11?**
+A. Yes. The Internet Explorer 11 Blocker Toolkit also prevents Automatic Updates from automatically upgrading a computer from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11.
+
+**Q. How does the provided script work?**
A. The script accepts one of two command line options:
- **Block:** Creates the registry key that stops Internet Explorer 11 from installing through Automatic Updates.
- **Unblock:** Removes the registry key that stops Internet Explorer 11 from installing through Automatic Updates.
-**Q. What’s the ADM template file used for?**
-A. The Administrative Template (.adm file) lets you import the new Group Policy environment and use Group Policy Objects to centrally manage all of the computers in your company.
-
-**Q. Is the tool localized?**
+**Q. What’s the ADM template file used for?**
+A. The Administrative Template (.adm file) lets you import the new Group Policy environment and use Group Policy Objects to centrally manage all of the computers in your company.
+
+**Q. Is the tool localized?**
A. No. The tool isn’t localized, it’s only available in English (en-us). However, it does work, without any modifications, on any language edition of the supported operating systems.
## Internet Explorer 11 Blocker Toolkit and other update services
@@ -91,17 +91,17 @@ A. No. The tool isn’t localized, it’s only available in English (en-us). How
**Q: Is there a version of the Internet Explorer Blocker Toolkit that will prevent automatic installation of IE11?**
Yes. The IE11 Blocker Toolkit is available for download. For more information, see [Toolkit to Disable Automatic Delivery of IE11](https://go.microsoft.com/fwlink/p/?LinkId=328195) on the Microsoft Download Center.
-**Q. Does the Internet Explorer 11 blocking mechanism also block delivery of Internet Explorer 11 through update management solutions, like WSUS?**
-A. No. You can still deploy Internet Explorer 11 using one of the upgrade management solutions, even if the blocking mechanism is activated. The Internet Explorer 11 Blocker Toolkit is only intended for companies that don’t use upgrade management solutions.
-
-**Q. If WSUS is set to 'auto-approve' Update Rollup packages (this is not the default configuration), how do I stop Internet Explorer 11 from automatically installing throughout my company?**
+**Q. Does the Internet Explorer 11 blocking mechanism also block delivery of Internet Explorer 11 through update management solutions, like WSUS?**
+A. No. You can still deploy Internet Explorer 11 using one of the upgrade management solutions, even if the blocking mechanism is activated. The Internet Explorer 11 Blocker Toolkit is only intended for companies that don’t use upgrade management solutions.
+
+**Q. If WSUS is set to 'auto-approve' Update Rollup packages (this is not the default configuration), how do I stop Internet Explorer 11 from automatically installing throughout my company?**
A. You only need to change your settings if:
-- You use WSUS to manage updates and allow auto-approvals for Update Rollup installation.
+- You use WSUS to manage updates and allow auto-approvals for Update Rollup installation.
-and-
-- You have computers running either Windows 7 SP1 or Windows Server 2008 R2 (SP1) with Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 installed.
+- You have computers running either Windows 7 SP1 or Windows Server 2008 R2 (SP1) with Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 installed.
-and-
@@ -112,10 +112,10 @@ If these scenarios apply to your company, see [Internet Explorer 11 delivery thr
## Additional resources
-- [Internet Explorer 11 Blocker Toolkit download](https://www.microsoft.com/download/details.aspx?id=40722)
+- [Internet Explorer 11 Blocker Toolkit download](https://www.microsoft.com/download/details.aspx?id=40722)
-- [Internet Explorer 11 FAQ for IT pros](https://docs.microsoft.com/internet-explorer/ie11-faq/faq-for-it-pros-ie11)
+- [Internet Explorer 11 FAQ for IT pros](https://docs.microsoft.com/internet-explorer/ie11-faq/faq-for-it-pros-ie11)
-- [Internet Explorer 11 delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md)
+- [Internet Explorer 11 delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md)
-- [Internet Explorer 11 deployment guide](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/index)
+- [Internet Explorer 11 deployment guide](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/index)
diff --git a/browsers/internet-explorer/ie11-ieak/index.md b/browsers/internet-explorer/ie11-ieak/index.md
index 3187f8b507..29b8c0ceca 100644
--- a/browsers/internet-explorer/ie11-ieak/index.md
+++ b/browsers/internet-explorer/ie11-ieak/index.md
@@ -14,12 +14,12 @@ manager: dansimp
# Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide
-The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. You can use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after Internet Explorer deployment.
+The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. You can use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after Internet Explorer deployment.
Use this guide to learn about the several options and processes you'll need to consider while you're using the Internet Explorer Administration Kit 11 (IEAK 11) to customize, deploy, and manage Internet Explorer 11 for your employee's devices.
->[!IMPORTANT]
->Because this content isn't intended to be a step-by-step guide, not all of the steps are necessary.
+> [!IMPORTANT]
+> Because this content isn't intended to be a step-by-step guide, not all of the steps are necessary.
## Included technology
@@ -41,7 +41,7 @@ IE11 and IEAK 11 offers differing experiences between Windows 7 and Windows 8.1
## Related topics
- [IEAK 11 - Frequently Asked Questions](../ie11-faq/faq-ieak11.md)
-- [Download IEAK 11](ieak-information-and-downloads.md)
+- [Download IEAK 11](ieak-information-and-downloads.md)
- [IEAK 11 administrators guide](https://docs.microsoft.com/internet-explorer/ie11-ieak/index)
- [IEAK 11 licensing guidelines](licensing-version-and-features-ieak11.md)
- [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.md)
diff --git a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
index 296dec1688..ea1f1cb9e1 100644
--- a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
@@ -6,7 +6,7 @@ author: dansimp
ms.author: dansimp
ms.prod: ie11
ms.assetid: 69d25451-08af-4db0-9daa-44ab272acc15
-ms.reviewer:
+ms.reviewer:
audience: itpro
manager: dansimp
title: Determine the licensing version and features to use in IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros)
@@ -21,8 +21,8 @@ In addition to the Software License Terms for the Internet Explorer Administrati
During installation, you must pick a version of IEAK 11, either **External** or **Internal**, based on your license agreement. Your version selection decides the options you can chose, the steps you follow to deploy your Internet Explorer 11 package, and how you manage the browser after deployment.
- **External Distribution as an Internet Service Provider (ISP), Internet Content Provider (ICP), or Developer.** If you are an ISP or an ICP, your license agreement also states that you must show the Internet Explorer logo on your packaging and promotional goods, as well as on your website.
- >[!IMPORTANT]
- >Original Equipment Manufacturers (OEMs) that install IEAK 11 as part of a Windows product, under an OEM license agreement with Microsoft, must use their appropriate Windows OEM Preinstallation document (OPD) as the guide for allowable customizations.
+ > [!IMPORTANT]
+ > Original Equipment Manufacturers (OEMs) that install IEAK 11 as part of a Windows product, under an OEM license agreement with Microsoft, must use their appropriate Windows OEM Preinstallation document (OPD) as the guide for allowable customizations.
- **Internal Distribution via a Corporate Intranet.** This version is for network admins that plan to directly deploy IE11 into a corporate environment.
@@ -64,10 +64,10 @@ During installation, you must pick a version of IEAK 11, either **External** or
Two installation modes are available to you, depending on how you are planning to use the customized browser created with the software. Each mode requires a separate installation of the software.
-- **External Distribution**
+- **External Distribution**
This mode is available to anyone who wants to create a customized browser for distribution outside their company (for example, websites, magazines, retailers, non-profit organizations, independent hardware vendors, independent software vendors, Internet service providers, Internet content providers, software developers, and marketers).
-- **Internal Distribution**
+- **Internal Distribution**
This mode is available to companies for the creation and distribution of a customized browser only to their employees over a corporate intranet.
The table below identifies which customizations you may or may not perform based on the mode you selected.
@@ -100,8 +100,8 @@ Support for some of the Internet Explorer settings on the wizard pages varies de
Two installation modes are available to you, depending on how you are planning to use the customized browser created with the software. Each mode requires a separate installation of the software.
-- **External Distribution**
+- **External Distribution**
You shall use commercially reasonable efforts to maintain the quality of (i) any non-Microsoft software distributed with Internet Explorer 11, and (ii) any media used for distribution (for example, optical media, flash drives), at a level that meets or exceeds the highest industry standards. If you distribute add-ons with Internet Explorer 11, those add-ons must comply with the [Microsoft browser extension policy](https://docs.microsoft.com/legal/windows/agreements/microsoft-browser-extension-policy).
-- **Internal Distribution - corporate intranet**
+- **Internal Distribution - corporate intranet**
The software is solely for use by your employees within your company's organization and affiliated companies through your corporate intranet. Neither you nor any of your employees may permit redistribution of the software to or for use by third parties other than for third parties such as consultants, contractors, and temporary staff accessing your corporate intranet.
diff --git a/browsers/internet-explorer/kb-support/clear-ie-cache-from-command-line.md b/browsers/internet-explorer/kb-support/clear-ie-cache-from-command-line.md
index 0031c6792e..7adcb24c17 100644
--- a/browsers/internet-explorer/kb-support/clear-ie-cache-from-command-line.md
+++ b/browsers/internet-explorer/kb-support/clear-ie-cache-from-command-line.md
@@ -9,7 +9,7 @@ ms.reviewer: ramakoni, DEV_Triage
ms.prod: internet-explorer
ms.technology:
ms.topic: kb-support
-ms.custom: CI=111020
+ms.custom: CI=111026
ms.localizationpriority: Normal
# localization_priority: medium
# ms.translationtype: MT
@@ -71,10 +71,18 @@ The batch file offers the following options:
**Contents of the batch file**
-```console
+```dos
@echo off
-:: AxelR Test Batch
-:: tested on Windows 8 + IE10, Windows7 + IE9
+# This sample script is not supported under any Microsoft standard support program or service.
+# The sample script is provided AS IS without warranty of any kind. Microsoft further disclaims
+# all implied warranties including, without limitation, any implied warranties of merchantability
+# or of fitness for a particular purpose. The entire risk arising out of the use or performance of
+# the sample scripts and documentation remains with you. In no event shall Microsoft, its authors,
+# or anyone else involved in the creation, production, or delivery of the scripts be liable for any
+# damages whatsoever (including, without limitation, damages for loss of business profits, business
+# interruption, loss of business information, or other pecuniary loss) arising out of the use of or
+# inability to use the sample scripts or documentation, even if Microsoft has been advised of the
+# possibility of such damages
:home
cls
@@ -83,55 +91,33 @@ echo Delete IE History
echo Please select the task you wish to run.
echo Pick one:
echo.
-echo 1. Delete Non-trusted web History(low level hidden clean up)
-echo 2. Delete History
-echo 3. Delete Cookies
-echo 4. Delete Temporary Internet Files
-echo 5. Delete Form Data
-echo 6. Delete Stored Passwords
-echo 7. Delete All
-echo 8. Delete All "Also delete files and settings stored by add-ons"
-echo 9. Delete IE10 and 9 Temporary Internet Files
-echo 10. Reset IE Settings
-echo 77. EXIT
+echo 1. Delete History
+echo 2. Delete Cookies
+echo 3. Delete Temporary Internet Files
+echo 4. Delete Form Data
+echo 5. Delete Stored Passwords
+echo 6. Delete All
+echo 7. Delete All "Also delete files and settings stored by add-ons"
+echo 8. Delete IE10 and 9 Temporary Internet Files
+echo 9. Reset IE Settings
+echo 00. EXIT
:choice
Echo Hit a number [1-10] and press enter.
set /P CH=[1-10]
-if "%CH%"=="1" set x=del /s /q C:\Users\%username%\AppData\Local\Microsoft\Windows\History\low\* /ah
-if "%CH%"=="2" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 1
-if "%CH%"=="3" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 2
-if "%CH%"=="4" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8
-if "%CH%"=="5" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 16
-if "%CH%"=="6" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 32
-if "%CH%"=="7" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255
-if "%CH%"=="8" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 4351
-if "%CH%"=="9" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 9
-if "%CH%"=="10" set x=rundll32.exe inetcpl.cpl ResetIEtoDefaults
-if "%CH%"=="77" goto quit
+if "%CH%"=="1" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 1
+if "%CH%"=="2" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 2
+if "%CH%"=="3" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8
+if "%CH%"=="4" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 16
+if "%CH%"=="5" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 32
+if "%CH%"=="6" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255
+if "%CH%"=="7" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 4351
+if "%CH%"=="8" set x=RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 9
+if "%CH%"=="9" set x=rundll32.exe inetcpl.cpl ResetIEtoDefaults
+if "%CH%"=="00" goto quit
%x%
-goto Home
-
-::Temporary Internet Files > Delete files - To delete copies of web pages, images, and media
-::that are saved for faster viewing.
-::Cookies > Delete cookies - To delete cookies, which are files that are stored on your computer by
-::websites to save preferences such as login information.
-::History > Delete history - To delete the history of the websites you have visited.
-::Form data > Delete forms - To delete all the saved information that you have typed into
-::forms.
-::Passwords > Delete passwords - To delete all the passwords that are automatically filled in
-::when you log on to a website that you've previously visited.
-::Delete all - To delete all of these listed items in one operation.
-
-::enter below in search/run to see Low history dir if exists
-::C:\Users\%username%\AppData\Local\Microsoft\Windows\History\low
-
-::Delete all low (untrusted history) very hidden
-::this will clean any unlocked files under the dir and not delete the dir structure
-::del /s /q low\* /ah ::del /s /q C:\Users\%username%\AppData\Local\Microsoft\Windows\History\low\* /ah
-
goto Home
:quit
```
diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md
index 49166b9f72..330bc3286e 100644
--- a/devices/hololens/TOC.md
+++ b/devices/hololens/TOC.md
@@ -66,6 +66,9 @@
## [Status of the HoloLens services](hololens-status.md)
## [Get support](https://support.microsoft.com/supportforbusiness/productselection?sapid=3ec35c62-022f-466b-3a1e-dbbb7b9a55fb)
+# Resources
+## [Windows Autopilot for HoloLens 2 evaluation guide](hololens2-autopilot.md)
+
# [HoloLens release notes](hololens-release-notes.md)
# [Give us feedback](hololens-feedback.md)
# [Insider preview for Microsoft HoloLens](hololens-insider.md)
diff --git a/devices/hololens/change-history-hololens.md b/devices/hololens/change-history-hololens.md
index 4b3449e838..9a1b48b3eb 100644
--- a/devices/hololens/change-history-hololens.md
+++ b/devices/hololens/change-history-hololens.md
@@ -1,7 +1,7 @@
---
title: Change history for Microsoft HoloLens documentation
ms.reviewer:
-manager: dansimp
+manager: laurawi
description: This topic lists new and updated topics for HoloLens.
keywords: change history
ms.prod: hololens
diff --git a/devices/hololens/hololens-encryption.md b/devices/hololens/hololens-encryption.md
index af44d41fb3..6b2cfb74bc 100644
--- a/devices/hololens/hololens-encryption.md
+++ b/devices/hololens/hololens-encryption.md
@@ -10,7 +10,7 @@ ms.topic: article
ms.localizationpriority: medium
ms.date: 01/26/2019
ms.reviewer:
-manager: dansimp
+manager: laurawi
appliesto:
- HoloLens (1st gen)
---
diff --git a/devices/hololens/hololens-enroll-mdm.md b/devices/hololens/hololens-enroll-mdm.md
index c8b54ac1f2..bce3d27644 100644
--- a/devices/hololens/hololens-enroll-mdm.md
+++ b/devices/hololens/hololens-enroll-mdm.md
@@ -10,7 +10,7 @@ ms.topic: article
ms.localizationpriority: medium
ms.date: 07/15/2019
ms.reviewer:
-manager: dansimp
+manager: laurawi
appliesto:
- HoloLens (1st gen)
- HoloLens 2
diff --git a/devices/hololens/hololens-insider.md b/devices/hololens/hololens-insider.md
index 68262afb5b..c4d1cee1a2 100644
--- a/devices/hololens/hololens-insider.md
+++ b/devices/hololens/hololens-insider.md
@@ -11,9 +11,9 @@ ms.custom:
- CSSTroubleshooting
ms.localizationpriority: medium
audience: ITPro
-ms.date: 1/6/2020
+ms.date: 4/14/2020
ms.reviewer:
-manager: dansimp
+manager: laurawi
appliesto:
- HoloLens 2
---
@@ -64,7 +64,7 @@ Here's a quick summary of what's new:
- Support for FIDO2 Security Keys to enable secure and easy authentication for shared devices
- Seamlessly apply a provisioning package from a USB drive to your HoloLens
- Use a provisioning packages to enroll your HoloLens to your Mobile Device Management system
-- Use Windows AutoPilot to set up and pre-configure new devices, quickly getting them ready for productive use. Send a note to hlappreview@microsoft.com to join the preview.
+- Use Windows Autopilot to set up and pre-configure new devices, quickly getting them ready for productive use. To participate in the program you'll need to meet a few requirements. While the program is in preview mode you'll need to be using Microsoft Intune. You'll need to use a tenant that is flighted for HoloLens. Lastly you'll need to have installed an insider preview buildon your HoloLens 2. To praticipate in the preview of this new program send a note to hlappreview@microsoft.com to join the preview.
- Dark Mode - HoloLens customers can now choose the default mode for apps that support both color schemes! Based on customer feedback, with this update we are setting the default app mode to "dark," but you can easily change this setting at any time.
- Support for additional system voice commands
- An updated Cortana app with a focus on productivity
@@ -120,6 +120,19 @@ Here are some of the in-box apps that support Dark mode!
- 3D Viewer
- Movies & TV
+### Windows Autopilot for HoloLens 2
+
+This Autopilot program supports Autopilot self-deploying mode to provision HoloLens 2 devices as shared devices under your tenant. Self-deploying mode leverages the device's preinstalled OEM image and drivers during the provisioning process. A user can provision the device without putting the device on and going through the Out-of-the-box Experience (OOBE).
+
+When a user starts the Autopilot self-deploying process, the process completes the following steps:
+1. Join the device to Azure Active Directory (Azure AD).
+2. Use Azure AD to enroll the device in Microsoft Intune (or another MDM service).
+3. Download the device-targeted policies, certificates, and networking profiles.
+4. Provision the device.
+5. Present the sign-in screen to the user.
+
+For full information about Autopilot, see [Windows Autopilot for HoloLens 2 evaluation guide](hololens2-autopilot.md).
+
### FFU download and flash directions
To test with a flight signed ffu, you first have to flight unlock your device prior to flashing the flight signed ffu.
1. On PC
diff --git a/devices/hololens/hololens-kiosk.md b/devices/hololens/hololens-kiosk.md
index aab93e1b8a..2043128011 100644
--- a/devices/hololens/hololens-kiosk.md
+++ b/devices/hololens/hololens-kiosk.md
@@ -12,7 +12,7 @@ ms.custom:
- CI 111456
- CSSTroubleshooting
ms.reviewer:
-manager: dansimp
+manager: laurawi
appliesto:
- HoloLens (1st gen)
- HoloLens 2
diff --git a/devices/hololens/hololens-known-issues.md b/devices/hololens/hololens-known-issues.md
index e3ac50bec3..de39da5999 100644
--- a/devices/hololens/hololens-known-issues.md
+++ b/devices/hololens/hololens-known-issues.md
@@ -4,7 +4,7 @@ description: This is the list of known issues that may affect HoloLens developer
keywords: troubleshoot, known issue, help
author: mattzmsft
ms.author: mazeller
-ms.date: 8/30/2019
+ms.date: 4/20/2020
ms.topic: article
ms.custom:
- CI 111456
@@ -13,14 +13,60 @@ HoloLens and holograms: Frequently asked questions
manager: jarrettr
ms.prod: hololens
appliesto:
-- HoloLens 1
+- HoloLens (1st Gen)
+- HoloLens 2
---
# Known issues for HoloLens
-This is the current list of known issues for HoloLens that affect developers. Check here first if you are seeing an odd behavior. This list will be kept updated as new issues are discovered or reported, or as issues are addressed in future HoloLens software updates.
+This is the current list of known issues for HoloLens devices. Check here first if you are seeing an odd behavior. This list will be kept updated as new issues are discovered or reported, or as issues are addressed in future HoloLens software updates.
-## Unable to connect and deploy to HoloLens through Visual Studio
+>[!NOTE]
+> - If you discover an issue that is not blocking you please report it on your HoloLens device via [Feedback Hub](hololens-feedback.md).
+> - If the issue you are facing is blocking you, in addtion to filing feedback, please [file a support request](https://aka.ms/hlsupport).
+
+- [Known issues for all HoloLens generations](#known-issues-for-all-hololens-generations)
+- [Known issues for HoloLens 2 devices](#known-issues-for-hololens-2-devices)
+- [Known issues for HoloLens (1st Gen)](#known-issues-for-hololens-1st-gen)
+- [Known issues for HoloLens emulator](#known-issues-for-hololens-emulator)
+
+## Known issues for all HoloLens generations
+
+### Unity
+
+- See [Install the tools](https://docs.microsoft.com/windows/mixed-reality/install-the-tools) for the most up-to-date version of Unity recommended for HoloLens development.
+- Known issues with the Unity HoloLens Technical Preview are documented in the [HoloLens Unity forums](https://forum.unity3d.com/threads/known-issues.394627/).
+
+### Windows Device Portal
+
+- The Live Preview feature in Mixed Reality capture may exhibit several seconds of latency.
+- On the Virtual Input page, the Gesture and Scroll controls under the Virtual Gestures section are not functional. Using them will have no effect. The virtual keyboard on the same page works correctly.
+- After enabling Developer Mode in Settings, it may take a few seconds before the switch to turn on the Device Portal is enabled.
+
+## Known issues for HoloLens 2 devices
+
+### Blue screen is shown after unenrolling from Insider preview builds on a device reflashed with a Insider build
+
+This is an issue affecting that affects users who are were on an Insider preview build, reflashed their HoloLens 2 with a new insider preview build, and then unenrolled from the Insider program.
+
+This does not affect:
+- Users who are not enrolled in Windows Insider
+- Insiders:
+ - If a device has been enrolled since Insider builds were version 18362.x
+ - If they flashed a Insider signed 19041.x build AND stay enrolled in the Insider program
+
+Work-around:
+- Avoid the issue
+ - Flash a non-insider build. One of the regular monthly updates.
+ - Stay on Insider Preview
+- Reflash the device
+ 1. Put the [HoloLens 2 into flashing mode](https://review.docs.microsoft.com/hololens/hololens-recovery?branch=master#hololens-2) manually by fully powering down while not connect. Then while holding Volume up, tap the Power button.
+ 1. Connect to the PC and open Advanced Recovery Companion.
+ 1. Flash the HoloLens 2 to the default build.
+
+## Known issues for HoloLens (1st Gen)
+
+### Unable to connect and deploy to HoloLens through Visual Studio
> [!NOTE]
> Last Update: 8/8 @ 5:11PM - Visual Studio has released VS 2019 Version 16.2 which includes a fix to this issue. We recommend updating to this newest version to avoid experiencing this error.
@@ -29,7 +75,7 @@ Visual Studio has released VS 2019 Version 16.2 which includes a fix to this iss
Issue root-cause: Users who used Visual Studio 2015 or early releases of Visual Studio 2017 to deploy and debug applications on their HoloLens and then subsequently used the latest versions of Visual Studio 2017 or Visual Studio 2019 with the same HoloLens will be affected. The newer releases of Visual Studio deploy a new version of a component, but files from the older version are left over on the device, causing the newer version to fail. This causes the following error message: DEP0100: Please ensure that target device has developer mode enabled. Could not obtain a developer license on \ due to error 80004005.
-### Workaround
+#### Workaround
Our team is currently working on a fix. In the meantime, you can use the following steps to work around the issue and help unblock deployment and debugging:
@@ -79,7 +125,7 @@ Our team is currently working on a fix. In the meantime, you can use the followi
We will provide further updates as they become available.
-## Issues launching the Microsoft Store and apps on HoloLens
+### Issues launching the Microsoft Store and apps on HoloLens
> [!NOTE]
> Last Update: 4/2 @ 10 AM - Issue resolved.
@@ -126,38 +172,27 @@ If your device is still unable to load apps, you can sideload a version of the .
We appreciate your patience as we have gone through the process to get this issue resolved, and we look forward to continued working with our community to create successful Mixed Reality experiences.
-## Device Update
+### Device Update
- 30 seconds after a new update, the shell may disappear one time. Please perform the **bloom** gesture to resume your session.
-## Visual Studio
+### Visual Studio
- See [Install the tools](https://docs.microsoft.com/windows/mixed-reality/install-the-tools) for the most up-to-date version of Visual Studio that is recommended for HoloLens development.
- When deploying an app from Visual Studio to your HoloLens, you may see the error: **The requested operation cannot be performed on a file with a user-mapped section open. (Exception from HRESULT: 0x800704C8)**. If this happens, try again and your deployment will generally succeed.
-## Emulator
-
-- Not all apps in the Microsoft Store are compatible with the emulator. For example, Young Conker and Fragments are not playable on the emulator.
-- You cannot use the PC webcam in the Emulator.
-- The Live Preview feature of the Windows Device Portal does not work with the emulator. You can still capture Mixed Reality videos and images.
-
-## Unity
-
-- See [Install the tools](https://docs.microsoft.com/windows/mixed-reality/install-the-tools) for the most up-to-date version of Unity recommended for HoloLens development.
-- Known issues with the Unity HoloLens Technical Preview are documented in the [HoloLens Unity forums](https://forum.unity3d.com/threads/known-issues.394627/).
-
-## Windows Device Portal
-
-- The Live Preview feature in Mixed Reality capture may exhibit several seconds of latency.
-- On the Virtual Input page, the Gesture and Scroll controls under the Virtual Gestures section are not functional. Using them will have no effect. The virtual keyboard on the same page works correctly.
-- After enabling Developer Mode in Settings, it may take a few seconds before the switch to turn on the Device Portal is enabled.
-
-## API
+### API
- If the application sets the [focus point](https://docs.microsoft.com/windows/mixed-reality/focus-point-in-unity) behind the user or the normal to camera.forward, holograms will not appear in Mixed Reality Capture photos or videos. Until this bug is fixed in Windows, if applications actively set the [focus point](https://docs.microsoft.com/windows/mixed-reality/focus-point-in-unity) they should ensure the plane normal is set opposite camera-forward (for example, normal = -camera.forward).
-## Xbox Wireless Controller
+### Xbox Wireless Controller
- Xbox Wireless Controller S must be updated before it can be used with HoloLens. Ensure you are [up to date](https://support.xbox.com/xbox-one/accessories/update-controller-for-stereo-headset-adapter) before attempting to pair your controller with a HoloLens.
- If you reboot your HoloLens while the Xbox Wireless Controller is connected, the controller will not automatically reconnect to HoloLens. The Guide button light will flash slowly until the controller powers off after 3 minutes. To reconnect your controller immediately, power off the controller by holding the Guide button until the light turns off. When you power your controller on again, it will reconnect to HoloLens.
- If your HoloLens enters standby while the Xbox Wireless Controller is connected, any input on the controller will wake the HoloLens. You can prevent this by powering off your controller when you are done using it.
+
+## Known issues for HoloLens emulator
+
+- Not all apps in the Microsoft Store are compatible with the emulator. For example, Young Conker and Fragments are not playable on the emulator.
+- You cannot use the PC webcam in the Emulator.
+- The Live Preview feature of the Windows Device Portal does not work with the emulator. You can still capture Mixed Reality videos and images.
diff --git a/devices/hololens/hololens-multiple-users.md b/devices/hololens/hololens-multiple-users.md
index 4bd8b317ef..d65929d676 100644
--- a/devices/hololens/hololens-multiple-users.md
+++ b/devices/hololens/hololens-multiple-users.md
@@ -9,7 +9,7 @@ ms.topic: article
ms.localizationpriority: medium
ms.date: 09/16/2019
ms.reviewer:
-manager: dansimp
+manager: laurawi
appliesto:
- HoloLens (1st gen)
- HoloLens 2
diff --git a/devices/hololens/hololens-provisioning.md b/devices/hololens/hololens-provisioning.md
index 70edc38d5e..5eea91fcbe 100644
--- a/devices/hololens/hololens-provisioning.md
+++ b/devices/hololens/hololens-provisioning.md
@@ -16,7 +16,7 @@ ms.custom:
ms.localizationpriority: medium
ms.date: 03/10/2020
ms.reviewer: Teresa-Motiv
-manager: dansimp
+manager: laurawi
appliesto:
- HoloLens (1st gen)
- HoloLens 2
diff --git a/devices/hololens/hololens-release-notes.md b/devices/hololens/hololens-release-notes.md
index 79c2e77dc1..b289b56df1 100644
--- a/devices/hololens/hololens-release-notes.md
+++ b/devices/hololens/hololens-release-notes.md
@@ -3,7 +3,7 @@ title: HoloLens release notes
description: Learn about updates in each new HoloLens release.
author: scooley
ms.author: scooley
-manager: dansimp
+manager: laurawi
ms.prod: hololens
ms.sitesec: library
ms.topic: article
@@ -26,7 +26,7 @@ appliesto:
> [!Note]
> HoloLens Emulator Release Notes can be found [here](https://docs.microsoft.com/windows/mixed-reality/hololens-emulator-archive).
-### Coming Soon
+### April Update - build 18362.1059
**Dark mode for supported apps**
diff --git a/devices/hololens/hololens2-autopilot.md b/devices/hololens/hololens2-autopilot.md
new file mode 100644
index 0000000000..1d2c68e80e
--- /dev/null
+++ b/devices/hololens/hololens2-autopilot.md
@@ -0,0 +1,249 @@
+---
+title: Windows Autopilot for HoloLens 2 evaluation guide
+description:
+author: Teresa-Motiv
+ms.author: v-tea
+ms.date: 4/10/2020
+ms.prod: hololens
+ms.topic: article
+ms.custom:
+- CI 116283
+- CSSTroubleshooting
+audience: ITPro
+ms.localizationpriority: high
+keywords: autopilot
+manager: jarrettr
+appliesto:
+- HoloLens 2
+---
+
+# Windows Autopilot for HoloLens 2 evaluation guide
+
+When you set up HoloLens 2 devices for the Windows Autopilot program, your users can follow a simple process to provision the devices from the cloud.
+
+This Autopilot program supports Autopilot self-deploying mode to provision HoloLens 2 devices as shared devices under your tenant. Self-deploying mode leverages the device's preinstalled OEM image and drivers during the provisioning process. A user can provision the device without putting the device on and going through the Out-of-the-box Experience (OOBE).
+
+
+
+When a user starts the Autopilot self-deploying process, the process completes the following steps:
+
+1. Join the device to Azure Active Directory (Azure AD).
+ > [!NOTE]
+ > Autopilot for HoloLens does not support Active Directory join or Hybrid Azure AD join.
+1. Use Azure AD to enroll the device in Microsoft Intune (or another MDM service).
+1. Download the device-targeted policies, certificates, and networking profiles.
+1. Provision the device.
+1. Present the sign-in screen to the user.
+
+## Windows Autopilot for HoloLens 2: Get started
+
+The following steps summarize the process of setting up your environment for the Windows Autopilot for HoloLens 2. The rest of this section provides the details of these steps.
+
+1. Enroll in the Windows Autopilot for HoloLens 2 program.
+1. Make sure that you meet the requirements for Windows Autopilot for HoloLens.
+1. Verify that your tenant is flighted (enrolled to participate in the program).
+1. Register devices in Windows Autopilot.
+1. Create a device group.
+1. Create a deployment profile.
+1. Verify the ESP configuration.
+1. Configure a custom configuration profile for HoloLens devices (known issue).
+1. Verify the profile status of the HoloLens devices.
+
+### 1. Enroll in the Windows Autopilot for HoloLens 2 program
+
+To participate in the program, you have to use a tenant that is flighted for HoloLens. To do this, go to [Windows Autopilot for HoloLens Private Preview request](https://aka.ms/APHoloLensTAP) or use the following QR code to submit a request.
+
+
+
+In this request, provide the following information:
+
+- Tenant domain
+- Tenant ID
+- Number of HoloLens 2 devices that are participating in this evaluation
+- Number of HoloLens 2 devices that you plan to deploy by using Autopilot self-deploying mode
+
+### 2. Make sure that you meet the requirements for Windows Autopilot for HoloLens
+
+For the latest information about how to participate in the program, review [Windows Insider Release Notes](hololens-insider.md#windows-insider-release-notes).
+
+Review the following sections of the Windows Autopilot requirements article:
+
+- [Network requirements](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot-requirements#networking-requirements)
+- [Licensing requirements](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot-requirements#licensing-requirements)
+- [Configuration requirements](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot-requirements#configuration-requirements)
+ > [!IMPORTANT]
+ > For information about how to register devices and configure profiles, see [4. Register devices in Windows Autopilot](#4-register-devices-in-windows-autopilot) and [6. Create a deployment profile](#6-create-a-deployment-profile) in this article. These sections provide steps that are specific to HoloLens.
+
+> [!IMPORTANT]
+> Unlike other Windows Autopilot programs, Windows Autopilot for HoloLens 2 has specific operating system requirements.
+
+Review the "[Requirements](https://docs.microsoft.com/windows/deployment/windows-autopilot/self-deploying#requirements)" section of the Windows Autopilot Self-Deploying mode article. Your environment has to meet these requirements as well as the standard Windows Autopilot requirements.
+
+> [!NOTE]
+> You do not have to review the "Step by step" and "Validation" sections of the article. The procedures later in this article provide corresponding steps that are specific to HoloLens.
+
+Before you start the OOBE and provisioning process, make sure that the HoloLens devices meet the following requirements:
+
+- The devices are not already members of Azure AD, and are not enrolled in Intune (or another MDM system). The Autopilot self-deploying process completes these steps. To make sure that all the device-related information is cleaned up, check the **Devices** pages in both Azure AD and Intune.
+- Every device can connect to the internet. You can use a wired or wireless connection.
+- Every device can connect to a computer by using a USB-C cable, and that computer has the following available:
+ - Advanced Recovery Companion (ARC)
+ - The latest Windows update: Windows 10, version 19041.1002.200107-0909 or a later version)
+
+To configure and manage the Autopilot self-deploying mode profiles, make sure that you have access to [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com).
+
+### 3. Verify that your tenant is flighted
+
+To verify that your tenant is flighted for the Autopilot program after you submit your request, follow these steps:
+
+1. Sign in to [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com).
+1. Select **Devices** > **Windows** > **Windows enrollment** > **Windows Autopilot deployment profiles** > **Create profile**.
+
+ 
+ You should see a list that includes **HoloLens**. If this option is not present, use one of the [Feedback](#feedback) options to contact us.
+
+### 4. Register devices in Windows Autopilot
+
+To register a HoloLens device in the Windows Autopilot program, you have to obtain the hardware hash of the device (also known as the hardware ID). The device can record its hardware hash in a CSV file during the OOBE process, or later when a device owner starts the diagnostic log collection process (described in the following procedure). Typically, the device owner is the first user to sign in to the device.
+
+**Retrieve a device hardware hash**
+
+1. Start the HoloLens 2 device, and make sure that you sign in by using an account that is the device owner.
+1. On the device, press the Power and Volume Down buttons at the same time and then release them. The device collects diagnostic logs and the hardware hash, and stores them in a set of .zip files.
+1. Use a USB-C cable to connect the device to a computer.
+1. On the computer, open File Explorer. Open **This PC\\\<*HoloLens device name*>\\Internal Storage\\Documents**, and locate the AutopilotDiagnostics.zip file.
