Merged PR 14779: 3/12 AM Publish

.openpublishing.redirection.json

@@ -13,7 +13,7 @@
 {
 "source_path": "windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md",
 "redirect_url": "/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure",
-"redirect_document_id": true
+"redirect_document_id": false
 },
 {
 "source_path": "windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune.md",

windows/client-management/mdm/policy-csp-restrictedgroups.md

@@ -113,8 +113,7 @@ Here is an example:
 
 ```
 <groupmembership>
- <accessgroup desc="Administrators">
-    <member name="Contoso\Alice">
+ <accessgroup desc="Group SID for Administrators"/>
     <member name = "S-188-5-5666-5-688">
   </accessgroup>
 </groupmembership>

windows/deployment/TOC.md

@@ -1,4 +1,5 @@
 # [Deploy and update Windows 10](https://docs.microsoft.com/windows/deployment)
+## [Architectural planning posters for Windows 10](windows-10-architecture-posters.md)
 ## [Deploy Windows 10 with Microsoft 365](deploy-m365.md)
 ## [What's new in Windows 10 deployment](deploy-whats-new.md)
 ## [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
@@ -278,8 +279,4 @@
 #### [Get started with Device Health](update/device-health-get-started.md)
 #### [Using Device Health](update/device-health-using.md)
 ### [Enrolling devices in Windows Analytics](update/windows-analytics-get-started.md)
-### [Troubleshooting Windows Analytics and FAQ](update/windows-analytics-FAQ-troubleshooting.md)
-
-## [Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade/upgrade-windows-phone-8-1-to-10.md)
-
-## [Architectural planning posters for Windows 10](windows-10-architecture-posters.md)
+### [Troubleshooting Windows Analytics and FAQ](update/windows-analytics-FAQ-troubleshooting.md)

windows/deployment/update/fod-and-lang-packs.md

@@ -8,16 +8,16 @@ ms.pagetype: article
 ms.author: elizapo
 author: lizap
 ms.localizationpriority: medium
-ms.date: 10/18/2018
+ms.date: 03/13/2019
 ms.topic: article
 ---
 # How to make Features on Demand and language packs available when you're using WSUS/SCCM
 
 > Applies to: Windows 10
 
-As of Windows 10 version 1709, you cannot use Windows Server Update Services (WSUS) to host [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) (FOD) and language packs for Windows 10 clients locally. Instead, you can enforce a Group Policy setting that tells the clients to pull them directly from Windows Update. You can also host FOD and language packs on a network share, but starting with Windows 10 version 1809, language packs can only be installed from Windows Update.
+As of Windows 10 version 1709, you cannot use Windows Server Update Services (WSUS) to host [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) (FOD) and language packs for Windows 10 clients locally. Instead, you can enforce a Group Policy setting that tells the clients to pull them directly from Windows Update. You can also host FOD and language packs on a network share, but starting with Windows 10 version 1809, FOD and language packs can only be installed from Windows Update.
  
-For Windows domain environments running WSUS or SCCM, change the **Specify settings for optional component installation and component repair** policy to enable downloading language and FOD packs from Windows Update. This setting is located in `Computer Configuration\Administrative Templates\System` in the Group Policy Editor.
+For Windows domain environments running WSUS or SCCM, change the **Specify settings for optional component installation and component repair** policy to enable downloading FOD and language packs from Windows Update. This setting is located in `Computer Configuration\Administrative Templates\System` in the Group Policy Editor.
 
 Changing this policy does not affect how other updates are distributed. They continue to come from WSUS or SCCM as you have scheduled them.
 

windows/deployment/update/windows-analytics-get-started.md

@@ -169,7 +169,7 @@ These policies are under Microsoft\Windows\DataCollection:
 | CommercialDataOptIn (in Windows 7 and Windows 8) |	1 is required for Upgrade Readiness, which is the only solution that runs on Windows 7 or Windows 8. |
 
 
-You can set these values by using Group Policy (in Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds) or by using Mobile Device Management (in Provider/ProviderID/CommercialID). For more information about deployment using MDM, see the [DMClient CSP](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp) topic in MDM documentation.