+
+ > [!NOTE]
+ > The .zip file may not immediately be available. If the file is not ready yet you may see a HoloLensDiagnostics.temp file in the Documents folder. To update the list of files, refresh the window.
+
+1. Extract the contents of the AutopilotDiagnostics.zip file.
+1. In the extracted files, locate the CSV file that has a file name prefix of "DeviceHash." Copy that file to a drive on the computer where you can access it later.
+ > [!IMPORTANT]
+ > The data in the CSV file should use the following header and line format:
+ > ```
+ > Device Serial Number,Windows Product ID,Hardware Hash,Group Tag,Assigned User ,,,,
+ >```
+
+**Register the device in Windows Autopilot**
+
+1. In Microsoft Endpoint Manager Admin Center, select **Devices** > **Windows** > **Windows enrollment**, and then select **Devices** > **Import** under **Windows Autopilot Deployment Program**.
+
+1. Under **Add Windows Autopilot devices**, select the DeviceHash CSV file, select **Open**, and then select **Import**.
+
+ 
+1. After the import finishes, select **Devices** > **Windows** > **Windows enrollment** > **Devices** > **Sync**. The process might take a few minutes to complete, depending on how many devices are being synchronized. To see the registered device, select **Refresh**.
+
+ 
+
+### 5. Create a device group
+
+1. In Microsoft Endpoint Manager admin center, select **Groups** > **New group**.
+1. For **Group type**, select **Security**, and then enter a group name and description.
+1. For **Membership type**, select either **Assigned** or **Dynamic Device**.
+1. Do one of the following:
+
+ - If you selected **Assigned** for **Membership type** in the previous step, select **Members**, and then add Autopilot devices to the group. Autopilot devices that aren't yet enrolled are listed by using the device serial number as the device name.
+ - If you selected **Dynamic Devices** for **Membership type** in the previous step, select **Dynamic device members**, and then enter code in **Advanced rule** that resembles the following:
+ - If you want to create a group that includes all of your Autopilot devices, type: `(device.devicePhysicalIDs -any _ -contains "[ZTDId]")`
+ - Intune's group tag field maps to the **OrderID** attribute on Azure AD devices. If you want to create a group that includes all of your Autopilot devices that have a specific group tag (the Azure AD device OrderID), you must type: `(device.devicePhysicalIds -any _ -eq "[OrderID]:179887111881")`
+ - If you want to create a group that includes all your Autopilot devices that have a specific Purchase Order ID, type: `(device.devicePhysicalIds -any _ -eq "[PurchaseOrderId]:76222342342")`
+
+ > [!NOTE]
+ > These rules target attributes that are unique to Autopilot devices.
+1. Select **Save**, and then select **Create**.
+
+### 6. Create a deployment profile
+
+1. In Microsoft Endpoint Manager admin center, select **Devices** > **Windows** > **Windows enrollment** > **Windows Autopilot deployment profiles** > **Create profile** > **HoloLens**.
+1. Enter a profile name and description, and then select **Next**.
+
+ 
+1. On the **Out-of-box experience (OOBE)** page, most of the settings are pre-configured to streamline OOBE for this evaluation. Optionally, you can configure the following settings:
+
+ - **Language (Region)**: Select the language for OOBE. We recommend that you select a language from the list of [supported languages for HoloLens 2](hololens2-language-support.md).
+ - **Automatically configure keyboard**: To make sure that the keyboard matches the selected language, select **Yes**.
+ - **Apply device name template**: To automatically set the device name during OOBE, select **Yes** and then enter the template phrase and placeholders in **Enter a name** For example, enter a prefix and `%RAND:4%`—a placeholder for a four-digit random number.
+ > [!NOTE]
+ > If you use a device name template, the OOBE process restarts the device one additional time after it applies the device name and before it joins the device to Azure AD. This restart enables the new name to take effect.
+
+ 
+1. After you configure the settings, select **Next**.
+1. On the **Scope tags** page, optionally add the scope tags that you want to apply to this profile. For more information about scope tags, see [Use role-based access control and scope tags for distributed IT](https://docs.microsoft.com/mem/intune/fundamentals/scope-tags.md). When finished, select **Next**.
+1. On the **Assignments** page, select **Selected groups** for **Assign to**.
+1. Under **SELECTED GROUPS**, select **+ Select groups to include**.
+1. In the **Select groups to include** list, select the device group that you created for the Autopilot HoloLens devices, and then select **Next**.
+
+ If you want to exclude any groups, select **Select groups to exclude**, and select the groups that you want to exclude.
+
+ 
+1. On the **Review + Create** page, review the settings and then select **Create** to create the profile.
+
+ 
+
+### 7. Verify the ESP configuration
+
+The Enrollment Status Page (ESP) displays the status of the complete device configuration process that runs when an MDM managed user signs into a device for the first time. Make sure that your ESP configuration resembles the following, and verify that the assignments are correct.
+
+
+
+### 8. Configure a custom configuration profile for HoloLens devices (known issue)
+
+1. In [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com), select **Devices** > **Configuration profiles** > **Create profile**.
+1. For **Platform**, specify **Windows 10 and later**, and for **Profile**, select **Custom**.
+1. Select **Create**.
+1. Enter a name for the profile, and then select **Settings** > **Configure**.
+
+ 
+1. Select **Add**, and then specify the following information:
+
+ - **Name**: SidecarPath
+ - **OMA-URI**: ./images/Device/Vendor/MSFT/EnrollmentStatusTracking/DevicePreparation/PolicyProviders/Sidecar/InstallationState
+ - **Data type**: Integer
+ - **Value**: 2
+1. Select **OK** two times, and then select **Create** to create the profile.
+1. After Intune creates the configuration profile, assign the configuration profile to the device group for the HoloLens devices.
+
+### 9. Verify the profile status of the HoloLens devices
+
+1. In Microsoft Endpoint Manager Admin Center, select **Devices** > **Windows** > **Windows enrollment** > **Devices**.
+1. Verify that the HoloLens devices are listed, and that their profile status is **Assigned**.
+ > [!NOTE]
+ > It may take a few minutes for the profile to be assigned to the device.
+
+ 
+
+## Windows Autopilot for HoloLens 2 User Experience
+
+Your HoloLens users can follow these steps to provision HoloLens devices.
+
+1. Use the USB-C cable to connect the HoloLens device to a computer that has Advanced Recovery Companion (ARC) installed and has the appropriate Windows update downloaded.
+1. Use ARC to flash the appropriate version of Windows on to the device.
+1. Connect the device to the network, and then restart the device.
+ > [!IMPORTANT]
+ > You must connect the device to the network before the Out-of-the-Box-Experience (OOBE) starts. The device determines whether it is provisioning as an Autopilot device while on the first OOBE screen. If the device cannot connect to the network, or if you choose not to provision the device as an Autopilot device, you cannot change to Autopilot provisioning at a later time. Instead, you would have to start this procedure over in order to provision the device as an Autopilot device.
+
+ The device should automatically start OOBE. Do not interact with OOBE. Instead sit, back and relax! Let HoloLens 2 detect network connectivity and allow it complete OOBE automatically. The device may restart during OOBE. The OOBE screens should resemble the following.
+
+ 
+ 
+ 
+ 
+
+At the end of OOBE, you can sign in to the device by using your user name and password.
+
+ 
+
+## Known Issues
+
+- The list of supported languages for Autopilot deployment profiles includes languages that HoloLens does not support. Select a language that [HoloLens supports](hololens2-language-support.md).
+
+## Feedback
+
+To provide feedback or report issues, use one of the following methods:
+
+- Use the Feedback Hub app. You can find this app on a HoloLens-connected computer. In Feedback Hub, select the **Enterprise Management** > **Device** category.
+
+ When you provide feedback or report an issue, provide a detailed description. If applicable, include screenshots and logs.
+- Send an email message to [hlappreview@microsoft.com](mailto:hlappreview@microsoft.com). For the email subject, enter **\<*Tenant*> Autopilot for HoloLens 2 evaluation feedback** (where \<*Tenant*> is the name of your Intune tenant).
+
+ Provide a detailed description in your message. However, unless Support personnel specifically request it, do not include data such as screenshots or logs. Such data might include private or personally identifiable information (PII).
diff --git a/devices/hololens/hololens2-maintenance.md b/devices/hololens/hololens2-maintenance.md
index 1faaca4425..845e36cba1 100644
--- a/devices/hololens/hololens2-maintenance.md
+++ b/devices/hololens/hololens2-maintenance.md
@@ -3,7 +3,7 @@ title: HoloLens 2 device care and cleaning FAQ
description:
author: Teresa-Motiv
ms.author: v-tea
-ms.date: 3/26/2020
+ms.date: 4/14/2020
ms.prod: hololens
ms.topic: article
ms.custom:
@@ -69,10 +69,10 @@ To clean the brow pad, wipe it by using a cloth that's moistened by using water
## Can I use ultraviolet (UV) light to sanitize the device?
-UV germicidal irradiation has not been tested on HoloLens 2.
+UV-C germicidal irradiation has not been tested on HoloLens 2.
> [!CAUTION]
-> High levels of UV exposure can degrade the display quality of the device and damage the visor coating. Over-exposure to UV radiation has the following effects, in order of the duration and intensity of exposure:
+> High levels of UV-A and UV-B exposure can degrade the display quality of the device and damage the visor coating. Over-exposure to UV-A and UV-B radiation has the following effects, in order of the duration and intensity of exposure:
>
> 1. The brow pad and device closures become discolored.
> 1. Defects appear in the anti-reflective (AR) coating on the visor and on the sensor windows.
diff --git a/devices/hololens/images/hololens-ap-devices-assignments.png b/devices/hololens/images/hololens-ap-devices-assignments.png
new file mode 100644
index 0000000000..f99eaa367d
Binary files /dev/null and b/devices/hololens/images/hololens-ap-devices-assignments.png differ
diff --git a/devices/hololens/images/hololens-ap-devices-sync.png b/devices/hololens/images/hololens-ap-devices-sync.png
new file mode 100644
index 0000000000..fe970f7983
Binary files /dev/null and b/devices/hololens/images/hololens-ap-devices-sync.png differ
diff --git a/devices/hololens/images/hololens-ap-enrollment-profiles.png b/devices/hololens/images/hololens-ap-enrollment-profiles.png
new file mode 100644
index 0000000000..1e3e8dfaa4
Binary files /dev/null and b/devices/hololens/images/hololens-ap-enrollment-profiles.png differ
diff --git a/devices/hololens/images/hololens-ap-hash-import.png b/devices/hololens/images/hololens-ap-hash-import.png
new file mode 100644
index 0000000000..078e73d78c
Binary files /dev/null and b/devices/hololens/images/hololens-ap-hash-import.png differ
diff --git a/devices/hololens/images/hololens-ap-intro.png b/devices/hololens/images/hololens-ap-intro.png
new file mode 100644
index 0000000000..8095114167
Binary files /dev/null and b/devices/hololens/images/hololens-ap-intro.png differ
diff --git a/devices/hololens/images/hololens-ap-profile-assign-devicegroup.png b/devices/hololens/images/hololens-ap-profile-assign-devicegroup.png
new file mode 100644
index 0000000000..9e6dc92a3c
Binary files /dev/null and b/devices/hololens/images/hololens-ap-profile-assign-devicegroup.png differ
diff --git a/devices/hololens/images/hololens-ap-profile-name.png b/devices/hololens/images/hololens-ap-profile-name.png
new file mode 100644
index 0000000000..a427b437b8
Binary files /dev/null and b/devices/hololens/images/hololens-ap-profile-name.png differ
diff --git a/devices/hololens/images/hololens-ap-profile-oobe.png b/devices/hololens/images/hololens-ap-profile-oobe.png
new file mode 100644
index 0000000000..e14226d7ad
Binary files /dev/null and b/devices/hololens/images/hololens-ap-profile-oobe.png differ
diff --git a/devices/hololens/images/hololens-ap-profile-settings-oma.png b/devices/hololens/images/hololens-ap-profile-settings-oma.png
new file mode 100644
index 0000000000..7528f55292
Binary files /dev/null and b/devices/hololens/images/hololens-ap-profile-settings-oma.png differ
diff --git a/devices/hololens/images/hololens-ap-profile-settings.png b/devices/hololens/images/hololens-ap-profile-settings.png
new file mode 100644
index 0000000000..5753814e1b
Binary files /dev/null and b/devices/hololens/images/hololens-ap-profile-settings.png differ
diff --git a/devices/hololens/images/hololens-ap-profile-summ.png b/devices/hololens/images/hololens-ap-profile-summ.png
new file mode 100644
index 0000000000..4fb955bbdf
Binary files /dev/null and b/devices/hololens/images/hololens-ap-profile-summ.png differ
diff --git a/devices/hololens/images/hololens-ap-qrcode.png b/devices/hololens/images/hololens-ap-qrcode.png
new file mode 100644
index 0000000000..c5296e3e91
Binary files /dev/null and b/devices/hololens/images/hololens-ap-qrcode.png differ
diff --git a/devices/hololens/images/hololens-ap-uex-1.png b/devices/hololens/images/hololens-ap-uex-1.png
new file mode 100644
index 0000000000..f89faa366a
Binary files /dev/null and b/devices/hololens/images/hololens-ap-uex-1.png differ
diff --git a/devices/hololens/images/hololens-ap-uex-2.png b/devices/hololens/images/hololens-ap-uex-2.png
new file mode 100644
index 0000000000..5bf1beb3f0
Binary files /dev/null and b/devices/hololens/images/hololens-ap-uex-2.png differ
diff --git a/devices/hololens/images/hololens-ap-uex-3.png b/devices/hololens/images/hololens-ap-uex-3.png
new file mode 100644
index 0000000000..59a7362269
Binary files /dev/null and b/devices/hololens/images/hololens-ap-uex-3.png differ
diff --git a/devices/hololens/images/hololens-ap-uex-4.png b/devices/hololens/images/hololens-ap-uex-4.png
new file mode 100644
index 0000000000..f17557b5c4
Binary files /dev/null and b/devices/hololens/images/hololens-ap-uex-4.png differ
diff --git a/devices/hololens/images/hololens-ap-uex-5.png b/devices/hololens/images/hololens-ap-uex-5.png
new file mode 100644
index 0000000000..0bd23da48e
Binary files /dev/null and b/devices/hololens/images/hololens-ap-uex-5.png differ
diff --git a/devices/surface-hub/accessibility-surface-hub.md b/devices/surface-hub/accessibility-surface-hub.md
index 031501c2b4..8237e61a08 100644
--- a/devices/surface-hub/accessibility-surface-hub.md
+++ b/devices/surface-hub/accessibility-surface-hub.md
@@ -3,7 +3,7 @@ title: Accessibility (Surface Hub)
description: Accessibility settings for the Microsoft Surface Hub can be changed by using the Settings app. You'll find them under Ease of Access. Your Surface Hub has the same accessibility options as Windows 10.
ms.assetid: 1D44723B-1162-4DF6-99A2-8A3F24443442
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: Accessibility settings, Settings app, Ease of Access
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/admin-group-management-for-surface-hub.md b/devices/surface-hub/admin-group-management-for-surface-hub.md
index 8125113887..81c03b484c 100644
--- a/devices/surface-hub/admin-group-management-for-surface-hub.md
+++ b/devices/surface-hub/admin-group-management-for-surface-hub.md
@@ -3,7 +3,7 @@ title: Admin group management (Surface Hub)
description: Every Microsoft Surface Hub can be configured individually by opening the Settings app on the device.
ms.assetid: FA67209E-B355-4333-B903-482C4A3BDCCE
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: admin group management, Settings app, configure Surface Hub
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md
index 7b44ff3d38..f74f2297fa 100644
--- a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md
+++ b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md
@@ -3,7 +3,7 @@ title: PowerShell for Surface Hub (Surface Hub)
description: PowerShell scripts to help set up and manage your Microsoft Surface Hub.
ms.assetid: 3EF48F63-8E4C-4D74-ACD5-461F1C653784
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: PowerShell, set up Surface Hub, manage Surface Hub
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md b/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md
index 7ea2bc584c..66dd43f75c 100644
--- a/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md
+++ b/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md
@@ -3,7 +3,7 @@ title: Applying ActiveSync policies to device accounts (Surface Hub)
description: The Microsoft Surface Hub's device account uses ActiveSync to sync mail and calendar. This allows people to join and start scheduled meetings from the Surface Hub, and allows them to email any whiteboards they have made during their meeting.
ms.assetid: FAABBA74-3088-4275-B58E-EC1070F4D110
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: Surface Hub, ActiveSync policies
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/change-history-surface-hub.md b/devices/surface-hub/change-history-surface-hub.md
index 2d55222b1b..77ce204725 100644
--- a/devices/surface-hub/change-history-surface-hub.md
+++ b/devices/surface-hub/change-history-surface-hub.md
@@ -1,7 +1,7 @@
---
title: Change history for Surface Hub
ms.reviewer:
-manager: dansimp
+manager: laurawi
description: This topic lists new and updated topics for Surface Hub.
keywords: change history
ms.prod: surface-hub
diff --git a/devices/surface-hub/change-surface-hub-device-account.md b/devices/surface-hub/change-surface-hub-device-account.md
index 142af6e80e..d20e57a184 100644
--- a/devices/surface-hub/change-surface-hub-device-account.md
+++ b/devices/surface-hub/change-surface-hub-device-account.md
@@ -3,7 +3,7 @@ title: Change the Microsoft Surface Hub device account
description: You can change the device account in Settings to either add an account if one was not already provisioned, or to change any properties of an account that was already provisioned.
ms.assetid: AFC43043-3319-44BC-9310-29B1F375E672
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: change device account, change properties, Surface Hub
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/connect-and-display-with-surface-hub.md b/devices/surface-hub/connect-and-display-with-surface-hub.md
index 5fd13d7b95..d5f39c55db 100644
--- a/devices/surface-hub/connect-and-display-with-surface-hub.md
+++ b/devices/surface-hub/connect-and-display-with-surface-hub.md
@@ -3,7 +3,7 @@ title: Connect other devices and display with Surface Hub
description: You can connect other device to your Surface Hub to display content.
ms.assetid: 8BB80FA3-D364-4A90-B72B-65F0F0FC1F0D
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.prod: surface-hub
ms.sitesec: library
author: dansimp
diff --git a/devices/surface-hub/create-a-device-account-using-office-365.md b/devices/surface-hub/create-a-device-account-using-office-365.md
index ff76987746..29f9557045 100644
--- a/devices/surface-hub/create-a-device-account-using-office-365.md
+++ b/devices/surface-hub/create-a-device-account-using-office-365.md
@@ -3,7 +3,7 @@ title: Create a device account using UI (Surface Hub)
description: If you prefer to use a graphical user interface, you can create a device account for your Microsoft Surface Hub with either the Office 365 UI or the Exchange Admin Center.
ms.assetid: D11BCDC4-DABA-4B9A-9ECB-58E02CC8218C
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: create device account, Office 365 UI, Exchange Admin center, Microsoft 365 admin center, Skype for Business, mobile device mailbox policy
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md
index dc72c7463a..8985f70c9d 100644
--- a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md
+++ b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md
@@ -3,7 +3,7 @@ title: Create and test a device account (Surface Hub)
description: This topic introduces how to create and test the device account that Microsoft Surface Hub uses to communicate with Microsoft Exchange and Skype.
ms.assetid: C8605B5F-2178-4C3A-B4E0-CE32C70ECF67
ms.reviewer: rikot
-manager: dansimp
+manager: laurawi
keywords: create and test device account, device account, Surface Hub and Microsoft Exchange, Surface Hub and Skype
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/device-reset-surface-hub.md b/devices/surface-hub/device-reset-surface-hub.md
index d8d0269900..8eb3486d7d 100644
--- a/devices/surface-hub/device-reset-surface-hub.md
+++ b/devices/surface-hub/device-reset-surface-hub.md
@@ -3,7 +3,7 @@ title: Reset or recover a Surface Hub
description: Describes the reset and recovery processes for the Surface Hub, and provides instructions.
ms.assetid: 44E82EEE-1905-464B-A758-C2A1463909FF
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: reset Surface Hub, recover
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md b/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md
index 73a50f66c9..9309e9b2a3 100644
--- a/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md
+++ b/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 06/20/2019
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/enable-8021x-wired-authentication.md b/devices/surface-hub/enable-8021x-wired-authentication.md
index bf91e2e42c..8ac2baccb6 100644
--- a/devices/surface-hub/enable-8021x-wired-authentication.md
+++ b/devices/surface-hub/enable-8021x-wired-authentication.md
@@ -8,7 +8,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 11/15/2017
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md b/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md
index b6fca3a49e..9a100d4a60 100644
--- a/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md
+++ b/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md
@@ -3,7 +3,7 @@ title: Microsoft Exchange properties (Surface Hub)
description: Some Microsoft Exchange properties of the device account must be set to particular values to have the best meeting experience on Microsoft Surface Hub.
ms.assetid: 3E84393B-C425-45BF-95A6-D6502BA1BF29
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: Microsoft Exchange properties, device account, Surface Hub, Windows PowerShell cmdlet
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/finishing-your-surface-hub-meeting.md b/devices/surface-hub/finishing-your-surface-hub-meeting.md
index 8776870779..3e02c9bb0a 100644
--- a/devices/surface-hub/finishing-your-surface-hub-meeting.md
+++ b/devices/surface-hub/finishing-your-surface-hub-meeting.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 07/27/2017
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/first-run-program-surface-hub.md b/devices/surface-hub/first-run-program-surface-hub.md
index 3d38a356f5..8a3bfc6e91 100644
--- a/devices/surface-hub/first-run-program-surface-hub.md
+++ b/devices/surface-hub/first-run-program-surface-hub.md
@@ -3,7 +3,7 @@ title: First-run program (Surface Hub)
description: The term \ 0034;first run \ 0034; refers to the series of steps you'll go through the first time you power up your Microsoft Surface Hub, and means the same thing as \ 0034;out-of-box experience \ 0034; (OOBE). This section will walk you through the process.
ms.assetid: 07C9E84C-1245-4511-B3B3-75939AD57C49
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: first run, Surface Hub, out-of-box experience, OOBE
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md
index ea543e69f2..73c94f6557 100644
--- a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md
@@ -3,7 +3,7 @@ title: Hybrid deployment (Surface Hub)
description: A hybrid deployment requires special processing to set up a device account for your Microsoft Surface Hub.
ms.assetid: 7BFBB7BE-F587-422E-9CE4-C9DDF829E4F1
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: hybrid deployment, device account for Surface Hub, Exchange hosted on-prem, Exchange hosted online
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/install-apps-on-surface-hub.md b/devices/surface-hub/install-apps-on-surface-hub.md
index 74505ca6ff..9e1c8767f5 100644
--- a/devices/surface-hub/install-apps-on-surface-hub.md
+++ b/devices/surface-hub/install-apps-on-surface-hub.md
@@ -3,7 +3,7 @@ title: Install apps on your Microsoft Surface Hub
description: Admins can install apps can from either the Microsoft Store or the Microsoft Store for Business.
ms.assetid: 3885CB45-D496-4424-8533-C9E3D0EDFD94
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: install apps, Microsoft Store, Microsoft Store for Business
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/local-management-surface-hub-settings.md b/devices/surface-hub/local-management-surface-hub-settings.md
index 810691dfe8..886e4b79f3 100644
--- a/devices/surface-hub/local-management-surface-hub-settings.md
+++ b/devices/surface-hub/local-management-surface-hub-settings.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 07/08/2019
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
index 5394d7c761..3762de36a4 100644
--- a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
+++ b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
@@ -3,7 +3,7 @@ title: Manage settings with an MDM provider (Surface Hub)
description: Microsoft Surface Hub provides an enterprise management solution to help IT administrators manage policies and business applications on these devices using a mobile device management (MDM) solution.
ms.assetid: 18EB8464-6E22-479D-B0C3-21C4ADD168FE
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: mobile device management, MDM, manage policies
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/manage-surface-hub-settings.md b/devices/surface-hub/manage-surface-hub-settings.md
index a5d76ff156..b217ccee4d 100644
--- a/devices/surface-hub/manage-surface-hub-settings.md
+++ b/devices/surface-hub/manage-surface-hub-settings.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 07/27/2017
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/manage-surface-hub.md b/devices/surface-hub/manage-surface-hub.md
index 4ad681ff5f..10240a192f 100644
--- a/devices/surface-hub/manage-surface-hub.md
+++ b/devices/surface-hub/manage-surface-hub.md
@@ -3,7 +3,7 @@ title: Manage Microsoft Surface Hub
description: How to manage your Surface Hub after finishing the first-run program.
ms.assetid: FDB6182C-1211-4A92-A930-6C106BCD5DC1
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: manage Surface Hub
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md
index 2dc9f71874..9dee3e2a4b 100644
--- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md
+++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md
@@ -3,7 +3,7 @@ title: Manage Windows updates on Surface Hub
description: You can manage Windows updates on your Microsoft Surface Hub or Surface Hub 2S by setting the maintenance window, deferring updates, or using Windows Server Update Services (WSUS).
ms.assetid: A737BD50-2D36-4DE5-A604-55053D549045
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: manage Windows updates, Surface Hub, Windows Server Update Services, WSUS
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/miracast-over-infrastructure.md b/devices/surface-hub/miracast-over-infrastructure.md
index 1b09f33999..2bb6381924 100644
--- a/devices/surface-hub/miracast-over-infrastructure.md
+++ b/devices/surface-hub/miracast-over-infrastructure.md
@@ -8,7 +8,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 06/20/2019
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
@@ -41,7 +41,6 @@ If you have a Surface Hub or other Windows 10 device that has been updated to Wi
- As a Miracast source, the Windows PC or phone must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
- The DNS Hostname (device name) of the Surface Hub or device needs to be resolvable via your DNS servers. You can achieve this by either allowing your Surface Hub to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the Surface Hub's hostname.
- Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
-- On Windows 10 PCs, the **Projecting to this PC** feature must be enabled within System Settings, and the device must have a Wi-Fi interface enabled in order to respond to discovery requests.
It is important to note that Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method.
diff --git a/devices/surface-hub/miracast-troubleshooting.md b/devices/surface-hub/miracast-troubleshooting.md
index eb33f483d6..c4e2ff5b3e 100644
--- a/devices/surface-hub/miracast-troubleshooting.md
+++ b/devices/surface-hub/miracast-troubleshooting.md
@@ -8,7 +8,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 06/20/2019
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/monitor-surface-hub.md b/devices/surface-hub/monitor-surface-hub.md
index 262c565327..9828a8a268 100644
--- a/devices/surface-hub/monitor-surface-hub.md
+++ b/devices/surface-hub/monitor-surface-hub.md
@@ -3,7 +3,7 @@ title: Monitor your Microsoft Surface Hub
description: Monitoring for Microsoft Surface Hub devices is enabled through Microsoft Operations Management Suite (OMS).
ms.assetid: 1D2ED317-DFD9-423D-B525-B16C2B9D6942
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: monitor Surface Hub, Microsoft Operations Management Suite, OMS
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
index 88b0653b00..d35f03b804 100644
--- a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
@@ -3,7 +3,7 @@ title: On-premises deployment single forest (Surface Hub)
description: This topic explains how you add a device account for your Microsoft Surface Hub when you have a single-forest, on-premises deployment.
ms.assetid: 80E12195-A65B-42D1-8B84-ECC3FCBAAFC6
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: single forest deployment, on prem deployment, device account, Surface Hub
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md b/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md
index f643e4cfe6..170dd03968 100644
--- a/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md
+++ b/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md
@@ -8,7 +8,7 @@ author: dansimp
ms.author: dansimp
ms.date: 08/28/2018
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
index 0cd6fc5219..30f0e34b1f 100644
--- a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
@@ -3,7 +3,7 @@ title: Online deployment with Office 365 (Surface Hub)
description: This topic has instructions for adding a device account for your Microsoft Surface Hub when you have a pure, online deployment.
ms.assetid: D325CA68-A03F-43DF-8520-EACF7C3EDEC1
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: device account for Surface Hub, online deployment
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/password-management-for-surface-hub-device-accounts.md b/devices/surface-hub/password-management-for-surface-hub-device-accounts.md
index 22e7e1284c..1ef2fcaa46 100644
--- a/devices/surface-hub/password-management-for-surface-hub-device-accounts.md
+++ b/devices/surface-hub/password-management-for-surface-hub-device-accounts.md
@@ -3,7 +3,7 @@ title: Password management (Surface Hub)
description: Every Microsoft Surface Hub device account requires a password to authenticate and enable features on the device.
ms.assetid: 0FBFB546-05F0-430E-905E-87111046E4B8
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: password, password management, password rotation, device account
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/physically-install-your-surface-hub-device.md b/devices/surface-hub/physically-install-your-surface-hub-device.md
index 6d06a9ac69..aeadcb900a 100644
--- a/devices/surface-hub/physically-install-your-surface-hub-device.md
+++ b/devices/surface-hub/physically-install-your-surface-hub-device.md
@@ -3,7 +3,7 @@ title: Physically install Microsoft Surface Hub
description: The Microsoft Surface Hub Readiness Guide will help make sure that your site is ready for the installation.
ms.assetid: C764DBFB-429B-4B29-B4E8-D7F0073BC554
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: Surface Hub, readiness guide, installation location, mounting options
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md
index 198dba4f74..69ca8e6c3e 100644
--- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md
+++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md
@@ -3,7 +3,7 @@ title: Prepare your environment for Microsoft Surface Hub
description: This section contains an overview of the steps required to prepare your environment so that you can use all of the features of Microsoft Surface Hub.
ms.assetid: 336A206C-5893-413E-A270-61BFF3DF7DA9
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: prepare environment, features of Surface Hub, create and test device account, check network availability
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/provisioning-packages-for-surface-hub.md b/devices/surface-hub/provisioning-packages-for-surface-hub.md
index 607c66829e..305403b9dc 100644
--- a/devices/surface-hub/provisioning-packages-for-surface-hub.md
+++ b/devices/surface-hub/provisioning-packages-for-surface-hub.md
@@ -3,7 +3,7 @@ title: Create provisioning packages (Surface Hub)
description: For Windows 10, settings that use the registry or a configuration service provider (CSP) can be configured using provisioning packages.
ms.assetid: 8AA25BD4-8A8F-4B95-9268-504A49BA5345
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: add certificate, provisioning package
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/remote-surface-hub-management.md b/devices/surface-hub/remote-surface-hub-management.md
index 7a9acbe0fd..1794a9bcac 100644
--- a/devices/surface-hub/remote-surface-hub-management.md
+++ b/devices/surface-hub/remote-surface-hub-management.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 07/27/2017
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/save-bitlocker-key-surface-hub.md b/devices/surface-hub/save-bitlocker-key-surface-hub.md
index 6bbfd1532a..12e59349d6 100644
--- a/devices/surface-hub/save-bitlocker-key-surface-hub.md
+++ b/devices/surface-hub/save-bitlocker-key-surface-hub.md
@@ -3,7 +3,7 @@ title: Save your BitLocker key (Surface Hub)
description: Every Microsoft Surface Hub is automatically set up with BitLocker drive encryption software. Microsoft strongly recommends that you make sure you back up your BitLocker recovery keys.
ms.assetid: E11E4AB6-B13E-4ACA-BCE1-4EDC9987E4F2
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: Surface Hub, BitLocker, Bitlocker recovery keys
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/set-up-your-surface-hub.md b/devices/surface-hub/set-up-your-surface-hub.md
index 96f42c3df1..08ca875984 100644
--- a/devices/surface-hub/set-up-your-surface-hub.md
+++ b/devices/surface-hub/set-up-your-surface-hub.md
@@ -3,7 +3,7 @@ title: Set up Microsoft Surface Hub
description: Set up instructions for Surface Hub include a setup worksheet, and a walkthrough of the first-run program.
ms.assetid: 4D1722BC-704D-4471-BBBE-D0500B006221
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: set up instructions, Surface Hub, setup worksheet, first-run program
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/setup-worksheet-surface-hub.md b/devices/surface-hub/setup-worksheet-surface-hub.md
index 6043d88f1d..e7352a5dbe 100644
--- a/devices/surface-hub/setup-worksheet-surface-hub.md
+++ b/devices/surface-hub/setup-worksheet-surface-hub.md
@@ -3,7 +3,7 @@ title: Setup worksheet (Surface Hub)
description: When you've finished pre-setup and are ready to start first-time setup for your Microsoft Surface Hub, make sure you have all the information listed in this section.
ms.assetid: AC6F925B-BADE-48F5-8D53-8B6FFF6EE3EB
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: Setup worksheet, pre-setup, first-time setup
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/skype-hybrid-voice.md b/devices/surface-hub/skype-hybrid-voice.md
index c805fb9005..910f2d0129 100644
--- a/devices/surface-hub/skype-hybrid-voice.md
+++ b/devices/surface-hub/skype-hybrid-voice.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 07/27/2017
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/support-solutions-surface-hub.md b/devices/surface-hub/support-solutions-surface-hub.md
index b683f85daf..9de0b753f9 100644
--- a/devices/surface-hub/support-solutions-surface-hub.md
+++ b/devices/surface-hub/support-solutions-surface-hub.md
@@ -3,7 +3,7 @@ title: Top support solutions for Microsoft Surface Hub
description: Find top solutions for common issues using Surface Hub.
ms.assetid: CF58F74D-8077-48C3-981E-FCFDCA34B34A
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: Troubleshoot common problems, setup issues
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/surface-hub-authenticator-app.md b/devices/surface-hub/surface-hub-authenticator-app.md
index 9ad0606641..80c7dbefd1 100644
--- a/devices/surface-hub/surface-hub-authenticator-app.md
+++ b/devices/surface-hub/surface-hub-authenticator-app.md
@@ -8,7 +8,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 08/28/2017
ms.reviewer:
-manager: dansimp
+manager: laurawi
localizationpriority: medium
---
diff --git a/devices/surface-hub/surface-hub-downloads.md b/devices/surface-hub/surface-hub-downloads.md
index 5e5073588a..79ff342ba9 100644
--- a/devices/surface-hub/surface-hub-downloads.md
+++ b/devices/surface-hub/surface-hub-downloads.md
@@ -8,7 +8,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 08/22/2017
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/surface-hub-qos.md b/devices/surface-hub/surface-hub-qos.md
index 105a188ae1..aa1b746b8d 100644
--- a/devices/surface-hub/surface-hub-qos.md
+++ b/devices/surface-hub/surface-hub-qos.md
@@ -1,7 +1,7 @@
---
title: Implement Quality of Service on Surface Hub
ms.reviewer:
-manager: dansimp
+manager: laurawi
description: Learn how to configure QoS on Surface Hub.
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/surface-hub-recovery-tool.md b/devices/surface-hub/surface-hub-recovery-tool.md
index 75feb89fc2..2db5f9706e 100644
--- a/devices/surface-hub/surface-hub-recovery-tool.md
+++ b/devices/surface-hub/surface-hub-recovery-tool.md
@@ -3,7 +3,7 @@ title: Using the Surface Hub Recovery Tool
description: How to use the Surface Hub Recovery Tool to re-image the SSD.
ms.assetid: FDB6182C-1211-4A92-A930-6C106BCD5DC1
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: manage Surface Hub
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/surface-hub-ssd-replacement.md b/devices/surface-hub/surface-hub-ssd-replacement.md
index 7896a7d634..12f256388d 100644
--- a/devices/surface-hub/surface-hub-ssd-replacement.md
+++ b/devices/surface-hub/surface-hub-ssd-replacement.md
@@ -1,7 +1,7 @@
---
title: Surface Hub SSD replacement
ms.reviewer:
-manager: dansimp
+manager: laurawi
description: Learn how to replace the solid state drive in a Surface Hub.
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/surface-hub-technical-55.md b/devices/surface-hub/surface-hub-technical-55.md
index 6abc46e411..209e77df4c 100644
--- a/devices/surface-hub/surface-hub-technical-55.md
+++ b/devices/surface-hub/surface-hub-technical-55.md
@@ -1,7 +1,7 @@
---
title: Technical information for 55" Surface Hub
ms.reviewer:
-manager: dansimp
+manager: laurawi
description: Specifications for the 55" Surface Hub
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/surface-hub-technical-84.md b/devices/surface-hub/surface-hub-technical-84.md
index 0ba7d45aa1..1c08da5a6b 100644
--- a/devices/surface-hub/surface-hub-technical-84.md
+++ b/devices/surface-hub/surface-hub-technical-84.md
@@ -1,7 +1,7 @@
---
title: Technical information for 84" Surface Hub
ms.reviewer:
-manager: dansimp
+manager: laurawi
description: Specifications for the 84" Surface Hub
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/surface-hub-wifi-direct.md b/devices/surface-hub/surface-hub-wifi-direct.md
index 8d94858bfa..fc1ada3230 100644
--- a/devices/surface-hub/surface-hub-wifi-direct.md
+++ b/devices/surface-hub/surface-hub-wifi-direct.md
@@ -9,7 +9,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 11/27/2019
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/surfacehub-whats-new-1703.md b/devices/surface-hub/surfacehub-whats-new-1703.md
index 0626c4a0d7..4c324d33ce 100644
--- a/devices/surface-hub/surfacehub-whats-new-1703.md
+++ b/devices/surface-hub/surfacehub-whats-new-1703.md
@@ -8,7 +8,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 01/18/2018
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/troubleshoot-surface-hub.md b/devices/surface-hub/troubleshoot-surface-hub.md
index cf02da1a6e..4a30281eff 100644
--- a/devices/surface-hub/troubleshoot-surface-hub.md
+++ b/devices/surface-hub/troubleshoot-surface-hub.md
@@ -3,7 +3,7 @@ title: Troubleshoot Microsoft Surface Hub
description: Troubleshoot common problems, including setup issues, Exchange ActiveSync errors.
ms.assetid: CF58F74D-8077-48C3-981E-FCFDCA34B34A
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: Troubleshoot common problems, setup issues, Exchange ActiveSync errors
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md b/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
index 33233a023b..cf9f2b6339 100644
--- a/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
+++ b/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
@@ -7,7 +7,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 07/27/2017
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/use-room-control-system-with-surface-hub.md b/devices/surface-hub/use-room-control-system-with-surface-hub.md
index cbc437e783..1ec1e19ab5 100644
--- a/devices/surface-hub/use-room-control-system-with-surface-hub.md
+++ b/devices/surface-hub/use-room-control-system-with-surface-hub.md
@@ -3,7 +3,7 @@ title: Using a room control system (Surface Hub)
description: Room control systems can be used with your Microsoft Surface Hub.
ms.assetid: DC365002-6B35-45C5-A2B8-3E1EB0CB8B50
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: room control system, Surface Hub
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface-hub/whiteboard-collaboration.md b/devices/surface-hub/whiteboard-collaboration.md
index 416610d656..a1e05d92b5 100644
--- a/devices/surface-hub/whiteboard-collaboration.md
+++ b/devices/surface-hub/whiteboard-collaboration.md
@@ -8,7 +8,7 @@ ms.author: dansimp
ms.topic: article
ms.date: 03/18/2019
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
---
diff --git a/devices/surface-hub/wireless-network-management-for-surface-hub.md b/devices/surface-hub/wireless-network-management-for-surface-hub.md
index 0a314fe596..96162edafe 100644
--- a/devices/surface-hub/wireless-network-management-for-surface-hub.md
+++ b/devices/surface-hub/wireless-network-management-for-surface-hub.md
@@ -3,7 +3,7 @@ title: Wireless network management (Surface Hub)
description: Microsoft Surface Hub offers two options for network connectivity to your corporate network and Internet wireless, and wired. While both provide network access, we recommend you use a wired connection.
ms.assetid: D2CFB90B-FBAA-4532-B658-9AA33CAEA31D
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: network connectivity, wired connection
ms.prod: surface-hub
ms.sitesec: library
diff --git a/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md b/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md
index 2ab8b6b45b..017f34559f 100644
--- a/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md
+++ b/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md
@@ -3,7 +3,7 @@ title: Advanced UEFI security features for Surface Pro 3 (Surface)
description: This article describes how to install and configure the v3.11.760.0 UEFI update to enable additional security options for Surface Pro 3 devices.
ms.assetid: 90F790C0-E5FC-4482-AD71-60589E3C9C93
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: security, features, configure, hardware, device, custom, script, update
ms.localizationpriority: medium
ms.prod: w10
diff --git a/devices/surface/assettag.md b/devices/surface/assettag.md
index 21d5947ce2..296a57b10e 100644
--- a/devices/surface/assettag.md
+++ b/devices/surface/assettag.md
@@ -9,7 +9,7 @@ author: coveminer
ms.author: v-jokai
ms.topic: article
ms.reviewer: hachidan
-manager: dansimp
+manager: laurawi
---
# Surface Asset Tag Tool
diff --git a/devices/surface/battery-limit.md b/devices/surface/battery-limit.md
index 8866b5c37b..c260718254 100644
--- a/devices/surface/battery-limit.md
+++ b/devices/surface/battery-limit.md
@@ -7,7 +7,7 @@ ms.pagetype: surface, devices
ms.sitesec: library
author: coveminer
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.author: v-jokai
ms.topic: article
ms.localizationpriority: medium
diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md
index c3a2ef2f31..35be5e736d 100644
--- a/devices/surface/change-history-for-surface.md
+++ b/devices/surface/change-history-for-surface.md
@@ -1,7 +1,7 @@
---
title: Change history for Surface documentation (Windows 10)
ms.reviewer:
-manager: dansimp
+manager: laurawi
description: This topic lists new and updated topics in the Surface documentation library.
ms.prod: w10
ms.mktglfcycl: manage
diff --git a/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md b/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md
index 5aac305c5a..f68989b045 100644
--- a/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md
+++ b/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md
@@ -12,7 +12,7 @@ ms.topic: article
ms.localizationpriority: medium
ms.audience: itpro
ms.reviewer:
-manager: dansimp
+manager: laurawi
---
# Considerations for Surface and Microsoft Endpoint Configuration Manager
diff --git a/devices/surface/customize-the-oobe-for-surface-deployments.md b/devices/surface/customize-the-oobe-for-surface-deployments.md
index bd26347d6a..70d53dae71 100644
--- a/devices/surface/customize-the-oobe-for-surface-deployments.md
+++ b/devices/surface/customize-the-oobe-for-surface-deployments.md
@@ -3,7 +3,7 @@ title: Customize the OOBE for Surface deployments (Surface)
description: This article will walk you through the process of customizing the Surface out-of-box experience for end users in your organization.
ms.assetid: F6910315-9FA9-4297-8FA8-2C284A4B1D87
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: deploy, customize, automate, network, Pen, pair, boot
ms.localizationpriority: medium
ms.prod: w10
diff --git a/devices/surface/deploy-surface-app-with-windows-store-for-business.md b/devices/surface/deploy-surface-app-with-windows-store-for-business.md
index 4b24dd9589..121be61007 100644
--- a/devices/surface/deploy-surface-app-with-windows-store-for-business.md
+++ b/devices/surface/deploy-surface-app-with-windows-store-for-business.md
@@ -12,7 +12,7 @@ ms.topic: article
ms.localizationpriority: medium
ms.audience: itpro
ms.reviewer:
-manager: dansimp
+manager: laurawi
---
# Deploy Surface app with Microsoft Store for Business and Education
diff --git a/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md b/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md
index e1debff872..a12b2f2dc4 100644
--- a/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md
+++ b/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md
@@ -12,7 +12,7 @@ ms.topic: article
ms.localizationpriority: medium
ms.audience: itpro
ms.reviewer:
-manager: dansimp
+manager: laurawi
---
# Deploy Windows 10 to Surface devices with Microsoft Deployment Toolkit
diff --git a/devices/surface/deploy.md b/devices/surface/deploy.md
index f0b8a6490f..a7220315da 100644
--- a/devices/surface/deploy.md
+++ b/devices/surface/deploy.md
@@ -7,7 +7,7 @@ ms.pagetype: surface, devices
ms.sitesec: library
author: coveminer
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.author: v-jokai
ms.topic: article
ms.localizationpriority: medium
diff --git a/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md b/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md
index 65453aeaf5..d51a90413e 100644
--- a/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md
+++ b/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md
@@ -3,7 +3,7 @@ title: Enable PEAP, EAP-FAST, and Cisco LEAP on Surface devices (Surface)
description: Find out how to enable support for PEAP, EAP-FAST, or Cisco LEAP protocols on your Surface device.
ms.assetid: A281EFA3-1552-467D-8A21-EB151E58856D
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: network, wireless, device, deploy, authentication, protocol
ms.localizationpriority: medium
ms.prod: w10
diff --git a/devices/surface/enroll-and-configure-surface-devices-with-semm.md b/devices/surface/enroll-and-configure-surface-devices-with-semm.md
index 8e512c1511..0147596761 100644
--- a/devices/surface/enroll-and-configure-surface-devices-with-semm.md
+++ b/devices/surface/enroll-and-configure-surface-devices-with-semm.md
@@ -12,7 +12,7 @@ ms.topic: article
ms.localizationpriority: medium
ms.audience: itpro
ms.reviewer:
-manager: dansimp
+manager: laurawi
---
# Enroll and configure Surface devices with SEMM
diff --git a/devices/surface/ethernet-adapters-and-surface-device-deployment.md b/devices/surface/ethernet-adapters-and-surface-device-deployment.md
index 4acda64004..c35dbe0630 100644
--- a/devices/surface/ethernet-adapters-and-surface-device-deployment.md
+++ b/devices/surface/ethernet-adapters-and-surface-device-deployment.md
@@ -3,7 +3,7 @@ title: Ethernet adapters and Surface deployment (Surface)
description: This article provides guidance and answers to help you perform a network deployment to Surface devices.
ms.assetid: 5273C59E-6039-4E50-96B3-426BB38A64C0
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: ethernet, deploy, removable, network, connectivity, boot, firmware, device, adapter, PXE boot, USB
ms.localizationpriority: medium
ms.prod: w10
diff --git a/devices/surface/ltsb-for-surface.md b/devices/surface/ltsb-for-surface.md
index 9d47e34bb2..c250085467 100644
--- a/devices/surface/ltsb-for-surface.md
+++ b/devices/surface/ltsb-for-surface.md
@@ -9,7 +9,7 @@ author: coveminer
ms.author: v-jokai
ms.topic: article
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
ms.audience: itpro
---
diff --git a/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md b/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md
index 3760d85a4d..36197ca93f 100644
--- a/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md
+++ b/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md
@@ -8,7 +8,7 @@ author: coveminer
ms.author: v-jokai
ms.topic: article
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
ms.audience: itpro
ms.date: 10/28/2019
diff --git a/devices/surface/manage-surface-driver-and-firmware-updates.md b/devices/surface/manage-surface-driver-and-firmware-updates.md
index 827d2c64c5..75ccff3070 100644
--- a/devices/surface/manage-surface-driver-and-firmware-updates.md
+++ b/devices/surface/manage-surface-driver-and-firmware-updates.md
@@ -3,7 +3,7 @@ title: Manage and deploy Surface driver and firmware updates
description: This article describes the available options to manage and deploy firmware and driver updates for Surface devices.
ms.assetid: CD1219BA-8EDE-4BC8-BEEF-99B50C211D73
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: Surface, Surface Pro 3, firmware, update, device, manage, deploy, driver, USB
ms.localizationpriority: medium
ms.prod: w10
diff --git a/devices/surface/manage-surface-uefi-settings.md b/devices/surface/manage-surface-uefi-settings.md
index 224cc16744..c5f41821d3 100644
--- a/devices/surface/manage-surface-uefi-settings.md
+++ b/devices/surface/manage-surface-uefi-settings.md
@@ -11,7 +11,7 @@ author: coveminer
ms.author: v-jokai
ms.topic: article
ms.reviewer:
-manager: dansimp
+manager: laurawi
---
# Manage Surface UEFI settings
diff --git a/devices/surface/microsoft-surface-brightness-control.md b/devices/surface/microsoft-surface-brightness-control.md
index 84ef8a1b9f..f0e6c5d221 100644
--- a/devices/surface/microsoft-surface-brightness-control.md
+++ b/devices/surface/microsoft-surface-brightness-control.md
@@ -9,7 +9,7 @@ author: coveminer
ms.author: v-jokai
ms.topic: article
ms.reviewer: hachidan
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
ms.audience: itpro
---
diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md
index 4ee475b184..0cbf9dac52 100644
--- a/devices/surface/microsoft-surface-data-eraser.md
+++ b/devices/surface/microsoft-surface-data-eraser.md
@@ -3,7 +3,7 @@ title: Microsoft Surface Data Eraser (Surface)
description: Find out how the Microsoft Surface Data Eraser tool can help you securely wipe data from your Surface devices.
ms.assetid: 8DD3F9FE-5458-4467-BE26-E9200341CF10
ms.reviewer: hachidan
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
keywords: tool, USB, data, erase
ms.prod: w10
diff --git a/devices/surface/microsoft-surface-deployment-accelerator.md b/devices/surface/microsoft-surface-deployment-accelerator.md
index e60688692b..6c25746e2a 100644
--- a/devices/surface/microsoft-surface-deployment-accelerator.md
+++ b/devices/surface/microsoft-surface-deployment-accelerator.md
@@ -3,7 +3,7 @@ title: Microsoft Surface Deployment Accelerator (Surface)
description: Microsoft Surface Deployment Accelerator provides a quick and simple deployment mechanism for organizations to reimage Surface devices.
ms.assetid: E7991E90-4AAE-44B6-8822-58BFDE3EADE4
ms.reviewer: hachidan
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
keywords: deploy, install, tool
ms.prod: w10
diff --git a/devices/surface/step-by-step-surface-deployment-accelerator.md b/devices/surface/step-by-step-surface-deployment-accelerator.md
index 42f641271c..e10b8209c9 100644
--- a/devices/surface/step-by-step-surface-deployment-accelerator.md
+++ b/devices/surface/step-by-step-surface-deployment-accelerator.md
@@ -3,7 +3,7 @@ title: Step by step Surface Deployment Accelerator (Surface)
description: This article shows you how to install Microsoft Surface Deployment Accelerator (SDA), configure a deployment share for the deployment of Windows to Surface devices, and perform a deployment to Surface devices.
ms.assetid: A944FB9C-4D81-4868-AFF6-B9D1F5CF1032
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
keywords: deploy, configure
ms.prod: w10
diff --git a/devices/surface/support-solutions-surface.md b/devices/surface/support-solutions-surface.md
index 4fe99f1ebd..a7ef242da7 100644
--- a/devices/surface/support-solutions-surface.md
+++ b/devices/surface/support-solutions-surface.md
@@ -3,7 +3,7 @@ title: Top support solutions for Surface devices
description: Find top solutions for common issues using Surface devices in the enterprise.
ms.assetid: CF58F74D-8077-48C3-981E-FCFDCA34B34A
ms.reviewer:
-manager: dansimp
+manager: laurawi
keywords: Troubleshoot common problems, setup issues
ms.prod: w10
ms.mktglfcycl: support
diff --git a/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md b/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md
index 15f3dc33f0..044b0e0437 100644
--- a/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md
+++ b/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md
@@ -12,7 +12,7 @@ ms.topic: article
ms.localizationpriority: medium
ms.audience: itpro
ms.reviewer: scottmca
-manager: dansimp
+manager: laurawi
---
# Surface device compatibility with Windows 10 Long-Term Servicing Channel (LTSC)
diff --git a/devices/surface/surface-diagnostic-toolkit-business.md b/devices/surface/surface-diagnostic-toolkit-business.md
index 9c71c1cee4..11a032fb45 100644
--- a/devices/surface/surface-diagnostic-toolkit-business.md
+++ b/devices/surface/surface-diagnostic-toolkit-business.md
@@ -10,7 +10,7 @@ ms.author: v-jokai
ms.topic: article
ms.date: 10/31/2019
ms.reviewer: hachidan
-manager: dansimp
+manager: laurawi
ms.audience: itpro
---
diff --git a/devices/surface/surface-diagnostic-toolkit-command-line.md b/devices/surface/surface-diagnostic-toolkit-command-line.md
index 7dca10584e..035eec60da 100644
--- a/devices/surface/surface-diagnostic-toolkit-command-line.md
+++ b/devices/surface/surface-diagnostic-toolkit-command-line.md
@@ -8,7 +8,7 @@ author: coveminer
ms.author: v-jokai
ms.topic: article
ms.reviewer: hachidan
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
ms.audience: itpro
---
diff --git a/devices/surface/surface-diagnostic-toolkit-desktop-mode.md b/devices/surface/surface-diagnostic-toolkit-desktop-mode.md
index 8586cb543a..795bff7f7f 100644
--- a/devices/surface/surface-diagnostic-toolkit-desktop-mode.md
+++ b/devices/surface/surface-diagnostic-toolkit-desktop-mode.md
@@ -8,7 +8,7 @@ author: coveminer
ms.author: v-jokai
ms.topic: article
ms.reviewer: hachidan
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
ms.audience: itpro
---
diff --git a/devices/surface/surface-diagnostic-toolkit-for-business-intro.md b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md
index 7c84f5c0e4..2b19282899 100644
--- a/devices/surface/surface-diagnostic-toolkit-for-business-intro.md
+++ b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md
@@ -8,7 +8,7 @@ author: coveminer
ms.author: v-jokai
ms.topic: article
ms.reviewer: cottmca
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
ms.audience: itpro
---
diff --git a/devices/surface/surface-dock-firmware-update.md b/devices/surface/surface-dock-firmware-update.md
index f1fa0e58fa..26264b1509 100644
--- a/devices/surface/surface-dock-firmware-update.md
+++ b/devices/surface/surface-dock-firmware-update.md
@@ -9,7 +9,7 @@ author: greg-lindsay
ms.author: greglin
ms.topic: article
ms.reviewer: scottmca
-manager: dansimp
+manager: laurawi
ms.audience: itpro
---
# Microsoft Surface Dock Firmware Update: Technical information for IT administrators
diff --git a/devices/surface/surface-enterprise-management-mode.md b/devices/surface/surface-enterprise-management-mode.md
index 493b04c1ae..fc88993c64 100644
--- a/devices/surface/surface-enterprise-management-mode.md
+++ b/devices/surface/surface-enterprise-management-mode.md
@@ -10,7 +10,7 @@ author: coveminer
ms.author: v-jokai
ms.topic: article
ms.reviewer: scottmca
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
ms.audience: itpro
---
diff --git a/devices/surface/surface-manage-dfci-guide.md b/devices/surface/surface-manage-dfci-guide.md
index 41a2f2f912..f21805f1a7 100644
--- a/devices/surface/surface-manage-dfci-guide.md
+++ b/devices/surface/surface-manage-dfci-guide.md
@@ -10,7 +10,7 @@ ms.author: v-jokai
ms.topic: article
ms.date: 11/13/2019
ms.reviewer: jesko
-manager: dansimp
+manager: laurawi
ms.audience: itpro
---
# Intune management of Surface UEFI settings
diff --git a/devices/surface/surface-pro-arm-app-management.md b/devices/surface/surface-pro-arm-app-management.md
index fb4f9b552d..f3d922c048 100644
--- a/devices/surface/surface-pro-arm-app-management.md
+++ b/devices/surface/surface-pro-arm-app-management.md
@@ -8,8 +8,9 @@ ms.sitesec: library
author: coveminer
ms.author: v-jokai
ms.topic: article
+ms.date: 4/15/2020
ms.reviewer: jessko
-manager: dansimp
+manager: laurawi
ms.audience: itpro
---
# Deploying, managing, and servicing Surface Pro X
@@ -43,7 +44,7 @@ Microsoft Deployment Toolkit (MDT) and Microsoft Endpoint Configuration Manager
A component of Microsoft Enterprise Mobility + Security, Intune integrates with Azure Active Directory for identity and access control and provides granular management of enrolled Surface Pro X devices. Intune mobile device management (MDM) policies have a number of advantages over older on-premises tools such as Windows Group Policy. This includes faster device login times and a more streamlined catalog of policies enabling full device management from the cloud. For example, you can manage LTE using eSIM profiles to configure data plans and deploy activation codes to multiple devices.
-For more information about setting up Intune, refer to the [Intune documentation](https://docs.microsoft.com/intune/).
+For more information about using Intune, refer to the [Intune documentation](https://docs.microsoft.com/intune/).
### Co-management
@@ -108,9 +109,9 @@ Popular browsers run on Surface Pro X:
## Installing and using Microsoft Office
- Use Office 365 for the best experience on a Windows 10 PC on an ARM-based processor.
-- Office 365 “click-to-run” installs Outlook, Word, Excel, and PowerPoint, optimized to run on a Windows 10 PC on an ARM-based processor.
+- Office 365 "click-to-run" installs Outlook, Word, Excel, and PowerPoint, optimized to run on a Windows 10 PC on an ARM-based processor.
- Microsoft Teams runs great on Surface Pro X.
-- For “perpetual versions” of Office such as Office 2019, install the 32-bit version.
+- For "perpetual versions" of Office such as Office 2019, install the 32-bit version.
## VPN
diff --git a/devices/surface/surface-pro-arm-app-performance.md b/devices/surface/surface-pro-arm-app-performance.md
index 0057104b59..4459d6052b 100644
--- a/devices/surface/surface-pro-arm-app-performance.md
+++ b/devices/surface/surface-pro-arm-app-performance.md
@@ -10,7 +10,7 @@ ms.author: v-jokai
ms.topic: article
ms.date: 10/03/2019
ms.reviewer: jessko
-manager: dansimp
+manager: laurawi
ms.audience: itpro
---
# Surface Pro X app compatibility
diff --git a/devices/surface/surface-system-sku-reference.md b/devices/surface/surface-system-sku-reference.md
index 9c7b32f336..c0de20193f 100644
--- a/devices/surface/surface-system-sku-reference.md
+++ b/devices/surface/surface-system-sku-reference.md
@@ -11,7 +11,7 @@ ms.author: v-jokai
ms.topic: article
ms.date: 03/09/2020
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
ms.audience: itpro
---
diff --git a/devices/surface/surface-wireless-connect.md b/devices/surface/surface-wireless-connect.md
index d30a955dac..24a358065b 100644
--- a/devices/surface/surface-wireless-connect.md
+++ b/devices/surface/surface-wireless-connect.md
@@ -10,7 +10,7 @@ ms.localizationpriority: medium
ms.author: v-jokai
ms.topic: article
ms.reviewer: tokatz
-manager: dansimp
+manager: laurawi
---
# Optimize Wi-Fi connectivity for Surface devices
diff --git a/devices/surface/unenroll-surface-devices-from-semm.md b/devices/surface/unenroll-surface-devices-from-semm.md
index 6174474de7..0caea932ab 100644
--- a/devices/surface/unenroll-surface-devices-from-semm.md
+++ b/devices/surface/unenroll-surface-devices-from-semm.md
@@ -10,7 +10,7 @@ author: coveminer
ms.author: v-jokai
ms.topic: article
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
ms.audience: itpro
---
diff --git a/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md b/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md
index bac99f89bc..f483ed4583 100644
--- a/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md
+++ b/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md
@@ -12,7 +12,7 @@ ms.topic: article
ms.localizationpriority: medium
ms.audience: itpro
ms.reviewer:
-manager: dansimp
+manager: laurawi
---
# Upgrade Surface devices to Windows 10 with Microsoft Deployment Toolkit
diff --git a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md
index da2a90ea0b..42c6d6f42f 100644
--- a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md
+++ b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md
@@ -10,7 +10,7 @@ author: coveminer
ms.author: v-jokai
ms.topic: article
ms.reviewer:
-manager: dansimp
+manager: laurawi
ms.localizationpriority: medium
ms.audience: itpro
---
diff --git a/devices/surface/using-the-sda-deployment-share.md b/devices/surface/using-the-sda-deployment-share.md
index 40c991f145..0309d071ec 100644
--- a/devices/surface/using-the-sda-deployment-share.md
+++ b/devices/surface/using-the-sda-deployment-share.md
@@ -12,7 +12,7 @@ ms.topic: article
ms.localizationpriority: medium
ms.audience: itpro
ms.reviewer:
-manager: dansimp
+manager: laurawi
---
# Using the Microsoft Surface Deployment Accelerator deployment share
diff --git a/devices/surface/wake-on-lan-for-surface-devices.md b/devices/surface/wake-on-lan-for-surface-devices.md
index 37cb7a1d1e..a6686dcf69 100644
--- a/devices/surface/wake-on-lan-for-surface-devices.md
+++ b/devices/surface/wake-on-lan-for-surface-devices.md
@@ -11,7 +11,7 @@ author: coveminer
ms.author: v-jokai
ms.topic: article
ms.reviewer: scottmca
-manager: dansimp
+manager: laurawi
ms.audience: itpro
---
diff --git a/devices/surface/windows-autopilot-and-surface-devices.md b/devices/surface/windows-autopilot-and-surface-devices.md
index b008fa625a..0860600d05 100644
--- a/devices/surface/windows-autopilot-and-surface-devices.md
+++ b/devices/surface/windows-autopilot-and-surface-devices.md
@@ -1,7 +1,7 @@
---
title: Windows Autopilot and Surface devices
ms.reviewer:
-manager: dansimp
+manager: laurawi
description: Find out about Windows Autopilot deployment options for Surface devices.
keywords: autopilot, windows 10, surface, deployment
ms.prod: w10
@@ -48,17 +48,14 @@ Select Surface partners can enroll Surface devices in Windows Autopilot for you
Surface partners that are enabled for Windows Autopilot include:
-- [ALSO](https://www.also.com/ec/cms5/de_1010/1010_anbieter/microsoft/windows-autopilot/index.jsp)
-- [Atea](https://www.atea.com/)
-- [Bechtle](https://www.bechtle.com/marken/microsoft/microsoft-windows-autopilot)
-- [Cancom](https://www.cancom.de/)
-- [CDW](https://www.cdw.com/)
-- [Computacenter](https://www.computacenter.com/uk)
-- [Connection](https://www.connection.com/brand/microsoft/microsoft-surface)
-- [Insight](https://www.insight.com/en_US/buy/partner/microsoft/surface/windows-autopilot.html)
-- [SHI](https://www.shi.com/Surface)
-- [Synnex](https://www.synnexcorp.com/us/microsoft/surface-autopilot/)
-- [Techdata](https://www.techdata.com/)
+| US partners | Global partners | US distributors |
+|--------------|---------------|-------------------|
+| * [CDW](https://www.cdw.com/) | * [ALSO](https://www.also.com/ec/cms5/de_1010/1010_anbieter/microsoft/windows-autopilot/index.jsp) | * [Synnex](https://www.synnexcorp.com/us/microsoft/surface-autopilot/) |
+| * [Connection](https://www.connection.com/brand/microsoft/microsoft-surface) | * [ATEA](https://www.atea.com/) | * [Techdata](https://www.techdata.com/) |
+| * [Insight](https://www.insight.com/en_US/buy/partner/microsoft/surface/windows-autopilot.html) | * [Bechtle](https://www.bechtle.com/marken/microsoft/microsoft-windows-autopilot) | |
+| * [SHI](https://www.shi.com/Surface) | * [Cancom](https://www.cancom.de/) | |
+| * [LDI Connect](https://www.myldi.com/managed-it/) | * [Computacenter](https://www.computacenter.com/uk) | |
+| * [F1](https://www.functiononeit.com/#empower) | |
## Learn more
diff --git a/education/windows/images/edu-districtdeploy-fig1.png b/education/windows/images/edu-districtdeploy-fig1.png
index a9ed962f95..9e9cd6c238 100644
Binary files a/education/windows/images/edu-districtdeploy-fig1.png and b/education/windows/images/edu-districtdeploy-fig1.png differ
diff --git a/education/windows/images/edu-districtdeploy-fig2.png b/education/windows/images/edu-districtdeploy-fig2.png
index 3838c18153..dfa00a0132 100644
Binary files a/education/windows/images/edu-districtdeploy-fig2.png and b/education/windows/images/edu-districtdeploy-fig2.png differ
diff --git a/education/windows/images/edu-districtdeploy-fig4.png b/education/windows/images/edu-districtdeploy-fig4.png
index c55ee20d47..ca07e5a968 100644
Binary files a/education/windows/images/edu-districtdeploy-fig4.png and b/education/windows/images/edu-districtdeploy-fig4.png differ
diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md
index 1eb4d1d50b..7f0c586ed7 100644
--- a/windows/application-management/apps-in-windows-10.md
+++ b/windows/application-management/apps-in-windows-10.md
@@ -31,64 +31,61 @@ The following tables list the system apps, installed Windows apps, and provision
Some of the apps show up in multiple tables - that's because their status changed between versions. Make sure to check the version column for the version you are currently running.
-
## Provisioned Windows apps
-Here are the provisioned Windows apps in Windows 10 versions 1703, 1709, 1803 and 1809.
+You can list all provisioned Windows apps with this PowerShell command:
-> [!TIP]
-> You can list all provisioned Windows apps with this PowerShell command:
-> ```
-> Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName
-> ```
+```Powershell
+Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName
+```
-
+Here are the provisioned Windows apps in Windows 10 versions 1803, 1809, 1903, and 1909.
-| Package name | App name | 1709 | 1803 | 1809 | 1909 | Uninstall through UI? |
-|----------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------|:----:|:----:|:----:|:----:|:---------------------:|
-| Microsoft.3DBuilder | [3D Builder](ms-windows-store://pdp/?PFN=Microsoft.3DBuilder_8wekyb3d8bbwe) | | | | | Yes |
-| Microsoft.BingWeather | [MSN Weather](ms-windows-store://pdp/?PFN=Microsoft.BingWeather_8wekyb3d8bbwe) | x | x | x | x | Yes |
-| Microsoft.DesktopAppInstaller | [App Installer](ms-windows-store://pdp/?PFN=Microsoft.DesktopAppInstaller_8wekyb3d8bbwe) | x | x | x | x | Via Settings App |
-| Microsoft.GetHelp | [Get Help](ms-windows-store://pdp/?PFN=Microsoft.Gethelp_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.Getstarted | [Microsoft Tips](ms-windows-store://pdp/?PFN=Microsoft.Getstarted_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.HEIFImageExtension | [HEIF Image Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEIFImageExtension_8wekyb3d8bbwe) | | | x | x | No |
-| Microsoft.Messaging | [Microsoft Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.Microsoft3DViewer | [Mixed Reality Viewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.MicrosoftOfficeHub | [My Office](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | x | x | x | x | Yes |
-| Microsoft.MicrosoftSolitaireCollection | [Microsoft Solitaire Collection](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) | x | x | x | x | Yes |
-| Microsoft.MicrosoftStickyNotes | [Microsoft Sticky Notes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.MixedReality.Portal | [Mixed Reality Portal](ms-windows-store://pdp/?PFN=Microsoft.MixedReality.Portal_8wekyb3d8bbwe) | | | x | x | No |
-| Microsoft.MSPaint | [Paint 3D](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.Office.OneNote | [OneNote](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | x | Yes |
-| Microsoft.OneConnect | [Paid Wi-Fi & Cellular](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.Outlook.DesktopIntegrationServices | | | | | x | |
-| Microsoft.People | [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.Print3D | [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.ScreenSketch | [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | | | x | x | No |
-| Microsoft.SkypeApp | [Skype](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c) | x | x | x | x | No |
-| Microsoft.StorePurchaseApp | [Store Purchase App](ms-windows-store://pdp/?PFN=Microsoft.StorePurchaseApp_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.VP9VideoExtensions | | | | x | x | No |
-| Microsoft.Wallet | [Microsoft Pay](ms-windows-store://pdp/?PFN=Microsoft.Wallet_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.WebMediaExtensions | [Web Media Extensions](ms-windows-store://pdp/?PFN=Microsoft.WebMediaExtensions_8wekyb3d8bbwe) | | x | x | x | No |
-| Microsoft.WebpImageExtension | [Webp Image Extension](ms-windows-store://pdp/?PFN=Microsoft.WebpImageExtension_8wekyb3d8bbwe) | | | x | x | No |
-| Microsoft.Windows.Photos | [Microsoft Photos](ms-windows-store://pdp/?PFN=Microsoft.Windows.Photos_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.WindowsAlarms | [Windows Alarms & Clock](ms-windows-store://pdp/?PFN=Microsoft.WindowsAlarms_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.WindowsCalculator | [Windows Calculator](ms-windows-store://pdp/?PFN=Microsoft.WindowsCalculator_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.WindowsCamera | [Windows Camera](ms-windows-store://pdp/?PFN=Microsoft.WindowsCamera_8wekyb3d8bbwe) | x | x | x | x | No |
-| microsoft.windowscommunicationsapps | [Mail and Calendar](ms-windows-store://pdp/?PFN=microsoft.windowscommunicationsapps_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.WindowsFeedbackHub | [Feedback Hub](ms-windows-store://pdp/?PFN=Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.WindowsMaps | [Windows Maps](ms-windows-store://pdp/?PFN=Microsoft.WindowsMaps_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.WindowsSoundRecorder | [Windows Voice Recorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.WindowsStore | [Microsoft Store](ms-windows-store://pdp/?PFN=Microsoft.WindowsStore_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.Xbox.TCUI | [Xbox TCUI](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.XboxApp | [Xbox](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.XboxGameOverlay | [Xbox Game Bar](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.XboxGamingOverlay | [Xbox Gaming Overlay](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe) | | x | x | x | No |
-| Microsoft.XboxIdentityProvider | [Xbox Identity Provider](ms-windows-store://pdp/?PFN=Microsoft.XboxIdentityProvider_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.XboxSpeechToTextOverlay | | x | x | x | x | No |
-| Microsoft.YourPhone | [Your Phone](ms-windows-store://pdp/?PFN=Microsoft.YourPhone_8wekyb3d8bbwe) | | | x | x | No |
-| Microsoft.ZuneMusic | [Groove Music](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.ZuneVideo | [Movies & TV](ms-windows-store://pdp/?PFN=Microsoft.ZuneVideo_8wekyb3d8bbwe) | x | x | x | x | No |
+| Package name | App name | 1803 | 1809 | 1903 | 1909 | Uninstall through UI? |
+|----------------------------------------------|--------------------------------------------------------------------------------------------------------------------|:----:|:----:|:----:|:----:|:---------------------:|
+| Microsoft.3DBuilder | [3D Builder](ms-windows-store://pdp/?PFN=Microsoft.3DBuilder_8wekyb3d8bbwe) | | | | | Yes |
+| Microsoft.BingWeather | [MSN Weather](ms-windows-store://pdp/?PFN=Microsoft.BingWeather_8wekyb3d8bbwe) | x | x | x | x | Yes |
+| Microsoft.DesktopAppInstaller | [App Installer](ms-windows-store://pdp/?PFN=Microsoft.DesktopAppInstaller_8wekyb3d8bbwe) | x | x | x | x | Via Settings App |
+| Microsoft.GetHelp | [Get Help](ms-windows-store://pdp/?PFN=Microsoft.Gethelp_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.Getstarted | [Microsoft Tips](ms-windows-store://pdp/?PFN=Microsoft.Getstarted_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.HEIFImageExtension | [HEIF Image Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEIFImageExtension_8wekyb3d8bbwe) | | x | x | x | No |
+| Microsoft.Messaging | [Microsoft Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.Microsoft3DViewer | [Mixed Reality Viewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.MicrosoftOfficeHub | [My Office](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | x | x | x | x | Yes |
+| Microsoft.MicrosoftSolitaireCollection | [Microsoft Solitaire Collection](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) | x | x | x | x | Yes |
+| Microsoft.MicrosoftStickyNotes | [Microsoft Sticky Notes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.MixedReality.Portal | [Mixed Reality Portal](ms-windows-store://pdp/?PFN=Microsoft.MixedReality.Portal_8wekyb3d8bbwe) | | x | x | x | No |
+| Microsoft.MSPaint | [Paint 3D](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.Office.OneNote | [OneNote](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | x | Yes |
+| Microsoft.OneConnect | [Paid Wi-Fi & Cellular](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.Outlook.DesktopIntegrationServices | | | | | x | |
+| Microsoft.People | [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.Print3D | [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.ScreenSketch | [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | | x | x | x | No |
+| Microsoft.SkypeApp | [Skype](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c) | x | x | x | x | No |
+| Microsoft.StorePurchaseApp | [Store Purchase App](ms-windows-store://pdp/?PFN=Microsoft.StorePurchaseApp_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.VP9VideoExtensions | | | x | x | x | No |
+| Microsoft.Wallet | [Microsoft Pay](ms-windows-store://pdp/?PFN=Microsoft.Wallet_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.WebMediaExtensions | [Web Media Extensions](ms-windows-store://pdp/?PFN=Microsoft.WebMediaExtensions_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.WebpImageExtension | [Webp Image Extension](ms-windows-store://pdp/?PFN=Microsoft.WebpImageExtension_8wekyb3d8bbwe) | | x | x | x | No |
+| Microsoft.Windows.Photos | [Microsoft Photos](ms-windows-store://pdp/?PFN=Microsoft.Windows.Photos_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.WindowsAlarms | [Windows Alarms & Clock](ms-windows-store://pdp/?PFN=Microsoft.WindowsAlarms_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.WindowsCalculator | [Windows Calculator](ms-windows-store://pdp/?PFN=Microsoft.WindowsCalculator_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.WindowsCamera | [Windows Camera](ms-windows-store://pdp/?PFN=Microsoft.WindowsCamera_8wekyb3d8bbwe) | x | x | x | x | No |
+| microsoft.windowscommunicationsapps | [Mail and Calendar](ms-windows-store://pdp/?PFN=microsoft.windowscommunicationsapps_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.WindowsFeedbackHub | [Feedback Hub](ms-windows-store://pdp/?PFN=Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.WindowsMaps | [Windows Maps](ms-windows-store://pdp/?PFN=Microsoft.WindowsMaps_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.WindowsSoundRecorder | [Windows Voice Recorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.WindowsStore | [Microsoft Store](ms-windows-store://pdp/?PFN=Microsoft.WindowsStore_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.Xbox.TCUI | [Xbox TCUI](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.XboxApp | [Xbox](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.XboxGameOverlay | [Xbox Game Bar](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.XboxGamingOverlay | [Xbox Gaming Overlay](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.XboxIdentityProvider | [Xbox Identity Provider](ms-windows-store://pdp/?PFN=Microsoft.XboxIdentityProvider_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.XboxSpeechToTextOverlay | | x | x | x | x | No |
+| Microsoft.YourPhone | [Your Phone](ms-windows-store://pdp/?PFN=Microsoft.YourPhone_8wekyb3d8bbwe) | | x | x | x | No |
+| Microsoft.ZuneMusic | [Groove Music](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe) | x | x | x | x | No |
+| Microsoft.ZuneVideo | [Movies & TV](ms-windows-store://pdp/?PFN=Microsoft.ZuneVideo_8wekyb3d8bbwe) | x | x | x | x | No |
>[!NOTE]
>The Store app can't be removed. If you want to remove and reinstall the Store app, you can only bring Store back by either restoring your system from a backup or resetting your system. Instead of removing the Store app, you should use group policies to hide or disable it.