+You can set these values by using Group Policy (in Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds) or by using Mobile Device Management (in Provider/*Provider ID*/CommercialID). (If you are using Microsoft Intune, use `MS DM Server` as the provider ID.) For more information about deployment using MDM, see the [DMClient CSP](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp) topic in MDM documentation.
 
 The corresponding preference registry values are available in **HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection** and can be configured by the deployment script. If a given setting is configured by both preference registry settings and policy, the policy values will override. However, the **IEDataOptIn** setting is different--you can only set this with the preference registry keys:
 

windows/deployment/update/windows-update-troubleshooting.md

@@ -103,6 +103,7 @@ netsh winhttp set proxy ProxyServerName:PortNumber
 If downloads through a proxy server fail with a 0x80d05001 DO_E_HTTP_BLOCKSIZE_MISMATCH error, or if you notice high CPU usage while updates are downloading, check the proxy configuration to permit HTTP RANGE requests to run.  
  
 You may choose to apply a rule to permit HTTP RANGE requests for the following URLs: 
+
 *.download.windowsupdate.com  
 *.dl.delivery.mp.microsoft.com  
 *.emdl.ws.microsoft.com

windows/deployment/volume-activation/install-vamt.md

@@ -8,7 +8,7 @@ ms.sitesec: library
 ms.pagetype: activation
 author: jdeckerms
 ms.localizationpriority: medium
-ms.date: 04/25/2018
+ms.date: 03/11/2019
 ms.topic: article
 ---
 
@@ -18,7 +18,7 @@ This topic describes how to install the Volume Activation Management Tool (VAMT)
 
 ## Install VAMT
 
-You can install VAMT as part of the [Windows Assessment and Deployment Kit (ADK)](https://go.microsoft.com/fwlink/p/?LinkId=526740) for Windows 10.
+You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for Windows 10.
 
 >[!IMPORTANT]  
 >VAMT requires local administrator privileges on all managed computers in order to deposit confirmation IDs (CIDs), get the client products’ license status, and install product keys. If VAMT is being used to manage products and product keys on the local host computer and you do not have administrator privileges, start VAMT with elevated privileges. For Active Directory-Based Activation use, for best results we recommend running VAMT while logged on as a domain administrator. 
@@ -26,24 +26,46 @@ You can install VAMT as part of the [Windows Assessment and Deployment Kit (ADK)
 >[!NOTE]  
 >The VAMT Microsoft Management Console snap-in ships as an x86 package. 
 
-To install SQL Server Express:
-1.  Install the Windows ADK.
-2.  Ensure that **Volume Activation Management Tool** is selected to be installed.
-3.  Click **Install**.
+### Requirements
+
+- [Windows Server with Desktop Experience](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-with-desktop-experience), with internet access and all updates applied
+- [Windows 10, version 1809 ADK](https://go.microsoft.com/fwlink/?linkid=2026036)
+- [SQL Server 2017 Express](https://www.microsoft.com/sql-server/sql-server-editions-express)
+
+### Install SQL Server 2017 Express
+
+1. Download and open the [SQL Server 2017 Express](https://www.microsoft.com/sql-server/sql-server-editions-express) package.
+2. Select **Basic**.
+3. Accept the license terms.
+4. Enter an install location or use the default path, and then select **Install**.
+5. On the completion page, note the instance name for your installation, select **Close**, and then select **Yes**. 
+    ![In this example, the instance name is SQLEXPRESS01](images/sql-instance.png)
+
+### Install VAMT using the ADK
+
+1. Download and open the [Windows 10, version 1809 ADK](https://go.microsoft.com/fwlink/?linkid=2026036) package.
+2. Enter an install location or use the default path, and then select **Next**.
+3. Select a privacy setting, and then select **Next**.
+4. Accept the license terms.
+5. On the **Select the features you want to install** page, select **Volume Activation Management Tool (VAMT)**, and then select **Install**. (You can select additional features to install as well.)
+6. On the completion page, select **Close**.
+
+### Configure VAMT to connect to SQL Server 2017 Express
+
+1. Open **Volume Active Management Tool 3.1** from the Start menu.
+2. Enter the server instance name and a name for the database, select **Connect**, and then select **Yes** to create the database. See the following image for an example.