@@ -97,13 +94,11 @@ Here are the provisioned Windows apps in Windows 10 versions 1703, 1709, 1803 an
System apps are integral to the operating system. Here are the typical system apps in Windows 10 versions 1709, 1803, and 1809.
-> [!TIP]
-> You can list all system apps with this PowerShell command:
-> ```
-> Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation
-> ```
+You can list all system apps with this PowerShell command:
-
+```Powershell
+Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation
+```
| Name | Package Name | 1709 | 1803 | 1809 |Uninstall through UI? |
|----------------------------------|---------------------------------------------|:-----:|:----:|:----:|-----------------------|
diff --git a/windows/client-management/mdm/get-product-packages.md b/windows/client-management/mdm/get-product-packages.md
index 394b64e58c..5ad2851bc5 100644
--- a/windows/client-management/mdm/get-product-packages.md
+++ b/windows/client-management/mdm/get-product-packages.md
@@ -1,6 +1,6 @@
---
title: Get product packages
-description: The Get product packages operation retrieves the information about applications in the Micosoft Store for Business.
+description: The Get product packages operation retrieves the information about applications in the Microsoft Store for Business.
ms.assetid: 039468BF-B9EE-4E1C-810C-9ACDD55C0835
ms.reviewer:
manager: dansimp
@@ -14,7 +14,7 @@ ms.date: 09/18/2017
# Get product packages
-The **Get product packages** operation retrieves the information about applications in the Micosoft Store for Business.
+The **Get product packages** operation retrieves the information about applications in the Microsoft Store for Business.
## Request
diff --git a/windows/client-management/mdm/get-seats.md b/windows/client-management/mdm/get-seats.md
index 21d8f631c1..a510b2460c 100644
--- a/windows/client-management/mdm/get-seats.md
+++ b/windows/client-management/mdm/get-seats.md
@@ -1,6 +1,6 @@
---
title: Get seats
-description: The Get seats operation retrieves the information about active seats in the Micosoft Store for Business.
+description: The Get seats operation retrieves the information about active seats in the Micorsoft Store for Business.
ms.assetid: 32945788-47AC-4259-B616-F359D48F4F2F
ms.reviewer:
manager: dansimp
@@ -14,7 +14,7 @@ ms.date: 09/18/2017
# Get seats
-The **Get seats** operation retrieves the information about active seats in the Micosoft Store for Business.
+The **Get seats** operation retrieves the information about active seats in the Microsoft Store for Business.
## Request
diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
index 2245bcd552..52246fddfd 100644
--- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
@@ -151,7 +151,7 @@ $oulist = Import-csv -Path c:\oulist.txt
ForEach($entry in $oulist){
$ouname = $entry.ouname
$oupath = $entry.oupath
- New-ADOrganizationalUnit -Name $ouname -Path $oupath -WhatIf
+ New-ADOrganizationalUnit -Name $ouname -Path $oupath
Write-Host -ForegroundColor Green "OU $ouname is created in the location $oupath"
}
```
diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
index d54f06dc77..c6400f67e9 100644
--- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
+++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
@@ -31,15 +31,15 @@ To configure your environment for BitLocker, you will need to do the following:
4. Configure the rules (CustomSettings.ini) for BitLocker.
> [!NOTE]
-> Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery password in Active Directory. For additional information about this feature, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://docs.microsoft.com/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds).
+> Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery password in Active Directory. For additional information about this feature, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://docs.microsoft.com/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds).
If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker.
> [!NOTE]
-> Backing up TMP to Active Directory was supported only on Windows 10 version 1507 and 1511.
+> Backing up TPM to Active Directory was supported only on Windows 10 version 1507 and 1511.
>[!NOTE]
->Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. For additional information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://go.microsoft.com/fwlink/p/?LinkId=619548). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker.
-
+>Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. For additional information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-7/dd875529(v=ws.10)). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker.
+
For the purposes of this topic, we will use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
## Configure Active Directory for BitLocker
@@ -95,7 +95,7 @@ Following these steps, you enable the backup of BitLocker and TPM recovery infor
### Set permissions in Active Directory for BitLocker
-In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you have downloaded the [Add-TPMSelfWriteACE.vbs script](https://go.microsoft.com/fwlink/p/?LinkId=167133) from Microsoft to C:\\Setup\\Scripts on DC01.
+In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you have downloaded the [Add-TPMSelfWriteACE.vbs script](https://gallery.technet.microsoft.com/ScriptCenter/b4dee016-053e-4aa3-a278-3cebf70d1191) from Microsoft to C:\\Setup\\Scripts on DC01.
1. On DC01, start an elevated PowerShell prompt (run as Administrator).
2. Configure the permissions by running the following command:
diff --git a/windows/deployment/images/configmgr-assets.PNG b/windows/deployment/images/configmgr-assets.PNG
new file mode 100644
index 0000000000..ac315148c5
Binary files /dev/null and b/windows/deployment/images/configmgr-assets.PNG differ
diff --git a/windows/deployment/images/configmgr-assets.png b/windows/deployment/images/configmgr-assets.png
index 264606c2ab..ac315148c5 100644
Binary files a/windows/deployment/images/configmgr-assets.png and b/windows/deployment/images/configmgr-assets.png differ
diff --git a/windows/deployment/images/fig16-contentstatus.png b/windows/deployment/images/fig16-contentstatus.png
new file mode 100644
index 0000000000..f48490b97d
Binary files /dev/null and b/windows/deployment/images/fig16-contentstatus.png differ
diff --git a/windows/deployment/images/fig18-distwindows.png b/windows/deployment/images/fig18-distwindows.png
index 6e696e321d..07ff1b74c6 100644
Binary files a/windows/deployment/images/fig18-distwindows.png and b/windows/deployment/images/fig18-distwindows.png differ
diff --git a/windows/deployment/images/mdt-06-fig06.png b/windows/deployment/images/mdt-06-fig06.png
index 324c8960c1..69e2b89c1e 100644
Binary files a/windows/deployment/images/mdt-06-fig06.png and b/windows/deployment/images/mdt-06-fig06.png differ
diff --git a/windows/deployment/images/mdt-06-fig08.png b/windows/deployment/images/mdt-06-fig08.png
index 086a3961a3..25c8a0a445 100644
Binary files a/windows/deployment/images/mdt-06-fig08.png and b/windows/deployment/images/mdt-06-fig08.png differ
diff --git a/windows/deployment/media/Windows10DeploymentConfigManager.pdf b/windows/deployment/media/Windows10DeploymentConfigManager.pdf
index ac27941579..3a4c5f022e 100644
Binary files a/windows/deployment/media/Windows10DeploymentConfigManager.pdf and b/windows/deployment/media/Windows10DeploymentConfigManager.pdf differ
diff --git a/windows/deployment/media/Windows10DeploymentConfigManager.vsdx b/windows/deployment/media/Windows10DeploymentConfigManager.vsdx
index 5c5328cb5f..8b2db358ff 100644
Binary files a/windows/deployment/media/Windows10DeploymentConfigManager.vsdx and b/windows/deployment/media/Windows10DeploymentConfigManager.vsdx differ
diff --git a/windows/deployment/media/windows10-deployment-config-manager.png b/windows/deployment/media/windows10-deployment-config-manager.png
index 9a3ae2b1f5..509e041741 100644
Binary files a/windows/deployment/media/windows10-deployment-config-manager.png and b/windows/deployment/media/windows10-deployment-config-manager.png differ
diff --git a/windows/deployment/update/update-compliance-configuration-script.md b/windows/deployment/update/update-compliance-configuration-script.md
index fd14c25d99..2167039e0c 100644
--- a/windows/deployment/update/update-compliance-configuration-script.md
+++ b/windows/deployment/update/update-compliance-configuration-script.md
@@ -41,7 +41,7 @@ When using the script in the context of troubleshooting, use `Pilot`. Enter `Run
2. Configure `commercialIDValue` to your CommercialID. To get your CommercialID, see [Getting your CommercialID](update-compliance-get-started.md#get-your-commercialid).
3. Run the script. The script must be run in System context.
4. Examine the Logs output for any issues. If there were issues:
- - Compare Logs output with the required settings covered in [Manually Configuring Devices for Update Compliance] (update-compliance-configuration-manual.md).
+ - Compare Logs output with the required settings covered in [Manually Configuring Devices for Update Compliance](update-compliance-configuration-manual.md).
- Examine the script errors and refer to the [script error reference](#script-error-reference) on how to interpret the codes.
- Make the necessary corrections and run the script again.
5. When you no longer have issues, proceed to using the script for more broad deployment with the `Deployment` folder.
diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md
index 74b72061a4..102ee54ac9 100644
--- a/windows/deployment/update/update-compliance-monitor.md
+++ b/windows/deployment/update/update-compliance-monitor.md
@@ -18,9 +18,9 @@ ms.topic: article
# Monitor Windows Updates with Update Compliance
> [!IMPORTANT]
-> While [Windows Analytics was retired on January 31, 2020](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), support for Update Compliance has continued through the Azure Portal; however, please note the following updates:
-> As of March 31, 2020, The Windows Defender Antivirus reporting feature of Update Compliance is no longer supported and will soon be retired. You can continue to review malware definition status and manage and monitor malware attacks with Microsoft Endpoint Manager's [Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune). Configuration Manager customers can monitor Endpoint Protection with [Endpoint Protection in Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection).
-> * As of March 31, 2020, The Perspectives feature of Update Compliance is no longer supported and will soon be retired in favor of a better experience. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance.
+> While [Windows Analytics was retired on January 31, 2020](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), support for Update Compliance has continued through the Azure Portal. A few retirements are planned, noted below, but are placed **on hold** until the current situation stabilizes.
+> * The Windows Defender Antivirus reporting feature of Update Compliance will soon be retired. You can continue to review malware definition status and manage and monitor malware attacks with Microsoft Endpoint Manager's [Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune). Configuration Manager customers can monitor Endpoint Protection with [Endpoint Protection in Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection).
+> * As of March 31, 2020, The Perspectives feature of Update Compliance will soon be retired in favor of a better experience. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance.
## Introduction
diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md
index 4f273824cb..5a53df6187 100644
--- a/windows/deployment/windows-10-poc-sc-config-mgr.md
+++ b/windows/deployment/windows-10-poc-sc-config-mgr.md
@@ -463,7 +463,7 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi
11. Edit the task sequence to add the Microsoft NET Framework 3.5, which is required by many applications. To edit the task sequence, double-click **Windows 10 Enterprise x64 Default Image** that was created in the previous step.
-12. Click the **Task Sequence** tab. Under **State Restore** click **Tatto** to highlight it, then click **Add** and choose **New Group**. A new group will be added under Tattoo.
+12. Click the **Task Sequence** tab. Under **State Restore** click **Tattoo** to highlight it, then click **Add** and choose **New Group**. A new group will be added under Tattoo.
13. On the Properties tab of the group that was created in the previous step, change the Name from New Group to **Custom Tasks (Pre-Windows Update)** and then click **Apply**. To see the name change, click **Tattoo**, then click the new group again.
@@ -775,7 +775,7 @@ In this first deployment scenario, we will deploy Windows 10 using PXE. This sce
9. Close the Map Network Drive window, the Explorer window, and the command prompt.
-10. The **Windows 10 Enterprise x64** task sequence is selected in the Task Sequenc Wizard. Click **Next** to continue with the deployment.
+10. The **Windows 10 Enterprise x64** task sequence is selected in the Task Sequence Wizard. Click **Next** to continue with the deployment.
11. The task sequence will require several minutes to complete. You can monitor progress of the task sequence using the MDT Deployment Workbench under Deployment Shares > MDTProduction > Monitoring. The task sequence will:
- Install Windows 10
@@ -1027,7 +1027,7 @@ In the Configuration Manager console, in the Software Library workspace under Op
### Deploy the new computer
-1. Start PC4 and press ENTER for a network boot when prompted. To start PC4, type the following commands at an elevated Windows Powershell prompt on the Hyper-V host:
+1. Start PC4 and press ENTER for a network boot when prompted. To start PC4, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
```
Start-VM PC4
diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md
index d953b17ab2..b1e21372a1 100644
--- a/windows/deployment/windows-10-subscription-activation.md
+++ b/windows/deployment/windows-10-subscription-activation.md
@@ -79,6 +79,9 @@ The following figure illustrates how deploying Windows 10 has evolved with each
### Windows 10 Enterprise requirements
+> [!NOTE]
+> The following requirements do not apply to general Windows 10 activation on Azure. Azure activation requires a connection to Azure KMS only, and supports workgroup, Hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure Virtual Machines](https://docs.microsoft.com/azure/virtual-machines/troubleshooting/troubleshoot-activation-problems#understanding-azure-kms-endpoints-for-windows-product-activation-of-azure-virtual-machines).
+
For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following:
- Windows 10 (Pro or Enterprise) version 1703 or later installed on the devices to be upgraded.
@@ -191,6 +194,8 @@ When you have the required Azure AD subscription, group-based licensing is the p
If you are running Windows 10, version 1803 or later, Subscription Activation will automatically pull the firmware-embedded Windows 10 activation key and activate the underlying Pro License. The license will then step-up to Windows 10 Enterprise using Subscription Activation. This automatically migrates your devices from KMS or MAK activated Enterprise to Subscription activated Enterprise.
+Caution: Firmware-embedded Windows 10 activation happens automatically only when we go through OOBE(Out Of Box Experience)
+
If you are using Windows 10, version 1607, 1703, or 1709 and have already deployed Windows 10 Enterprise, but you want to move away from depending on KMS servers and MAK keys for Windows client machines, you can seamlessly transition as long as the computer has been activated with a firmware-embedded Windows 10 Pro product key.
If the computer has never been activated with a Pro key, run the following script. Copy the text below into a .cmd file and run the file from an elevated command prompt:
diff --git a/windows/deployment/windows-autopilot/known-issues.md b/windows/deployment/windows-autopilot/known-issues.md
index 162db9fe0e..b85fc9b010 100644
--- a/windows/deployment/windows-autopilot/known-issues.md
+++ b/windows/deployment/windows-autopilot/known-issues.md
@@ -26,6 +26,9 @@ ms.topic: article
| Issue | More information
+ | | Blocking apps specified in a user-targeted Enrollment Status Profile are ignored during device ESP. |
+The services responsible for determining the list of apps that should be blocking during device ESP are not able to determine the correct ESP profile containing the list of apps because they do not know the user identity. As a workaround, enable the default ESP profile (which targets all users and devices) and place the blocking app list there. In the future, it will be possible to instead target the ESP profile to device groups to avoid this issue. |
+
| Windows Autopilot user-driven Hybrid Azure AD deployments do not grant users Administrator rights even when specified in the Windows Autopilot profile. |
This will occur when there is another user on the device that already has Administrator rights. For example, a PowerShell script or policy could create an additional local account that is a member of the Administrators group. To ensure this works properly, do not create an additional account until after the Windows Autopilot process has completed. |
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 03b72907ac..6dd9518dcf 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -10,7 +10,7 @@ ms.sitesec: library
ms.localizationpriority: high
audience: ITPro
author: medgarmedgar
-ms.author: v-medgar
+ms.author: robsize
manager: robsize
ms.collection: M365-security-compliance
ms.topic: article
@@ -39,8 +39,8 @@ Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline]
>[!Note]
>Regarding the Windows Restricted Traffic Limited Functionality Baseline, the 1903 settings (folder) are applicable to 1909 Windows >Enterprise devices. There were no additional settings required for the 1909 release.
->[!Warning]
->If a user executes the "Reset this PC" command (Settings -> Update & Security -> Recovery) with the "Keep my files" option (or the >"Remove Everything" option) the Windows Restricted Traffic Limited Functionality Baseline settings will need to be re-applied in order >re-restrict the device. Egress traffic may occur prior to the re-application of the Restricted Traffic Limited Functionality Baseline >settings.
+> [!Warning]
+> If a user executes the **Reset this PC** command (Settings -> Update & Security -> Recovery) with the **Keep my files option** (or the **Remove Everything** option) the Windows Restricted Traffic Limited Functionality Baseline settings will need to be re-applied in order to re-restrict the device. Egress traffic may occur prior to the re-application of the Restricted Traffic Limited Functionality Baseline settings.
To use Microsoft Intune cloud based device management for restricting traffic please refer to the [Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-mdm)
@@ -1898,4 +1898,3 @@ For China releases of Windows 10 there is one additional Regkey to be set to pre
To learn more, see [Device update management](https://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](https://technet.microsoft.com/library/cc720539.aspx).
-
diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
index 6bc04cd39f..01dffaef6d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
+++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
@@ -47,7 +47,8 @@ Windows Hello provides many benefits, including:
## Where is Windows Hello data stored?
The biometric data used to support Windows Hello is stored on the local device only. It doesn't roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data from a device, it cannot be converted back into a raw biometric sample that could be recognized by the biometric sensor.
-Each sensor on a device will have its own biometric database file where template data is stored. Each database has a unique, randomly generated key that is encrypted to the system. The template data for the sensor will be encrypted with this per-database key using AES with CBC chaining mode. The hash is SHA256. Some fingerprint sensors have the capability to complete matching on the fingerprint sensor module instead of in the OS. These sensors will store biometric data on the fingerprint module instead of in the database file.
+> [!NOTE]
+>Each sensor on a device will have its own biometric database file where template data is stored. Each database has a unique, randomly generated key that is encrypted to the system. The template data for the sensor will be encrypted with this per-database key using AES with CBC chaining mode. The hash is SHA256. Some fingerprint sensors have the capability to complete matching on the fingerprint sensor module instead of in the OS. These sensors will store biometric data on the fingerprint module instead of in the database file.
## Has Microsoft set any device requirements for Windows Hello?
We've been working with the device manufacturers to help ensure a high-level of performance and protection is met by each sensor and device, based on these requirements:
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
index 0b01799ab2..33a9c450e1 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
@@ -43,18 +43,20 @@ Before you can remotely reset PINs, you must on-board the Microsoft PIN reset se
### Connect Azure Active Directory with the PIN reset service
-1. Go to the [Microsoft PIN Reset Service Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using the tenant administrator account you use to manage your Azure Active Directory tenant.
-2. After you log in, click **Accept** to give consent for the PIN reset service to access your account.
+1. Go to the [Microsoft PIN Reset Service Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant.
+2. After you have logged in, choose **Accept** to give consent for the PIN reset service to access your account.
-3. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using the tenant administrator account you use to manage your Azure Active Directory tenant.
-4. After you log in, click **Accept** to give consent for the PIN reset client to access your account.
+3. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant.
+4. After you have logged in, choose **Accept** to give consent for the PIN reset client to access your account.
+
+> [!NOTE]
+> After you have accepted the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN reset applications are listed for your tenant.
+
+
5. In the [Azure portal](https://portal.azure.com), verify that the Microsoft PIN Reset Service and Microsoft PIN Reset Client are integrated from the **Enterprise applications** blade. Filter to application status "Enabled" and both Microsoft Pin Reset Service Production and Microsoft Pin Reset Client Production will show up in your tenant.
->[!NOTE]
->After you Accept the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN Reset applications are listed for your tenant.
-
### Configure Windows devices to use PIN reset using Group Policy
You configure Windows 10 to use the Microsoft PIN Reset service using the computer configuration portion of a Group Policy object.
@@ -70,8 +72,8 @@ To configure PIN reset on Windows devices you manage, use an [Intune Windows 10
#### Create a PIN Reset Device configuration profile using Microsoft Intune
-1. Sign-in to [Azure Portal](https://portal.azure.com) using a tenant administrator account.
-2. You need your tenant ID to complete the following task. You can discovery your tenant ID viewing the **Properties** of your Azure Active Directory from the Azure Portal. It will be listed under Directory ID. You can also use the following command in a command Window on any Azure AD joined or hybrid Azure AD joined computer.
+1. Sign-in to [Azure Portal](https://portal.azure.com) using a Global administrator account.
+2. You need your tenant ID to complete the following task. You can discover your tenant ID by viewing the **Properties** of your Azure Active Directory from the Azure Portal. It will be listed under Directory ID. You can also use the following command in a Command window on any Azure AD-joined or hybrid Azure AD-joined computer.
```
dsregcmd /status | findstr -snip "tenantid"
@@ -86,9 +88,9 @@ To configure PIN reset on Windows devices you manage, use an [Intune Windows 10
#### Assign the PIN Reset Device configuration profile using Microsoft Intune
-1. Sign-in to [Azure Portal](https://portal.azure.com) using a tenant administrator account.
-2. Navigate to the Microsoft Intune blade. Click **Device configuration**. Click **Profiles**. From the list of device configuration profiles, click the profile that contains the PIN reset configuration.
-3. In the device configuration profile, click **Assignments**.
+1. Sign in to the [Azure Portal](https://portal.azure.com) using a Global administrator account.
+2. Navigate to the Microsoft Intune blade. Choose **Device configuration** > **Profiles**. From the list of device configuration profiles, choose the profile that contains the PIN reset configuration.
+3. In the device configuration profile, select **Assignments**.
4. Use the **Include** and/or **Exclude** tabs to target the device configuration profile to select groups.
## On-premises Deployments
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
index de0d46631b..528c1b6fe8 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
@@ -18,16 +18,23 @@ ms.reviewer:
# How Windows Hello for Business works
**Applies to**
+
- Windows 10
-Windows Hello for Business is a modern, two-factor credential that is the more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Azure Active Directory joined, Hybrid Azure Active Directory joined, or Azure Active Directory registered devices. Windows Hello for Business also works for domain joined devices.
+Windows Hello for Business is a modern, two-factor credential that is the more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Azure Active Directory joined, Hybrid Azure Active Directory joined, or Azure Active Directory registered devices. Windows Hello for Business also works for domain joined devices.
Watch this quick video where Pieter Wigleven gives a simple explanation of how Windows Hello for Business works and some of its supporting features.
> [!VIDEO https://www.youtube.com/embed/G-GJuDWbBE8]
## Technical Deep Dive
+
Windows Hello for Business is a distributed system that uses several components to accomplish device registration, provisioning, and authentication. Use this section to gain a better understanding of each of the components and how they support Windows Hello for Business.
+Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business provisioning and authentication work.
+
+> [!VIDEO https://www.youtube.com/embed/RImGsIjSJ1s]
+> [!VIDEO https://www.youtube.com/embed/WPmzoP_vMek]
+
- [Technology and Terminology](hello-how-it-works-technology.md)
- [Device Registration](hello-how-it-works-device-registration.md)
- [Provisioning](hello-how-it-works-provisioning.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index 54f37c9b50..1df6239643 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -644,28 +644,28 @@ Sign-in a workstation with access equivalent to a _domain user_.
3. Select **Device Configuration**, and then click **Profiles**.
4. Select **Create Profile**.
-5. Next to **Name**, type **WHFB Certificate Enrollment**.
-6. Next to **Description**, provide a description meaningful for your environment.
-7. Select **Windows 10 and later** from the **Platform** list.
-8. Select **SCEP certificate** from the **Profile** list.
- 
-9. The **SCEP Certificate** blade should open. Configure **Certificate validity period** to match your organization.
+5. Select **Windows 10 and later** from the **Platform** list.
+6. Choose **SCEP certificate** from the **Profile** list, and select **Create**.
+7. The **SCEP Certificate** wizard should open. Next to **Name**, type **WHFB Certificate Enrollment**.
+8. Next to **Description**, provide a description meaningful for your environment, then select **Next**.
+9. Select **User** as a certificate type.
+10. Configure **Certificate validity period** to match your organization.
> [!IMPORTANT]
- > Remember that you need to configure your certificate authority to allow Microsoft Intune to configure certificate validity.
+ > Remember that you need to configure your certificate authority to allow Microsoft Intune to configure certificate validity.
-10. Select **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** from the **Key storage provider (KSP)** list.
-11. Select **Custom** from the **Subject name format** list.
-12. Next to **Custom**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate.
-13. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** value.
-14. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**.
-15. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority.
+11. Select **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** from the **Key storage provider (KSP)** list.
+12. Select **Custom** from the **Subject name format** list.
+13. Next to **Custom**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate.
+14. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** value.
+15. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**.
+16. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority.
-16. Under **Extended key usage**, type **Smart Card Logon** under **Name**. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Click **Add**.
-17. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**.
+17. Under **Extended key usage**, type **Smart Card Logon** under **Name**. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Click **Add**.
+18. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**.
-18. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests among the URLs listed in the SCEP certificate profile.
-19. Click **OK**.
-20. Click **Create**.
+19. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests among the URLs listed in the SCEP certificate profile.
+20. Click **Next**.
+21. Click **Next** two more times to skip the **Scope tags** and **Assignments** steps of the wizard and click **Create**.
### Assign Group to the WHFB Certificate Enrollment Certificate Profile
Sign-in a workstation with access equivalent to a _domain user_.
diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
index c9213a887f..18f6f3dbf0 100644
--- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
+++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
@@ -15,40 +15,42 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
-ms.date: 10/18/2017
+ms.date: 4/16/2017
---
# Manage Windows Hello for Business in your organization
**Applies to**
-- Windows 10
+- Windows 10
You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10.
>[!IMPORTANT]
->The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. It still prevents or enables the creation of a convenience PIN for Windows 10, version 1507 and 1511.
+>The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. It still prevents or enables the creation of a convenience PIN for Windows 10, version 1507 and 1511.
>
->Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**.
+>Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**.
>
>Use **PIN Complexity** policy settings to manage PINs for Windows Hello for Business.
-
+
## Group Policy settings for Windows Hello for Business
-The following table lists the Group Policy settings that you can configure for Windows Hello use in your workplace. These policy settings are available in both **User configuration** and **Computer Configuration** under **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**.
+The following table lists the Group Policy settings that you can configure for Windows Hello use in your workplace. These policy settings are available in **User configuration** and **Computer Configuration** under **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**.
> [!NOTE]
> Starting with Windows 10, version 1709, the location of the PIN complexity section of the Group Policy is: **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity**.
-
+
| Policy |
+Scope |
Options |
| Use Windows Hello for Business |
|
+Computer or user |
- Not configured: Users can provision Windows Hello for Business, which encrypts their domain password.
+Not configured: Device does not provision Windows Hello for Business for any user.
Enabled: Device provisions Windows Hello for Business using keys or certificates for all users.
Disabled: Device does not provision Windows Hello for Business for any user.
|
@@ -56,15 +58,41 @@ The following table lists the Group Policy settings that you can configure for W
| Use a hardware security device |
|
+Computer |
Not configured: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.
-Enabled: Windows Hello for Business will only be provisioned using TPM.
+Enabled: Windows Hello for Business will only be provisioned using TPM. This feature will provision Windows Hello for Business using TPM 1.2 unless the option to exclude them is explicitly set.
Disabled: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.
|
+| Use certificate for on-premises authentication |
+ |
+Computer or user |
+
+ Not configured: Windows Hello for Business enrolls a key that is used for on-premises authentication.
+Enabled: Windows Hello for Business enrolls a sign-in certificate using ADFS that is used for on-premises authentication.
+Disabled: Windows Hello for Business enrolls a key that is used for on-premises authentication.
+ |
+
+Use PIN recovery |
+ |
+Computer |
+
+ Added in Windows 10, version 1703
+Not configured: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service.
+Enabled: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset.
+Disabled: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service.
+
+
+For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md).
+
+ |
+
+
| Use biometrics |
|
+Computer |
Not configured: Biometrics can be used as a gesture in place of a PIN.
Enabled: Biometrics can be used as a gesture in place of a PIN.
@@ -74,6 +102,7 @@ The following table lists the Group Policy settings that you can configure for W
|
| PIN Complexity |
Require digits |
+Computer |
Not configured: Users must include a digit in their PIN.
Enabled: Users must include a digit in their PIN.
@@ -82,6 +111,7 @@ The following table lists the Group Policy settings that you can configure for W
|
| Require lowercase letters |
+Computer |
Not configured: Users cannot use lowercase letters in their PIN.
Enabled: Users must include at least one lowercase letter in their PIN.
@@ -90,6 +120,7 @@ The following table lists the Group Policy settings that you can configure for W
|
| Maximum PIN length |
+Computer |
Not configured: PIN length must be less than or equal to 127.
Enabled: PIN length must be less than or equal to the number you specify.
@@ -98,6 +129,7 @@ The following table lists the Group Policy settings that you can configure for W
|
| Minimum PIN length |
+Computer |
Not configured: PIN length must be greater than or equal to 4.
Enabled: PIN length must be greater than or equal to the number you specify.
@@ -106,6 +138,7 @@ The following table lists the Group Policy settings that you can configure for W
|
| Expiration |
+Computer |
Not configured: PIN does not expire.
Enabled: PIN can be set to expire after any number of days between 1 and 730, or PIN can be set to never expire by setting policy to 0.
@@ -114,6 +147,7 @@ The following table lists the Group Policy settings that you can configure for W
|
| History |
+Computer |
Not configured: Previous PINs are not stored.
Enabled: Specify the number of previous PINs that can be associated to a user account that can't be reused.
@@ -124,6 +158,7 @@ The following table lists the Group Policy settings that you can configure for W
|
| Require special characters |
+Computer |
Not configured: Users cannot include a special character in their PIN.
Enabled: Users must include at least one special character in their PIN.
@@ -132,6 +167,7 @@ The following table lists the Group Policy settings that you can configure for W
|
| Require uppercase letters |
+Computer |
Not configured: Users cannot include an uppercase letter in their PIN.
Enabled: Users must include at least one uppercase letter in their PIN.
@@ -139,9 +175,9 @@ The following table lists the Group Policy settings that you can configure for W
|
-| >Phone Sign-in |
-
- Use Phone Sign-in
+ | Phone Sign-in |
+Use Phone Sign-in |
+Computer |
Not currently supported.
@@ -154,7 +190,7 @@ The following table lists the Group Policy settings that you can configure for W
The following table lists the MDM policy settings that you can configure for Windows Hello for Business use in your workplace. These MDM policy settings use the [PassportForWork configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkId=692070).
>[!IMPORTANT]
->Starting in Windows 10, version 1607, all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP.
+>Starting in Windows 10, version 1607, all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP.
@@ -166,7 +202,7 @@ The following table lists the MDM policy settings that you can configure for Win
| UsePassportForWork |
|
-Device |
+Device or user |
True |
True: Windows Hello for Business will be provisioned for all users on the device.
@@ -178,7 +214,7 @@ The following table lists the MDM policy settings that you can configure for Win
|
| RequireSecurityDevice |
|
-Device |
+Device or user |
False |
True: Windows Hello for Business will only be provisioned using TPM.
@@ -186,6 +222,32 @@ The following table lists the MDM policy settings that you can configure for Win
|
+| ExcludeSecurityDevice |
+TPM12 |
+Device |
+False |
+
+ Added in Windows 10, version 1703
+True: TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business.
+False: TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business.
+ |
+
+
+| EnablePinRecovery |
+ |
+Device or user |
+False |
+
+ Added in Windows 10, version 1703
+True: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset.
+False: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service.
+
+
+For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md).
+
+ |
+
+
| Biometrics |
UseBiometrics
@@ -216,19 +278,41 @@ The following table lists the MDM policy settings that you can configure for Win
|
| Digits |
Device or user |
-2 |
+1 |
- 1: Numbers are not allowed.
-2: At least one number is required.
+0: Digits are allowed.
+1: At least one digit is required.
+2: Digits are not allowed.
|
| Lowercase letters |
Device or user |
-1 |
+2 |
- 1: Lowercase letters are not allowed.
-2: At least one lowercase letter is required.
+0: Lowercase letters are allowed.
+1: At least one lowercase letter is required.
+2: Lowercase letters are not allowed.
+ |
+
+
+| Special characters |
+Device or user |
+2 |
+
+ 0: Special characters are allowed.
+1: At least one special character is required.
+2: Special characters are not allowed.
+ |
+
+
+| Uppercase letters |
+Device or user |
+2 |
+
+ 0: Uppercase letters are allowed.
+1: At least one uppercase letter is required.
+2: Uppercase letters are not allowed.
|
@@ -252,7 +336,7 @@ The following table lists the MDM policy settings that you can configure for Win
| Device or user |
0 |
- Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user’s PIN will never expire.
+ Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user's PIN will never expire.
|
@@ -261,29 +345,11 @@ The following table lists the MDM policy settings that you can configure for Win
Device or user |
0 |
- Integer value that specifies the number of past PINs that can be associated to a user account that can’t be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required.
+ Integer value that specifies the number of past PINs that can be associated to a user account that can't be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required.
|
-| Special characters |
-Device or user |
-1 |
-
- 1: Special characters are not allowed.
-2: At least one special character is required.
- |
-
-
-| Uppercase letters |
-Device or user |
-1 |
-
- 1: Uppercase letters are not allowed
-2: At least one uppercase letter is required
- |
-
-
| Remote |
UseRemotePassport
@@ -297,20 +363,53 @@ The following table lists the MDM policy settings that you can configure for Win
|
>[!NOTE]
-> If policy is not configured to explicitly require letters or special characters, users will be restricted to creating a numeric PIN.
-
+> In Windows 10, version 1709 and later, if policy is not configured to explicitly require letters or special characters, users can optionally set an alphanumeric PIN. Prior to version 1709 the user is required to set a numeric PIN.
+
+## Policy conflicts from multiple policy sources
+
+Windows Hello for Business is designed to be managed by Group Policy or MDM but not a combination of both. If policies are set from both sources it can result in a mixed result of what is actually enforced for a user or device.
+
+Policies for Windows Hello for Business are enforced using the following hierarchy: User Group Policy > Computer Group Policy > User MDM > Device MDM > Device Lock policy. All PIN complexity policies are grouped together and enforced from a single policy source.
+
+Use a hardware security device and RequireSecurityDevice enforcement are also grouped together with PIN complexity policy. Conflict resolution for other Windows Hello for Business policies is enforced on a per policy basis.
+
+>[!NOTE]
+> Windows Hello for Business policy conflict resolution logic does not respect the ControlPolicyConflict/MDMWinsOverGP policy in the Policy CSP.
+
+>Examples
+>
+>The following are configured using computer Group Policy:
+>
+>- Use Windows Hello for Business - Enabled
+>- User certificate for on-premises authentication - Enabled
+>- Require digits - Enabled
+>- Minimum PIN length - 6
+>
+>The following are configured using device MDM Policy:
+>
+>- UsePassportForWork - Disabled
+>- UseCertificateForOnPremAuth - Disabled
+>- MinimumPINLength - 8
+>- Digits - 1
+>- LowercaseLetters - 1
+>- SpecialCharacters - 1
+>
+>Enforced policy set:
+>
+>- Use Windows Hello for Business - Enabled
+>- Use certificate for on-premises authentication - Enabled
+>- Require digits - Enabled
+>- Minimum PIN length - 6d
## How to use Windows Hello for Business with Azure Active Directory
-There are three scenarios for using Windows Hello for Business in Azure AD–only organizations:
+There are three scenarios for using Windows Hello for Business in Azure AD–only organizations:
-- **Organizations that use the version of Azure AD included with Office 365**. For these organizations, no additional work is necessary. When Windows 10 was released to general availability, Microsoft changed the behavior of the Office 365 Azure AD stack. When a user selects the option to join a work or school network, the device is automatically joined to the Office 365 tenant’s directory partition, a certificate is issued for the device, and it becomes eligible for Office 365 MDM if the tenant has subscribed to that feature. In addition, the user will be prompted to log on and, if MFA is enabled, to enter an MFA proof that Azure AD sends to his or her phone.
-- **Organizations that use the free tier of Azure AD**. For these organizations, Microsoft has not enabled automatic domain join to Azure AD. Organizations that have signed up for the free tier have the option to enable or disable this feature, so automatic domain join won’t be enabled unless and until the organization’s administrators decide to enable it. When that feature is enabled, devices that join the Azure AD domain by using the Connect to work or school dialog box will be automatically registered with Windows Hello for Business support, but previously joined devices will not be registered.
+- **Organizations that use the version of Azure AD included with Office 365**. For these organizations, no additional work is necessary. When Windows 10 was released to general availability, Microsoft changed the behavior of the Office 365 Azure AD stack. When a user selects the option to join a work or school network, the device is automatically joined to the Office 365 tenant's directory partition, a certificate is issued for the device, and it becomes eligible for Office 365 MDM if the tenant has subscribed to that feature. In addition, the user will be prompted to log on and, if MFA is enabled, to enter an MFA proof that Azure AD sends to his or her phone.
+- **Organizations that use the free tier of Azure AD**. For these organizations, Microsoft has not enabled automatic domain join to Azure AD. Organizations that have signed up for the free tier have the option to enable or disable this feature, so automatic domain join won't be enabled unless and until the organization's administrators decide to enable it. When that feature is enabled, devices that join the Azure AD domain by using the Connect to work or school dialog box will be automatically registered with Windows Hello for Business support, but previously joined devices will not be registered.
- **Organizations that have subscribed to Azure AD Premium** have access to the full set of Azure AD MDM features. These features include controls to manage Windows Hello for Business. You can set policies to disable or force the use of Windows Hello for Business, require the use of a TPM, and control the length and strength of PINs set on the device.
-If you want to use Windows Hello for Business with certificates, you’ll need a device registration system. That means that you set up Configuration Manager, Microsoft Intune, or a compatible non-Microsoft MDM system and enable it to enroll devices. This is a prerequisite step to use Windows Hello for Business with certificates, no matter the IDP, because the enrollment system is responsible for provisioning the devices with the necessary certificates.
-
-
+If you want to use Windows Hello for Business with certificates, you'll need a device registration system. That means that you set up Configuration Manager, Microsoft Intune, or a compatible non-Microsoft MDM system and enable it to enroll devices. This is a prerequisite step to use Windows Hello for Business with certificates, no matter the IDP, because the enrollment system is responsible for provisioning the devices with the necessary certificates.
## Related topics
diff --git a/windows/security/identity-protection/hello-for-business/hello-videos.md b/windows/security/identity-protection/hello-for-business/hello-videos.md
index d9ecb9798b..00eddf6eee 100644
--- a/windows/security/identity-protection/hello-for-business/hello-videos.md
+++ b/windows/security/identity-protection/hello-for-business/hello-videos.md
@@ -24,14 +24,33 @@ ms.reviewer:
## Overview of Windows Hello for Business and Features
Watch Pieter Wigleven explain Windows Hello for Business, Multi-factor Unlock, and Dynamic Lock
+
> [!VIDEO https://www.youtube.com/embed/G-GJuDWbBE8]
+## Why PIN is more secure than a password
+
+Watch Dana Huang explain why a Windows Hello for Business PIN is more secure than a password.
+
+> [!VIDEO https://www.youtube.com/embed/cC24rPBvdhA]
+
## Microsoft's passwordless strategy
Watch Karanbir Singh's Ignite 2017 presentation **Microsoft's guide for going password-less**
> [!VIDEO https://www.youtube.com/embed/mXJS615IGLM]
+## Windows Hello for Business Provisioning
+
+Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business provisioning works.
+
+> [!VIDEO https://www.youtube.com/embed/RImGsIjSJ1s]
+
+## Windows Hello for Business Authentication
+
+Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business authentication works.
+
+> [!VIDEO https://www.youtube.com/embed/WPmzoP_vMek]
+
## Windows Hello for Business user enrollment experience
The user experience for Windows Hello for Business occurs after user sign-in, after you deploy Windows Hello for Business policy settings to your environment.
diff --git a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
index 375f2be134..d74bd61baa 100644
--- a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
+++ b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
@@ -21,13 +21,18 @@ ms.date: 10/23/2017
# Why a PIN is better than a password
**Applies to**
+
- Windows 10
Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password?
On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than a password, it's how it works.
+Watch Dana Huang explain why a Windows Hello for Business PIN is more secure than a password.
+
+> [!VIDEO https://www.youtube.com/embed/cC24rPBvdhA]
## PIN is tied to the device
+
One important difference between a password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who steals your password can sign in to your account from anywhere, but if they steal your PIN, they'd have to steal your physical device too!
Even you can't use that PIN anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Hello on each device.
@@ -44,7 +49,7 @@ When the PIN is created, it establishes a trusted relationship with the identity
The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. All Windows 10 Mobile phones and many modern laptops have TPM.
-User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Because Hello uses asymmetric key pairs, users credentials can’t be stolen in cases where the identity provider or websites the user accesses have been compromised.
+User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Because Hello uses asymmetric key pairs, users credentials can't be stolen in cases where the identity provider or websites the user accesses have been compromised.
The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked.
@@ -54,10 +59,11 @@ The Windows Hello for Business PIN is subject to the same set of IT management p
## What if someone steals the laptop or phone?
-To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the user’s biometrics or guess his or her PIN—and all of this must be done before [TPM anti-hammering](/windows/device-security/tpm/tpm-fundamentals#anti-hammering) protection locks the device.
+To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the user's biometrics or guess his or her PIN—and all of this must be done before [TPM anti-hammering](/windows/device-security/tpm/tpm-fundamentals#anti-hammering) protection locks the device.
You can provide additional protection for laptops that don't have TPM by enabling BitLocker and setting a policy to limit failed sign-ins.
**Configure BitLocker without TPM**
+
1. Use the Local Group Policy Editor (gpedit.msc) to enable the following policy:
**Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup**
@@ -72,7 +78,8 @@ You can provide additional protection for laptops that don't have TPM by enablin
2. Set the number of invalid logon attempts to allow, and then click OK.
## Why do you need a PIN to use biometrics?
-Windows Hello enables biometric sign-in for Windows 10: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN first. This PIN enables you to sign in using the PIN when you can’t use your preferred biometric because of an injury or because the sensor is unavailable or not working properly.
+
+Windows Hello enables biometric sign-in for Windows 10: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN first. This PIN enables you to sign in using the PIN when you can't use your preferred biometric because of an injury or because the sensor is unavailable or not working properly.
If you only had a biometric sign-in configured and, for any reason, were unable to use that method to sign in, you would have to sign in using your account and password, which doesn't provide you the same level of protection as Hello.
diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md
index 22d084bda3..66699d9e0b 100644
--- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md
+++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md
@@ -595,7 +595,7 @@ $ProfileXML = '
true
- http://webproxy.corp.contsoso.com/proxy.pac
+ http://webproxy.corp.contoso.com/proxy.pac
'
@@ -672,5 +672,5 @@ An example of an [Intune-ready XML file](https://docs.microsoft.com/windows/secu
>This XML is formatted for use with Intune and cannot contain any carriage returns or whitespace.
```xml
-truecorp.contoso.comtruecorp.contoso.comedge1.contoso.comForceTunnelIKEv2Certificate13.107.6.15231true13.107.18.1031true13.107.128.022true23.103.160.020true40.96.0.013true40.104.0.015true52.96.0.014true131.253.33.21532true132.245.0.016true150.171.32.022true191.234.140.022true204.79.197.21532true13.107.136.022true40.108.128.017true52.104.0.014true104.146.128.017true150.171.40.022true13.107.60.132true13.107.64.018true52.112.0.014true52.120.0.014truehttp://webproxy.corp.contsoso.com/proxy.pac
+truecorp.contoso.comtruecorp.contoso.comedge1.contoso.comForceTunnelIKEv2Certificate13.107.6.15231true13.107.18.1031true13.107.128.022true23.103.160.020true40.96.0.013true40.104.0.015true52.96.0.014true131.253.33.21532true132.245.0.016true150.171.32.022true191.234.140.022true204.79.197.21532true13.107.136.022true40.108.128.017true52.104.0.014true104.146.128.017true150.171.40.022true13.107.60.132true13.107.64.018true52.112.0.014true52.120.0.014truehttp://webproxy.corp.contoso.com/proxy.pac
```
diff --git a/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md b/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md
deleted file mode 100644
index 684b78d8e2..0000000000
--- a/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md
+++ /dev/null
@@ -1,122 +0,0 @@
----
-title: How Windows Information Protection (WIP) protects files with a sensitivity label (Windows 10)
-description: Explains how Windows Information Protection works with other Microsoft information protection technologies to protect files that have a sensitivity label.
-keywords: sensitivity, labels, WIP, Windows Information Protection, EDP, Enterprise Data Protection
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: dulcemontemayor
-ms.author: dansimp
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.date: 04/30/2019
-ms.reviewer:
----
-
-# How Windows Information Protection (WIP) protects a file that has a sensitivity label
-
-**Applies to:**
-
-- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-- Windows 10, version 1903
-- Windows 10, version 1809
-
->[!IMPORTANT]
->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
-This topic explains how Windows Information Protection works with other Microsoft information protection technologies to protect files that have a sensitivity label.
-Microsoft information protection technologies work together as an integrated solution to help enterprises:
-
-- Discover corporate data on endpoint devices
-- Classify and label information based on its content and context
-- Protect corporate data from unintentionally leaving to non-business environments
-- Enable audit reports of user interactions with corporate data on endpoint devices
-
-Microsoft information protection technologies include:
-
-- [Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) is built in to Windows 10 and protects local data at rest on endpoint devices, and manages apps to protect local data in use. Data that leaves the endpoint device, such as email attachment, is not protected by WIP.
-
-- [Azure Information Protection](https://docs.microsoft.com/azure/information-protection/what-is-information-protection) is a cloud-based solution that can be purchased either standalone or as part of Microsoft 365 Enterprise. It helps an organization classify and protect its documents and emails by applying labels. Azure Information Protection is applied directly to content, and roams with the content as it's moved between locations and cloud services.
-
-- [Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/what-is-cloud-app-security) is a cloud access security broker (CASB) solution that allows you to discover, classify, protect, and monitor user data in first-party and third-party Software-as-a-Service (SaaS) apps used by your organization.
-
-## How WIP protects sensitivity labels with endpoint data loss prevention
-
-You can create and manage [sensitivity labels](https://docs.microsoft.com/office365/securitycompliance/labels) in the Microsoft 365 compliance center.
-When you [create a sensitivity label](https://docs.microsoft.com/microsoft-365/compliance/create-sensitivity-labels), you can specify that endpoint data loss prevention applies to content with that label.
-
-
-
-Office app users can choose a sensitivity label from a menu and apply it to a file.
-
-
-
-WIP enforces default endpoint protection as follows:
-
-- If endpoint data loss prevention is enabled, the device enforces work protection for any file with the label
-- If endpoint data loss prevention is not enabled:
- - The device enforces work protection to a file downloaded from a work site
- - The device does not enforce work protection to a file downloaded from a personal site
-
-Here's an example where a file remains protected without any work context beyond the sensitivity label:
-
-1. Sara creates a PDF file on a Mac and labels it as **Confidential**.
-1. She emails the PDF from her Gmail account to Laura.
-1. Laura opens the PDF file on her Windows 10 device.
-1. Windows Defender Advanced Threat Protection (Windows Defender ATP) scans Windows 10 for any file that gets modified or created, including files that were created on a personal site.
-1. Windows Defender ATP triggers WIP policy.
-1. WIP policy protects the file even though it came from a personal site.
-
-## How WIP protects automatically classified files
-
-The next sections cover how Windows Defender ATP extends discovery and protection of sensitive information with improvements in Windows 10 version 1903.
-
-### Discovery
-
-Windows Defender ATP can extract the content of the file itself and evaluate whether it contains sensitive information types such as credit card numbers or employee ID numbers.
-When you create a sensitivity label, you can specify that the label be added to any file that contains a sensitive information type.
-
-
-
-A default set of [sensitive information types](https://docs.microsoft.com/office365/securitycompliance/what-the-sensitive-information-types-look-for) in Microsoft 365 compliance center includes credit card numbers, phone numbers, driver's license numbers, and so on.
-You can also [create a custom sensitive information type](https://docs.microsoft.com/office365/securitycompliance/create-a-custom-sensitive-information-type), which can include any keyword or expression that you want to evaluate.
-
-### Protection
-
-When a file is created or edited on a Windows 10 endpoint, Windows Defender ATP extracts the content and evaluates if it contains any default or custom sensitive information types that have been defined.
-If the file has a match, Windows Defender ATP applies endpoint data loss prevention even if the file had no label previously.
-
-Windows Defender ATP is integrated with Azure Information Protection for data discovery and reports sensitive information types that were discovered.
-Azure Information Protection aggregates the files with sensitivity labels and the sensitive information types they contain across the enterprise.
-
-
-
-You can see sensitive information types in Microsoft 365 compliance under **Classifications**. Default sensitive information types have Microsoft as the publisher. The publisher for custom types is the tenant name.
-
-
-
->[!NOTE]
->Automatic classification does not change the file itself, but it applies protection based on the label.
->WIP protects a file that contains a sensitive information type as a work file.
->Azure Information Protection works differently in that it extends a file with a new attribute so the protection persists if the file is copied.
-
-## Prerequisites
-
-- Endpoint data loss prevention requires Windows 10, version 1809
-- Auto labelling requires Windows 10, version 1903
-- Devices need to be onboarded to [Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection), which scans content for a label and applies WIP policy
-- [Sensitivity labels](https://docs.microsoft.com/office365/securitycompliance/labels) need to be configured in Microsoft 365 compliance center
-- WIP policy needs to be applied to endpoint devices by using [Intune](create-wip-policy-using-intune-azure.md) or [Microsoft Endpoint Configuration Manager](overview-create-wip-policy-configmgr.md)
-
-
-
-
-
-
-
-
-
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index e282446cf6..99d33dcb26 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -6,6 +6,7 @@
### [What's new in Microsoft Defender ATP](microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md)
### [Preview features](microsoft-defender-atp/preview.md)
### [Data storage and privacy](microsoft-defender-atp/data-storage-privacy.md)
+### [Overview of Microsoft Defender Security Center](microsoft-defender-atp/use.md)
### [Portal overview](microsoft-defender-atp/portal-overview.md)
### [Microsoft Defender ATP for US Government Community Cloud High customers](microsoft-defender-atp/commercial-gov.md)
diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index 35ac0e33f0..039851e80d 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -77,7 +77,7 @@ To further reinforce the security perimeter of your network, Microsoft Defender
- [Behavior monitoring](/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md)
- [Cloud-based protection](/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md)
- [Machine learning](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
-- [URL Protection](/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md)
+- [URL Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus)
- [Automated sandbox service](windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
index f1b9737820..da5160567b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
@@ -30,9 +30,9 @@ Your attack surface is the total number of places where an attacker could compro
Attack surface reduction rules target software behaviors that are often abused by attackers, such as:
-* Launching executable files and scripts that attempt to download or run files
-* Running obfuscated or otherwise suspicious scripts
-* Performing behaviors that apps don't usually initiate during normal day-to-day work
+- Launching executable files and scripts that attempt to download or run files
+- Running obfuscated or otherwise suspicious scripts
+- Performing behaviors that apps don't usually initiate during normal day-to-day work
These behaviors are sometimes seen in legitimate applications; however, they are considered risky because they are commonly abused by malware. Attack surface reduction rules can constrain these kinds of risky behaviors and help keep your organization safe.
@@ -44,9 +44,11 @@ For more information about configuring attack surface reduction rules, see [Enab
## Attack surface reduction features across Windows versions
-You can set attack surface reduction rules for computers running Windows 10 versions 1709 and 1803 or later, Windows Server version 1803 (Semi-Annual Channel) or later, and Windows Server 2019.
+You can set attack surface reduction rules for computers running the following versions of Windows:
+- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
+- [Windows Server, version 1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) (Semi-Annual Channel) or later
-To use the entire feature-set of attack surface reduction rules, you need a Windows 10 Enterprise license. With a Windows E5 license, you get advanced management capabilities including monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the Microsoft 365 security center. These advanced capabilities aren't available with an E3 license, but you can still use Event Viewer to review attack surface reduction rule events.
+To use the entire feature-set of attack surface reduction rules, you need a [Windows 10 Enterprise license](https://www.microsoft.com/licensing/product-licensing/windows10). With a [Windows E5 license](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses), you get advanced management capabilities including monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the [Microsoft 365 security center](https://docs.microsoft.com/microsoft-365/security/mtp/overview-security-center). These advanced capabilities aren't available with an E3 license, but you can still use Event Viewer to review attack surface reduction rule events.
## Review attack surface reduction events in the Microsoft Defender Security Center
@@ -77,11 +79,11 @@ You can review the Windows event log to view events generated by attack surface
This will create a custom view that filters events to only show the following, all of which are related to controlled folder access:
-Event ID | Description
--|-
-5007 | Event when settings are changed
-1121 | Event when rule fires in Block-mode
-1122 | Event when rule fires in Audit-mode
+|Event ID | Description |
+|---|---|
+|5007 | Event when settings are changed |
+|1121 | Event when rule fires in Block-mode |
+|1122 | Event when rule fires in Audit-mode |
The "engine version" listed for attack surface reduction events in the event log, is generated by Microsoft Defender ATP, not by the operating system. Microsoft Defender ATP is integrated with Windows 10, so this feature works on all devices with Windows 10 installed.
@@ -89,38 +91,42 @@ The "engine version" listed for attack surface reduction events in the event log
The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy or PowerShell. If you use Microsoft Endpoint Configuration Manager or Microsoft Intune, you do not need the GUIDs:
- Rule name | GUID | File & folder exclusions
--|-|-
-[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Supported
-[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Supported
-[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content) | 3B576869-A4EC-4529-8536-B80A7769E899 | Supported
-[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 | Supported
-[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | D3E037E1-3EB8-44C8-A917-57927947596D | Not supported
-[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC | Supported
-[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B | Supported
-[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | 01443614-cd74-433a-b99e-2ecdc07bfc25 | Supported
-[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | c1db55ab-c21a-4637-bb3f-a12568109d35 | Supported
-[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 | Supported
-[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | d1e49aac-8f56-4280-b9ba-993a6d77406c | Supported
-[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | Supported
-[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) | 26190899-1602-49e8-8b27-eb1d0a1ce869 | Supported
-[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c | Supported
-[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) | e6db77e5-3df2-4cf1-b95a-636979351e5b | Not supported
+| Rule name | GUID | File & folder exclusions | Minimum OS supported |
+|-----|----|---|---|
+|[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content) | `3B576869-A4EC-4529-8536-B80A7769E899` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) | `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | `D3E037E1-3EB8-44C8-A917-57927947596D` | Not supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) | `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | `01443614-cd74-433a-b99e-2ecdc07bfc25` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | `c1db55ab-c21a-4637-bb3f-a12568109d35` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | `d1e49aac-8f56-4280-b9ba-993a6d77406c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) | `26190899-1602-49e8-8b27-eb1d0a1ce869` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
+|[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) | `e6db77e5-3df2-4cf1-b95a-636979351e5b` | Not supported | [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) (build 18362) or greater |
### Block executable content from email client and webmail
This rule blocks the following file types from launching from email opened within the Microsoft Outlook application, or Outlook.com and other popular webmail providers:
-* Executable files (such as .exe, .dll, or .scr)
-* Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
+- Executable files (such as .exe, .dll, or .scr)
+- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
-This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Microsoft Endpoint Configuration Manager CB 1710
+This rule was introduced in:
+- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+- [Microsoft Endpoint Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions)
Microsoft Endpoint Configuration Manager name: Block executable content from email client and webmail
-GUID: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
+GUID: `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550`
### Block all Office applications from creating child processes
@@ -128,27 +134,35 @@ This rule blocks Office apps from creating child processes. This includes Word,
Creating malicious child processes is a common malware strategy. Malware that abuse Office as a vector often run VBA macros and exploit code to download and attempt to run additional payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes, such as spawning a command prompt or using PowerShell to configure registry settings.
-This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710
+This rule was introduced in:
+- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Office apps launching child processes
Configuration Manager name: Block Office application from creating child processes
-GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
+GUID: `D4F940AB-401B-4EFC-AADC-AD5F3C50688A`
### Block Office applications from creating executable content
This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating potentially malicious executable content, by blocking malicious code from being written to disk.
- Malware that abuse Office as a vector may attempt to break out of Office and save malicious components to disk. These malicious components would survive a computer reboot and persist on the system. Therefore, this rule defends against a common persistence technique.
+ Malware that abuses Office as a vector may attempt to break out of Office and save malicious components to disk. These malicious components would survive a computer reboot and persist on the system. Therefore, this rule defends against a common persistence technique.
-This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
+This rule was introduced in:
+- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+- [System Center Configuration Manager](https://docs.microsoft.com/configmgr/core/servers/manage/updates) (SCCM) CB 1710 (SCCM is now Microsoft Endpoint Configuration Manager)
Intune name: Office apps/macros creating executable content
SCCM name: Block Office applications from creating executable content
-GUID: 3B576869-A4EC-4529-8536-B80A7769E899
+GUID: `3B576869-A4EC-4529-8536-B80A7769E899`
### Block Office applications from injecting code into other processes
@@ -160,13 +174,17 @@ There are no known legitimate business purposes for using code injection.
This rule applies to Word, Excel, and PowerPoint.
-This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710
+This rule was introduced in:
+- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Office apps injecting code into other processes (no exceptions)
Configuration Manager name: Block Office applications from injecting code into other processes
-GUID: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
+GUID: `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84`
### Block JavaScript or VBScript from launching downloaded executable content
@@ -177,13 +195,17 @@ Although not common, line-of-business applications sometimes use scripts to down
> [!IMPORTANT]
> File and folder exclusions don't apply to this attack surface reduction rule.
-This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710
+This rule was introduced in:
+- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: js/vbs executing payload downloaded from Internet (no exceptions)
Configuration Manager name: Block JavaScript or VBScript from launching downloaded executable content
-GUID: D3E037E1-3EB8-44C8-A917-57927947596D
+GUID: `D3E037E1-3EB8-44C8-A917-57927947596D`
### Block execution of potentially obfuscated scripts
@@ -191,13 +213,17 @@ This rule detects suspicious properties within an obfuscated script.
Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. Malware authors also use obfuscation to make malicious code harder to read, which prevents close scrutiny by humans and security software.
-This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710
+This rule was introduced in:
+- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Obfuscated js/vbs/ps/macro code
Configuration Manager name: Block execution of potentially obfuscated scripts.
-GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
+GUID: `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC`
### Block Win32 API calls from Office macros
@@ -205,37 +231,42 @@ This rule prevents VBA macros from calling Win32 APIs.
Office VBA provides the ability to make Win32 API calls. Malware can abuse this capability, such as [calling Win32 APIs to launch malicious shellcode](https://www.microsoft.com/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/) without writing anything directly to disk. Most organizations don't rely on the ability to call Win32 APIs in their day-to-day functioning, even if they use macros in other ways.
-This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710
+This rule was introduced in:
+- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Win32 imports from Office macro code
Configuration Manager name: Block Win32 API calls from Office macros
-GUID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
+GUID: `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B`
### Block executable files from running unless they meet a prevalence, age, or trusted list criterion
This rule blocks the following file types from launching unless they meet prevalence or age criteria, or they're in a trusted list or an exclusion list:
-* Executable files (such as .exe, .dll, or .scr)
+- Executable files (such as .exe, .dll, or .scr)
-Launching untrusted or unknown executable files can be risky, as it may not not be initially clear if the files are malicious.
-
-> [!NOTE]
-> You must [enable cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) to use this rule.
+Launching untrusted or unknown executable files can be risky, as it may not be initially clear if the files are malicious.
> [!IMPORTANT]
-> The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly.
+> You must [enable cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) to use this rule.
The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly.
>
>You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to.
-This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1802
+This rule was introduced in:
+- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Executables that don't meet a prevalence, age, or trusted list criteria.
Configuration Manager name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
-GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25
+GUID: `01443614-cd74-433a-b99e-2ecdc07bfc25`
### Use advanced protection against ransomware
@@ -244,13 +275,17 @@ This rule provides an extra layer of protection against ransomware. It scans exe
> [!NOTE]
> You must [enable cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) to use this rule.
-This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1802
+This rule was introduced in:
+- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Advanced ransomware protection
Configuration Manager name: Use advanced protection against ransomware
-GUID: c1db55ab-c21a-4637-bb3f-a12568109d35
+GUID: `c1db55ab-c21a-4637-bb3f-a12568109d35`
### Block credential stealing from the Windows local security authority subsystem
@@ -261,13 +296,17 @@ LSASS authenticates users who log in to a Windows computer. Microsoft Defender C
> [!NOTE]
> In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.
-This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1802
+This rule was introduced in:
+- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Flag credential stealing from the Windows local security authority subsystem
Configuration Manager name: Block credential stealing from the Windows local security authority subsystem
-GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
+GUID: `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2`
### Block process creations originating from PSExec and WMI commands
@@ -276,13 +315,16 @@ This rule blocks processes created through [PsExec](https://docs.microsoft.com/s
> [!WARNING]
> Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr) because this rule blocks WMI commands the Configuration Manager client uses to function correctly.
-This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019
+This rule was introduced in:
+- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
Intune name: Process creation from PSExec and WMI commands
Configuration Manager name: Not applicable
-GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c
+GUID: `d1e49aac-8f56-4280-b9ba-993a6d77406c`
### Block untrusted and unsigned processes that run from USB
@@ -291,13 +333,17 @@ With this rule, admins can prevent unsigned or untrusted executable files from r
* Executable files (such as .exe, .dll, or .scr)
* Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
-This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1802
+This rule was introduced in:
+- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
Intune name: Untrusted and unsigned processes that run from USB
Configuration Manager name: Block untrusted and unsigned processes that run from USB
-GUID: b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
+GUID: `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4`
### Block Office communication application from creating child processes
@@ -308,13 +354,16 @@ This protects against social engineering attacks and prevents exploit code from
> [!NOTE]
> This rule applies to Outlook and Outlook.com only.
-This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Server 2019
+This rule was introduced in:
+- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
Intune name: Process creation from Office communication products (beta)
Configuration Manager name: Not yet available
-GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869
+GUID: `26190899-1602-49e8-8b27-eb1d0a1ce869`
### Block Adobe Reader from creating child processes
@@ -322,13 +371,16 @@ This rule prevents attacks by blocking Adobe Reader from creating additional pro
Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. By blocking child processes from being generated by Adobe Reader, malware attempting to use it as a vector are prevented from spreading.
-This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Server 2019
+This rule was introduced in:
+- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809)
+- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
Intune name: Process creation from Adobe Reader (beta)
Configuration Manager name: Not yet available
-GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
+GUID: `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c`
### Block persistence through WMI event subscription
@@ -336,17 +388,22 @@ This rule prevents malware from abusing WMI to attain persistence on a device.
Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden.
-This rule was introduced in: Windows 10 1903, Windows Server 1903
+This rule was introduced in:
+- [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903)
+- [Windows Server 1903](https://docs.microsoft.com/windows-server/get-started-19/whats-new-in-windows-server-1903-1909)
Intune name: Block persistence through WMI event subscription
Configuration Manager name: Not yet available
-GUID: e6db77e5-3df2-4cf1-b95a-636979351e5b
+GUID: `e6db77e5-3df2-4cf1-b95a-636979351e5b`
## Related topics
-* [Attack surface reduction FAQ](attack-surface-reduction.md)
-* [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
-* [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
-* [Compatibility of Microsoft Defender with other antivirus/antimalware](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md)
+- [Attack surface reduction FAQ](attack-surface-reduction.md)
+
+- [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
+
+- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
+
+- [Compatibility of Microsoft Defender with other antivirus/antimalware](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
index fdb2c392fa..eceb1d2833 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
@@ -18,7 +18,9 @@ ms.topic: article
# View details and results of automated investigations
-Pending and completed [remediation actions](manage-auto-investigation.md#remediation-actions) are listed in the **Action center** ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and the **Investigations** page ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)).
+During and after an automated investigation, certain remediation actions can be identified. Depending on the threat and how [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender ATP) is configured for your organization, some remediation actions are taken automatically.
+
+If you're part of your organization's security operations team, you can view pending and completed [remediation actions](manage-auto-investigation.md#remediation-actions) in the **Action center** ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)). You can also use the **Investigations** page ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) to view details about an investigation.
>[!NOTE]
>If your organization has implemented role-based access to manage portal access, only authorized users or user groups who have permission to view the machine or machine group will be able to view the entire investigation.
@@ -27,12 +29,13 @@ Pending and completed [remediation actions](manage-auto-investigation.md#remedia
-The action center consists of two main tabs, as described in the following table.
-
-|Tab |Description |
-|---------|---------|
-|Pending actions |Displays a list of ongoing investigations that require attention. Recommended actions are presented that your security operations team can approve or reject.
**NOTE**: The Pending tab appears only if there are pending actions to be approved (or rejected). |
-|History |Acts as an audit log for all of the following:
- All actions taken by automated investigation and remediation in Microsoft Defender ATP
Actions that were approved by your security operations team (some actions, such as sending a file to quarantine, can be undone)
- All commands ran and remediation actions that were applied in Live Response sessions (some actions can be undone)
- Remediation actions that were applied by Windows Defender Antivirus (some actions can be undone) |
+The action center consists of two main tabs: **Pending actions** and **History**.
+- **Pending actions** Displays a list of ongoing investigations that require attention. Recommended actions are presented that your security operations team can approve or reject. The Pending tab appears only if there are pending actions to be approved (or rejected).
+- **History** Acts as an audit log for all of the following items:
+ - Remediation actions that were taken as a result of an automated investigation
+ - Remediation actions that were approved by your security operations team (some actions, such as sending a file to quarantine, can be undone)
+ - Commands that were run and remediation actions that were applied in Live Response sessions (some actions can be undone)
+ - Remediation actions that were applied by Windows Defender Antivirus (some actions can be undone)
Use the **Customize columns** menu to select columns that you'd like to show or hide.
@@ -58,29 +61,30 @@ On the **Investigations** page, you can view details and use filters to focus on
|---------|---------|
|**Status** |(See [Automated investigation status](#automated-investigation-status)) |
|**Triggering alert** | The alert that initiated the automated investigation |
-|**Detection source** |The source of the alert that initiated the automated investigation. |
-|**Entities** | These can include device or machines, and machine groups. You can filter the automated investigations list to zone in a specific machine to see other investigations related to the machine, or to see specific machine groups that you might have created. |
-|**Threat** |The category of threat detected during the automated investigation. |
-|**Tags** |Filter using manually added tags that capture the context of an automated investigation.|
-|**Comments** |Select between filtering the list between automated investigations that have comments and those that don't.|
+|**Detection source** |The source of the alert that initiated the automated investigation |
+|**Entities** | Entities can include device or machines, and machine groups. You can filter the automated investigations list to zone in a specific machine to see other investigations related to the machine, or to see specific machine groups that were created. |
+|**Threat** |The category of threat detected during the automated investigation |
+|**Tags** |Filter using manually added tags that capture the context of an automated investigation|
+|**Comments** |Select between filtering the list between automated investigations that have comments and those that don't|
## Automated investigation status
-An automated investigation can be have one of the following status values:
+An automated investigation can have one of the following status values:
|Status |Description |
|---------|---------|
-| No threats found | No malicious entities found during the investigation. |
-| Failed | A problem has interrupted the investigation, preventing it from completing. |
-| Partially remediated | A problem prevented the remediation of some malicious entities. |
-| Pending action | Remediation actions require review and approval. |
+| Running | The investigation process has started and is underway. Malicious artifacts that are found are remediated. |
+| Partially investigated | Entities directly related to the alert have been investigated. However, a problem stopped the investigation of collateral entities. Check the investigation log ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) for specific details. |
+| No threats found | The investigation has finished and no threats were identified.