+
+    ![Server name is .\SQLEXPRESS and database name is VAMT](images/vamt-db.png)
 
-## Select a Database
 
-VAMT requires a SQL database. After you install VAMT, if you have a computer information list (CIL) that was created in a previous version of VAMT, you must import the list into a SQL database. If you do not have SQL installed, you can [download a free copy of Microsoft SQL Server Express](https://www.microsoft.com/sql-server/sql-server-editions-express) and create a new database into which you can import the CIL. 
 
-You must configure SQL installation to allow remote connections and you must provide the corresponding server name in the format: *Machine Name\\SQL Server Name*. If a new VAMT database needs to be created, provide a name for the new database.
 
 ## Uninstall VAMT
 
-To uninstall VAMT via the **Programs and Features** Control Panel:
-1.  Open the **Control Panel** and select **Programs and Features**.
+To uninstall VAMT using the **Programs and Features** Control Panel:
+1.  Open **Control Panel** and select **Programs and Features**.
 2.  Select **Assessment and Deployment Kit** from the list of installed programs and click **Change**. Follow the instructions in the Windows ADK installer to remove VAMT.
 
-## Related topics
-- [Install and Configure VAMT](install-configure-vamt.md)
+
  
  

windows/security/information-protection/TOC.md

@@ -34,7 +34,8 @@
 #### [Create a WIP policy with MDM using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune-azure.md)
 ##### [Deploy your WIP policy using the Azure portal for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune-azure.md)
 ##### [Associate and deploy a VPN policy for WIP using the Azure portal for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md)
-#### [Create a WIP policy with MAM using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-mam-intune-azure.md)
+#### [Create and verify an EFS Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md)
+#### [Determine the Enterprise Context of an app running in WIP](windows-information-protection\wip-app-enterprise-context.md)
 ### [Create a WIP policy using System Center Configuration Manager](windows-information-protection\overview-create-wip-policy-sccm.md)
 #### [Create and deploy a WIP policy using System Center Configuration Manager](windows-information-protection\create-wip-policy-using-sccm.md)
 #### [Create and verify an EFS Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md)

windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md

@@ -105,12 +105,12 @@ The following table contains the default BCD validation profile used by BitLocke
 
 This following is a full list of BCD settings with friendly names which are ignored by default. These settings are not part of the default BitLocker validation profile, but can be added if you see a need to validate any of these settings before allowing a BitLocker–protected operating system drive to be unlocked.
 > **Note:**  Additional BCD settings exist that have hex values but do not have friendly names. These settings are not included in this list.
- 
+
 | Hex Value | Prefix | Friendly Name |
 | - | - | - |
-| 0x12000004 | all| description| 
-| 0x12000005| all| locale|
-| 0x12000016| all| targetname| 
+| 0x12000004 | all | description | 
+| 0x12000005 | all | locale | 
+| 0x12000016 | all | targetname | 
 | 0x12000019| all| busparams| 
 | 0x1200001d| all| key| 
 | 0x1200004a| all| fontpath| 
@@ -182,7 +182,7 @@ This following is a full list of BCD settings with friendly names which are igno
 | 0x25000061 | winload| numproc| 
 | 0x25000063 | winload| configflags|
 | 0x25000066| winload| groupsize|
-| 0x25000071 | winload| msi| 
+| 0x25000071 | winload| msi|
 | 0x25000072 | winload| pciexpress| 
 | 0x25000080 | winload| safeboot| 
 | 0x250000a6 | winload| tscsyncpolicy| 

windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md

@@ -109,6 +109,9 @@ If you don't know the Store app publisher or product name, you can find them by
     >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.<br><br>For example:<br>
     <code>{<br>"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",<br>}</code>
 
+<!-- Go Kamatsu says the following info about Windows Mobile can be removed after Windows Mobile EOL at end of 2019
+-->
+
 If you need to add Windows 10 mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature.
 
 >**Note**<br>Your PC and phone must be on the same wireless network.
@@ -588,7 +591,7 @@ WIP can integrate with Microsoft Azure Rights Management to enable secure sharin
 
 To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to encrypt files copied to removable drives with Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703.