If you suspect something was missed (such as a false negative), you can use [advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview). |
+| Pending action | The investigation has found a threat, and an action to remediate that threat is awaiting approval. The Pending Action state is triggered when any threat with a corresponding action is found. However, the list of pending actions can increase as an investigation runs. Check the investigation log ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) to see if other items are still pending completion. |
+| Remediated | The investigation finished and all actions were approved (fully remediated). |
+| Partially remediated | The investigation resulted in remediation actions, and some were approved and completed. Other actions are still pending. |
+| Terminated by system | The investigation stopped. An investigation can stop for several reasons:
- The investigation's pending actions expired. Pending actions can time out after awaiting approval for an extended period of time.
- There are too many actions in the list.
Visit the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) to view and approve any pending actions. |
+| Failed | At least one investigation analyzer ran into a problem where it could not complete properly.
If an investigation fails after remediation actions were approved, the remediation actions might still have succeeded. Check the investigation log ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) for detailed results. |
+| Queued | An investigation is being held in a queue. When other investigations complete, queued investigations begin. |
| Waiting for machine | Investigation paused. The investigation will resume as soon as the machine is available. |
-| Queued | Investigation has been queued and will resume as soon as other remediation activities are completed. |
-| Running | Investigation ongoing. Malicious entities found will be remediated. |
-| Remediated | Malicious entities found were successfully remediated. |
-| Terminated by system | Investigation was stopped by the system. |
| Terminated by user | A user stopped the investigation before it could complete. |
-| Partially investigated | Entities directly related to the alert have been investigated. However, a problem stopped the investigation of collateral entities. |
+
## View details about an automated investigation
@@ -92,7 +96,7 @@ In this view, you'll see the name of the investigation, when it started and ende
### Investigation graph
-The investigation graph provides a graphical representation of an automated investigation. All investigation related information is simplified and arranged in specific sections. Clicking on any of the icons brings you the relevant section where you can view more information.
+The investigation graph provides a graphical representation of an automated investigation. All investigation-related information is simplified and arranged in specific sections. Clicking on any of the icons brings you the relevant section where you can view more information.
A progress ring shows two status indicators:
- Orange ring - shows the pending portion of the investigation
@@ -108,7 +112,7 @@ From this view, you can also view and add comments and tags about the investigat
### Alerts
-The **Alerts** tab for an automated investigation shows details such as a short description of the alert that initiated the automated investigation, severity, category, the machine associated with the alert, user, time in queue, status, investigation state, and who the investigation is assigned to.
+The **Alerts** tab for an automated investigation shows details such as a short description of the alert that initiated the automated investigation, severity, category, the machine associated with the alert, user, time in queue, status, investigation state, and to whom the investigation is assigned.
Additional alerts seen on a machine can be added to an automated investigation as long as the investigation is ongoing.
@@ -124,7 +128,7 @@ Machines that show the same threat can be added to an ongoing investigation and
Selecting a machine using the checkbox brings up the machine details pane where you can see more information such as machine details and logged-on users.
-Clicking on an machine name brings you the machine page.
+Clicking on a machine name brings you the machine page.
### Evidence
@@ -146,7 +150,7 @@ You can also click on an action to bring up the details pane where you'll see in
### Pending actions
-If there are pending actions on an automated investigation, you'll see a pop up similar to the following image.
+If there are pending actions on an automated investigation, you'll see a pop-up similar to the following image.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md b/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md
index 2830d49f18..de0e22cee2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md
@@ -77,7 +77,6 @@ Not currently available.
## Integrations
Integrations with the following Microsoft products are not currently available:
-- Azure Security Center
- Azure Advanced Threat Protection
- Azure Information Protection
- Office 365 Advanced Threat Protection
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md
index 09cd520b12..c5d535a96e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md
@@ -34,7 +34,7 @@ For more information on using Microsoft Defender ATP CSP see, [WindowsAdvancedTh
## Before you begin
If you're using Microsoft Intune, you must have the device MDM Enrolled. Otherwise, settings will not be applied successfully.
-For more information on enabling MDM with Microsoft Intune, see [Setup Windows Device Management](https://docs.microsoft.com/intune-classic/deploy-use/set-up-windows-device-management-with-microsoft-intune).
+For more information on enabling MDM with Microsoft Intune, see [Device enrollment (Microsoft Intune)](https://docs.microsoft.com/mem/intune/enrollment/device-enrollment).
## Onboard machines using Microsoft Intune
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
index 449dd5010c..2c8c2b2f66 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
@@ -15,7 +15,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
-ms.date: 04/24/2018
+ms.date: 04/16/2020
---
# Onboard non-persistent virtual desktop infrastructure (VDI) machines
@@ -23,7 +23,8 @@ ms.date: 04/24/2018
**Applies to:**
- Virtual desktop infrastructure (VDI) machines
-
+>[!WARNING]
+> Micrsosoft Defender ATP currently does not support Windows Virtual Desktop multi-user session.
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configvdi-abovefoldlink)
@@ -80,26 +81,62 @@ The following steps will guide you through onboarding VDI machines and will high
6. Test your solution:
- a. Create a pool with one machine.
+ a. Create a pool with one machine.
- b. Logon to machine.
+ b. Logon to machine.
- c. Logoff from machine.
+ c. Logoff from machine.
- d. Logon to machine with another user.
+ d. Logon to machine with another user.
- e. **For single entry for each machine**: Check only one entry in Microsoft Defender Security Center.
+ e. **For single entry for each machine**: Check only one entry in Microsoft Defender Security Center.
**For multiple entries for each machine**: Check multiple entries in Microsoft Defender Security Center.
7. Click **Machines list** on the Navigation pane.
8. Use the search function by entering the machine name and select **Machine** as search type.
+## Updating non-persistent virtual desktop infrastructure (VDI) images
+As a best practice, we recommend using offline servicing tools to patch golden/master images.
+For example, you can use the below commands to install an update while the image remains offline:
+
+```
+DISM /Mount-image /ImageFile:"D:\Win10-1909.vhdx" /index:1 /MountDir:"C:\Temp\OfflineServicing"
+DISM /Image:"C:\Temp\OfflineServicing" /Add-Package /Packagepath:"C:\temp\patch\windows10.0-kb4541338-x64.msu"
+DISM /Unmount-Image /MountDir:"C:\Temp\OfflineServicing" /commit
+```
+
+For more information on DISM commands and offline servicing, please refer to the articles below:
+- [Modify a Windows image using DISM](https://docs.microsoft.com/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism)
+- [DISM Image Management Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/dism-image-management-command-line-options-s14)
+- [Reduce the Size of the Component Store in an Offline Windows Image](https://docs.microsoft.com/windows-hardware/manufacture/desktop/reduce-the-size-of-the-component-store-in-an-offline-windows-image)
+
+If offline servicing is not a viable option for your non-persistent VDI environment, the following steps should be taken to ensure consistency and sensor health:
+
+1. After booting the master image for online servicing or patching, run an offboarding script to turn off the Microsoft Defender ATP sensor. For more information, see [Offboard machines using a local script](configure-endpoints-script.md#offboard-machines-using-a-local-script).
+
+2. Ensure the sensor is stopped by running the command below in a CMD window:
+
+ ```
+ sc query sense
+ ```
+
+3. Service the image as needed.
+
+4. Run the below commands using PsExec.exe (which can be downloaded from https://download.sysinternals.com/files/PSTools.zip) to cleanup the cyber folder contents that the sensor may have accumulated since boot:
+
+ ```
+ PsExec.exe -s cmd.exe
+ cd "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Cyber"
+ del *.* /f /s /q
+ exit
+ ```
+
+5. Re-seal the golden/master image as you normally would.
+
## Related topics
- [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp.md)
- [Onboard Windows 10 machines using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
- [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm.md)
- [Onboard Windows 10 machines using a local script](configure-endpoints-script.md)
- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md)
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
index 371aa16ecd..e7da43acc6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
@@ -31,7 +31,7 @@ ms.topic: article
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configserver-abovefoldlink)
-Microsoft Defender ATP extends support to also include the Windows Server operating system, providing advanced attack detection and investigation capabilities, seamlessly through the Microsoft Defender Security Center console.
+Microsoft Defender ATP extends support to also include the Windows Server operating system. This support provides advanced attack detection and investigation capabilities seamlessly through the Microsoft Defender Security Center console.
The service supports the onboarding of the following servers:
- Windows Server 2008 R2 SP1
@@ -46,7 +46,7 @@ For a practical guidance on what needs to be in place for licensing and infrastr
> [!NOTE]
> An Azure Security Center Standard license is required, per node, to enroll Microsoft Defender ATP on a supported Windows Server platform, see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services)
-## Windows Server 2008 R2 SP1, Windows Server 2012 R2 and Windows Server 2016
+## Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016
There are two options to onboard Windows Server 2008 R2 SP1, Windows Server 2012 R2 and Windows Server 2016 to Microsoft Defender ATP:
@@ -77,7 +77,7 @@ You'll need to take the following steps if you choose to onboard servers through
> This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2008 R2 SP1 and Windows Server 2012 R2.
- Turn on server monitoring from Microsoft Defender Security Center.
-- If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), simply attach the Microsoft Monitoring Agent (MMA) to report to your Microsoft Defender ATP workspace through Multihoming support. Otherwise, install and configure MMA to report sensor data to Microsoft Defender ATP as instructed below. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent).
+- If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Microsoft Defender ATP workspace through Multihoming support. Otherwise, install and configure MMA to report sensor data to Microsoft Defender ATP as instructed below. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent).
> [!TIP]
@@ -87,7 +87,7 @@ You'll need to take the following steps if you choose to onboard servers through
> [!IMPORTANT]
> This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2012 R2.
-Microsoft Defender ATP integrates with System Center Endpoint Protection to provide visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware.
+Microsoft Defender ATP integrates with System Center Endpoint Protection. The integration provides visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware.
The following steps are required to enable this integration:
- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie)
@@ -100,7 +100,7 @@ The following steps are required to enable this integration:
2. Select Windows Server 2012 R2 and 2016 as the operating system.
-3. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment set up. When the set up completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent.
+3. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment setup. When the setup completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent.
@@ -126,7 +126,7 @@ Once completed, you should see onboarded servers in the portal within an hour.
## Windows Server, version 1803 and Windows Server 2019
-To onboard Windows Server, version 1803 or Windows Server 2019, please refer to the supported methods and versions below.
+To onboard Windows Server, version 1803 or Windows Server 2019, refer to the supported methods and versions below.
> [!NOTE]
> The Onboarding package for Windows Server 2019 through Microsoft Endpoint Configuration Manager currently ships a script. For more information on how to deploy scripts in Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/packages-and-programs).
@@ -140,11 +140,11 @@ Supported tools include:
For more information, see [Onboard Windows 10 machines](configure-endpoints.md).
-Support for Windows Server, version 1803 and Windows 2019 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well.
+Support for Windows Server, provide deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well.
1. Configure Microsoft Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints.md).
-2. If you’re running a third party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings and verify it was configured correctly:
+2. If you're running a third-party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings. Verify that it was configured correctly:
a. Set the following registry entry:
- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
@@ -165,17 +165,17 @@ Support for Windows Server, version 1803 and Windows 2019 provides deeper insigh
```sc query Windefend```
- If the result is ‘The specified service does not exist as an installed service’, then you'll need to install Windows Defender AV. For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
+ If the result is 'The specified service does not exist as an installed service', then you'll need to install Windows Defender AV. For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
## Integration with Azure Security Center
-Microsoft Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Microsoft Defender ATP to provide improved threat detection for Windows Servers.
+Microsoft Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration, Azure Security Center can leverage the power of Microsoft Defender ATP to provide improved threat detection for Windows Servers.
The following capabilities are included in this integration:
- Automated onboarding - Microsoft Defender ATP sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding).
> [!NOTE]
- > Automated onboarding is only applicable for Windows Server 2012 R2 and Windows Server 2016.
+ > Automated onboarding is only applicable for Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016.
- Servers monitored by Azure Security Center will also be available in Microsoft Defender ATP - Azure Security Center seamlessly connects to the Microsoft Defender ATP tenant, providing a single view across clients and servers. In addition, Microsoft Defender ATP alerts will be available in the Azure Security Center console.
- Server investigation - Azure Security Center customers can access Microsoft Defender Security Center to perform detailed investigation to uncover the scope of a potential breach
diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md
index a1d4579881..0786bb44f2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md
@@ -76,6 +76,9 @@ See the [attack surface reduction](attack-surface-reduction.md) topic for detail
4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
+> [!WARNING]
+> Do not use quotes as they are not supported for either the **Value name** column or the **Value** column.
+
### Use PowerShell to exclude files and folders
1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
index 655d13f73e..9b5990bdb7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
@@ -131,10 +131,13 @@ Value: c:\path|e:\path|c:\Whitelisted.exe
5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
+> [!WARNING]
+> Do not use quotes as they are not supported for either the **Value name** column or the **Value** column.
+
## PowerShell
->[!WARNING]
->If you manage your computers and devices with Intune, Configuration Manager, or other enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup.
+> [!WARNING]
+> If you manage your computers and devices with Intune, Configuration Manager, or other enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup.
1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md
index a003bd5a09..f408e29140 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md
@@ -67,6 +67,8 @@ Enable security information and event management (SIEM) integration so you can p
> [!NOTE]
> You'll need to generate a new Refresh token every 90 days.
+6. Follow the instructions for [creating an Azure AD app registration for Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp) and assign the correct permissions to it to read alerts.
+
You can now proceed with configuring your SIEM solution or connecting to the detections REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive detections from Microsoft Defender Security Center.
## Integrate Microsoft Defender ATP with IBM QRadar
diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md
index da28a46770..1d9da1a791 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md
@@ -58,6 +58,9 @@ Event ID | Description
1124 | Audited controlled folder access event
1123 | Blocked controlled folder access event
+> [!TIP]
+> You can configure a [Windows Event Forwarding subscription](https://docs.microsoft.com/windows/win32/wec/setting-up-a-source-initiated-subscription) to collect the logs centrally.
+
## Customize protected folders and apps
During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-dashboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-dashboard.png
new file mode 100644
index 0000000000..94df3bad5b
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-dashboard.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-download-package.png b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-download-package.png
index 6d49c8b659..ef831f2c25 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-download-package.png and b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-download-package.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-onboarding-wizard.png b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-onboarding-wizard.png
index 39b714cdd4..ef12c4002b 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-onboarding-wizard.png and b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-onboarding-wizard.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-portal-overview.png b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-portal-overview.png
new file mode 100644
index 0000000000..a08711f23f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-portal-overview.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/rules-indicators.png b/windows/security/threat-protection/microsoft-defender-atp/images/rules-indicators.png
index 570609f803..6062d5248d 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/rules-indicators.png and b/windows/security/threat-protection/microsoft-defender-atp/images/rules-indicators.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md
index 174242a934..95806be4e6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md
@@ -21,11 +21,11 @@ manager: dansimp
**Applies to:**
-* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](microsoft-defender-advanced-threat-protection.md)
Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level.
-Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are now included in exploit protection.
+Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/help/2458544/) are now included in exploit protection.
You use the Windows Security app or PowerShell to create a set of mitigations (known as a configuration). You can then export this configuration as an XML file and share it with multiple machines on your network so they all have the same set of mitigation settings.
@@ -33,7 +33,7 @@ You can also convert and import an existing EMET configuration XML file into an
This topic describes how to create a configuration file and deploy it across your network, and how to convert an EMET configuration.
-The [Evaluation Package](https://aka.ms/mp7z2w) contains a sample configuration file (name *ProcessMitigation-Selfhost-v4.xml* that you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it directly into exploit protection and then review the settings in the Windows Security app, as described further in this topic.
+The [Evaluation Package](https://demo.wd.microsoft.com/Page/EP) contains a sample configuration file (name *ProcessMitigation.xml* (Selfhost v4) that you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it directly into exploit protection and then review the settings in the Windows Security app, as described further in this topic.
## Create and export a configuration file
@@ -53,27 +53,28 @@ When you have configured exploit protection to your desired state (including bot
3. At the bottom of the **Exploit protection** section, click **Export settings** and then choose the location and name of the XML file where you want the configuration to be saved.
-> [!IMPORTANT]
-> If you want to use Default configuration, use the settings "On by default" instead of "Use Default (On)" to get the settings exported correctly on the XML file.
+ > [!IMPORTANT]
+ > If you want to use Default configuration, use the settings "On by default" instead of "Use Default (On)" to get the settings exported correctly on the XML file.
-
+ 
-> [!NOTE]
-> When you export the settings, all settings for both app-level and system-level mitigations are saved. This means you don't need to export a file from both the **System settings** and **Program settings** sections - either section will export all settings.
+ > [!NOTE]
+ > When you export the settings, all settings for both app-level and system-level mitigations are saved. This means you don't need to export a file from both the **System settings** and **Program settings** sections—either section will export all settings.
### Use PowerShell to export a configuration file
-1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
+1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**.
2. Enter the following cmdlet:
```PowerShell
Get-ProcessMitigation -RegistryConfigFilePath filename.xml
```
-Change `filename` to any name or location of your choosing.
+ Change `filename` to any name or location of your choosing.
-Example command
-**Get-ProcessMitigation -RegistryConfigFilePath C:\ExploitConfigfile.xml**
+ Example command:
+
+ **Get-ProcessMitigation -RegistryConfigFilePath C:\ExploitConfigfile.xml**
> [!IMPORTANT]
> When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration file. Ensure you place the file in a shared location.
@@ -86,17 +87,18 @@ After importing, the settings will be instantly applied and can be reviewed in t
### Use PowerShell to import a configuration file
-1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
+1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**.
2. Enter the following cmdlet:
```PowerShell
Set-ProcessMitigation -PolicyFilePath filename.xml
```
-Change `filename` to the location and name of the exploit protection XML file.
+ Change `filename` to the location and name of the exploit protection XML file.
-Example command
-**Set-ProcessMitigation -PolicyFilePath C:\ExploitConfigfile.xml**
+ Example command:
+
+ **Set-ProcessMitigation -PolicyFilePath C:\ExploitConfigfile.xml**
> [!IMPORTANT]
>
@@ -116,14 +118,14 @@ You can only do this conversion in PowerShell.
>
> You can then convert that file using the PowerShell cmdlet described here before importing the settings into Exploit protection.
-1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
+1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**.
2. Enter the following cmdlet:
```PowerShell
ConvertTo-ProcessMitigationPolicy -EMETFilePath emetFile.xml -OutputFilePath filename.xml
```
-Change `emetFile` to the name and location of the EMET configuration file, and change `filename` to whichever location and file name you want to use.
+ Change `emetFile` to the name and location of the EMET configuration file, and change `filename` to whichever location and file name you want to use.
> [!IMPORTANT]
>
@@ -141,7 +143,7 @@ You can use Group Policy to deploy the configuration you've created to multiple
### Use Group Policy to distribute the configuration
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
@@ -151,14 +153,14 @@ You can use Group Policy to deploy the configuration you've created to multiple
4. Double-click the **Use a common set of Exploit protection settings** setting and set the option to **Enabled**.
-5. In the **Options::** section, enter the location and filename of the Exploit protection configuration file that you want to use, such as in the following examples:
+5. In the **Options::** section, enter the location and file name of the Exploit protection configuration file that you want to use, such as in the following examples:
* C:\MitigationSettings\Config.XML
* \\\Server\Share\Config.xml
* https://localhost:8080/Config.xml
* C:\ExploitConfigfile.xml
-6. Click **OK** and [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx).
+6. Click **OK** and [Deploy the updated GPO as you normally do](https://docs.microsoft.com/windows/win32/srvnodes/group-policy).
## Related topics
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md
index 308e1695b1..4a25d355bf 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md
@@ -64,6 +64,9 @@ $ curl -x http://proxy_address:port -w ' %{url_effective}\n' 'https://x.cp.wd.mi
Ensure that you use the same proxy address and port as configured in the `/lib/system/system/mdatp.service` file. Check your proxy configuration if there are errors from the above commands.
+> [!WARNING]
+> The static proxy cannot be configured through a system-wide `HTTPS_PROXY` environment variable. Instead, ensure that `HTTPS_PROXY` is properly set in the `/lib/system/system/mdatp.service` file.
+
To use a static proxy, the `mdatp.service` file must be modified. Ensure the leading `#` is removed to uncomment the following line from `/lib/systemd/system/mdatp.service`:
```bash
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md
index 9ebc453a7a..4c49223e78 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md
@@ -21,6 +21,9 @@ ms.topic: conceptual
## 100.90.70
+> [!WARNING]
+> When upgrading the installed package from a product version earlier than 100.90.70, the update may fail on Red Hat-based and SLES distributions. This is because of a major change in a file path. A temporary solution is to remove the older package, and then install the newer one. This issue does not exist in newer versions.
+
- Antivirus [exclusions now support wildcards](linux-exclusions.md#supported-exclusion-types)
- Added the ability to [troubleshoot performance issues](linux-support-perf.md) through the `mdatp` command-line tool
- Improvements to make the package installation more robust
diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response.md b/windows/security/threat-protection/microsoft-defender-atp/live-response.md
index aa9058cedb..c965ddd359 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/live-response.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/live-response.md
@@ -59,6 +59,9 @@ You'll need to enable the live response capability in the [Advanced features set
>[!NOTE]
>Only users with manage security or global admin roles can edit these settings.
+
+- **Ensure that the machine has an Automation Remediation level assigned to it**
+You'll need to enable, at least, the minimum Remdiation Level for a given Machine Group. Otherwise you won't be able to establish a Live Response session to a member of that group.
- **Enable live response unsigned script execution** (optional)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md
index 9a7563b95c..1daa3a12b2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md
@@ -24,15 +24,29 @@ ms.topic: conceptual
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
This topic describes how to deploy Microsoft Defender ATP for Mac through Intune. A successful deployment requires the completion of all of the following steps:
-- [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
-- [Client device setup](#client-device-setup)
-- [Create System Configuration profiles](#create-system-configuration-profiles)
-- [Publish application](#publish-application)
+
+1. [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
+1. [Client device setup](#client-device-setup)
+1. [Create System Configuration profiles](#create-system-configuration-profiles)
+1. [Publish application](#publish-application)
## Prerequisites and system requirements
Before you get started, see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version.
+## Overview
+
+The following table summarizes the steps you would need to take to deploy and manage Microsoft Defender ATP for Macs, via Intune. More detailed steps are available below.
+
+| Step | Sample file names | BundleIdentifier |
+|-|-|-|
+| [Download installation and onboarding packages](#download-installation-and-onboarding-packages) | WindowsDefenderATPOnboarding__MDATP_wdav.atp.xml | com.microsoft.wdav.atp |
+| [Approve Kernel Extension for Microsoft Defender ATP](#download-installation-and-onboarding-packages) | MDATP_KExt.xml | N/A |
+| [Grant full disk access to Microsoft Defender ATP](#create-system-configuration-profiles-step-8) | MDATP_tcc_Catalina_or_newer.xml | com.microsoft.wdav.tcc |
+| [Configure Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-updates#intune) | MDATP_Microsoft_AutoUpdate.xml | com.microsoft.autoupdate2 |
+| [Microsoft Defender ATP configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#intune-profile-1)
**Note:** If you are planning to run a 3rd party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.xml | com.microsoft.wdav |
+| [Configure Microsoft Defender ATP and MS AutoUpdate (MAU) notifications](#create-system-configuration-profiles-step-9) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.autoupdate2 or com.microsoft.wdavtray |
+
## Download installation and onboarding packages
Download the installation and onboarding packages from Microsoft Defender Security Center:
@@ -86,23 +100,23 @@ Download the installation and onboarding packages from Microsoft Defender Securi
## Client device setup
-You need no special provisioning for a Mac device beyond a standard [Company Portal installation](https://docs.microsoft.com/intune-user-help/enroll-your-device-in-intune-macos-cp).
+You do not need any special provisioning for a Mac device beyond a standard [Company Portal installation](https://docs.microsoft.com/intune-user-help/enroll-your-device-in-intune-macos-cp).
-1. You are asked to confirm device management.
+1. Confirm device management.
- 
+
- Select **Open System Preferences**, locate **Management Profile** on the list, and select **Approve...**. Your Management Profile would be displayed as **Verified**:
+Select **Open System Preferences**, locate **Management Profile** on the list, and select **Approve...**. Your Management Profile would be displayed as **Verified**:
- 
+
2. Select **Continue** and complete the enrollment.
- You may now enroll more devices. You can also enroll them later, after you have finished provisioning system configuration and application packages.
+You may now enroll more devices. You can also enroll them later, after you have finished provisioning system configuration and application packages.
3. In Intune, open **Manage** > **Devices** > **All devices**. Here you can see your device among those listed:
- 
+
## Create System Configuration profiles
@@ -116,7 +130,7 @@ You need no special provisioning for a Mac device beyond a standard [Company Por
5. Select **Manage** > **Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
6. Repeat steps 1 through 5 for more profiles.
7. Create another profile, give it a name, and upload the intune/WindowsDefenderATPOnboarding.xml file.
-8. Create tcc.xml file with content below. Create another profile, give it any name and upload this file to it.
+8. Create tcc.xml file with content below. Create another profile, give it any name and upload this file to it.
> [!CAUTION]
> macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender ATP is not able to fully protect your device.
@@ -187,7 +201,7 @@ You need no special provisioning for a Mac device beyond a standard [Company Por
```
-9. To whitelist Defender and Auto Update for displaying notifications in UI on macOS 10.15 (Catalina), import the following .mobileconfig as a custom payload:
+9. To whitelist Defender and Auto Update for displaying notifications in UI on macOS 10.15 (Catalina), import the following .mobileconfig as a custom payload:
```xml
@@ -284,9 +298,9 @@ You need no special provisioning for a Mac device beyond a standard [Company Por
10. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
- Once the Intune changes are propagated to the enrolled devices, you can see them listed under **Monitor** > **Device status**:
+Once the Intune changes are propagated to the enrolled devices, you can see them listed under **Monitor** > **Device status**:
- 
+
## Publish application
@@ -294,11 +308,13 @@ You need no special provisioning for a Mac device beyond a standard [Company Por
2. Select **App type=Other/Line-of-business app**.
3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload.
4. Select **Configure** and add the required information.
-5. Use **macOS High Sierra 10.13** as the minimum OS.
+5. Use **macOS High Sierra 10.13** as the minimum OS.
6. Set *Ignore app version* to **Yes**. Other settings can be any arbitrary value.
> [!CAUTION]
- > Setting *Ignore app version* to **No** impacts the ability of the application to receive updates through Microsoft AutoUpdate. If the version uploaded by Intune is lower than the version on the device, then the lower version will be installed, effectively downgrading Defender. This could result in a non-functioning application. See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated. If you deployed Defender with *Ignore app version* set to **No**, please change it to **Yes**. If Defender still cannot be installed on a client machine, then uninstall Defender and push the updated policy.
+ > Setting *Ignore app version* to **No** impacts the ability of the application to receive updates through Microsoft AutoUpdate. See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated.
+ >
+ > If the version uploaded by Intune is lower than the version on the device, then the lower version will be installed, effectively downgrading Defender. This could result in a non-functioning application. See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated. If you deployed Defender with *Ignore app version* set to **No**, please change it to **Yes**. If Defender still cannot be installed on a client machine, then uninstall Defender and push the updated policy.
@@ -311,7 +327,7 @@ You need no special provisioning for a Mac device beyond a standard [Company Por
9. Change **Assignment type** to **Required**.
-10. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Click **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**.
+10. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Select **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**.
@@ -341,7 +357,7 @@ Solution: Follow the steps above to create a device profile using WindowsDefende
## Logging installation issues
-For more information on how to find the automatically generated log that is created by the installer when an error occurs, see [Logging installation issues](mac-resources.md#logging-installation-issues) .
+For more information on how to find the automatically generated log that is created by the installer when an error occurs, see [Logging installation issues](mac-resources.md#logging-installation-issues).
## Uninstallation
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md
index 2e8c52861f..da29d3b4a2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md
@@ -15,7 +15,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/03/2020
+ms.date: 04/10/2020
---
# JAMF-based deployment for Microsoft Defender ATP for Mac
@@ -25,11 +25,12 @@ ms.date: 04/03/2020
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
This topic describes how to deploy Microsoft Defender ATP for Mac through JAMF. A successful deployment requires the completion of all of the following steps:
-- [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
-- [Create JAMF policies](#create-jamf-policies)
-- [Client device setup](#client-device-setup)
-- [Deployment](#deployment)
-- [Check onboarding status](#check-onboarding-status)
+
+1. [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
+1. [Create JAMF policies](#create-jamf-policies)
+1. [Client device setup](#client-device-setup)
+1. [Deployment](#deployment)
+1. [Check onboarding status](#check-onboarding-status)
## Prerequisites and system requirements
@@ -37,6 +38,19 @@ Before you get started, please see [the main Microsoft Defender ATP for Mac page
In addition, for JAMF deployment, you need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes having a properly configured distribution point. JAMF has many ways to complete the same task. These instructions provide an example for most common processes. Your organization might use a different workflow.
+## Overview
+
+The following table summarizes the steps you would need to take to deploy and manage Microsoft Defender ATP for Macs, via JAMF. More detailed steps are available below.
+
+| Step | Sample file names | BundleIdentifier |
+|-|-|-|
+| [Download installation and onboarding packages](#download-installation-and-onboarding-packages) | WindowsDefenderATPOnboarding__MDATP_wdav.atp.xml | com.microsoft.wdav.atp |
+| [Microsoft Defender ATP configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#property-list-for-jamf-configuration-profile-1)
**Note:** If you are planning to run a 3rd party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.plist | com.microsoft.wdav |
+| [Configure Microsoft Defender ATP and MS AutoUpdate (MAU) notifications](#notification-settings) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.wdavtray |
+| [Configure Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-updates#jamf) | MDATP_Microsoft_AutoUpdate.mobileconfig | com.microsoft.autoupdate2 |
+| [Grant Full Disk Access to Microsoft Defender ATP](#privacy-preferences-policy-control) | Note: If there was one, MDATP_tcc_Catalina_or_newer.plist | com.microsoft.wdav.tcc |
+| [Approve Kernel Extension for Microsoft Defender ATP](#approved-kernel-extension) | Note: If there was one, MDATP_KExt.plist | N/A |
+
## Download installation and onboarding packages
Download the installation and onboarding packages from Microsoft Defender Security Center:
@@ -44,16 +58,16 @@ Download the installation and onboarding packages from Microsoft Defender Securi
1. In Microsoft Defender Security Center, go to **Settings > Machine management > Onboarding**.
2. In Section 1 of the page, set the operating system to **Linux, macOS, iOS or Android**.
3. Set the deployment method to **Mobile Device Management / Microsoft Intune**.
-
- >[!NOTE]
- >Jamf falls under **Mobile Device Management**.
-
+
+ > [!NOTE]
+ > Jamf falls under **Mobile Device Management**.
+
4. In Section 2 of the page, select **Download installation package**. Save it as _wdav.pkg_ to a local directory.
5. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory.
-5. From the command prompt, verify that you have the two files. Extract the contents of the .zip files like so:
+6. From the command prompt, verify that you have the two files. Extract the contents of the .zip files like so:
```bash
$ ls -l
@@ -81,6 +95,7 @@ The configuration profile contains a custom settings payload that includes the f
To set the onboarding information, add a property list file that is named **jamf/WindowsDefenderATPOnboarding.plist** as a custom setting. To do this, select **Computers** > **Configuration Profiles** > **New**, and then select **Application & Custom Settings** > **Configure**. From there, you can upload the property list.
+
>[!IMPORTANT]
> You have to set the **Preference Domain** to **com.microsoft.wdav.atp**. There are some changes to the Custom Payloads and also to the Jamf Pro user interface in version 10.18 and later versions. For more information about the changes, see [Configuration Profile Payload Settings Specific to Jamf Pro](https://www.jamf.com/jamf-nation/articles/217/configuration-profile-payload-settings-specific-to-jamf-pro).
@@ -231,6 +246,7 @@ $ mdatp --health healthy
The above command prints "1" if the product is onboarded and functioning as expected.
If the product is not healthy, the exit code (which can be checked through `echo $?`) indicates the problem:
+
- 0 if the device is not yet onboarded
- 3 if the connection to the daemon cannot be established—for example, if the daemon is not running
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
index a9250abb97..8ae4bbb815 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
@@ -21,39 +21,39 @@ ms.topic: conceptual
## Remediation actions
-When an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *Clean*. Depending on the type of threat and resulting verdict, remediation actions occur automatically or upon approval by your organization’s security operations team. For example, some actions, such as removing malware, are taken automatically. Other actions require review and approval to proceed.
+When an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *No threats found*. Depending on the type of threat and resulting verdict, remediation actions occur automatically or upon approval by your organization’s security operations team. For example, some actions, such as removing malware, are taken automatically. Other actions require review and approval to proceed.
When a verdict of *Malicious* is reached for a piece of evidence, Microsoft Defender Advanced Threat Protection takes one of the following remediation actions automatically:
-- Quarantine file
-- Remove registry key
-- Kill process
-- Stop service
-- Remove registry key
-- Disable driver
-- Remove scheduled task
+- Quarantine a file
+- Remove a registry key
+- Kill a process
+- Stop a service
+- Remove a registry key
+- Disable a driver
+- Remove a scheduled task
-Evidence determined as *Suspicious* results in pending actions that require approval. As a best practice, make sure to [approve (or reject) pending actions](#review-pending-actions) as soon as possible. This helps your automated investigations complete in a timely manner.
+Evidence determined as *Suspicious* results in pending actions that require approval. As a best practice, make sure to [approve (or reject) pending actions](#review-pending-actions) as soon as possible so that you automated investigations complete in a timely manner.
-No actions are taken when evidence is determined to be *Clean*.
+No actions are taken when a verdict of *No threats found* is reached for a piece of evidence.
In Microsoft Defender Advanced Threat Protection, all verdicts are [tracked and viewable in the Microsoft Defender Security Center](#review-completed-actions).
## Review pending actions
-1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. This takes you to your Security dashboard.
+1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. You'll see the Security dashboard.
2. On the Security dashboard, in the navigation pane on the left, choose **Automated investigations** > **Action center**.
3. Review any items on the **Pending** tab.
- Selecting an investigation from any of the categories opens a panel where you can approve or reject the remediation. Other details such as file or service details, investigation details, and alert details are displayed. From the panel, you can click on the **Open investigation page** link to see the investigation details.
+ Select an investigation from any of the categories to open a panel where you can approve or reject remediation actions. Other details such as file or service details, investigation details, and alert details are displayed. From the panel, you can click on the **Open investigation page** link to see the investigation details.
You can also select multiple investigations to approve or reject actions on multiple investigations.
## Review completed actions
-1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. This takes you to your Security dashboard.
+1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. You'll see the Security dashboard.
2. On the Security dashboard, in the navigation pane on the left, choose **Automated investigations** > **Action center**.
@@ -61,6 +61,12 @@ In Microsoft Defender Advanced Threat Protection, all verdicts are [tracked and
4. Select an item to view more details about that remediation action.
+## Next steps
+
+- [View details and results of automated investigations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center)
+
+- [Get an overview of live response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/live-response)
+
## Related articles
- [Automated investigation and response in Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
index ed7b91f290..76908992e4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
@@ -1,7 +1,7 @@
----
+---
title: Manage indicators
ms.reviewer:
-description: Create indicators for a file hash, IP address, URLs or domains that define the detection, prevention, and exclusion of entities.
+description: Create indicators for a file hash, IP address, URLs, or domains that define the detection, prevention, and exclusion of entities.
keywords: manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -26,7 +26,7 @@ ms.topic: article
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
-Indicator of compromise (IoCs) matching is an essential feature in every endpoint protection solution. This capability is available in Microsoft Defender ATP and gives SecOps the ability to set a list of indicators for detection and for blocking (prevention and response).
+Indicator of compromise (IoCs) matching is an essential feature in every endpoint protection solution. This capability gives SecOps the ability to set a list of indicators for detection and for blocking (prevention and response).
Create indicators that define the detection, prevention, and exclusion of entities. You can define the action to be taken as well as the duration for when to apply the action as well as the scope of the machine group to apply it to.
@@ -54,7 +54,7 @@ You can create an indicator for:
- URLs/domains
>[!NOTE]
->There is a limit of 5000 indicators per tenant.
+>There is a limit of 15,000 indicators per tenant.
@@ -103,17 +103,17 @@ One of the options when taking [response actions on a file](respond-file-alerts.
When you add an indicator hash for a file, you can choose to raise an alert and block the file whenever a machine in your organization attempts to run it.
-Files automatically blocked by an indicator won't show up in the files's Action center, but the alerts will still be visible in the Alerts queue.
+Files automatically blocked by an indicator won't show up in the file's Action center, but the alerts will still be visible in the Alerts queue.
## Create indicators for IPs and URLs/domains (preview)
Microsoft Defender ATP can block what Microsoft deems as malicious IPs/URLs, through Windows Defender SmartScreen for Microsoft browsers, and through Network Protection for non-Microsoft browsers or calls made outside of a browser.
The threat intelligence data set for this has been managed by Microsoft.
-By creating indicators for IPs and URLs or domains, you can now allow or block IPs, URLs or domains based on your own threat intelligence. You can do this through the settings page or by machine groups if you deem certain groups to be more or less at risk than others.
+By creating indicators for IPs and URLs or domains, you can now allow or block IPs, URLs, or domains based on your own threat intelligence. You can do this through the settings page or by machine groups if you deem certain groups to be more or less at risk than others.
### Before you begin
-It's important to understand the following prerequisites prior to creating indicators for IPS, URLs or domains:
+It's important to understand the following prerequisites prior to creating indicators for IPS, URLs, or domains:
- URL/IP allow and block relies on the Microsoft Defender ATP component Network Protection to be enabled in block mode. For more information on Network Protection and configuration instructions, see [Protect your network](network-protection.md).
- The Antimalware client version must be 4.18.1906.x or later.
- Supported on machines on Windows 10, version 1709 or later.
@@ -132,7 +132,7 @@ It's important to understand the following prerequisites prior to creating indic
>[!NOTE]
>There may be up to 2 hours latency (usually less) between the time the action is taken, and the URL and IP being blocked.
-### Create an indicator for IPs, URLs or domains from the settings page
+### Create an indicator for IPs, URLs, or domains from the settings page
1. In the navigation pane, select **Settings** > **Indicators**.
@@ -163,8 +163,33 @@ You can also choose to upload a CSV file that defines the attributes of indicato
Download the sample CSV to know the supported column attributes.
+1. In the navigation pane, select **Settings** > **Indicators**.
+
+2. Select the tab of the entity type you'd like to import indicators for.
+
+3. Select **Import** > **Choose file**.
+
+4. Select **Import**. Do this for all the files you'd like to import.
+
+5. Select **Done**.
+
+The following table shows the supported parameters.
+
+Parameter | Type | Description
+:---|:---|:---
+indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url". **Required**
+indicatorValue | String | Identity of the [Indicator](ti-indicator.md) entity. **Required**
+action | Enum | The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed". **Required**
+title | String | Indicator alert title. **Required**
+description | String | Description of the indicator. **Required**
+expirationTime | DateTimeOffset | The expiration time of the indicator in the following format YYYY-MM-DDTHH:MM:SS.0Z. **Optional**
+severity | Enum | The severity of the indicator. Possible values are: "Informational", "Low", "Medium" and "High". **Optional**
+recommendedActions | String | TI indicator alert recommended actions. **Optional**
+rbacGroupNames | String | Comma-separated list of RBAC group names the indicator would be applied to. **Optional**
+
+
+
## Related topic
- [Create contextual IoC](respond-file-alerts.md#add-indicator-to-block-or-allow-a-file)
- [Use the Microsoft Defender ATP indicators API](ti-indicator.md)
- [Use partner integrated solutions](partner-applications.md)
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
index 03f09902ea..b84dce1ebe 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
@@ -85,6 +85,9 @@ If you experience any installation failures, refer to [Troubleshooting installat
- Minimum kernel version 2.6.38
- The `fanotify` kernel option must be enabled
+ > [!CAUTION]
+ > Running Microsoft Defender ATP for Linux side by side with other `fanotify`-based security solutions is not supported. It can lead to unpredictable results, including hanging the operating system.
+
- Disk space: 650 MB
- The solution currently provides real-time protection for the following file system types:
@@ -111,7 +114,7 @@ The following table lists the services and their associated URLs that your netwo
| United States | unitedstates.x.cp.wd.microsoft.com
us-v20.events.data.microsoft.com
ussus1eastprod.blob.core.windows.net
ussus1westprod.blob.core.windows.net |
> [!NOTE]
-> For a more specific URL list, see [Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server)
+> For a more specific URL list, see [Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
Microsoft Defender ATP can discover a proxy server by using the following discovery methods:
- Transparent proxy
@@ -124,7 +127,7 @@ If a proxy or firewall is blocking anonymous traffic, make sure that anonymous t
>
> SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Microsoft Defender ATP for Linux to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception.
-For troubleshooting steps, see the [Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux](linux-support-connectivity.md) page.
+For troubleshooting steps, see [Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux](linux-support-connectivity.md).
## How to update Microsoft Defender ATP for Linux
@@ -136,4 +139,4 @@ Guidance for how to configure the product in enterprise environments is availabl
## Resources
-- For more information about logging, uninstalling, or other topics, see the [Resources](linux-resources.md) page.
+- For more information about logging, uninstalling, or other topics, see [Resources](linux-resources.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
index eed0fc1ca1..baef5fe6ab 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
@@ -13,7 +13,7 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: conceptual
---
@@ -24,12 +24,12 @@ ms.topic: conceptual
There are some minimum requirements for onboarding machines to the service. Learn about the licensing, hardware and software requirements, and other configuration settings to onboard devices to the service.
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-minreqs-abovefoldlink)
+> Want to experience Microsoft Defender ATP? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-minreqs-abovefoldlink).
->[!TIP]
->- Learn about the latest enhancements in Microsoft Defender ATP:[Microsoft Defender Advanced Threat Protection Tech Community](https://techcommunity.microsoft.com/t5/Windows-Defender-Advanced-Threat/ct-p/WindowsDefenderAdvanced).
->- Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
+> [!TIP]
+> - Learn about the latest enhancements in Microsoft Defender ATP:[Microsoft Defender Advanced Threat Protection Tech Community](https://techcommunity.microsoft.com/t5/Windows-Defender-Advanced-Threat/ct-p/WindowsDefenderAdvanced).
+> - Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
## Licensing requirements
Microsoft Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
@@ -40,7 +40,7 @@ Microsoft Defender Advanced Threat Protection requires one of the following Micr
- Microsoft 365 E5 Security
- Microsoft 365 A5 (M365 A5)
-For detailed licensing information, see the [Product terms page](https://www.microsoft.com/en-us/licensing/product-licensing/products) and work with your account team to learn the detailed terms and conditions for the product.
+For detailed licensing information, see the [Product terms page](https://www.microsoft.com/licensing/product-licensing/products) and work with your account team to learn the detailed terms and conditions for the product.
For more information on the array of features in Windows 10 editions, see [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare).
@@ -53,13 +53,14 @@ For more information about licensing requirements for Microsoft Defender ATP pla
Access to Microsoft Defender ATP is done through a browser, supporting the following browsers:
- Microsoft Edge
- Internet Explorer version 11
-- Google Chrome
+- Google Chrome
->[!NOTE]
->While other browsers might work, the mentioned browsers are the ones supported.
+> [!NOTE]
+> While other browsers might work, the mentioned browsers are the ones supported.
## Hardware and software requirements
+
### Supported Windows versions
- Windows 7 SP1 Enterprise
- Windows 7 SP1 Pro
@@ -67,6 +68,7 @@ Access to Microsoft Defender ATP is done through a browser, supporting the follo
- Windows 8.1 Pro
- Windows 10, version 1607 or later
- Windows 10 Enterprise
+ - [Windows 10 Enterprise LTSC](https://docs.microsoft.com/windows/whats-new/ltsc/)
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
@@ -82,24 +84,25 @@ Machines on your network must be running one of these editions.
The hardware requirements for Microsoft Defender ATP on machines is the same as those for the supported editions.
> [!NOTE]
-> Machines that are running mobile versions of Windows are not supported.
+> Machines running mobile versions of Windows are not supported.
### Other supported operating systems
-- macOSX
-- Linux
-- Android
+- macOSX
+- Linux (currently, Microsoft Defender ATP is only available in the Public Preview Edition for Linux)
->[!NOTE]
->You'll need to know the exact Linux distros, Android, and macOS versions that are compatible with Microsoft Defender ATP for the integration to work.
+> [!NOTE]
+> You'll need to know the exact Linux distros, Android, and macOS versions that are compatible with Microsoft Defender ATP for the integration to work.
+>
+> Also note that Microsoft Defender ATP is currently only available in the Public Preview Edition for Linux.
### Network and data storage and configuration requirements
When you run the onboarding wizard for the first time, you must choose where your Microsoft Defender Advanced Threat Protection-related information is stored: in the European Union, the United Kingdom, or the United States datacenter.
> [!NOTE]
-> - You cannot change your data storage location after the first-time setup.
-> - Review the [Microsoft Defender ATP data storage and privacy](data-storage-privacy.md) for more information on where and how Microsoft stores your data.
+> - You cannot change your data storage location after the first-time setup.
+> - Review the [Microsoft Defender ATP data storage and privacy](data-storage-privacy.md) for more information on where and how Microsoft stores your data.
### Diagnostic data settings
@@ -131,12 +134,11 @@ By default, this service is enabled, but it's good practice to check to ensu
If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the service to automatically start.
-
**Use the command line to set the Windows 10 diagnostic data service to automatically start:**
1. Open an elevated command-line prompt on the endpoint:
- a. Go to **Start** and type **cmd**.
+ a. Go to **Start** and type **cmd**.
b. Right-click **Command prompt** and select **Run as administrator**.
@@ -153,22 +155,18 @@ If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the
```
-
#### Internet connectivity
Internet connectivity on machines is required either directly or through proxy.
The Microsoft Defender ATP sensor can utilize a daily average bandwidth of 5MB to communicate with the Microsoft Defender ATP cloud service and report cyber data. One-off activities such as file uploads and investigation package collection are not included in this daily average bandwidth.
-For more information on additional proxy configuration settings see, [Configure machine proxy and Internet connectivity settings](configure-proxy-internet.md) .
+For more information on additional proxy configuration settings, see [Configure machine proxy and Internet connectivity settings](configure-proxy-internet.md).
Before you onboard machines, the diagnostic data service must be enabled. The service is enabled by default in Windows 10.
-
-
-
## Windows Defender Antivirus configuration requirement
-The Microsoft Defender ATP agent depends on the ability of Windows Defender Antivirus to scan files and provide information about them.
+The Microsoft Defender ATP agent depends on the ability of Windows Defender Antivirus to scan files and provide information about them.
You must configure Security intelligence updates on the Microsoft Defender ATP machines whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md).
@@ -177,7 +175,7 @@ When Windows Defender Antivirus is not the active antimalware in your organizati
If you are onboarding servers and Windows Defender Antivirus is not the active antimalware on your servers, you shouldn't uninstall Windows Defender Antivirus. You'll need to configure it to run on passive mode. For more information, see [Onboard servers](configure-server-endpoints.md).
> [!NOTE]
-> Your regular group policy doesn’t apply to Tamper Protection, and changes to Windows Defender Antivirus settings will be ignored when Tamper Protection is on.
+> Your regular group policy doesn't apply to Tamper Protection, and changes to Windows Defender Antivirus settings will be ignored when Tamper Protection is on.
For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
@@ -188,9 +186,6 @@ If you're running Windows Defender Antivirus as the primary antimalware product
If you're running a third-party antimalware client and use Mobile Device Management solutions or Microsoft Endpoint Configuration Manager (current branch), you'll need to ensure that the Windows Defender Antivirus ELAM driver is enabled. For more information, see [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy).
-
-
-
-## Related topic
+## Related topics
- [Validate licensing and complete setup](licensing.md)
- [Onboard machines](onboard-configure.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
index 6b17eb0031..5f38878dec 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
@@ -66,7 +66,7 @@ Threat & Vulnerability Management helps customers prioritize and focus on those
Microsoft Defender ATP's Threat & Vulnerability Management allows security administrators and IT administrators to collaborate seamlessly to remediate issues.
-- Remediation requests to IT. Through Microsoft Defender ATP's integration with Microsoft Intune and Microsoft Endpoint Configuration Manager, security administrators can create a remediation task in Microsoft Intune from the Security recommendation pages. We plan to expand this capability to other IT security management platforms.
+- Remediation requests to IT. Through Microsoft Defender ATP's integration with Microsoft Intune and Microsoft Endpoint Configuration Manager, security administrators can create a remediation task in Microsoft Intune from the Security recommendation pages. We plan to expand this capability to other IT security management platforms.
- Alternate mitigations. Threat & Vulnerability Management provides insights on additional mitigations, such as configuration changes that can reduce risk associated with software vulnerabilities.
- Real-time remediation status. Microsoft Defender ATP provides real-time monitoring of the status and progress of remediation activities across the organization.
@@ -84,10 +84,10 @@ Ensure that your machines:
> Release | Security update KB number and link
> :---|:---
-> RS3 customers | [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441) and [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071)
-> RS4 customers| [KB4493464](https://support.microsoft.com/help/4493464) and [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045)
-> RS5 customers | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077)
-> 19H1 customers | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941)
+> Windows 10 Version 1709 | [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441) and [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071)
+> Windows 10 Version 1803 | [KB4493464](https://support.microsoft.com/help/4493464) and [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045)
+> Windows 10 Version 1809 | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077)
+> Windows 10 Version 1903 | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941)
- Are onboarded to Microsoft Intune and Microsoft Endpoint Configuration Manager. If you are using Configuration Manager, update your console to the latest version.
- Have at least one security recommendation that can be viewed in the machine page
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md
index 3a1e55ca42..e3d22ad134 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md
@@ -123,7 +123,7 @@ Manager and deploy that policy to Windows 10 devices.
-3. Select **Download package**.
+3. Select **Download package**.
@@ -184,11 +184,11 @@ Before the systems can be onboarded into the workspace, the deployment scripts n
Edit the InstallMMA.cmd with a text editor, such as notepad and update the
following lines and save the file:
- 
+ 
Edit the ConfiguerOMSAgent.vbs with a text editor, such as notepad, and update the following lines and save the file:
- 
+ 
Microsoft Monitoring Agent (MMA) is currently (as of January 2019) supported on the following Windows Operating
Systems:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md
index ceb8637a40..db2e81192e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md
@@ -22,25 +22,24 @@ ms.topic: conceptual
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
-Enterprise security teams can use Microsoft Defender Security Center to monitor and assist in responding to alerts of potential advanced persistent threat (APT) activity or data breaches.
+Enterprise security teams can use Microsoft Defender Security Center to monitor and assist in responding to alerts of potential advanced persistent threat activity or data breaches.
You can use [Microsoft Defender Security Center](https://securitycenter.windows.com/) to:
+
- View, sort, and triage alerts from your endpoints
- Search for more information on observed indicators such as files and IP Addresses
-- Change Microsoft Defender ATP settings, including time zone and review licensing information.
+- Change Microsoft Defender ATP settings, including time zone and review licensing information
## Microsoft Defender Security Center
-When you open the portal, you’ll see the main areas of the application:
- 
+When you open the portal, you'll see:
-- (1) Navigation pane
-- (2) Main portal
-- (3) Search, Community center, Time settings, Help and support, Feedback
+- (1) Navigation pane (select the horizontal lines at the top of the navigation pane to show or hide it)
+- (2) Search, Community center, Localization, Help and support, Feedback
+
+ 
> [!NOTE]
> Malware related detections will only appear if your machines are using Windows Defender Antivirus as the default real-time protection antimalware product.
@@ -49,27 +48,27 @@ You can navigate through the portal using the menu options available in all sect
Area | Description
:---|:---
-**(1) Navigation pane** | Use the navigation pane to move between **Dashboards**, **Incidents**, **Machines list**, **Alerts queue**, **Automated investigations**, **Advanced hunting**, **Reports**, **Interoperability**, **Threat & vulnerability management**, **Evaluation and tutorials**, **Service health**, **Configuration management**, and **Settings**.
-**Dashboards** | Access the Security operations, the Secure Score, or Threat analytics dashboard.
+**(1) Navigation pane** | Use the navigation pane to move between **Dashboards**, **Incidents**, **Machines list**, **Alerts queue**, **Automated investigations**, **Advanced hunting**, **Reports**, **Partners & APIs**, **Threat & Vulnerability Management**, **Evaluation and tutorials**, **Service health**, **Configuration management**, and **Settings**. Select the horizontal lines at the top of the navigation pane to show or hide it.
+**Dashboards** | Access the active automated investigations, active alerts, automated investigations statistics, machines at risk, users at risk, machines with sensor issues, service health, detection sources, and daily machines reporting dashboards.
**Incidents** | View alerts that have been aggregated as incidents.
-**Machines list** | Displays the list of machines that are onboarded to Microsoft Defender ATP, some information about them, and the corresponding number of alerts.
+**Machines list** | Displays the list of machines that are onboarded to Microsoft Defender ATP, some information about them, and their exposure and risk levels.
**Alerts queue** | View alerts generated from machines in your organizations.
-**Automated investigations** | Displays a list of automated investigations that's been conducted in the network, the status of each investigation and other details such as when the investigation started and the duration of the investigation.
+**Automated investigations** | Displays automated investigations that have been conducted in the network, triggering alert, the status of each investigation and other details such as when the investigation started and the duration of the investigation.
**Advanced hunting** | Advanced hunting allows you to proactively hunt and investigate across your organization using a powerful search and query tool.
-**Reports** | View graphs detailing alert trends over time, and alert summary charts categorizing threats by severity, status, and attack approach
-**Interoperability** | Lists supported partner applications that can work together with Microsoft Defender, as well as applications that are already connected to Microsoft Defender.
+**Reports** | View graphs detailing threat protection, machine health and compliance, web protection, and vulnerability.
+**Partners & APIs** | View supported partner connections, which enhance the detection, investigation, and threat intelligence capabilities of the platform. You can also view connected applications, the API explorer, API usage overview, and data export settings.
**Threat & Vulnerability management** | View your configuration score, exposure score, exposed machines, vulnerable software, and take action on top security recommendations.
-**Evaluation and tutorials** | Manage test machines, attack simulations, and reports. Learn and experience the Microsoft Defender ATP capabilities through a guided walkthrough in a trial environment.
-**Service health** | Provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues.
-**Configuration management** | Displays on-boarded machines, your organizations' security baseline, predictive analysis, and allows you to perform attack surface management on your machines.
-**Settings** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set other configuration settings such as email notifications, activate the preview experience, enable or turn off advanced features, SIEM integration, threat intel API, build Power BI reports, and set baselines for the Secure Score dashboard.
-**(2) Main portal** | Main area where you will see the different views such as the Dashboards, Alerts queue, and Machines list.
-**(3) Community center, Localization, Help and support, Feedback** | **Community center** -Access the Community center to learn, collaborate, and share experiences about the product. **Time settings** - Gives you access to the configuration settings where you can set time zones and view license information. **Help and support** - Gives you access to the Microsoft Defender ATP guide, Microsoft support, and Premier support. **Feedback** - Access the feedback button to provide comments about the portal.
+**Evaluation and tutorials** | Manage test machines, attack simulations, and reports. Learn and experience the Microsoft Defender ATP capabilities through a guided walk-through in a trial environment.
+**Service health** | Provides information on the current status of the Microsoft Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues.
+**Configuration management** | Displays on-boarded machines, your organizations' security baseline, predictive analysis, web protection coverage, and allows you to perform attack surface management on your machines.
+**Settings** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set other configuration settings such as permissions, APIs, rules, machine management, IT service management, and network assessments.
+**(2) Search, Community center, Localization, Help and support, Feedback** | **Search** - search by machine, file, user, URL, IP, vulnerability, software, and recommendation. **Community center** - Access the Community center to learn, collaborate, and share experiences about the product. **Localization** - Set time zones. **Help and support** - Access the Microsoft Defender ATP guide, Microsoft and Microsoft Premier support, license information, simulations & tutorials, Microsoft Defender ATP evaluation lab, consult a threat expert. **Feedback** - Provide comments about what you like or what we can do better.
> [!NOTE]
> For devices with high resolution DPI scaling issues, please see [Windows scaling issues for high-DPI devices](https://support.microsoft.com/help/3025083/windows-scaling-issues-for-high-dpi-devices) for possible solutions.
## Microsoft Defender ATP icons
+
The following table provides information on the icons used all throughout the portal:
Icon | Description
@@ -105,22 +104,23 @@ Icon | Description
| Memory allocation
| Process injection
| Powershell command run
- | Community center
+ | Community center
 | Notifications
 | Automated investigation - no threats found
 | Automated investigation - failed
 | Automated investigation - partially investigated
- | Automated investigation - terminated by system
+ | Automated investigation - terminated by system
 | Automated investigation - pending
 | Automated investigation - running
- | Automated investigation - remediated
+ | Automated investigation - remediated
 | Automated investigation - partially remediated
 | Threat & Vulnerability Management - threat insights
- | Threat & Vulnerability Management - possible active alert
+ | Threat & Vulnerability Management - possible active alert
 | Threat & Vulnerability Management - recommendation insights
## Related topics
-- [Understand the Microsoft Defender Advanced Threat Protection portal](use.md)
+
+- [Overview of Microsoft Defender Security Center](use.md)
- [View the Security operations dashboard](security-operations-dashboard.md)
- [View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
- [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md
index b865033486..b02f9d6f58 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md
@@ -71,6 +71,7 @@ description | String | Description of the indicator. **Required**
expirationTime | DateTimeOffset | The expiration time of the indicator. **Optional**
severity | Enum | The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High". **Optional**
recommendedActions | String | TI indicator alert recommended actions. **Optional**
+rbacGroupNames | String | Comma-separated list of RBAC group names the indicator would be applied to. **Optional**
## Response
@@ -87,16 +88,18 @@ Here is an example of the request.
POST https://api.securitycenter.windows.com/api/indicators
Content-type: application/json
{
- "indicatorValue": "220e7d15b011d7fac48f2bd61114db1022197f7f",
- "indicatorType": "FileSha1",
- "title": "test",
- "application": "demo-test",
- "expirationTime": "2020-12-12T00:00:00Z",
- "action": "AlertAndBlock",
- "severity": "Informational",
- "description": "test",
- "recommendedActions": "nothing"
+ "indicatorValue": "220e7d15b011d7fac48f2bd61114db1022197f7f",
+ "indicatorType": "FileSha1",
+ "title": "test",
+ "application": "demo-test",
+ "expirationTime": "2020-12-12T00:00:00Z",
+ "action": "AlertAndBlock",
+ "severity": "Informational",
+ "description": "test",
+ "recommendedActions": "nothing",
+ “rbacGroupNames": [“group1”, “group2”]
}
+```
## Related topic
- [Manage indicators](manage-indicators.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
index 2436a0642e..83b69c2140 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
@@ -170,12 +170,12 @@ how the endpoint security suite should be enabled.
| Component | Description | Adoption Order Rank |
|-----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------|
-| Endpoint Detection & Response (EDR) | Microsoft Defender ATP endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats. [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response) | 1 |
-| Next Generation Protection (NGP) | Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers. Windows Defender Antivirus includes: | 2 |
-| Attack Surface Reduction (ASR) | Attack surface reduction capabilities in Microsoft Defender ATP helps protect the devices and applications in the organization from new and emerging threats. [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) | 3 |
-| Threat & Vulnerability Management (TVM) | Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including: | 4 |
-| Auto Investigation & Remediation (AIR) | Microsoft Defender ATP uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) | Not applicable |
-| Microsoft Threat Experts (MTE) | Microsoft Threat Experts is a managed hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don't get missed. [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts) | Not applicable |
+| Endpoint Detection & Response (EDR) | Microsoft Defender ATP endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats.
[Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response) | 1 |
+|Threat & Vulnerability Management (TVM)|Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including:
- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
- Invaluable machine vulnerability context during incident investigations
- Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager
[Learn more](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Introducing-a-risk-based-approach-to-threat-and-vulnerability/ba-p/377845).| 2 |
+| Next Generation Protection (NGP) | Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers. Windows Defender Antivirus includes:
-Cloud-delivered protection for near-instant detection and blocking of new and emerging threats. Along with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-gen technologies that power Windows Defender Antivirus.
- Always-on scanning using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection").
- Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research.
[Learn more](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). |3 |
+| Attack Surface Reduction (ASR) | Attack surface reduction capabilities in Microsoft Defender ATP helps protect the devices and applications in the organization from new and emerging threats.
[Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) | 4 |
+| Auto Investigation & Remediation (AIR) | Microsoft Defender ATP uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives.
[Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) | Not applicable |
+| Microsoft Threat Experts (MTE) | Microsoft Threat Experts is a managed hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don't get missed.
[Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts) | Not applicable |
## Next step
|||
diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md
index c55fe2642d..e4676f46b6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/preview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md
@@ -46,8 +46,6 @@ Turn on the preview experience setting to be among the first to try upcoming fea
The following features are included in the preview release:
- [Microsoft Defender ATP for Linux](microsoft-defender-atp-linux.md)
Microsoft Defender ATP now adds support for Linux. Learn how to install, configure, update, and use Microsoft Defender ATP for Linux.
-- [Threat & Vulnerability Management API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list)
Run Threat & Vulnerability Management-related API calls such as get your organization's threat exposure score or device secure score, software and machine vulnerability inventory, software version distribution, machine vulnerability information, security recommendation information.
-
- [Threat & Vulnerability supported operating systems and platforms](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os)
Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for. Threat & Vulnerability Management supports Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, Windows Server 2019.
Secure Configuration Assessment (SCA) supports Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, and Windows Server 2019. See [Secure Configuration Assessment (SCA) for Windows Server now in public preview](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/secure-configuration-assessment-sca-for-windows-server-now-in/ba-p/1243885) and [Reducing risk with new Threat & Vulnerability Management capabilities](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/reducing-risk-with-new-threat-amp-vulnerability-management/ba-p/978145) blogs for more information.
- [Threat & Vulnerability Management granular exploit details](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
You can now see a comprehensive set of details on the vulnerabilities found in your machine to give you informed decision on your next steps. The threat insights icon now shows more granular details, such as if the exploit is a part of an exploit kit, connected to specific advanced persistent campaigns or activity groups for which, Threat Analytics report links are provided that you can read, has associated zero-day exploitation news, disclosures, or related security advisories.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
index 4fabe73b03..0c0a59b197 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
@@ -57,7 +57,7 @@ In this deployment scenario, you'll be guided through the steps on:
>[!NOTE]
->For the purpose of guiding you through a typical deployment, this scenario will only cover the use of Microsoft Endpoint Configuration Manager. Microsoft Defnder ATP supports the use of other onboarding tools but will not cover those scenarios in the deployment guide. For more information, see [Onboard machines to Microsoft Defender ATP](onboard-configure.md).
+>For the purpose of guiding you through a typical deployment, this scenario will only cover the use of Microsoft Endpoint Configuration Manager. Microsoft Defender ATP supports the use of other onboarding tools but will not cover those scenarios in the deployment guide. For more information, see [Onboard machines to Microsoft Defender ATP](onboard-configure.md).
## Check license state
diff --git a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
index e52e94be42..f2c30ec2e4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
@@ -175,7 +175,7 @@ Here is an example return value:
## Code examples
### Get access token
-The following code example demonstrates how to obtain an access token and call the Microsoft Defender ATP API.
+The following code examples demonstrate how to obtain an access token for calling the Microsoft Defender ATP SIEM API.
```csharp
AuthenticationContext context = new AuthenticationContext(string.Format("https://login.windows.net/{0}", tenantId));
@@ -183,19 +183,114 @@ ClientCredential clientCredentials = new ClientCredential(clientId, clientSecret
AuthenticationResult authenticationResult = context.AcquireTokenAsync(detectionsResource, clientCredentials).GetAwaiter().GetResult();
```
-### Use token to connect to the detections endpoint
+```PowerShell
+#Get current working directory
+$scriptDir = Split-Path -Path $MyInvocation.MyCommand.Definition -Parent
+#Paste below your Tenant ID, App ID and App Secret (App key).
+$tenantId = '' ### Paste your tenant ID here
+$appId = '' ### Paste your Application ID here
+$appSecret = '' ### Paste your Application secret here
+
+$resourceAppIdUri = 'https://graph.windows.net'
+$oAuthUri = "https://login.windows.net/$tenantId/oauth2/token"
+$authBody = [Ordered] @{
+ resource = "$resourceAppIdUri"
+ client_id = "$appId"
+ client_secret = "$appSecret"
+ grant_type = 'client_credentials'
+}
+
+#call API
+$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop
+$authResponse
+Out-File -FilePath "$scriptDir\LatestSIEM-token.txt" -InputObject $authResponse.access_token
```
+
+```Bash
+tenantId='' ### Paste your tenant ID here
+appId='' ### Paste your Application ID here
+appSecret='' ### Paste your Application secret here
+resourceAppIdUri='https://graph.windows.net'
+oAuthUri="https://login.windows.net/$tenantId/oauth2/token"
+scriptDir=$(pwd)
+
+apiResponse=$(curl -s X POST "$oAuthUri" -d "resource=$resourceAppIdUri&client_id=$appId&client_secret=$appSecret&\
+ grant_type=client_credentials" | cut -d "{" -f2 | cut -d "}" -f1)
+IFS=","
+apiResponseArr=($apiResponse)
+IFS=":"
+tokenArr=(${apiResponseArr[6]})
+echo ${tokenArr[1]} | cut -d "\"" -f2 | cut -d "\"" -f1 >> $scriptDir/LatestSIEM-token.txt
+```
+
+### Use token to connect to the detections endpoint
+The following code examples demonstrate how to use an access token for calling the Microsoft Defender ATP SIEM API to get alerts.
+
+```csharp
HttpClient httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(authenticationResult.AccessTokenType, authenticationResult.AccessToken);
HttpResponseMessage response = httpClient.GetAsync("https://wdatp-alertexporter-eu.windows.com/api/alert").GetAwaiter().GetResult();
string detectionsJson = response.Content.ReadAsStringAsync().Result;
Console.WriteLine("Got detections list: {0}", detectionsJson);
-
```
+```PowerShell
+#Get current working directory
+$scriptDir = Split-Path -Path $MyInvocation.MyCommand.Definition -Parent
+#run the script Get-Token.ps1 - make sure you are running this script from the same folder of Get-SIEMToken.ps1
+$token = Get-Content "$scriptDir\LatestSIEM-token.txt"
+#Get Alert from the last xx hours 200 in this example. Make sure you have alerts in that time frame.
+$dateTime = (Get-Date).ToUniversalTime().AddHours(-200).ToString("o")
+
+#test SIEM API
+$url = 'https://wdatp-alertexporter-us.windows.com/api/alerts?limit=20&sinceTimeUtc=2020-01-01T00:00:00.000'
+
+#Set the WebRequest headers
+$headers = @{
+ 'Content-Type' = 'application/json'
+ Accept = 'application/json'
+ Authorization = "Bearer $token"
+}
+
+#Send the webrequest and get the results.
+$response = Invoke-WebRequest -Method Get -Uri $url -Headers $headers -ErrorAction Stop
+$response
+Write-Host
+
+#Extract the alerts from the results. This works for SIEM API:
+$alerts = $response.Content | ConvertFrom-Json | ConvertTo-Json
+
+#Get string with the execution time. We concatenate that string to the output file to avoid overwrite the file
+$dateTimeForFileName = Get-Date -Format o | foreach {$_ -replace ":", "."}
+
+#Save the result as json and as csv
+$outputJsonPath = "$scriptDir\Latest Alerts $dateTimeForFileName.json"
+$outputCsvPath = "$scriptDir\Latest Alerts $dateTimeForFileName.csv"
+
+Out-File -FilePath $outputJsonPath -InputObject $alerts
+Get-Content -Path $outputJsonPath -Raw | ConvertFrom-Json | Select-Object -ExpandProperty value | Export-CSV $outputCsvPath -NoTypeInformation
+```
+
+```Bash
+#Get current working directory
+scriptDir=$(pwd)
+
+#get the token
+token=$(<$scriptDir/LatestSIEM-token.txt)
+
+#test the SIEM API, get alerts since 1/1/2020
+url='https://wdatp-alertexporter-us.windows.com/api/alerts?limit=20&sinceTimeUtc=2020-01-01T00:00:00.000'
+
+#send web requst to API and echo JSON content
+apiResponse=$(curl -s X GET "$url" -H "Content-Type: application/json" -H "Accept: application/json"\
+ -H "Authorization: Bearer $token" | cut -d "[" -f2 | cut -d "]" -f1)
+echo "If you see Alert info in JSON format, congratulations you accessed the MDATP SIEM API!"
+echo
+echo $apiResponse
+```
## Error codes
The Microsoft Defender ATP REST API returns the following error codes caused by an invalid request.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
index d69c963e40..d5491f5b3c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
@@ -29,7 +29,8 @@ ms.topic: article
## APIs
-Threat and Vulnerability Management supports multiple APIs. Microsoft Defender Advanced Threat Protection (ATP) Threat & Vulnerability Management APIs are soon to be generally available. See the following topics for related APIs:
+Run Threat & Vulnerability Management-related API calls such as get your organization's threat exposure score or device secure score, software and machine vulnerability inventory, software version distribution, machine vulnerability information, security recommendation information. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/threat-amp-vulnerability-management-apis-are-now-generally/ba-p/1304615).
+See the following topics for related APIs:
- [Supported Microsoft Defender ATP APIs](exposed-apis-list.md)
- [Machine APIs](machine.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
index 3078eee09f..0305625c65 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
@@ -51,20 +51,20 @@ You can remediate the issues based on prioritized [security recommendations](tvm
To lower your threat and vulnerability exposure, follow these steps.
-1. Review the **Top security recommendations** from your [**Threat & Vulnerability Management dashboard**](tvm-dashboard-insights.md) , and select the first item on the list. The **Security recommendation** page opens.
+1. Review the **Top security recommendations** from your [**Threat & Vulnerability Management dashboard**](tvm-dashboard-insights.md) and select an item on the list.
- Always prioritize recommendations that are associated with ongoing threats:
+ 
- -  Threat insight icon
- -  Active alert icon
+ Always prioritize recommendations that are associated with ongoing threats:
- 
+ -  Threat insight icon
+ -  Active alert icon
-2. The **Security recommendations** page shows the list of items to remediate. Select the security recommendation that you need to investigate. When you select a recommendation from the list, a fly-out panel will display a description of what you need to remediate, number of vulnerabilities, associated exploits in machines, number of exposed machines and their machine names, business impact, and a list of CVEs. Click **Open software page** option from the flyout panel. 