 
-Optionally, if you don’t want everyone in your organization to be able to share your enterprise data, you can set the **RMSTemplateIDForEDP** MDM setting to the **TemplateID** of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the **EditRightsData** option. 
+Optionally, if you don’t want everyone in your organization to be able to share your enterprise data, you can set the **RMSTemplateIDForEDP** MDM setting to the **TemplateID** of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the **EditRightsData** option. This template will be applied to the protected data that is copied to a removable drive.
 
 >[!IMPORTANT]
 >Curly braces -- {} -- are required around the RMS Template ID.

windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md

@@ -63,7 +63,7 @@ This section covers how WIP works with sensitivity labels in specific use cases.
 
 ### User downloads from or creates a document on a work site
 
-If WIP policy is deployed, any document that is downloaded from a work site, or created on a work site, will have WIP protection regradless of whether the document has a sensitivity label.
+If WIP policy is deployed, any document that is downloaded from a work site, or created on a work site, will have WIP protection regardless of whether the document has a sensitivity label.
 
 If the document also has a sensitivity label, which can be Office or PDF files, WIP protection is applied according to the label. 
 

windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md

@@ -5,7 +5,7 @@ keywords: security, malware, av-comparatives, av-test, av, antivirus, windows, d
 ms.prod: w10
 ms.mktglfcycl: secure
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: high
 ms.author: ellevin
 author: levinec
 manager: dansimp

windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md

@@ -107,7 +107,7 @@ The following steps assume that you have completed all the required steps in [Be
      <td>Browse to the location of the *wdatp-connector.properties* file. The name must match the file provided in the .zip that you downloaded.</td>
      <tr>
      <td>Refresh Token</td>
-     <td>You can obtain a refresh token in two ways: by generating a refresh token from the **SIEM settings** page or using the restutil tool. <br><br> For more information on generating a refresh token from the **Preferences setup** , see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md). </br> </br>**Get your refresh token using the restutil tool:** </br> a. Open a command prompt. Navigate to C:\\*folder_location*\current\bin where *folder_location* represents the location where you installed the tool. </br></br> b. Type: `arcsight restutil token -config` from the bin directory. A Web browser window will open. </br> </br>c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials. </br> </br>d.	A refresh token is shown in the command prompt. </br></br> e. Copy and paste it into the **Refresh Token** field.
+     <td>You can obtain a refresh token in two ways: by generating a refresh token from the **SIEM settings** page or using the restutil tool. <br><br> For more information on generating a refresh token from the **Preferences setup** , see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md). </br> </br>**Get your refresh token using the restutil tool:** </br> a. Open a command prompt. Navigate to C:\\*folder_location*\current\bin where *folder_location* represents the location where you installed the tool. </br></br> b. Type: `arcsight restutil token -config` from the bin directory.For example: **arcsight restutil boxtoken -proxy proxy.location.hp.com:8080** A Web browser window will open. </br> </br>c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials. </br> </br>d.	A refresh token is shown in the command prompt. </br></br> e. Copy and paste it into the **Refresh Token** field.
      </td>
      </tr>
      </tr>

windows/security/threat-protection/windows-defender-atp/threat-protection-reports-windows-defender-advanced-threat-protection.md

@@ -26,7 +26,7 @@ ms.topic: article
 
 The threat protection report provides high-level information about alerts generated in your organization. The report includes trending information showing the detection sources, categories, severities, statuses, classifications, and determinations of alerts across time.
 
-The dashboard is structured into two columns:
+The dashboard is structured into two sections:
 
 ![Image of the threat protection report](images/atp-threat-protection-reports.png)
 
@@ -43,7 +43,7 @@ By default, the alert trends display alert information from the 30-day period en
 - 6 months
 - Custom
 
-While the alerts trends shows trending information alerts, the alert summary shows alert information scoped to 6 months.
+While the alerts trends shows trending information alerts, the alert summary shows alert information scoped to the current day.
 
  The alert summary allows you to drill down to a particular alert queue with the corresponding filter applied to it. For example, clicking on the EDR bar in the Detection sources card will bring you the alerts queue with results showing only alerts generated from EDR detections.