+2. The **Security recommendations** page will open, and a flyout for the recommendation you selected will open. The flyout panel will display a description of what you need to remediate, number of vulnerabilities, associated exploits in machines, number of exposed machines and their machine names, business impact, and a list of CVEs. Select **Open software page** option from the flyout panel. 
-3. Select **Installed machines** and then the affected machine from the list. A flyout panel will open with the relevant machine details, exposure and risk levels, alert and incident activities. 
+3. Select **Installed machines** and then the affected machine from the list. A flyout panel will open with the relevant machine details, exposure and risk levels, alert and incident activities. 
-4. Click **Open machine page** to connect to the machine and apply the selected recommendation. See [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md) for details. 
+4. Click **Open machine page** to connect to the machine and apply the selected recommendation. See [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md) for details. 
5. Allow a few hours for the changes to propagate in the system.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
index 96d0ba1377..239b7afd31 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
@@ -45,14 +45,14 @@ Go to the Threat & Vulnerability Management navigation menu and select **Remedia
View **Top remediation activities** in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md). Select any of the entries to go to the **Remediation** page. You can mark the remediation activity as completed after the IT admin team remediates the task.
-
+
## Remediation activities
When you [submit a remediation request](tvm-security-recommendation.md#request-remediation) from the [Security recommendations page](tvm-security-recommendation.md), it kicks-off a remediation activity. A security task is created which will be tracked in the Threat & Vulnerability Management **Remediation** page, and a remediation ticket is created in Microsoft Intune.
Once you are in the Remediation page, select the remediation activity that you want to view. You can follow the remediation steps, track progress, view the related recommendation, export to CSV, or mark as complete.
-
+
## Exceptions
@@ -60,7 +60,7 @@ When you [file for an exception](tvm-security-recommendation.md#file-for-excepti
The exceptions you've filed will show up in the **Remediation** page, in the **Exceptions** tab. You can filter your view based on exception justification, type, and status.
-
+
### Exception actions and statuses
@@ -85,13 +85,13 @@ Creating an exception can potentially affect the Exposure Score (for both types
The exception impact shows on both the Security recommendations page column and in the flyout pane.
-
+
### View exceptions in other places
Select **Show exceptions** at the bottom of the **Top security recommendations** card in the dashboard to open a filtered view in the **Security recommendations** page of recommendations with an "Exception" status.
-
+
## Related topics
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
index 4859488e84..c3e900103b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
@@ -71,17 +71,17 @@ View recommendations, the number of weaknesses found, related components, threat
The color of the **Exposed machines** graph changes as the trend changes. If the number of exposed machines is on the rise, the color changes into red. If there's a decrease in the number of exposed machines, the color of the graph will change into green.
-
+
### Icons
-Useful icons also quickly calls your attention to: -  possible active alerts
-  associated public exploits
-  recommendation insights
+Useful icons also quickly calls your attention to: -  possible active alerts
-  associated public exploits
-  recommendation insights
### Investigate
Select the security recommendation that you want to investigate or process.
-
+
From the flyout, you can do any of the following:
@@ -130,7 +130,7 @@ Exceptions can be created for both Security update and Configuration change reco
When an exception is created for a recommendation, the recommendation is no longer active. The recommendation state changes to **Exception**, and it no longer shows up in the security recommendations list.
1. Select a security recommendation you would like create an exception for, and then **Exception options**.
-
+
2. Select your justification for the exception you need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration.
@@ -154,13 +154,12 @@ You can report a false positive when you see any vague, inaccurate, incomplete,
2. Select the three dots beside the security recommendation that you want to report, then select **Report inaccuracy**.
-
+
3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details regarding the inaccuracy.
4. Select **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts.
-
## Related topics
- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
index 689a9fe3d1..2d474782f2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
@@ -30,6 +30,10 @@ For more information preview features, see [Preview features](https://docs.micro
RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed reader:
`https://docs.microsoft.com/api/search/rss?search=%22Lists+the+new+features+and+functionality+in+Microsoft+Defender+ATP%22&locale=en-us`
+## April 2020
+
+- [Threat & Vulnerability Management API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list)
Run Threat & Vulnerability Management-related API calls such as get your organization's threat exposure score or device secure score, software and machine vulnerability inventory, software version distribution, machine vulnerability information, security recommendation information. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/threat-amp-vulnerability-management-apis-are-now-generally/ba-p/1304615).
+
## November-December 2019
- [Microsoft Defender ATP for Mac](microsoft-defender-atp-mac.md)
Microsoft Defender ATP for Mac brings the next-generation protection to Mac devices. Core components of the unified endpoint security platform will now be available for Mac devices, including [endpoint detection and response](endpoint-detection-response-mac-preview.md).
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md
index e1d64c8cfd..84ae5e963d 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md
@@ -2,7 +2,7 @@
title: Interactive logon Don't display username at sign-in (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Interactive logon Don't display username at sign-in security policy setting.
ms.assetid: 98b24b03-95fe-4edc-8e97-cbdaa8e314fd
-ms.reviewer:
+ms.reviewer:
ms.author: dansimp
ms.prod: w10
ms.mktglfcycl: deploy
@@ -20,9 +20,9 @@ ms.date: 04/19/2017
# Interactive logon: Don't display username at sign-in
**Applies to**
-- Windows Server 2003, Windows Vista, Windows XP, Windows Server 2008, Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012, Windows 8, Windows 10
+- Windows 10, Windows Server 2019
-Describes the best practices, location, values, and security considerations for the **Interactive logon: Don't display username at sign-in** security policy setting.
+Describes the best practices, location, values, and security considerations for the **Interactive logon: Don't display username at sign-in** security policy setting.
## Reference
@@ -56,7 +56,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
| Domain controller effective default settings | Not defined|
| Member server effective default settings | Not defined|
| Effective GPO default settings on client computers | Not defined|
-
+
## Policy management
This section describes features and tools that are available to help you manage this policy.
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index c8e505e884..ab45f10ade 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -129,9 +129,9 @@ Wildcards can be used at the beginning or end of a path rule; only one wildcard
## Windows Defender Application Control filename rules
-File name rule levels provide administrators to specify the file attributes off which to base a file name rule. File name rules do not provide the same security guarantees that explicit signer rules do, as they are based on mutable access permissions. Specification of the file name level occurs when creating new policy rules. In addition, to combine file name levels found in multiple policies, you can merge multiple policies.
+File name rule levels provide administrators to specify the file attributes off which to base a file name rule. File name rules provide the same security guarantees that explicit signer rules do, as they are based on non-mutable file attributes. Specification of the file name level occurs when creating new policy rules. In addition, to combine file name levels found in multiple policies, you can merge multiple policies.
-Use Table 3 to select the appropriate file name level for your available administrative resources and Windows Defender Application Control deployment scenario.
+Use Table 3 to select the appropriate file name level for your available administrative resources and Windows Defender Application Control deployment scenario. For instance, an LOB or production application and its binaries (eg. DLLs) may all share the same product name. This allows users to easily create targeted policies based on the Product Name filename rule level.
**Table 3. Windows Defender Application Control policy - filename levels**
diff --git a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
index 5c81b7eb36..ca449ea92c 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md
@@ -42,4 +42,3 @@ Your environment needs the following software to run Windows Defender Applicatio
|Operating system|Windows 10 Enterprise edition, version 1709 or higher
Windows 10 Professional edition, version 1803 or higher
Windows 10 Professional for Workstations edition, version 1803 or higher
Windows 10 Professional Education edition version 1803 or higher
Windows 10 Education edition, version 1903 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with WDAG for Professional editions. |
|Browser|Microsoft Edge and Internet Explorer|
|Management system
(only for managed devices)|[Microsoft Intune](https://docs.microsoft.com/intune/)
**-OR-**
[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/)
**-OR-**
[Group Policy](https://technet.microsoft.com/library/cc753298(v=ws.11).aspx)
**-OR-**
Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.|
-|Windows Defender Exploit Protection settings|The following settings should be configured or verified in the **Windows Security** app under **App & browser control** > **Exploit protection** > **Exploit protection settings** > **System Settings**.
**Control flow guard (CFG)** must be set to **Use default (On)** or **Off by default**. If set to **On by default**, [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard) will not launch.
**Randomize memory allocations (Bottom-up ASLR)** must be set to **Use default (On)** or **Off by default**. If set to "On by default", the `Vmmem` process will have high CPU utilization while a Windows Defender Application Guard window is open.|
diff --git a/windows/security/threat-protection/windows-defender-smartscreen/images/Microsoft-Defender-Smartscreen-submission.png b/windows/security/threat-protection/windows-defender-smartscreen/images/Microsoft-Defender-Smartscreen-submission.png
new file mode 100644
index 0000000000..74f9fb15ed
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-smartscreen/images/Microsoft-Defender-Smartscreen-submission.png differ
diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
index 150df52cc5..8181c99856 100644
--- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
+++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
@@ -1,7 +1,7 @@
---
-title: Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings (Windows 10)
-description: A list of all available settings for Windows Defender SmartScreen using Group Policy and mobile device management (MDM) settings.
-keywords: SmartScreen Filter, Windows SmartScreen, Windows Defender SmartScreen
+title: Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings (Windows 10)
+description: A list of all available settings for Microsoft Defender SmartScreen using Group Policy and mobile device management (MDM) settings.
+keywords: SmartScreen Filter, Windows SmartScreen, Microsoft Defender SmartScreen
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
@@ -13,13 +13,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
---
-# Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings
+# Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings
**Applies to:**
- Windows 10
- Windows 10 Mobile
-Windows Defender SmartScreen works with Intune, Group Policy, and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Windows Defender SmartScreen, you can show employees a warning page and let them continue to the site, or you can block the site entirely.
+Microsoft Defender SmartScreen works with Intune, Group Policy, and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Microsoft Defender SmartScreen, you can show employees a warning page and let them continue to the site, or you can block the site entirely.
See [Windows 10 (and later) settings to protect devices using Intune](https://docs.microsoft.com/intune/endpoint-protection-windows-10#windows-defender-smartscreen-settings) for the controls you can use in Intune.
@@ -35,7 +35,7 @@ SmartScreen uses registry-based Administrative Template policy settings. For mor
|
Windows 10, version 1703:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreenWindows 10, Version 1607 and earlier:
Administrative Templates\Windows Components\File Explorer\Configure Windows SmartScreen |
At least Windows Server 2012, Windows 8 or Windows RT |
-This policy setting turns on Windows Defender SmartScreen. If you enable this setting, it turns on Windows Defender SmartScreen and your employees are unable to turn it off. Additionally, when enabling this feature, you must also pick whether Windows Defender SmartScreen should Warn your employees or Warn and prevent bypassing the message (effectively blocking the employee from the site). If you disable this setting, it turns off Windows Defender SmartScreen and your employees are unable to turn it on. If you don't configure this setting, your employees can decide whether to use Windows Defender SmartScreen. |
+This policy setting turns on Microsoft Defender SmartScreen. If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off. Additionally, when enabling this feature, you must also pick whether Microsoft Defender SmartScreen should Warn your employees or Warn and prevent bypassing the message (effectively blocking the employee from the site). If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on. If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen. |
| Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control |
@@ -45,38 +45,38 @@ SmartScreen uses registry-based Administrative Template policy settings. For mor
Windows 10, version 1703:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreenWindows 10, Version 1607 and earlier:
Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen |
Microsoft Edge on Windows 10 or later |
-This policy setting turns on Windows Defender SmartScreen. If you enable this setting, it turns on Windows Defender SmartScreen and your employees are unable to turn it off. If you disable this setting, it turns off Windows Defender SmartScreen and your employees are unable to turn it on. If you don't configure this setting, your employees can decide whether to use Windows Defender SmartScreen. |
+This policy setting turns on Microsoft Defender SmartScreen. If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off. If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on. If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen. |
Windows 10, version 1703:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for filesWindows 10, Version 1511 and 1607:
Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for files |
Microsoft Edge on Windows 10, version 1511 or later |
-This policy setting stops employees from bypassing the Windows Defender SmartScreen warnings about potentially malicious files. If you enable this setting, it stops employees from bypassing the warning, stopping the file download. If you disable or don't configure this setting, your employees can bypass the warnings and continue to download potentially malicious files. |
+This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious files. If you enable this setting, it stops employees from bypassing the warning, stopping the file download. If you disable or don't configure this setting, your employees can bypass the warnings and continue to download potentially malicious files. |
Windows 10, version 1703:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sitesWindows 10, Version 1511 and 1607:
Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for sites |
Microsoft Edge on Windows 10, version 1511 or later |
-This policy setting stops employees from bypassing the Windows Defender SmartScreen warnings about potentially malicious sites. If you enable this setting, it stops employees from bypassing the warning, stopping them from going to the site. If you disable or don't configure this setting, your employees can bypass the warnings and continue to visit a potentially malicious site. |
+This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious sites. If you enable this setting, it stops employees from bypassing the warning, stopping them from going to the site. If you disable or don't configure this setting, your employees can bypass the warnings and continue to visit a potentially malicious site. |
| Administrative Templates\Windows Components\Internet Explorer\Prevent managing SmartScreen Filter |
Internet Explorer 9 or later |
-This policy setting prevents the employee from managing Windows Defender SmartScreen. If you enable this policy setting, the employee isn't prompted to turn on Windows Defender SmartScreen. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the employee. If you disable or don't configure this policy setting, the employee is prompted to decide whether to turn on Windows Defender SmartScreen during the first-run experience. |
+This policy setting prevents the employee from managing Microsoft Defender SmartScreen. If you enable this policy setting, the employee isn't prompted to turn on Microsoft Defender SmartScreen. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the employee. If you disable or don't configure this policy setting, the employee is prompted to decide whether to turn on Microsoft Defender SmartScreen during the first-run experience. |
| Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warnings |
Internet Explorer 8 or later |
-This policy setting determines whether an employee can bypass warnings from Windows Defender SmartScreen. If you enable this policy setting, Windows Defender SmartScreen warnings block the employee. If you disable or don't configure this policy setting, the employee can bypass Windows Defender SmartScreen warnings. |
+This policy setting determines whether an employee can bypass warnings from Microsoft Defender SmartScreen. If you enable this policy setting, Microsoft Defender SmartScreen warnings block the employee. If you disable or don't configure this policy setting, the employee can bypass Microsoft Defender SmartScreen warnings. |
| Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet |
Internet Explorer 9 or later |
-This policy setting determines whether the employee can bypass warnings from Windows Defender SmartScreen. Windows Defender SmartScreen warns the employee about executable files that Internet Explorer users do not commonly download from the Internet. If you enable this policy setting, Windows Defender SmartScreen warnings block the employee. If you disable or don't configure this policy setting, the employee can bypass Windows Defender SmartScreen warnings. |
+This policy setting determines whether the employee can bypass warnings from Microsoft Defender SmartScreen. Microsoft Defender SmartScreen warns the employee about executable files that Internet Explorer users do not commonly download from the Internet. If you enable this policy setting, Microsoft Defender SmartScreen warnings block the employee. If you disable or don't configure this policy setting, the employee can bypass Microsoft Defender SmartScreen warnings. |
## MDM settings
If you manage your policies using Microsoft Intune, you'll want to use these MDM policy settings. All settings support both desktop computers (running Windows 10 Pro or Windows 10 Enterprise, enrolled with Microsoft Intune) and Windows 10 Mobile devices.
-For Windows Defender SmartScreen Internet Explorer MDM policies, see [Policy CSP - InternetExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer).
+For Microsoft Defender SmartScreen Internet Explorer MDM policies, see [Policy CSP - InternetExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer).
| Setting |
@@ -91,8 +91,8 @@ For Windows Defender SmartScreen Internet Explorer MDM policies, see [Policy CSP
URI full path. ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen
Data type. Integer
Allowed values:
-- 0 . Turns off Windows Defender SmartScreen in Edge.
-- 1. Turns on Windows Defender SmartScreen in Edge.
+0 . Turns off Microsoft Defender SmartScreen in Edge.
+1. Turns on Microsoft Defender SmartScreen in Edge.
@@ -115,8 +115,8 @@ For Windows Defender SmartScreen Internet Explorer MDM policies, see [Policy CSP
URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/EnableSmartScreenInShell
Data type. Integer
Allowed values:
-- 0 . Turns off Windows Defender SmartScreen in Windows for app and file execution.
-- 1. Turns on Windows Defender SmartScreen in Windows for app and file execution.
+0 . Turns off Microsoft Defender SmartScreen in Windows for app and file execution.
+1. Turns on Microsoft Defender SmartScreen in Windows for app and file execution.
@@ -127,8 +127,8 @@ For Windows Defender SmartScreen Internet Explorer MDM policies, see [Policy CSP
URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/PreventOverrideForFilesInShell
Data type. Integer
Allowed values:
-- 0 . Employees can ignore Windows Defender SmartScreen warnings and run malicious files.
-- 1. Employees can't ignore Windows Defender SmartScreen warnings and run malicious files.
+0 . Employees can ignore Microsoft Defender SmartScreen warnings and run malicious files.
+1. Employees can't ignore Microsoft Defender SmartScreen warnings and run malicious files.
@@ -139,8 +139,8 @@ For Windows Defender SmartScreen Internet Explorer MDM policies, see [Policy CSP
URI full path. ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride
Data type. Integer
Allowed values:
-- 0 . Employees can ignore Windows Defender SmartScreen warnings.
-- 1. Employees can't ignore Windows Defender SmartScreen warnings.
+0 . Employees can ignore Microsoft Defender SmartScreen warnings.
+1. Employees can't ignore Microsoft Defender SmartScreen warnings.
@@ -151,16 +151,16 @@ For Windows Defender SmartScreen Internet Explorer MDM policies, see [Policy CSP
URI full path. ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles
Data type. Integer
Allowed values:
-- 0 . Employees can ignore Windows Defender SmartScreen warnings for files.
-- 1. Employees can't ignore Windows Defender SmartScreen warnings for files.
+0 . Employees can ignore Microsoft Defender SmartScreen warnings for files.
+1. Employees can't ignore Microsoft Defender SmartScreen warnings for files.
## Recommended Group Policy and MDM settings for your organization
-By default, Windows Defender SmartScreen lets employees bypass warnings. Unfortunately, this can let employees continue to an unsafe site or to continue to download an unsafe file, even after being warned. Because of this possibility, we strongly recommend that you set up Windows Defender SmartScreen to block high-risk interactions instead of providing just a warning.
+By default, Microsoft Defender SmartScreen lets employees bypass warnings. Unfortunately, this can let employees continue to an unsafe site or to continue to download an unsafe file, even after being warned. Because of this possibility, we strongly recommend that you set up Microsoft Defender SmartScreen to block high-risk interactions instead of providing just a warning.
-To better help you protect your organization, we recommend turning on and using these specific Windows Defender SmartScreen Group Policy and MDM settings.
+To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen Group Policy and MDM settings.
| Group Policy setting |
@@ -168,7 +168,7 @@ To better help you protect your organization, we recommend turning on and using
| Administrative Templates\Windows Components\Microsoft Edge\Configure Windows Defender SmartScreen |
-Enable. Turns on Windows Defender SmartScreen. |
+Enable. Turns on Microsoft Defender SmartScreen. |
| Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites |
@@ -191,7 +191,7 @@ To better help you protect your organization, we recommend turning on and using
| Browser/AllowSmartScreen |
-1. Turns on Windows Defender SmartScreen. |
+1. Turns on Microsoft Defender SmartScreen. |
| Browser/PreventSmartScreenPromptOverride |
@@ -203,7 +203,7 @@ To better help you protect your organization, we recommend turning on and using
| SmartScreen/EnableSmartScreenInShell |
-1. Turns on Windows Defender SmartScreen in Windows. Requires at least Windows 10, version 1703. |
+1. Turns on Microsoft Defender SmartScreen in Windows. Requires at least Windows 10, version 1703. |
| SmartScreen/PreventOverrideForFilesInShell |
@@ -214,7 +214,7 @@ To better help you protect your organization, we recommend turning on and using
## Related topics
- [Threat protection](../index.md)
-- [Windows Defender SmartScreen overview](windows-defender-smartscreen-overview.md)
+- [Microsoft Defender SmartScreen overview](windows-defender-smartscreen-overview.md)
- [Available Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](/microsoft-edge/deploy/available-policies)
diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
index 176974ae38..56b4084b8b 100644
--- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
+++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
@@ -1,7 +1,7 @@
---
-title: Windows Defender SmartScreen overview (Windows 10)
-description: Conceptual info about Windows Defender SmartScreen.
-keywords: SmartScreen Filter, Windows SmartScreen, Windows Defender SmartScreen
+title: Microsoft Defender SmartScreen overview (Windows 10)
+description: Conceptual info about Microsoft Defender SmartScreen.
+keywords: SmartScreen Filter, Windows SmartScreen, Microsoft Defender SmartScreen
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
@@ -15,7 +15,7 @@ ms.reviewer:
manager: dansimp
---
-# Windows Defender SmartScreen
+# Microsoft Defender SmartScreen
**Applies to:**
@@ -23,45 +23,53 @@ manager: dansimp
- Windows 10 Mobile
- Microsoft Edge
-Windows Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files.
+Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files.
-**Windows Defender SmartScreen determines whether a site is potentially malicious by:**
+**Microsoft Defender SmartScreen determines whether a site is potentially malicious by:**
-- Analyzing visited webpages looking for indications of suspicious behavior. If Windows Defender SmartScreen determines that a page is suspicious, it will show a warning page to advise caution.
+- Analyzing visited webpages looking for indications of suspicious behavior. If Microsoft Defender SmartScreen determines that a page is suspicious, it will show a warning page to advise caution.
-- Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it finds a match, Windows Defender SmartScreen shows a warning to let the user know that the site might be malicious.
+- Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it finds a match, Microsoft Defender SmartScreen shows a warning to let the user know that the site might be malicious.
-**Windows Defender SmartScreen determines whether a downloaded app or app installer is potentially malicious by:**
+**Microsoft Defender SmartScreen determines whether a downloaded app or app installer is potentially malicious by:**
-- Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, Windows Defender SmartScreen shows a warning to let the user know that the site might be malicious.
+- Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, Microsoft Defender SmartScreen shows a warning to let the user know that the site might be malicious.
-- Checking downloaded files against a list of files that are well known and downloaded by many Windows users. If the file isn't on that list, Windows Defender SmartScreen shows a warning, advising caution.
+- Checking downloaded files against a list of files that are well known and downloaded by many Windows users. If the file isn't on that list, Microsoft Defender SmartScreen shows a warning, advising caution.
-## Benefits of Windows Defender SmartScreen
+## Benefits of Microsoft Defender SmartScreen
-Windows Defender SmartScreen provide an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through a socially-engineered attack. The primary benefits are:
+Microsoft Defender SmartScreen provide an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through a socially-engineered attack. The primary benefits are:
-- **Anti-phishing and anti-malware support.** Windows Defender SmartScreen helps to protect users from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly used software. Because drive-by attacks can happen even if the user does not click or download anything on the page, the danger often goes unnoticed. For more info about drive-by attacks, see [Evolving Windows Defender SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/#3B7Bb8bzeAPq8hXE.97)
+- **Anti-phishing and anti-malware support.** Microsoft Defender SmartScreen helps to protect users from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly used software. Because drive-by attacks can happen even if the user does not click or download anything on the page, the danger often goes unnoticed. For more info about drive-by attacks, see [Evolving Microsoft Defender SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/#3B7Bb8bzeAPq8hXE.97)
-- **Reputation-based URL and app protection.** Windows Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, users won't see any warnings. If, however, there's no reputation, the item is marked as a higher risk and presents a warning to the user.
+- **Reputation-based URL and app protection.** Microsoft Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, users won't see any warnings. If, however, there's no reputation, the item is marked as a higher risk and presents a warning to the user.
-- **Operating system integration.** Windows Defender SmartScreen is integrated into the Windows 10 operating system, meaning that it checks any files an app (including 3rd-party browsers and email clients) attempts to download and run.
+- **Operating system integration.** Microsoft Defender SmartScreen is integrated into the Windows 10 operating system, meaning that it checks any files an app (including 3rd-party browsers and email clients) attempts to download and run.
-- **Improved heuristics and diagnostic data.** Windows Defender SmartScreen is constantly learning and endeavoring to stay up-to-date, so it can help to protect you against potentially malicious sites and files.
+- **Improved heuristics and diagnostic data.** Microsoft Defender SmartScreen is constantly learning and endeavoring to stay up-to-date, so it can help to protect you against potentially malicious sites and files.
-- **Management through Group Policy and Microsoft Intune.** Windows Defender SmartScreen supports using both Group Policy and Microsoft Intune settings. For more info about all available settings, see [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen-available-settings.md).
+- **Management through Group Policy and Microsoft Intune.** Microsoft Defender SmartScreen supports using both Group Policy and Microsoft Intune settings. For more info about all available settings, see [Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen-available-settings.md).
- **Blocking URLs associated with potentially unwanted applications.** In Microsoft Edge (based on Chromium), SmartScreen blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](../windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md).
> [!IMPORTANT]
> SmartScreen protects against malicious files from the internet. It does not protect against malicious files on internal locations or network shares, such as shared folders with UNC paths or SMB/CIFS shares.
-## Viewing Windows Defender SmartScreen anti-phishing events
+## Submit files to Microsoft Defender SmartScreen for review
-When Windows Defender SmartScreen warns or blocks a user from a website, it's logged as [Event 1035 - Anti-Phishing](https://technet.microsoft.com/scriptcenter/dd565657(v=msdn.10).aspx).
+If you believe a warning or block was incorrectly shown for a file or application, or if you believe an undetected file is malware, you can [submit a file](https://www.microsoft.com/wdsi/filesubmission/) to Microsoft for review. For more info, see [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide).
-## Viewing Windows event logs for Windows Defender SmartScreen
-Windows Defender SmartScreen events appear in the Microsoft-Windows-SmartScreen/Debug log in Event Viewer.
+When submitting Microsoft Defender Smartscreen products, make sure to select **Microsoft Defender SmartScreen** from the product menu.
+
+
+
+## Viewing Microsoft Defender SmartScreen anti-phishing events
+
+When Microsoft Defender SmartScreen warns or blocks a user from a website, it's logged as [Event 1035 - Anti-Phishing](https://technet.microsoft.com/scriptcenter/dd565657(v=msdn.10).aspx).
+
+## Viewing Windows event logs for Microsoft Defender SmartScreen
+Microsoft Defender SmartScreen events appear in the Microsoft-Windows-SmartScreen/Debug log in Event Viewer.
Windows event log for SmartScreen is disabled by default, users can use Event Viewer UI to enable the log or use the command line to enable it:
@@ -81,4 +89,4 @@ EventID | Description
## Related topics
- [Threat protection](../index.md)
-- [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings)
+- [Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings)
diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
index 1bdb879cd4..dd2eb47e6c 100644
--- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
+++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
@@ -1,7 +1,7 @@
---
-title: Set up and use Windows Defender SmartScreen on individual devices (Windows 10)
-description: Learn how employees can use Windows Security to set up Windows Defender SmartScreen. Windows Defender SmartScreen protects users from running malicious apps.
-keywords: SmartScreen Filter, Windows SmartScreen, Windows Defender SmartScreen
+title: Set up and use Microsoft Defender SmartScreen on individual devices (Windows 10)
+description: Learn how employees can use Windows Security to set up Microsoft Defender SmartScreen. Microsoft Defender SmartScreen protects users from running malicious apps.
+keywords: SmartScreen Filter, Windows SmartScreen, Microsoft Defender SmartScreen
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
@@ -14,22 +14,22 @@ manager: dansimp
ms.author: macapara
---
-# Set up and use Windows Defender SmartScreen on individual devices
+# Set up and use Microsoft Defender SmartScreen on individual devices
**Applies to:**
- Windows 10, version 1703
- Windows 10 Mobile
- Microsoft Edge
-Windows Defender SmartScreen helps to protect users if they try to visit sites previously reported as phishing or malware websites, or if a user tries to download potentially malicious files.
+Microsoft Defender SmartScreen helps to protect users if they try to visit sites previously reported as phishing or malware websites, or if a user tries to download potentially malicious files.
-## How users can use Windows Security to set up Windows Defender SmartScreen
-Starting with Windows 10, version 1703, users can use Windows Security to set up Windows Defender SmartScreen for an individual device; unless and administrator has used Group Policy or Microsoft Intune to prevent it.
+## How users can use Windows Security to set up Microsoft Defender SmartScreen
+Starting with Windows 10, version 1703, users can use Windows Security to set up Microsoft Defender SmartScreen for an individual device; unless an administrator has used Group Policy or Microsoft Intune to prevent it.
>[!NOTE]
>If any of the following settings are managed through Group Policy or mobile device management (MDM) settings, it appears as unavailable to the employee.
-**To use Windows Security to set up Windows Defender SmartScreen on a device**
+**To use Windows Security to set up Microsoft Defender SmartScreen on a device**
1. Open the Windows Security app, and then select **App & browser control** > **Reputation-based protection settings**.
2. In the **Reputation-based protection** screen, choose from the following options:
@@ -38,13 +38,13 @@ Starting with Windows 10, version 1703, users can use Windows Security to set up
- **On.** Warns users that the apps and files being downloaded from the web are potentially dangerous but allows the action to continue.
- - **Off.** Turns off Windows Defender SmartScreen, so a user isn't alerted or stopped from downloading potentially malicious apps and files.
+ - **Off.** Turns off Microsoft Defender SmartScreen, so a user isn't alerted or stopped from downloading potentially malicious apps and files.
- - In the **Windows Defender SmartScreen for Microsoft Edge** area:
+ - In the **Microsoft Defender SmartScreen for Microsoft Edge** area:
- **On.** Warns users that sites and downloads are potentially dangerous but allows the action to continue while running in Microsoft Edge.
- - **Off.** Turns off Windows Defender SmartScreen, so a user isn't alerted or stopped from downloading potentially malicious apps and files.
+ - **Off.** Turns off Microsoft Defender SmartScreen, so a user isn't alerted or stopped from downloading potentially malicious apps and files.
- In the **Potentially unwanted app blocking** area:
- **On.** Turns on both the 'Block apps' and 'Block downloads settings. To learn more, see [How Microsoft identifies malware and potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/intelligence/criteria#potentially-unwanted-application-pua).
@@ -54,21 +54,21 @@ Starting with Windows 10, version 1703, users can use Windows Security to set up
- **Off.** Turns off Potentially unwanted app blocking, so a user isn't alerted or stopped from downloading or installing potentially unwanted apps.
- - In the **Windows Defender SmartScreen from Microsoft Store apps** area:
+ - In the **Microsoft Defender SmartScreen from Microsoft Store apps** area:
- **On.** Warns users that the sites and downloads used by Microsoft Store apps are potentially dangerous but allows the action to continue.
- - **Off.** Turns off Windows Defender SmartScreen, so a user isn't alerted or stopped from visiting sites or from downloading potentially malicious apps and files.
+ - **Off.** Turns off Microsoft Defender SmartScreen, so a user isn't alerted or stopped from visiting sites or from downloading potentially malicious apps and files.
- 
+ 
-## How Windows Defender SmartScreen works when a user tries to run an app
-Windows Defender SmartScreen checks the reputation of any web-based app the first time it's run from the Internet, checking digital signatures and other factors against a Microsoft-maintained service. If an app has no reputation or is known to be malicious, Windows Defender SmartScreen can warn the user or block the app from running entirely, depending on how you've configured the feature to run in your organization.
+## How Microsoft Defender SmartScreen works when a user tries to run an app
+Microsoft Defender SmartScreen checks the reputation of any web-based app the first time it's run from the Internet, checking digital signatures and other factors against a Microsoft-maintained service. If an app has no reputation or is known to be malicious, Microsoft Defender SmartScreen can warn the user or block the app from running entirely, depending on how you've configured the feature to run in your organization.
-By default, users can bypass Windows Defender SmartScreen protection, letting them run legitimate apps after accepting a warning message prompt. You can also use Group Policy or Microsoft Intune to block your employees from using unrecognized apps, or to entirely turn off Windows Defender SmartScreen (not recommended).
+By default, users can bypass Microsoft Defender SmartScreen protection, letting them run legitimate apps after accepting a warning message prompt. You can also use Group Policy or Microsoft Intune to block your employees from using unrecognized apps, or to entirely turn off Microsoft Defender SmartScreen (not recommended).
## How users can report websites as safe or unsafe
-Windows Defender SmartScreen can be configured to warn users from going to a potentially dangerous site. Users can then choose to report a website as safe from the warning message or as unsafe from within Microsoft Edge and Internet Explorer 11.
+Microsoft Defender SmartScreen can be configured to warn users from going to a potentially dangerous site. Users can then choose to report a website as safe from the warning message or as unsafe from within Microsoft Edge and Internet Explorer 11.
**To report a website as safe from the warning message**
- On the warning screen for the site, click **More Information**, and then click **Report that this site does not contain threats**. The site info is sent to the Microsoft feedback site, which provides further instructions.
@@ -82,7 +82,7 @@ Windows Defender SmartScreen can be configured to warn users from going to a pot
## Related topics
- [Threat protection](../index.md)
-- [Windows Defender SmartScreen overview](windows-defender-smartscreen-overview.md)
+- [Microsoft Defender SmartScreen overview](windows-defender-smartscreen-overview.md)
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
index f46696402c..c141b00025 100644
--- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
+++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
@@ -59,9 +59,6 @@ Click **Start** > **Settings** > **Update & Security** > **Windows Security** >
-> [!IMPORTANT]
-> If System Guard is enabled with a registry key, standard hardware security is not available for the Intel i5 7200U processor.
-
## How to verify System Guard Secure Launch is configured and running
To verify that Secure Launch is running, use System Information (MSInfo32). Click **Start**, search for **System Information**, and look under **Virtualization-based Security Services Running** and **Virtualization-based Security Services Configured**.
diff --git a/windows/security/threat-protection/windows-security-baselines.md b/windows/security/threat-protection/windows-security-baselines.md
index 48bfb00d06..535af777d7 100644
--- a/windows/security/threat-protection/windows-security-baselines.md
+++ b/windows/security/threat-protection/windows-security-baselines.md
@@ -64,7 +64,7 @@ The security baselines are included in the [Security Compliance Toolkit (SCT)](s
## Community
-[](https://blogs.technet.microsoft.com/secguide/)
+[](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bd-p/Security-Baselines)
## Related Videos
@@ -73,9 +73,9 @@ You may also be interested in this msdn channel 9 video:
## See Also
-- [Microsoft Endpoint Configuration Manager](https://www.microsoft.com/cloud-platform/system-center-configuration-manager)
-- [Operations Management Suite](https://www.microsoft.com/cloud-platform/operations-management-suite)
-- [Configuration Management for Nano Server](https://blogs.technet.microsoft.com/grouppolicy/2016/05/09/configuration-management-on-servers/)
-- [Microsoft Security Guidance Blog](https://blogs.technet.microsoft.com/secguide/)
-- [Microsoft Security Compliance Toolkit Download](https://www.microsoft.com/download/details.aspx?id=55319)
-- [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319)
+- [Microsoft Endpoint Configuration Manager](https://www.microsoft.com/cloud-platform/system-center-configuration-manager)
+- [Operations Management Suite](https://www.microsoft.com/cloud-platform/operations-management-suite)
+- [Configuration Management for Nano Server](https://docs.microsoft.com/archive/blogs/grouppolicy/configuration-management-on-servers/)
+- [Microsoft Security Guidance Blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines)
+- [Microsoft Security Compliance Toolkit Download](https://www.microsoft.com/download/details.aspx?id=55319)
+- [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319)