Merge remote-tracking branch 'upstream/master' into Issue#3010

Jose Ortega 2019-04-16 10:09:09 -05:00
commit 816e033971
121 changed files with 2083 additions and 201 deletions

@ -6,6 +6,21 @@
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/windows-security-baselines.md",
"redirect_url": "/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines",
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/security-compliance-toolkit-10.md",
"redirect_url": "/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10",
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/get-support-for-security-baselines.md",
"redirect_url": "/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines",
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md",
"redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np",
"redirect_document_id": true

@ -19,9 +19,7 @@
"ROBOTS": "INDEX, FOLLOW",
"ms.technology": "microsoft-edge",
"ms.topic": "article",
"ms.author": "shortpatti",
"ms.date": "04/05/2017",
"feedback_system": "GitHub",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
"feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app",
"_op_documentIdPathDepotMapping": {

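Review bot: If "ms.author" and "ms.date" are being dropped from this metadata block (the hunk goes from 9 lines to 7), any article that does not set them in its own front matter ends up with no author or date. The FAQ changed later in this commit carries both, but the other articles are not visible here; please confirm each one sets its own values or keep a default. The repeated "feedback_system": "GitHub" line looks like a whitespace-only change and could be left out of the diff.
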
@ -1,96 +1,52 @@
---
title: Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros
description: Answers to frequently asked questions about Microsoft Edge features, integration, support, and potential problems.
author: shortpatti
ms.author: pashort
author: lizap
ms.author: elizapo
ms.prod: edge
ms.topic: reference
ms.topic: article
ms.mktglfcycl: general
ms.sitesec: library
ms.localizationpriority: medium
ms.date: 11/05/2018
---
# Frequently Asked Questions (FAQs) for IT Pros
>Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile
**Q: Why is the Sync settings option under Settings \> Accounts \> Sync your settings permanently disabled?
## How can I get the next major version of Microsoft Edge, based on Chromium?
In December 2018, Microsoft [announced](https://blogs.windows.com/windowsexperience/2018/12/06/microsoft-edge-making-the-web-better-through-more-open-source-collaboration/#8jv53blDvL6TIKuS.97) our intention to adopt the Chromium open source project in the development of Microsoft Edge on the desktop, to create better web compatibility for our customers and less fragmentation of the web for all web developers. You can get more information at the [Microsoft Edge Insiders site](https://www.microsoftedgeinsider.com/).
**A:** In the Windows 10 Anniversary Update, domain-joined users who connected their Microsoft Account (MSA) could roam settings and data between Windows devices. A group policy to prevent users from connecting their MSAs exists, but this setting also prevents users from easily accessing their personal Microsoft services. Enterprises can still enable Enterprise State Roaming with Azure Active Directory.
## Whats the difference between Microsoft Edge and Internet Explorer 11? How do I know which one to use?
Microsoft Edge is the default browser for all Windows 10 devices. Its built to be highly compatible with the modern web. For some enterprise web apps and a small set of sites that were built to work with older technologies like ActiveX, [you can use Enterprise Mode](emie-to-improve-compatibility.md) to automatically send users to Internet Explorer 11.
>In a nutshell, any fresh install of Windows 10 Creators Update or higher does not support funtionality if it's under an Active Directory, but works for Azure Active Directory.
For more information on how Internet Explorer and Microsoft Edge work together to support your legacy web apps, while still defaulting to the higher security and modern experiences enabled by Microsoft Edge, see [Legacy apps in the enterprise](https://blogs.windows.com/msedgedev/2017/04/07/legacy-web-apps-enterprise/#RAbtRvJSYFaKu2BI.97).
**Q: What is the size of the local storage for Microsoft Edge overall and per domain?**
## Does Microsoft Edge work with Enterprise Mode?
[Enterprise Mode](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11) helps you run many legacy web applications with better backward compatibility. You can configure both Microsoft Edge and Internet Explorer to use the same Enterprise Mode Site List, switching seamlessly between browsers to support both modern and legacy web apps.
**A:** The limits are 5MB per subdomain, 10MB per domain, and 50MB total.
## How do I customize Microsoft Edge and related settings for my organization?
You can use Group Policy or Microsoft Intune to manage settings related to Microsoft Edge, such as security settings, folder redirection, and preferences. See [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/group-policies/) for a list of policies currently available for Microsoft Edge and configuration information. Note that the preview release of Chromium-based Microsoft Edge might not include management policies or other enterprise functionality; our focus during the preview is modern browser fundamentals.
**Q: What is the difference between Microsoft Edge and Internet Explorer 11? How do I know which one to use?**
## Is Adobe Flash supported in Microsoft Edge?
Adobe Flash is currently supported as a built-in feature of Microsoft Edge on PCs running Windows 10. In July 2017, Adobe announced that Flash support will end after 2020. With this change to Adobe support, weve started to phase Flash out of Microsoft Edge by adding the [Configure the Adobe Flash Click-to-Run setting group policy](https://docs.microsoft.com/microsoft-edge/deploy/available-policies#configure-the-adobe-flash-click-to-run-setting) - this lets you control which websites can run Adobe Flash content.
**A:** Microsoft Edge is the default browser for all Windows 10 devices. It is built to be highly compatible with the modern web. For some enterprise web apps and a small set of sites on the web that were built to work with older technologies like ActiveX, [you can use Enterprise Mode](https://docs.microsoft.com/microsoft-edge/deploy/emie-to-improve-compatibility) to automatically send users to Internet Explorer 11 for those sites.
To learn more about Microsofts plan for phasing Flash out of Microsoft Edge and Internet Explorer, see [The End of an Era — Next Steps for Adobe Flash](https://blogs.windows.com/msedgedev/2017/07/25/flash-on-windows-timeline/#3Bcc3QjRw0l7XsZ4.97) (blog article).
For more information on how Internet Explorer and Microsoft Edge can work together to support your legacy web apps, while still defaulting to the higher bar for security and modern experiences enabled by Microsoft Edge, see [Legacy apps in the enterprise](https://blogs.windows.com/msedgedev/2017/04/07/legacy-web-apps-enterprise/#RAbtRvJSYFaKu2BI.97).
## Does Microsoft Edge support ActiveX controls or BHOs like Silverlight or Java?
No. Microsoft Edge doesnt support ActiveX controls and BHOs like Silverlight or Java. If youre running web apps that use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in IE11. IE11 offers additional security, manageability, performance, backward compatibility, and standards support.
**Q: Does Microsoft Edge work with Enterprise Mode?**
## How often will Microsoft Edge be updated?
In Windows 10, were delivering Windows as a service, updated on a cadence driven by quality and the availability of new features. Microsoft Edge security updates are released every two to four weeks, while bigger feature updates are included in the Windows 10 releases on a semi-annual cadence.
**A:** [Enterprise Mode](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11) offers better backward compatibility and enables customers to run many legacy web applications. Microsoft Edge and Internet Explorer can be configured to use the same Enterprise Mode Site List, switching seamlessly between browsers to support both modern and legacy web apps.
## How can I provide feedback on Microsoft Edge?
Microsoft Edge is an evergreen browser - well continue to evolve both the web platform and the user interface with regular updates. To send feedback on user experience, or on broken or malicious sites, use the **Send Feedback** option under the ellipses icon (**...**) in the Microsoft Edge toolbar.
## Will Internet Explorer 11 continue to receive updates?
Were committed to keeping Internet Explorer a supported, reliable, and safe browser. Internet Explorer is still a component of Windows and follows the support lifecycle of the OS on which its installed. For details, see [Lifecycle FAQ - Internet Explorer](https://support.microsoft.com/help/17454/). While we continue to support and update Internet Explorer, the latest features and platform updates will only be available in Microsoft Edge.
**Q: I have Windows 10, but I dont seem to have Microsoft Edge. Why?**
**A:** Long-Term Servicing Branch (LTSB) versions of Windows, including Windows Server 2016 and Windows Server 2019, don't include Microsoft Edge or many other Universal Windows Platform (UWP) apps. These apps and their services are frequently updated with new functionality and can't be supported on systems running LTSB operating systems. For customers who require the LTSB for specialized devices, we recommend using Internet Explorer 11.
**Q: How do I get the latest Canary/Beta/Preview version of Microsoft Edge?**
**A:** You can access the latest preview version of Microsoft Edge by updating to the latest Windows 10 preview via the [Windows Insider Program](https://insider.windows.com/). To run the preview version of Microsoft Edge on a stable version of Windows 10 (or any other OS), you can download a [Virtual Machine](https://developer.microsoft.com/microsoft-edge/tools/vms/windows/) that we provide or use the upcoming RemoteEdge service.
**Q: How do I customize Microsoft Edge and related settings for my organization?**
**A:** You can use Group Policy or Microsoft Intune to manage settings related to Microsoft Edge, such as security settings, folder redirection, and preferences. See [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/group-policies/index) for a list of available policies for Microsoft Edge and configuration combinations.
**Q: Is Adobe Flash supported in Microsoft Edge?**
**A:** Currently, Adobe Flash is supported as a built-in feature of Microsoft Edge on devices running the desktop version of Windows 10. In July 2017, Adobe announced that Flash will no longer be supported after 2020. With Adobe no longer supporting Flash after 2020, Microsoft has started to phase out Flash from Microsoft Edge by adding the [Configure the Adobe Flash Click-to-Run setting](available-policies.md#configure-the-adobe-flash-click-to-run-setting) group policy giving you a way to control the list of websites that have permission to run Adobe Flash content.
To learn more about Microsofts plan for phasing out Flash from Microsoft Edge and Internet Explorer, see [The End of an Era — Next Steps for Adobe Flash]( https://blogs.windows.com/msedgedev/2017/07/25/flash-on-windows-timeline/#3Bcc3QjRw0l7XsZ4.97) (blog article).
**Q: Does Microsoft Edge support ActiveX controls or BHOs like Silverlight or Java?**
**A:** No. Microsoft Edge does not support ActiveX controls and BHOs such as Silverlight or Java. If you are running web apps that continue to use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in IE11. IE11 offers additional security, manageability, performance, backward compatibility, and modern standards support.
**Q: How often will Microsoft Edge be updated?**
**A:** In Windows 10, we are delivering Windows as a service, updated on a cadence driven by quality and the availability of new features. Microsoft Edge security updates are released every two to four weeks, and the bigger feature updates are currently pushed out with the Windows 10 releases on a semi-annual cadence.
**Q: How can I provide feedback on Microsoft Edge?**
**A:** Microsoft Edge is an evergreen browser and we will continue to evolve both the web platform and the user interface with regular updates. To send feedback on user experience, or on broken or malicious sites, you can use the **Send Feedback** option under the ellipses icon (**...**) in the Microsoft Edge toolbar. You can also provide feedback through the [Microsoft Edge Dev Twitter](https://twitter.com/MSEdgeDev) account.
**Q: Will Internet Explorer 11 continue to receive updates?**
**A:** We will continue to deliver security updates to Internet Explorer 11 through its supported lifespan. To ensure consistent behavior across Windows versions, we will evaluate Internet Explorer 11 bugs for servicing on a case by case basis. The latest features and platform updates will only be available in Microsoft Edge.
**Q: I loaded a web page and Microsoft Edge sent me to Internet Explorer - what happened?**
**A:** In some cases, Internet Explorer loads automatically for sites that still rely on legacy technologies such as ActiveX. For more information, read [Legacy web apps in the enterprise](https://blogs.windows.com/msedgedev/2017/04/07/legacy-web-apps-enterprise/#uHpbs94kAaVsU1qB.97).
**Q: Why is Do Not Track (DNT) off by default in Microsoft Edge?**
**A:** When Microsoft first set the Do Not Track setting to “On” by default in Internet Explorer 10, industry standards had not yet been established. We are now making this default change as the World Wide Web Consortium (W3C) formalizes industry standards to recommend that default settings allow customers to actively indicate whether they want to enable DNT. As a result, DNT will not be enabled by default in upcoming versions of Microsofts browsers, but we will provide customers with clear information on how to turn this feature on in the browser settings should you wish to do so.
**Q: How do I find out what version of Microsoft Edge I have?**
**A:** Open Microsoft Edge. In the upper right corner click the ellipses icon (**…**), and then click **Settings**. Look in the **About this app** section to find your version.
**Q: What is Microsoft EdgeHTML?**
**A:** Microsoft EdgeHTML is the new web rendering engine that powers the Microsoft Edge web browser and Windows 10 web app platform, and that helps web developers build and maintain a consistent site across all modern browsers. The Microsoft EdgeHTML engine also helps to defend against hacking through support for the W3C standard for [Content Security Policy (CSP)](https://developer.microsoft.com/microsoft-edge/platform/documentation/dev-guide/security/content-Security-Policy), which can help web developers defend their sites against cross-site scripting attacks, and support for the [HTTP Strict Transport Security (HSTS)](https://developer.microsoft.com/microsoft-edge/platform/documentation/dev-guide/security/HSTS/) security feature (IETF-standard compliant), which helps ensure that connections to important sites, such as to your bank, are always secured.
**Q: Will Windows 7 or Windows 8.1 users get Microsoft Edge or the new Microsoft EdgeHTML rendering engine?**
**A:** No. Microsoft Edge has been designed and built to showcase Windows 10 features like Cortana, and is built on top of the Universal Windows Platform.
## How do I find out what version of Microsoft Edge I have?
In the upper right corner of Microsoft Edge, click the ellipses icon (**...**), and then click **Settings**. Look in the **About Microsoft Edge** section to find your version.
## What is Microsoft EdgeHTML?
Microsoft EdgeHTML is the web rendering engine that powers the current Microsoft Edge web browser and Windows 10 web app platform. (As opposed to *Microsoft Edge, based on Chromium*.)
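
Review bot: The rewritten "What is Microsoft EdgeHTML?" answer at the end of this hunk no longer mentions Content Security Policy (CSP) or HTTP Strict Transport Security (HSTS), and no new heading replaces the Do Not Track question, so the FAQ loses its links to the browser's security and privacy documentation. If that is intentional, consider keeping a one-line pointer to those pages. Separately, the new Flash answer links to the absolute https://docs.microsoft.com/microsoft-edge/deploy/available-policies#... URL where the previous text used the relative available-policies.md link, while the new Enterprise Mode link is relative (emie-to-improve-compatibility.md); pick one link style for the file.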

@ -12,6 +12,6 @@
## [Configure HoloLens using a provisioning package](hololens-provisioning.md)
## [Install apps on HoloLens](hololens-install-apps.md)
## [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md)
## [Restore HoloLens 2 using Advanced Recovery Companion](hololens-recovery.md)
## [Restart, reset, or recover HoloLens 2](hololens-recovery.md)
## [How HoloLens stores data for spaces](hololens-spaces.md)
## [Change history for Microsoft HoloLens documentation](change-history-hololens.md)

@ -19,7 +19,7 @@ This topic lists new and updated topics in the [Microsoft HoloLens documentation
New or changed topic | Description
--- | ---
[Restore HoloLens 2 using Advanced Recovery Companion](hololens-recovery.md) | New
[Restart, reset, or recover HoloLens 2](hololens-recovery.md) | New
## November 2018

@ -1,5 +1,5 @@
---
title: Restore HoloLens 2 using Advanced Recovery Companion
title: Restart, reset, or recover HoloLens 2
description: How to use Advanced Recovery Companion to flash an image to HoloLens 2.
ms.prod: hololens
ms.sitesec: library
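
Review bot: The description under the renamed title still reads "How to use Advanced Recovery Companion to flash an image to HoloLens 2.", which no longer matches "Restart, reset, or recover HoloLens 2". Update the description so it covers restart and reset as well as recovery.
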
@ -9,7 +9,7 @@ ms.topic: article
ms.localizationpriority: medium
---
# Restore HoloLens 2 using Advanced Recovery Companion
# Restart, reset, or recover HoloLens 2
>[!TIP]
>If you're having issues with HoloLens (the first device released), see [Restart, reset, or recover HoloLens](https://support.microsoft.com/help/13452/hololens-restart-reset-or-recover-hololens). Advanced Recovery Companion is only supported for HoloLens 2.
@ -49,7 +49,7 @@ To reset your HoloLens 2, go to **Settings > Update > Reset** and select **Reset
If the device is still having a problem after reset, you can use Advanced Recovery Companion to flash the device with a new image.
1. On your computer, get [Advanced Recovery Companion](need store link) from Microsoft Store.
1. On your computer, get [Advanced Recovery Companion](https://www.microsoft.com/p/advanced-recovery-companion/9p74z35sfrs8?activetab=pivot:overviewtab) from Microsoft Store.
2. Connect HoloLens 2 to your computer.
3. Start Advanced Recovery Companion.
4. On the **Welcome** page, select your device.
@ -57,4 +57,4 @@ If the device is still having a problem after reset, you can use Advanced Recove
6. Software installation will begin. Do not use the device or disconnect the cable during installation. When you see the **Installation finished** page, you can disconnect and use your device.
>[!NOTE]
>[Learn about FFU image file formats.](https://docs.microsoft.com/windows-hardware/manufacture/desktop/wim-vs-ffu-image-file-formats)
>[Learn about FFU image file formats.](https://docs.microsoft.com/windows-hardware/manufacture/desktop/wim-vs-ffu-image-file-formats)

@ -2,6 +2,7 @@
## [What's new in Windows 10, version 1703 for Surface Hub?](surfacehub-whats-new-1703.md)
## [Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md)
## [Prepare your environment for Microsoft Surface Hub](prepare-your-environment-for-surface-hub.md)
### [Surface Hub Site Readiness Guide](surface-hub-site-readiness-guide.md)
### [Physically install Microsoft Surface Hub](physically-install-your-surface-hub-device.md)
### [Create and test a device account](create-and-test-a-device-account-surface-hub.md)
#### [Online deployment](online-deployment-surface-hub-device-accounts.md)
@ -41,10 +42,13 @@
### [Enable 802.1x wired authentication](enable-8021x-wired-authentication.md)
### [Using a room control system](use-room-control-system-with-surface-hub.md)
### [Using the Surface Hub Recovery Tool](surface-hub-recovery-tool.md)
### [Surface Hub SSD replacement](surface-hub-ssd-replacement.md)
## [PowerShell for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md)
## [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md)
## [Top support solutions for Surface Hub](support-solutions-surface-hub.md)
## [Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md)
## [Troubleshoot Miracast on Surface Hub](miracast-troubleshooting.md)
## [Useful downloads for Surface Hub administrators](surface-hub-downloads.md)
## [Technical information for 55” Microsoft Surface Hub](surface-hub-technical-55.md)
## [Technical information for 84” Microsoft Surface Hub ](surface-hub-technical-84.md)
## [Change history for Surface Hub](change-history-surface-hub.md)
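
Review bot: The added entry for the 84” device has a stray space inside the link text, "Surface Hub ](surface-hub-technical-84.md)", which the 55” entry above it does not have. Remove the space before the closing bracket; the same link text recurs in the change-history table in this commit.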

@ -64,8 +64,11 @@ Surface Hubs use Azure AD join to:
- Grant admin rights to the appropriate users in your Azure AD tenant.
- Backup the device's BitLocker recovery key by storing it under the account that was used to Azure AD join the device. See [Save your BitLocker key](save-bitlocker-key-surface-hub.md) for details.
> [!IMPORTANT]
> Surface Hub does not currently support automatic enrollment to Microsoft Intune through Azure AD join. If your organization automatically enrolls Azure AD joined devices into Intune, you must disable this policy for Surface Hub before joining the device to Azure AD.
### Automatic enrollment via Azure Active Directory join
Surface Hub now supports the ability to automatically enroll in Intune by joining the device to Azure Active Directory.
For more information, see [Enable Windows 10 automatic enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment).
### Which should I choose?
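
Review bot: "Surface Hub now supports the ability to automatically enroll in Intune" replaces an IMPORTANT note that told admins to disable automatic enrollment before joining the device to Azure AD, but the new section does not say from which OS version or update the support applies. State the minimum version so admins with older devices know whether the earlier guidance still applies to them.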

@ -7,7 +7,6 @@ ms.sitesec: library
author: jdeckerms
ms.author: jdecker
ms.topic: article
ms.date: 07/12/2018
ms.localizationpriority: medium
---
@ -15,6 +14,15 @@ ms.localizationpriority: medium
This topic lists new and updated topics in the [Surface Hub Admin Guide]( surface-hub-administrators-guide.md).
## April 2019
New or changed topic | Description
--- | ---
[Surface Hub Site Readiness Guide](surface-hub-site-readiness-guide.md) | New; previously available for download only
[Technical information for 55” Microsoft Surface Hub](surface-hub-technical-55.md) | New; previously available for download and on [Surface Hub Tech Spec](https://support.microsoft.com/help/4483539/surface-hub-tech-spec)
[Technical information for 84” Microsoft Surface Hub ](surface-hub-technical-84.md) | New; previously available for download and on [Surface Hub Tech Spec](https://support.microsoft.com/help/4483539/surface-hub-tech-spec)
[Surface Hub SSD replacement](surface-hub-ssd-replacement.md) | New; previously available for download only
## July 2018
New or changed topic | Description

@ -76,7 +76,7 @@ If the device account gets into an unstable state or the Admin account is runnin
On rare occasions, a Surface Hub may encounter an error while cleaning up user and app data at the end of a session. When this happens, the device will automatically reboot and try again. But if this operation fails repeatedly, the device will be automatically locked to protect user data. To unlock it, you must reset or recover the device from [Windows RE](https://technet.microsoft.com/library/cc765966.aspx).
1. From the welcome screen, toggle the Surface Hub's power switch 3 times. Wait a few seconds between each toggle. See the [Surface Hub Site Readiness Guide (PDF)](https://download.microsoft.com/download/3/8/8/3883E991-DFDB-4E70-8D28-20B26045FC5B/Surface-Hub-Site-Readiness-Guide_EN.pdf) for help with locating the power switch.
1. From the welcome screen, toggle the Surface Hub's power switch 3 times. Wait a few seconds between each toggle. See the [Surface Hub Site Readiness Guide (PDF)](surface-hub-site-readiness-guide.md) for help with locating the power switch.
2. The device should automatically boot into Windows RE.
3. After the Surface Hub enters Windows RE, select **Recover from the cloud**. (Optionally, you can choose **Reset**, however **Recover from the cloud** is the recommended approach.)
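
Review bot: The link text in step 1 still says "Surface Hub Site Readiness Guide (PDF)" although the target is now the article surface-hub-site-readiness-guide.md rather than the PDF download. Drop "(PDF)" from the link text.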

Binary file not shown.

After

Width:  |  Height:  |  Size: 1.1 KiB


@ -46,7 +46,7 @@ In some ways, adding your new Surface Hub is just like adding any other Microsof
| [Top support solutions for Surface Hub](support-solutions-surface-hub.md) | These are the top Microsoft Support solutions for common issues experienced using Surface Hub. |
| [Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md) | Troubleshoot common problems, including setup issues, Exchange ActiveSync errors. |
| [Troubleshoot Miracast on Surface Hub](miracast-troubleshooting.md) | Learn how to resolve Miracast issues. |
| [Useful downloads for Surface Hub administrators](surface-hub-downloads.md) | This topic provides links to useful Surface Hub documents, such as product datasheets, the site readiness guide, and user's guide. |
| [Useful downloads for Surface Hub administrators](surface-hub-downloads.md) | This topic provides links to useful Surface Hub documents. |
| [Change history for Surface Hub](change-history-surface-hub.md) | This topic lists new and updated topics in the Surface Hub documentation library. |

@ -41,6 +41,7 @@ Learn about managing and updating Surface Hub.
[Enable 802.1x wired authentication](enable-8021x-wired-authentication.md) | 802.1x Wired Authentication MDM policies have been enabled on Surface Hub devices.
| [Using a room control system](https://technet.microsoft.com/itpro/surface-hub/use-room-control-system-with-surface-hub) | Room control systems can be used with your Microsoft Surface Hub.|
[Using the Surface Hub Recovery Tool](surface-hub-recovery-tool.md) | Use the Surface Hub Recovery Tool to re-image the Surface Hub SSD.
[Surface Hub SSD replacement](surface-hub-ssd-replacement.md) | Learn how to remove and replace the solid state drive in your Surface Hub.
## Related topics

@ -15,7 +15,7 @@ ms.localizationpriority: medium
# Physically install Microsoft Surface Hub
The Microsoft Surface Hub Readiness Guide will help make sure that your site is ready for the installation. You can download the Guide from the [Microsoft Download Center](https://go.microsoft.com/fwlink/?LinkId=718144). It includes planning information for both the 55" and 84" devices, as well as info on moving the Surface Hub from receiving to the installation location, mounting options, and a list of what's in the box.
The [Microsoft Surface Hub Readiness Guide](surface-hub-site-readiness-guide.md) will help make sure that your site is ready for the installation. It includes planning information for both the 55" and 84" devices, as well as info on moving the Surface Hub from receiving to the installation location, mounting options, and a list of what's in the box.
You may also want to check out the Unpacking Guide. It will show you how to unpack the devices efficiently and safely. There are two guides, one for the 55" and one for the 84". A printed version of the Unpacking Guide is attached to the outside front of each unit's shipping crate.
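
Review bot: The new link text "Microsoft Surface Hub Readiness Guide" does not match the name used for the same article elsewhere in this commit, "Surface Hub Site Readiness Guide". Use the same name here so readers recognise it as the same document.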

@ -12,16 +12,14 @@ ms.localizationpriority: medium
# Useful downloads for Microsoft Surface Hub
This topic provides links to useful Surface Hub documents, such as product datasheets, the site readiness guide, and user's guide.
This topic provides links to useful Surface Hub documents, such as product datasheets and user's guide.
| Link | Description |
| --- | --- |
| [Surface Hub Site Readiness Guide (PDF)](https://download.microsoft.com/download/3/8/8/3883E991-DFDB-4E70-8D28-20B26045FC5B/Surface-Hub-Site-Readiness-Guide_EN.pdf) | Make sure your site is ready for Surface Hub, including structural and power requirements, and get technical specs for Surface Hub. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/27/aa/27aa7dd7-7cb7-40ea-9bd6-c7de0795f68c.mov?n=04.07.16_installation_video_01_site_readiness.mov) |
| [Surface Hub Setup Guide (English, French, Spanish) (PDF)](https://download.microsoft.com/download/0/1/6/016363A4-8602-4F01-8281-9BE5C814DC78/Setup-Guide_EN-FR-SP.pdf) | Get a quick overview of how to set up the environment for your new Surface Hub. |
| [Surface Hub Quick Reference Guide (PDF)](https://download.microsoft.com/download/9/E/E/9EE660F8-3FC6-4909-969E-89EA648F06DB/Surface%20Hub%20Quick%20Reference%20Guide_en-us.pdf) | Use this quick reference guide to get information about key features and functions of the Surface Hub. |
| [Surface Hub User Guide (PDF)](https://download.microsoft.com/download/3/6/B/36B6331E-0C63-4E71-A05D-EE88D05081F8/surface-hub-user-guide-en-us.pdf) | Learn how to use Surface Hub in scheduled or ad-hoc meetings. Invite remote participants, use the built-in tools, save data from your meeting, and more. |
| [Surface Hub Replacement PC Drivers](https://www.microsoft.com/download/details.aspx?id=52210) | The Surface Hub Replacement PC driver set is available for those customers who have chosen to disable the Surface Hubs internal PC and use an external computer with their 84” or 55” Surface Hub. This download is meant to be used with the Surface Hub Admin Guide , which contains further details on configuring a Surface Hub Replacement PC. |
| [Surface Hub SSD Replacement Guide (PDF)](https://download.microsoft.com/download/1/F/2/1F202254-7156-459F-ABD2-39CF903A25DE/surface-hub-ssd-replacement-guide_en-us.pdf) | Learn how to replace the solid state drive (SSD) for the 55- and 84-inch Surface Hub. |
| [Microsoft Surface Hub Rollout and Adoption Success Kit (ZIP)](https://download.microsoft.com/download/F/A/3/FA3ADEA4-4966-456B-8BDE-0A594FD52C6C/Surface_Hub_Adoption_Kit_Final_0519.pdf) | Best practices for generating awareness and implementing change management to maximize adoption, usage, and benefits of Microsoft Surface Hub. The Rollout and Adoption Success Kit zip file includes the Rollout and Adoption Success Kit detailed document, Surface Hub presentation, demo guidance, awareness graphics, and more. |
| [Unpacking Guide for 84-inch Surface Hub (PDF)](https://download.microsoft.com/download/5/2/B/52B4007E-D8C8-4EED-ACA9-FEEF93F6055C/84_Unpacking_Guide_English_French-Spanish.pdf) | Learn how to unpack your 84-inch Surface Hub efficiently and safely. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/75/2b/752b73dc-6e9d-4692-8ba1-0f9fc03bff6b.mov?n=04.07.16_installation_video_03_unpacking_84.mov) |
| [Unpacking Guide for 55-inch Surface Hub (PDF)](https://download.microsoft.com/download/2/E/7/2E7616A2-F936-4512-8052-1E2D92DFD070/55_Unpacking_Guide_English-French-Spanish.PDF) | Learn how to unpack your 55-inch Surface Hub efficiently and safely. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/a9/d6/a9d6b4d7-d33f-4e8b-be92-28f7fc2c06d7.mov?n=04.07.16_installation_video_02_unpacking_55.mov) |
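
Review bot: the "Microsoft Surface Hub Rollout and Adoption Success Kit (ZIP)" row is labelled ZIP and its description talks about a zip file, but the link target ends in Surface_Hub_Adoption_Kit_Final_0519.pdf; make the label and description match the file that is actually served. The three "Watch the video" links in this table point at http://compass.xbox.com over plain HTTP; use https if that host serves it.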

View File

@ -16,7 +16,7 @@ ms.localizationpriority: medium
The [Microsoft Surface Hub Recovery Tool](https://www.microsoft.com/download/details.aspx?id=52210) helps you re-image your Surface Hub Solid State Drive (SSD) using a Windows 10 desktop device, without calling support or replacing the SSD. With this tool, you can reimage an SSD that has an unknown Administrator password, boot errors, was unable to complete a cloud recovery, or for a device that has an older version of the operating system. The tool will not fix physically damaged SSDs.
To re-image the Surface Hub SSD using the Recovery Tool, you'll need to remove the SSD from the Surface Hub, connect the drive to the USB-to-SATA cable, and then connect the cable to the desktop PC on which the Recovery Tool is installed. For more information on how to remove the existing drive from your Surface Hub, please refer to the [Surface Hub SSD Replacement Guide (PDF)](https://download.microsoft.com/download/1/F/2/1F202254-7156-459F-ABD2-39CF903A25DE/surface-hub-ssd-replacement-guide_en-us.pdf).
To re-image the Surface Hub SSD using the Recovery Tool, you'll need to remove the SSD from the Surface Hub, connect the drive to the USB-to-SATA cable, and then connect the cable to the desktop PC on which the Recovery Tool is installed. For more information on how to remove the existing drive from your Surface Hub, see [Surface Hub SSD replacement](surface-hub-ssd-replacement.md).
>[!IMPORTANT]
>Do not let the device go to sleep or interrupt the download of the image file.
@ -73,7 +73,8 @@ Install Surface Hub Recovery Tool on the host PC.
![Download the image?](images/shrt-download.png)
5. When the download is complete, the tool instructs you to connect an SSD drive. If the tool is unable to locate the attached drive, there is a good chance that the cable being used is not reporting the name of the SSD to Windows. The imaging tool must find the name of the drive as "LITEON L CH-128V2S USB Device" before it can continue. For more information on how to remove the existing drive from your Surface Hub, please refer to the [Surface Hub SSD Replacement Guide (PDF)](https://download.microsoft.com/download/1/F/2/1F202254-7156-459F-ABD2-39CF903A25DE/surface-hub-ssd-replacement-guide_en-us.pdf).
5. When the download is complete, the tool instructs you to connect an SSD drive. If the tool is unable to locate the attached drive, there is a good chance that the cable being used is not reporting the name of the SSD to Windows. The imaging tool must find the name of the drive as "LITEON L CH-128V2S USB Device" before it can continue. For more information on how to remove the existing drive from your Surface Hub, see [Surface Hub SSD replacement](surface-hub-ssd-replacement.md).
![Connect SSD](images/shrt-drive.png)

View File

@ -0,0 +1,135 @@
---
title: Surface Hub Site Readiness Guide
description: Use this Site Readiness Guide to help plan your Surface Hub installation.
ms.prod: surface-hub
ms.sitesec: library
author: jdeckerms
ms.author: jdecker
ms.topic: article
ms.localizationpriority: medium
---
# Surface Hub Site Readiness Guide
Use this Site Readiness Guide to help plan your Surface Hub installation. In this guide, youll find:
- Site readiness topics
- Detailed hardware specifications on power, ports, and cables
- Recommendations for moving and storage
- Links to guidance on unpacking and mounting
## Site readiness planning
The room needs to be large enough to provide good viewing angles, but small enough for the microphones to pick up clear signals from the people in the room. Most rooms that are about 22 feet (seven meters) long will provide a good meeting experience. In the conference area, mount Surface Hub where:
- Everyone in the room can see it.
- People can reach all four edges of the touchscreen.
- The screen is not in direct sunlight, which could affect viewing or damage the screen.
- Ventilation openings are not blocked.
- Microphones are not affected by noise sources, such as fans or vents.
You can find more details in the [55” Microsoft Surface Hub technical information](surface-hub-technical-55.md) or [84” Microsoft Surface Hub technical information](surface-hub-technical-84.md) sections. For cleaning, care, and safety information, see the mounting guides and user guide at http://www.microsoft.com/surface/support/surface-hub.
### Hardware considerations
Surface Hub arrives with:
- Two Microsoft Surface Hub pens
- A Microsoft wireless keyboard, customized for Surface Hub
- A 9-foot NEMA 5-15P (US Standard) to C13 power cable
Youll need to provide:
- Cat-5e or Cat-6 network cables
- Display cables (optional)
- Audio cable (optional)
- Type A to B USB cable (optional)
For details about cable ports, see the [55” Microsoft Surface Hub technical information](surface-hub-technical-55.md) or [84” Microsoft Surface Hub technical information](surface-hub-technical-84.md) sections. For details about cables, see [Wired Connect](#wired).
Microsoft Surface Hub has an internal PC and does not require an external computer system.
For power recommendations, see [55” Microsoft Surface Hub technical information](surface-hub-technical-55.md) or [84” Microsoft Surface Hub technical information](surface-hub-technical-84.md). For power cable safety warnings, see the mounting guides at http://www.microsoft.com/surface/support/surface-hub.
### Data and other connections
To use Surface Hub, you need an active Ethernet port and a standard power outlet. In addition, you may want to:
- Equip the conference table for Wired Connect.
- Expand the wall outlet configuration to include:
- Additional AC outlets
- Ethernetports
- Audio ports
- Video ports (DisplayPort, HDMI, VGA, etc.)
## When Surface Hub arrives
Surface Hub is large and heavy, so let Receiving know when it will arrive and what they should do to handle it safely. For details on the packing weights and other specifications, see [55” Microsoft Surface Hub technical information](surface-hub-technical-55.md) or [84” Microsoft Surface Hub technical information](surface-hub-technical-84.md).
Consider the following:
- Wait to unpack Surface Hub from the shipping container until youve moved it to the conference area where you plan to install it.
- Make sure your loading dock can accept a shipment on a pallet and hold it securely until it can be installed.
- Check for local labor union rules that would require you to use union labor to unload or move Surface Hub.
- Do not leave Surface Hub in a hot or humid environment. As with any computer-based or display equipment, heat and humidity can damage Surface Hub. The recommended storage temperatures are 32°F to 95°F with a relative humidity of less than 70 percent.
### Moving Surface Hub
Before you move Surface Hub, make sure that all the doorways, thresholds, hallways, and elevators are big enough to accommodate it. For information on the dimensions and weight of your Surface Hub in its shipping container, see [55” Microsoft Surface Hub technical information](surface-hub-technical-55.md) or [84” Microsoft Surface Hub technical information](surface-hub-technical-84.md).
### Unpacking Surface Hub
For unpacking information, refer to the unpacking guide included in the shipping container. You can open the unpacking instructions before you open the shipping container. These instructions can also be found here: http://www.microsoft.com/surface/support/surface-hub
>[!IMPORTANT]
>Retain and store all Surface Hub shipping materials—including the pallet, container, and screws—in case you need to ship Surface Hub to a new location or send it
for repairs. For the 84” Surface Hub, retain the lifting handles.
### Lifting Surface Hub
The 55” Surface Hub requires two people to safely lift and mount. The 84” Surface Hub requires four people to safely lift and mount. Those assisting must be able to lift 70 pounds to waist height. Review the unpacking and mounting guide for details on lifting Surface Hub. You can find it at http://www.microsoft.com/surface/support/surface-hub.
## Mounting and setup
See the [Technical information]() section, or your mounting guide at http://www.microsoft.com/surface/support/surface-hub, for detailed instructions.
There are three ways to mount your Surface Hub:
- **Wall mount**: Lets you permanently hang Surface Hub on a conference space wall.
- **Floor support mount**: Supports Surface Hub on the floor while it is permanently anchored to a conference space wall.
- **Rolling stand**: Supports Surface Hub and lets you move it to other conference locations. For links to guides that provide details about each mounting method, including building requirements, see http://www.microsoft.com/surface/support/surface-hub.
## The Connect experience
Connect lets people project their laptop, tablet, or phone to the Surface Hub screen. Connect allows wireless or wired connection types.
#### Wireless connect
Since wireless connect is based on Miracast, you dont need cables or additional setup planning to use it. Your users can load Miracast on most Miracast-enabled Windows 8.1 and Windows 10 devices. Then they can project their display from their computer or phone to the Surface Hub screen.
<span id="wired" />
#### Wired connect
With wired connect, a cable transmits information from computers, tablets, or phones to Surface Hub. There are three video cable options, and they all use the same USB 2.0 cable. The cable bundle can include one or all of these connection options.
- DisplayPort (DisplayPort cable + USB 2.0 cable)
- HDMI (HDMI cable + USB 2.0 cable)
- VGA (VGA cable + 3.5mm audio cable + USB 2.0 cable)
For example, to provide audio, video, and touchback capability to all three video options, your Wired Connect cable bundle must include:
- A DisplayPort cable
- An HDMI cable
- A VGA cable
- A USB 2.0 cable
- A 3.5mm cable
When you create your wired connect cable bundles, check the [55” Microsoft Surface Hub technical information](surface-hub-technical-55.md) or [84” Microsoft Surface Hub technical information](surface-hub-technical-84.md) sections for specific technical and physical details and port locations for each type of Surface Hub. Make the cables long enough to reach from Surface Hub to where the presenter will sit or stand.
For details on Touchback and Inkback, see the user guide at http://www.microsoft.com/surface/support/surface-hub.
## See also
[Watch the video (opens in a pop-up media player)][http://compass.xbox.com/assets/27/aa/27aa7dd7-7cb7-40ea-9bd6-c7de0795f68c.mov?n=04.07.16_installation_video_01_site_readiness.mov)
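
Review bot: two links in the new Site Readiness Guide will not render as written. Under "Mounting and setup", `[Technical information]()` has an empty target, and the "See also" line joins the link text and the URL with `][` instead of `](`, so it shows as raw text. Point the first at the 55” and 84” technical information pages the way the rest of the article does, and fix the bracket in the second. Smaller items in the same file: "Ethernetports" in the wall outlet list is missing a space, and the second line of the IMPORTANT callout under "Unpacking Surface Hub" ("for repairs. For the 84” Surface Hub, retain the lifting handles.") has no leading `>`, so it falls out of the callout.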

View File

@ -0,0 +1,52 @@
---
title: Surface Hub SSD replacement
description: Learn how to replace the solid state drive in a Surface Hub.
ms.prod: surface-hub
ms.sitesec: library
author: jdeckerms
ms.author: jdecker
ms.topic: article
ms.localizationpriority: medium
---
# Surface Hub SSD replacement
You might need to remove the solid state drive (SSD) from your Surface Hub so that you can reimage it using the [Surface Hub Recovery Tool](surface-hub-recovery-tool.md) or because you've been sent a replacement drive. You would reimage your SSD when the operating system is no longer bootable, such as from a Windows update failure, BitLocker issues, reset failure, or hardware failure.
>[!WARNING]
>Make sure the Surface Hub is turned off at the AC switch.
1. Locate the SSD compartment door on the rear, upper portion of the Surface Hub in the locations illustrated below. The door is identifiable as it doesn't have open ventilation slots.
![SSD compartment door](images/ssd-location.png)
*Surface Hub hard drive locations*
2. Locate the locking tab on the hard drive compartment door. On the Surface Hub 55, the locking tab will be located on the left-hand side of the door. On the Surface Hub 84, it will be on the right-hand side as shown in the illustration.
![SSD compartment locking tab](images/ssd-lock-tab.png)
*Locking tab on hard drive compartment door*
3. Lift open the compartment door to access the hard drive.
![Lift](images/ssd-lift-door.png)
*Lift compartment door*
4. Locate the pull tab, which may be partially hidden under the rear cover. Pull on the tab to eject the hard drive from the compartment.
![Pull](images/ssd-pull-tab.png)
*Pull tab*
5. Slide the replacement drive into place until you hear it click.
![Slide in drive](images/ssd-click.png)
*Slide replacement drive into place*
6. Close the compartment door.
7. Apply power to the Surface Hub.
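
Review bot: the numbered steps only cover swapping in a replacement drive (step 5, "Slide the replacement drive into place"), while the introduction gives reimaging with the Surface Hub Recovery Tool as the first reason to remove the SSD. Add a sentence after step 4 telling the reader who is reimaging to do that now and then continue with step 5 using the same drive. The steps and captions also say "hard drive" throughout while the title and introduction say SSD; use one term.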

View File

@ -0,0 +1,151 @@
---
title: Technical information for 55" Surface Hub
description: Specifications for the 55" Surface Hub
ms.prod: surface-hub
ms.sitesec: library
author: jdeckerms
ms.author: jdecker
ms.topic: article
ms.localizationpriority: medium
---
# Technical information for 55" Surface Hub
## Measurements
|
--- | ---
Pricing | Starting at $8,999
Size | 31.75” x 59.62” x 3.38” (806.4mm x 1514.3mm x 85.8mm)
Storage/RAM | SSD 128GB with 8GB RAM
Processor | 4th Generation Intel® Core™ i5
Graphics | Intel® HD 4600
Ports | **Internal PC**<br>• (1) USB 3.0 (bottom) + (1) USB 3.0 (side access) <br>• (2) USB 2.0<br>• Ethernet 1000 Base-T<br>• DisplayPort <br>• Video Output<br>• 3.5mm Stereo Out<br>• RJ11 Connector for system-level control<br>**Alternate PC**<br>• (2) USB 2.0 type B output<br>• Connection for Camera, Sensors, Microphone, Speakers<br>• (1) DisplayPort Video Input<br>**Guest PC**<br>• DisplayPort Video Input<br>• HDMI Video Input<br>• VGA Video Input<br>• 3.5mm Stereo Input<br>• (1) USB 2.0 type B Touchback™ Output
Sensors | (2) Passive Infrared Presence Sensors, Ambient Light Sensors
Speakers | (2) Front-facing stereo speakers
Microphone | High-Performance, 4-Element Array
Camera | (2) Wide angle HD cameras 1080p @ 30fps
Pen | (2) Powered, active, subpixel accuracy
Physical side buttons | Power, Input Select, Volume, Brightness
Software | Windows 10 + Office (Word, PowerPoint, Excel)
Whats in the box | • Surface Hub 55”<br>• (2) Surface Hub Pens<br>• Power Cable<br>• Setup Guide<br>• Start Guide<br>• Safety and Warranty documents<br>• Wireless All-in-One Keyboard
Mounting features | 4X VESA standard, 400mm x 400mm plus 1150mm x 400mm pattern, 8X M6 X 1.0 threaded mounting locations
Display height from floor | Recommended height of 55 inches (139.7 cm) to center of screen
Product weight | Approx. 105 lb. (47.6 kg) without accessories
Product shipping weight | Approx. 150 lb. (68 kg)
Product dimensions HxWxD | 31.63 x 59.62 x 3.2 inches (80.34 x 151.44 x 8.14 cm)
Product shipping dimensions HxWxD | 43 x 65 x 20 inches (109 x 165 x 51 cm)
Product thickness | Touch surface to mounting surface: ≤ 2.4 inches (6 cm)
Orientation | Landscape only. Display cannot be used in a portrait orientation.
BTU | 1706 BTU/h
Image resolution | 1920 x 1080
Frame rate | 120Hz
EDID preferred timing, replacement PC | 1920 x 1080, 120Hz vertical refresh
EDID preferred timing, wired connect | 1920 x 1080, 60Hz vertical refresh
Input voltage | (50/60Hz) 110/230v nominal, 90-265v max
Input power, operating | 500W max
Input power, standby | 5W nominal
## Replacement PC connections
Connector and location | Label | Description
--- | --- | ---
Switch, bottom I/O | ![](images/switch.png) | Switches the function between using internal PC or external PC.
Display port, bottom I/O | ![](images/dport.png) | Provides input for replacement PC.
USB type B, bottom I/O | ![](images/usb.png) | Provides USB connection for replacement PC to internal peripherals.
USB type B, bottom I/O | ![](images/usb.png) | Provides USB connection for integrated hub.
## Wired connect connections
Connector and location | Label | Description
--- | --- | ---
Display port, bottom I/O | ![](images/dportio.png) | Provides input for wired connect PC.
HDMI, bottom I/O | ![](images/hdmi.png) | Provides HDMI input for wired connect PC.
VGA, bottom I/O | ![](images/vga.png) | Provides VGA input for wired connect PC.
3.5mm, bottom I/O | ![](images/35mm.png) | Provides analog audio input.
USB type B, bottom I/O | ![](images/usb.png) | Provides USB connection for video ingest touchback.
## Additional connections
Connector and location | Label | Description
--- | --- | ---
USB type A, side I/O | ![](images/usb.png) | Provides 1 USB 3.0 connection for USB devices. Wake-on USB capable.
USB type A, bottom I/O with blue insulator | ![](images/usb.png) | Provides USB 3.0 connection.
3.5mm, bottom I/O | ![](images/analog.png) | Provides analog audio out.
Display port, bottom I/O | ![](images/dportout.png) | Provides mirrored video out function to another display.
IEC/EN60320-C13 receptable with hard switch | ![](images/iec.png) | Provides AC input and compliance with EU power requirements.
RJ45, bottom I/O | ![](images/rj45.png) | Connects to Ethernet.
RJ11, bottom I/O | ![](images/rj11.png) | Connects to room control systems.
## Diagrams of ports and clearances
***Top view of 55" Surface Hub***
![](images/sh-55-top.png)
---
***Front view of 55" Surface Hub***
![](images/sh-55-front.png)
---
***Bottom view of 55" Surface Hub***
![](images/sh-55-bottom.png)
---
***Replacement PC ports on 55" Surface Hub***
![](images/sh-55-rpc-ports.png)
---
***Keypad on right side of 55" Surface Hub***
![](images/key-55.png)
---
***Rear view of 55" Surface Hub***
![](images/sh-55-rear.png)
---
***Clearances for 55" Surface Hub***
![](images/sh-55-clearance.png)
---
***Front and bottom handholds and clearances for 55" Surface Hub***
![](images/sh-55-hand.png)
---
***Rear handholds and clearances for 55" Surface Hub***
![](images/sh-55-hand-rear.png)
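
Review bot: in the Measurements table the "Size" row (31.75” x 59.62” x 3.38”) and the "Product dimensions HxWxD" row (31.63 x 59.62 x 3.2 inches) disagree on height and depth; keep one set of figures or say what each row measures. In the Ports row, "DisplayPort <br>• Video Output" splits into two bullets what the 84" page lists as the single item "DisplayPort Video Output". In "Additional connections", "receptable" should be "receptacle".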

View File

@ -0,0 +1,157 @@
---
title: Technical information for 84" Surface Hub
description: Specifications for the 84" Surface Hub
ms.prod: surface-hub
ms.sitesec: library
author: jdeckerms
ms.author: jdecker
ms.topic: article
ms.localizationpriority: medium
---
# Technical information for 84" Surface Hub
## Measurements
|
--- | ---
Pricing | Starting at $21,999
Size | 46.12” x 86.7” x 4.15” (1171.5mm x 2202.9mm x 105.4mm)
Storage/RAM | SSD 128GB with 8GB RAM
Processor | 4th Generation Intel® Core™ i7
Graphics | NVIDIA Quadro K2200
Ports | **Internal PC**<br>• (1) USB 3.0 (bottom) + (1) USB 3.0 (side access)<br>• (4) USB 2.0<br>• Ethernet 1000 Base-T<br>• DisplayPort Video Output<br>• 3.5mm Stereo Out<br>• RJ11 Connector for system-level control<br>**Alternate PC**<br>• (2) USB 2.0 type B output<br>• connection for Camera, Sensors, Microphone, Speakers<br>• (2) DisplayPort Video Input<br>**Guest PC**<br>• DisplayPort Video Input<br>• HDMI Video Input<br>• VGA Video Input<br>• 3.5mm Stereo Input<br>• (1) USB 2.0 type B Touchback™ Output
Sensors | (2) Passive Infrared Presence Sensors, Ambient Light Sensors
Speakers | (2) Front-facing stereo speakers
Microphone | High-Performance, 4-Element Array
Camera | (2) Wide angle HD cameras 1080p @ 30fps
Pen | (2) Powered, active, subpixel accuracy
Physical side buttons | Power, Input Select, Volume, Brightness
Software | Windows 10 + Office (Word, PowerPoint, Excel)
Whats in the box | • Surface Hub 84”<br>• (2) Surface Hub Pens<br>• Power Cable<br>• Setup Guide<br>• Safety and Warranty documents<br>• Wireless All-in-One Keyboard
Mounting features | 4X VESA standard, 1200mm x 600mm pattern, 8X M8 X 1.25 threaded mounting locations
Display height from floor | Recommended height of 54 inches (139.7 cm) to center of screen
Product weight | Approx. 280 lb. (127 kg.)
Product shipping weight | Approx. 580 lb. (263 kg.)
Product dimensions HxWxD | 46 x 86.9 x 4.1 inches (116.8 x 220.6 x 10.4 cm)
Product shipping dimensions HxWxD | 66.14 x 88.19 x 24.4 inches (168 x 224 x 62 cm)
Product thickness | Touch surface to mounting surface: ≤ 3.1 inches (7.8 cm)
Orientation | Landscape only. Display cannot be used in a portrait orientation.
BTU | 3070.8 BTU/h
Image resolution | 3840 x 2160
Frame rate | 120Hz
Contrast Ratio | 1400:1
EDID preferred timing, replacement PC | 3840 x 2140, 120Hz vertical refresh
EDID preferred timing, wired connect | 1920 x 1080, 60Hz vertical refresh
Input voltage | 110/230v nominal, 90-265v max
Input power, operating | 900W max
Input power, standby | 5W nominal, 1-10W max
## Replacement PC connections
Connector and location | Label | Description
--- | --- | ---
Switch, bottom I/O | ![](images/switch.png) | Switches the function between using internal PC or external PC.
Display port, bottom I/O | ![](images/dport.png) | Provides input for replacement PC.
Display port, bottom I/O | ![](images/dport.png) | Provides second input for replacement PC.
USB type B, bottom I/O | ![](images/usb.png) | Provides USB connection for replacement PC to internal peripherals.
USB type B, bottom I/O | ![](images/usb.png) | Provides USB connection for integrated hub.
## Wired connect connections
Connector and location | Label | Description
--- | --- | ---
Display port, bottom I/O | ![](images/dportio.png) | Provides input for wired connect PC.
HDMI, bottom I/O | ![](images/hdmi.png) | Provides HDMI input for wired connect PC.
VGA, bottom I/O | ![](images/vga.png) | Provides VGA input for wired connect PC.
3.5mm, bottom I/O | ![](images/35mm.png) | Provides analog audio input.
USB type B, bottom I/O | ![](images/usb.png) | Provides USB connection for video ingest touchback.
## Additional connections
Connector and location | Label | Description
--- | --- | ---
USB type A, side I/O | ![](images/usb.png) | Provides 1 USB 3.0 connection for USB devices. Wake-on USB capable.
USB type A, bottom I/O with blue insulator | ![](images/usb.png) | Provides USB 3.0 connection.
3.5mm, bottom I/O | ![](images/analog.png) | Provides analog audio out.
Display port, bottom I/O | ![](images/dportout.png) | Provides mirrored video out function to another display.
IEC/EN60320-C13 receptable with hard switch | ![](images/iec.png) | Provides AC input and compliance with EU power requirements.
RJ45, bottom I/O | ![](images/rj45.png) | Connects to Ethernet.
RJ11, bottom I/O | ![](images/rj11.png) | Connects to room control systems.
## Diagrams of ports and clearances
***Top view of 84" Surface Hub***
![](images/sh-84-top.png)
---
***Front view of 84" Surface Hub***
![](images/sh-84-front.png)
---
***Bottom view of 84" Surface Hub***
![](images/sh-84-bottom.png)
---
***Replacement PC ports on 84" Surface Hub***
![](images/sh-84-rpc-ports.png)
---
***Rear view of 84" Surface Hub***
![](images/sh-84-rear.png)
---
***Clearances for 84" Surface Hub***
![](images/sh-84-clearance.png)
---
***Removable lifting handles on 84” Surface Hub ***
![](images/sh-84-hand.png)
---
***Wall mount threads on back of 84” Surface Hub ***
![](images/sh-84-wall.png)
---
***Lifting handles in top view of 84” Surface Hub***
![](images/sh-84-hand-top.png)
---
***Side view of 84” Surface Hub***
![](images/sh-84-side.png)
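
Review bot: three figures in the Measurements table do not agree with the rest of the page. "Display height from floor" reads 54 inches (139.7 cm), but 139.7 cm is 55 inches, which is what the 55" page states; "EDID preferred timing, replacement PC" reads 3840 x 2140 while "Image resolution" is 3840 x 2160; and "Size" (46.12” x 86.7” x 4.15”) differs from "Product dimensions HxWxD" (46 x 86.9 x 4.1 inches). Please confirm each against the hardware spec. Also, the captions "Removable lifting handles on 84” Surface Hub ***" and "Wall mount threads on back of 84” Surface Hub ***" have a space before the closing asterisks, which stops the emphasis from rendering, and "receptable" should be "receptacle".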

View File

@ -34,7 +34,7 @@ sections:
- type: markdown
text: "
Prepare to deploy Surface Hub in your organization. Explore site readiness, assembly, configuration, and Exchange and ActiveSync policies. <br>
<table><tr><td><img src='images/plan1.png' width='192' height='192'><br>**Get ready for Surface Hub**<br>Explore the steps you'll need to take to set up Surface Hub.<br><a href='https://download.microsoft.com/download/3/8/8/3883E991-DFDB-4E70-8D28-20B26045FC5B/Surface-Hub-Site-Readiness-Guide_EN.pdf'>Surface Hub Site Readiness Guide</a> (PDF, 1.48 MB)<br><a href='https://docs.microsoft.com/surface-hub/surface-hub-downloads'>Unpacking guides</a></td><td><img src='images/plan2.png' width='192' height='192'><br>**Assembly for Surface Hub**<br>Learn how to assemble your Surface Hub.<br><a href='https://download.microsoft.com/download/0/1/6/016363A4-8602-4F01-8281-9BE5C814DC78/Setup-Guide_EN-FR-SP.pdf'>Surface Hub Setup Guide</a> (PDF, 1.43 MB)<br><a href='https://docs.microsoft.com/surface-hub/surface-hub-downloads'>Mounting and assembling guides</a></td><td><img src='images/plan3.png' width='192' height='192'><br>**Prepare your environment**<br>Learn about setup dependencies and account requirements.<br><a href='https://docs.microsoft.com/surface-hub/prepare-your-environment-for-surface-hub'>Prepare your environment</a><br><a href='https://docs.microsoft.com/surface-hub/create-and-test-a-device-account-surface-hub'>Create and test a device account</a></td></tr>
<table><tr><td><img src='images/plan1.png' width='192' height='192'><br>**Get ready for Surface Hub**<br>Explore the steps you'll need to take to set up Surface Hub.<br><a href='https://docs.microsoft.com/surface-hub/surface-hub-site-readiness.guide'>Surface Hub Site Readiness Guide</a> (PDF, 1.48 MB)<br><a href='https://docs.microsoft.com/surface-hub/surface-hub-downloads'>Unpacking guides</a></td><td><img src='images/plan2.png' width='192' height='192'><br>**Assembly for Surface Hub**<br>Learn how to assemble your Surface Hub.<br><a href='https://download.microsoft.com/download/0/1/6/016363A4-8602-4F01-8281-9BE5C814DC78/Setup-Guide_EN-FR-SP.pdf'>Surface Hub Setup Guide</a> (PDF, 1.43 MB)<br><a href='https://docs.microsoft.com/surface-hub/surface-hub-downloads'>Mounting and assembling guides</a></td><td><img src='images/plan3.png' width='192' height='192'><br>**Prepare your environment**<br>Learn about setup dependencies and account requirements.<br><a href='https://docs.microsoft.com/surface-hub/prepare-your-environment-for-surface-hub'>Prepare your environment</a><br><a href='https://docs.microsoft.com/surface-hub/create-and-test-a-device-account-surface-hub'>Create and test a device account</a></td></tr>
</table>
"
- title: Deploy
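
Review bot: the new href in the first table cell, https://docs.microsoft.com/surface-hub/surface-hub-site-readiness.guide, ends in ".guide" with a dot where the sibling links on this page use hyphens, so it looks like a typo that will not resolve to the Site Readiness Guide article added in this commit; check it against the new article's file name. The text after the link still says "(PDF, 1.48 MB)" although the target is now a docs page rather than the PDF download, so that label should go.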

View File

@ -63,9 +63,12 @@ There are several items to download or create for offline-licensed apps. The app
**To download an offline-licensed app**
1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/) or [Microsoft Store for Education](https://educationstore.microsoft.com).
2. Click **Manage**, and then choose **Apps & software**.
3. Refine results by **License type** to show apps with offline licenses.
4. Find the app you want to download, click the ellipses under **Actions**, and then choose **Download for offline use**.
2. Click **Manage**.
3. Under **Shopping Experience**, set **Show offline apps** to **On**.
4. Click **Shop for my group**. Search for the required inbox-app, select it, change the License type to **Offline**, and click **Get the app**, which will add the app to your inventory.
5. Click **Manage**. You now have access to download the appx bundle package metadata and license file.
6. Go to **Products & services**, and select **Apps & software**. (The list may be empty, but it will auto-populate after some time.)
- **To download app metadata**: Choose the language for the app metadata, and then click **Download**. Save the downloaded app metadata. This is optional.
- **To download app package**: Click to expand the package details information, choose the Platform and Architecture combination that you need for your organization, and then click **Download**. Save the downloaded app package. This is required.
- **To download an app license**: Choose either **Encoded**, or **Unencoded**, and then click **Generate license**. Save the downloaded license. This is required.
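
Review bot: after the new step 6 the reader is never told to select the app and open its download page. The step this replaces ("Find the app you want to download, click the ellipses under **Actions**, and then choose **Download for offline use**") carried that action, and the three download bullets now follow a step that only opens the Apps & software list. Add the selection step back before the bullets. In step 5, "the appx bundle package metadata and license file" runs the package and the metadata together, although the bullets treat them as separate downloads; and "after some time" in step 6 would be more useful with an expected wait.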

View File

@ -61,7 +61,7 @@ Here are the provisioned Windows apps in Windows 10 versions 1703, 1709, 1803 an
| Microsoft.OneConnect | [Paid Wi-Fi & Cellular](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.People | [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.Print3D | [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | | x | x | x | No |
| Microsoft.SkreenSketch | [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | | | | x | No |
| Microsoft.ScreenSketch | [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | | | | x | No |
| Microsoft.SkypeApp | [Skype](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c) | x | x | x | x | No |
| Microsoft.StorePurchaseApp | [Store Purchase App](ms-windows-store://pdp/?PFN=Microsoft.StorePurchaseApp_8wekyb3d8bbwe) | x | x | x | x | No |
| Microsoft.VP9VideoExtensions | | | | | x | No |
@ -181,4 +181,4 @@ Here are the typical installed Windows apps in Windows 10 versions 1709, 1803, a
| | Microsoft.VCLibs.140.00 | x | x | x | Yes |
| | Microsoft.VCLibs.120.00.Universal | x | | | Yes |
| | Microsoft.VCLibs.140.00.UWPDesktop | | x | | Yes |
---
---

View File

@ -66,6 +66,15 @@ Here are examples of data fields. The encoded 0xF000 is the standard delimiter/s
```
<Data></Data>
```
If you use Intune custom profiles to assign UserRights policies, you must use the CDATA tag (`<![CDATA[...]]>`) to wrap the data fields. You can specify one or more user groups within the CDATA tag by using 0xF000 as the delimiter/separator.
> [!Note]
> `&#xF000;` is the entity encoding of 0xF000.
For example, the following syntax grants user rights to Authenticated Users and Replicator user groups:
```
<![CDATA[Authenticated Users&#xF000;Replicator]]>
```
<hr/>
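
Review bot: the added note says `&#xF000;` is the entity encoding of 0xF000, but the example puts it inside a CDATA section, where an XML parser does not expand character references and passes the seven characters through literally. Add one sentence saying which component decodes the delimiter in the Intune custom profile case, so that readers do not assume the CDATA form and the plain `<Data>` form are interchangeable. It would also help to say that the groups listed receive whichever user right the targeted UserRights policy node controls, since "grants user rights to Authenticated Users and Replicator" does not name one.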

View File

@ -13,7 +13,7 @@ ms.date: 06/26/2017
# WindowsSecurityAuditing CSP
The WindowsSecurityAuditing configuration service provider (CSP) is used to enable logging of security audit events. This CSP was added in Windows 10, version 1511.
The WindowsSecurityAuditing configuration service provider (CSP) is used to enable logging of security audit events. This CSP was added in Windows 10, version 1511 for Mobile and Mobile Enterprise. Make sure to consult the [Configuration service provider reference](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference) to see if this CSP and others are supported on your Windows installation.
The following diagram shows the WindowsSecurityAuditing configuration service provider in tree format.
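
Review bot: the rewritten sentence "This CSP was added in Windows 10, version 1511 for Mobile and Mobile Enterprise" can be read either as "added in 1511 and supported only on the Mobile editions" or as "added to the Mobile editions in 1511". State the supported editions explicitly, because someone planning to turn on security audit logging through MDM needs to know whether this CSP applies to their devices before relying on it. "Make sure to consult the ... reference to see if" can be shortened to "See the ... reference to check whether".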

View File

@ -10,13 +10,18 @@ ms.localizationpriority: medium
author: jdeckerms
ms.author: jdecker
ms.topic: article
ms.date: 11/07/2018
---
# Change history for Configure Windows 10
This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile.
## April 2019
New or changed topic | Description
--- | ---
[Prepare a device for kiosk configuration](kiosk-prepare.md) | Added new recommendations for policies to manage updates.
## February 2019
New or changed topic | Description

View File

@ -8,7 +8,6 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
ms.localizationpriority: medium
ms.date: 01/09/2019
ms.topic: article
---
@ -31,12 +30,14 @@ ms.topic: article
## Configuration recommendations
For a more secure kiosk experience, we recommend that you make the following configuration changes to the device before you configure it as a kiosk:
For a more secure kiosk experience, we recommend that you make the following configuration changes to the device before you configure it as a kiosk:
Recommendation | How to
--- | ---
Hide update notifications<br>(New in Windows 10, version 1809) | Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\Windows Components\\Windows Update\\Display options for update notifications**<br>-or-<br>Use the MDM setting **Update/UpdateNotificationLevel** from the [**Policy/Update** configuration service provider](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel)<br>-or-<br>Add the following registry keys as DWORD (32-bit) type:</br>`HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\SetUpdateNotificationLevel` with a value of `1`, and `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\UpdateNotificationLevel` with a value of `1` to hide all notifications except restart warnings, or value of `2` to hide all notifications, including restart warnings.
Replace "blue screen" with blank screen for OS errors | Add the following registry key as DWORD (32-bit) type with a value of `1`:</br></br>`HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\DisplayDisabled`
Hide update notifications<br>(New in Windows 10, version 1809) | Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\Windows Components\\Windows Update\\Display options for update notifications**<br>-or-<br>Use the MDM setting **Update/UpdateNotificationLevel** from the [**Policy/Update** configuration service provider](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel)<br>-or-<br>Add the following registry keys as type DWORD (32-bit) in the path of **HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate**:<br>**\SetUpdateNotificationLevel** with a value of `1`, and **\UpdateNotificationLevel** with a value of `1` to hide all notifications except restart warnings, or value of `2` to hide all notifications, including restart warnings.
Enable and schedule automatic updates | Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates**, and select `option 4 (Auto download and schedule the install)`<br>-or-<br>Use the MDM setting **Update/AllowAutoUpdate** from the [**Policy/Update** configuration service provider](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate), and select `option 3 (Auto install and restart at a specified time)`<br><br>**Note:** Installations can take from between 30 minutes and 2 hours, depending on the device, so you should schedule updates to occur when a block of 3-4 hours is available.<br><br>To schedule the automatic update, configure **Schedule Install Day**, **Schedule Install Time**, and **Schedule Install Week**.
Enable automatic restart at the scheduled time | Go to **Group Policy Editor** &gt; **Computer Configuration** &gt; **Administrative Templates\\Windows Components\\Windows Update\\Always automatically restart at the scheduled time**
Replace "blue screen" with blank screen for OS errors | Add the following registry key as DWORD (32-bit) type with a value of `1`:</br></br>**HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\DisplayDisabled**
Put device in **Tablet mode**. | If you want users to be able to use the touch (on screen) keyboard, go to **Settings** &gt; **System** &gt; **Tablet mode** and choose **On.** Do not turn on this setting if users will not interact with the kiosk, such as for a digital sign.
Hide **Ease of access** feature on the sign-in screen. | See [how to disable the Ease of Access button in the registry.](https://docs.microsoft.com/windows-hardware/customize/enterprise/complementary-features-to-custom-logon#welcome-screen)
Disable the hardware power button. | Go to **Power Options** &gt; **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**.
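Review bot: In the rewritten "Hide update notifications" row, the registry path and value names move from code spans to bold text with single backslashes (**HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate**, **\SetUpdateNotificationLevel**), while the Group Policy paths in the same cell escape theirs as `\\`. Keep registry paths and value names in backticks so they render literally and can be copied as-is; the same applies to the DisplayDisabled row. In the new "Enable and schedule automatic updates" row, "can take from between 30 minutes and 2 hours" should read "can take between", and the new "Enable automatic restart at the scheduled time" row gives only the policy path without saying what to set it to. The cells also mix `<br>` with `</br>`, which is not a valid tag.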
@ -67,7 +68,7 @@ In addition to the settings in the table, you may want to set up **automatic log
>[!NOTE]  
>If you are not familiar with Registry Editor, [learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002).
 
2. Go to
**HKEY\_LOCAL\_MACHINE\SOFTWARE\\Microsoft\WindowsNT\CurrentVersion\Winlogon**
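Review bot: The registry path on the last line of this hunk reads `...\Microsoft\WindowsNT\CurrentVersion\Winlogon`; the Winlogon key sits under `Windows NT` (with a space), so the path as written does not exist and an admin following the automatic-logon steps will not find it. The line also mixes escaped (`\_`, `\\`) and unescaped backslashes inside bold text; a code span for the whole path avoids both problems.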

View File

@ -42,6 +42,8 @@ Method | Description
>[!TIP]
>You can also configure a kiosk account and app for single-app kiosk within [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) by using a [kiosk profile](lock-down-windows-10-to-specific-apps.md#profile).
>
>Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk.

View File

@ -39,7 +39,8 @@ New features and improvements | In update
You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provisioning package](#provision).
>[!TIP]
>Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk.
<span id="intune"/>

View File

@ -25,6 +25,8 @@ For digital signage, simply select a digital sign player as your kiosk app. You
>[!TIP]
>Kiosk Browser can also be used in [single-app kiosks](kiosk-single-app.md) and [multi-app kiosk](lock-down-windows-10-to-specific-apps.md) as a web browser. For more information, see [Guidelines for web browsers](guidelines-for-assigned-access-app.md#guidelines-for-web-browsers).
>
>Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk.
Kiosk Browser must be downloaded for offline licensing using Microsoft Store for Business. You can deploy Kiosk Browser to devices running Windows 10, version 1803.

View File

@ -52,7 +52,7 @@ Examples of these two deployment advisors are shown below.
![Microsoft 365 deployment advisor](images/m365da.png)
## Windows Analytics deployment advisor example
![Windows Analytics deployment advisor](images/wada.png)
## M365 Enterprise poster

View File

@ -53,7 +53,7 @@ If you've followed the steps in the [Enrolling devices in Windows Analytics](win
In Log Analytics, go to **Settings > Connected sources > Windows telemetry** and verify that you are subscribed to the Windows Analytics solutions you intend to use.
Even though devices can take 2-3 days after enrollment to show up due to latency in the system, you can now verify the status of your devices with a few hours of running the deployment script as described in [You can now check on the status of your computers within hours of running the deployment script](https://blogs.technet.microsoft.com/upgradeanalytics/2017/05/12/wheres-my-data/) on the Windows Analytics blog.
Even though devices can take 2-3 days after enrollment to show up due to latency in the system, you can now verify the status of your devices within a few hours of running the deployment script as described in [You can now check on the status of your computers within hours of running the deployment script](https://techcommunity.microsoft.com/t5/Windows-Analytics-Blog/You-can-now-check-on-the-status-of-your-computers-within-hours/ba-p/187213) on the Tech Community Blog.
>[!NOTE]
> If you generate the status report and get an error message saying "Sorry! Were not recognizing your Commercial Id," go to **Settings > Connected sources > Windows telemetry** remove the Upgrade Readiness solution, and then re-add it.

View File

@ -29,7 +29,7 @@ Go to the [Azure portal](https://portal.azure.com), select **All services**, and
It's important to understand the difference between Azure Active Directory and an Azure subscription:
**Azure Active Directory** is the directory that Azure uses. Azure Active Directory (AD) is a separate service which sits by itself and is used by all of Azure and also Office 365.
**Azure Active Directory** is the directory that Azure uses. Azure Active Directory (Azure AD) is a separate service which sits by itself and is used by all of Azure and also Office 365.
An **Azure subscription** is a container for billing, but also acts as a security boundary. Every Azure subscription has a trust relationship with at least one Azure AD instance. This means that a subscription trusts that directory to authenticate users, services, and devices.

View File

@ -55,7 +55,7 @@ Event logs: Generic rollbacks (0xC1900101) or unexpected reboots.</td>
## Log entry structure
A setupact.log or setuperr.log (files are located at C:\Windows) entry includes the following elements:
A setupact.log or setuperr.log entry (files are located at C:\Windows) includes the following elements:
<ol>
<LI><B>The date and time</B> - 2016-09-08 09:20:05.

View File

@ -22,16 +22,26 @@ Windows Autopilot depends on specific capabilities available in Windows 10, Azur
- Windows 10 version 1703 (semi-annual channel) or higher is required.
- The following editions are supported:
- Pro
- Pro Education
- Pro for Workstations
- Enterprise
- Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows 10 Pro for Workstations
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Enterprise 2019 LTSC
- If you're using Autopilot for Surface devices, note that only the following Surface devices support Autopilot:
- Surface Go
- Surface Go with LTE Advanced
- Surface Pro (5th gen)
- Surface Pro with LTE Advanced (5th gen)
- Surface Pro 6
- Surface Laptop (1st gen)
- Surface Laptop 2
- Surface Studio (1st gen)
- Surface Studio 2
- Surface Book 2
- Windows 10 Enterprise 2019 LTSC is also supported.
See the following topics for details on licensing, network, and configuration requirements:
- [Licensing requirements](windows-autopilot-requirements-licensing.md)
See the following topics for details on network and configuration requirements:
- [Networking requirements](windows-autopilot-requirements-network.md)
- [Configuration requirements](windows-autopilot-requirements-configuration.md)
- For details about specific configuration requirements to enable user-driven Hybrid Azure Active Directory join for Windows Autopilot, see [Intune Connector (preview) language requirements](intune-connector.md). This requirement is a temporary workaround, and will be removed in the next release of Intune Connector.

View File

@ -43,6 +43,14 @@ You can use Group Policy to enable Windows Defender Credential Guard. This will
To enforce processing of the group policy, you can run ```gpupdate /force```.
### Enable Windows Defender Credential Guard by using Intune
1. From **Home** click **Microsoft Intune**
2. Click **Device configuration**
3. Click **Profiles** > **Create Profile** > **Endpoint protection** > **Windows Defender Credential Guard**.
> [!NOTE]
> It will enable VBS and Secure Boot and you can do it with or without UEFI Lock. If you will need to disable Credential Guard remotely, enable it without UEFI lock.
### Enable Windows Defender Credential Guard by using the registry
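Review bot: The note under step 3 opens with "It will enable VBS and Secure Boot" without saying what "It" refers to, and the steps stop at choosing **Windows Defender Credential Guard** without naming the value to pick or how the profile is assigned to devices. Name the setting and its two choices (with or without UEFI lock) in a step of their own, then state the trade-off once: Credential Guard can be disabled remotely only when it was enabled without the lock. Steps 1 and 2 also lack the closing period that step 3 has, and "UEFI Lock" / "UEFI lock" should use one casing.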

View File

@ -35,9 +35,9 @@ On-premises certificate-based deployments of Windows Hello for Business needs th
## Enable Windows Hello for Business Group Policy
The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should be attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to enabled.
The Group Policy setting determines whether users are allowed, and prompted, to enroll for Windows Hello for Business. It can be configured for computers or users.
You can configure the Enable Windows Hello for Business Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence.
If you configure the Group Policy for computers, all users that sign-in to those computers will be allowed and prompted to enroll for Windows Hello for Business. If you configure the Group Policy for users, only those users will be allowed and prompted to enroll for Windows Hello for Business.
## Use certificate for on-premises authentication
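Review bot: The shorter wording in this hunk ("The Group Policy setting determines whether users are allowed, and prompted, to enroll ...") never says which setting wins when both the computer and the user policy are deployed; only the longer paragraph states "If both user and computer policy settings are deployed, the user policy setting has precedence", along with the option of targeting a group of users. Carry both points into whichever wording is kept, since the precedence rule decides who actually enrolls. In the short version, "all users that sign-in to those computers" should use the verb form "sign in to".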

View File

@ -187,7 +187,7 @@ Joining a device is an extension to registering a device. This means, it provide
[Return to Top](hello-how-it-works-technology.md)
## Key Trust
The key trust model uses the user's Windows Hello for Business identity to authenticate to on-premises Active Directory. The certificate trust model is supported in hybrid and on-premises deployments and requires Windows Server 2016 domain controllers.
The key trust model uses the user's Windows Hello for Business identity to authenticate to on-premises Active Directory. The key trust model is supported in hybrid and on-premises deployments and requires Windows Server 2016 domain controllers.
### Related topics
[Certificate Trust](#certificate-trust), [Deployment Type](#deployment-type), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined), [Hybrid Deployment](#hybrid-deployment), [On-premises Deployment](#on-premises-deployment), [Trust Type](#trust-type)

View File

@ -59,7 +59,7 @@ The remainder of the provisioning includes Windows Hello for Business requesting
> Read [Azure AD Connect sync: Scheduler](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler) to view and adjust the **synchronization cycle** for your organization.
> [!NOTE]
> Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889) provides synchronous certificate enrollment during hybrid certificate trust provisioning. With this update, users no longer need to wait for Azure AD Connect to sync their public key on-premises. Users enroll their certificate during provisioning and can use the certificate for sign-in immediately after completeling the provisioning.
> Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889) provides synchronous certificate enrollment during hybrid certificate trust provisioning. With this update, users no longer need to wait for Azure AD Connect to sync their public key on-premises. Users enroll their certificate during provisioning and can use the certificate for sign-in immediately after completeling the provisioning. The update needs to be installed on the federation servers.
After a successful key registration, Windows creates a certificate request using the same key pair to request a certificate. Windows send the certificate request to the AD FS server for certificate enrollment.
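Review bot: The edited NOTE line still carries the typo "completeling the provisioning" (should be "completing"); fix it while the line is being touched. The added sentence "The update needs to be installed on the federation servers" would be clearer if it named them as the AD FS servers, the term the next paragraph uses. The trailing context line "Windows send the certificate request" also needs "sends".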

View File

@ -50,7 +50,7 @@ The table shows the minimum requirements for each deployment. For key trust in a
| Windows 10, version 1511 or later| **Hybrid Azure AD Joined:**<br> *Minimum:* Windows 10, version 1703<br> *Best experience:* Windows 10, version 1709 or later (supports synchronous certificate enrollment).</br>**Azure AD Joined:**<br> Windows 10, version 1511 or later| Windows 10, version 1511 or later | Windows 10, version 1511 or later |
| Windows Server 2016 Schema | Windows Server 2016 Schema | Windows Server 2016 Schema | Windows Server 2016 Schema |
| Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level| Windows Server 2008 R2 Domain/Forest functional level |Windows Server 2008 R2 Domain/Forest functional level |
| Windows Server 2016 Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | Windows Server 2016 Domain Controllers | Windows Server 2008 R2 or later Domain Controllers |
| Windows Server 2016 or later Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | Windows Server 2016 or later Domain Controllers | Windows Server 2008 R2 or later Domain Controllers |
| Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority |
| N/A | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) (hybrid Azure AD joined clients),<br> and</br>Windows Server 2012 or later Network Device Enrollment Service (Azure AD joined) | N/A | Windows Server 2012 or later Network Device Enrollment Service |
| Azure MFA tenant, or</br>AD FS w/Azure MFA adapter, or</br>AD FS w/Azure MFA Server adapter, or</br>AD FS w/3rd Party MFA Adapter| Azure MFA tenant, or</br>AD FS w/Azure MFA adapter, or</br>AD FS w/Azure MFA Server adapter, or</br>AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or</br>AD FS w/Azure MFA adapter, or</br>AD FS w/Azure MFA Server adapter, or</br>AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or</br>AD FS w/Azure MFA adapter, or</br>AD FS w/Azure MFA Server adapter, or</br>AD FS w/3rd Party MFA Adapter |
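Review bot: The domain controller row now reads "Windows Server 2016 or later Domain Controllers", but the Key Trust section edited elsewhere in this commit still says the model "requires Windows Server 2016 domain controllers" with no "or later". Align the two statements (the same row in the second requirements table has the same wording change), so a reader planning domain controller upgrades gets one answer.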
@ -67,7 +67,7 @@ The table shows the minimum requirements for each deployment.
| Windows 10, version 1703 or later | Windows 10, version 1703 or later |
| Windows Server 2016 Schema | Windows Server 2016 Schema|
| Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level |
| Windows Server 2016 Domain Controllers | Windows Server 2008 R2 or later Domain Controllers |
| Windows Server 2016 or later Domain Controllers | Windows Server 2008 R2 or later Domain Controllers |
| Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority |
| Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) |
| AD FS with Azure MFA Server, or</br>AD FS with 3rd Party MFA Adapter | AD FS with Azure MFA Server, or</br>AD FS with 3rd Party MFA Adapter |

View File

@ -89,7 +89,7 @@ To use Windows Defender Remote Credential Guard, the Remote Desktop client and r
The Remote Desktop client device:
- Must be running at least Windows 10, version 1703 to be able to supply credentials.
- Must be running at least Windows 10, version 1703 to be able to supply credentials, which is sent to the remote device. This allows users to run as different users without having to send credentials to the remote machine.
- Must be running at least Windows 10, version 1607 or Windows Server 2016 to use the users signed-in credentials. This requires the users account be able to sign in to both the client device and the remote host.
- Must be running the Remote Desktop Classic Windows application. The Remote Desktop Universal Windows Platform application doesn't support Windows Defender Remote Credential Guard.
- Must use Kerberos authentication to connect to the remote host. If the client cannot connect to a domain controller, then RDP attempts to fall back to NTLM. Windows Defender Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk.
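Review bot: The expanded first bullet contradicts itself: it says the supplied credentials "is sent to the remote device" and, in the next sentence, that this works "without having to send credentials to the remote machine". The summary further down the same file states "No credentials are sent to the target device", so this bullet should say once, and in agreement with that line, what leaves the client when the user supplies credentials. The verb also needs to be plural ("credentials, which are"), and the next bullet's "the users signed-in credentials" and "the users account" are missing their apostrophes.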
@ -176,4 +176,4 @@ mstsc.exe /remoteGuard
- No credentials are sent to the target device, but the target device still acquires Kerberos Service Tickets on its own.
- The server and client must authenticate using Kerberos.
- The server and client must authenticate using Kerberos.

View File

@ -11,7 +11,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 03/25/2019
ms.date: 04/11/2019
---
# Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune
@ -23,12 +23,19 @@ ms.date: 03/25/2019
Microsoft Intune has an easy way to create and deploy a Windows Information Protection (WIP) policy. You can choose which apps to protect, the level of protection, and how to find enterprise data on the network. The devices can be fully managed by Mobile Device Management (MDM), or managed by Mobile Application Management (MAM), where Intune only manages the apps on a user's personal device.
>[!NOTE]
>If the same user and device are targeted for both MDM and MAM, the MDM policy will be applied to devices joined to Azure AD. For personal devices that are workplace-joined (that is, added by using **Settings** > **Email & accounts** > **Add a work or school account**). the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**. Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access. MAM supports only one user per device.
## Differences between MDM and MAM for WIP
- If the same user and device are targeted for both MDM and MAM, the MDM policy will be applied to devices joined to Azure AD. For personal devices that are workplace-joined (that is, added by using **Settings** > **Email & accounts** > **Add a work or school account**), the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**. Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access.
- MAM supports only one user per device.
- MAM can only manage [enlightened apps](enlightened-microsoft-apps-and-wip.md)
- MAM has additional **Access** settings for Windows Hello for Business
- MAM can [selectively wipe company data](https://docs.microsoft.com/intune/apps-selective-wipe) from a user's personal device
- MAM requires an [Azure Active Direcory (Azure AD) Premium license](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses)
- An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and re-gain access to protected data. WIP auto-recovery depends on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM.
## Prerequisites
Before you can create a WIP policy using Intune, you need to configure an MDM or MAM provider in Azure Active Directory (Azure AD). MAM requires an [Azure Active Direcory (Azure AD) Premium license](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses). An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and re-gain access to protected data. WIP auto-recovery depends on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM.
Before you can create a WIP policy using Intune, you need to configure an MDM or MAM provider in Azure Active Directory (Azure AD).
## Configure the MDM or MAM provider
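Review bot: The link text "Azure Active Direcory (Azure AD) Premium license" keeps its typo when it moves into the new bullet list; correct it to "Directory". Under the new heading "Differences between MDM and MAM for WIP", the first bullet is a precedence rule for a user and device targeted by both, not a difference, so it fits better as a lead-in sentence before the list. The Azure AD Premium requirement also leaves the Prerequisites section, which is where an admin planning a MAM deployment will look for it; keep a one-line pointer there. The middle bullets lack the closing periods the others have.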
@ -602,6 +609,70 @@ Optionally, if you dont want everyone in your organization to be able to shar
>[!NOTE]
>For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates) topic.
### Configure Windows Hello for Business for MAM
If you created a WIP policy for MAM, you can turn on Windows Hello for Business, letting your employees use it as a sign-in method for their devices.
**To turn on and configure Windows Hello for Business**
1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears.
The **Advanced settings** blade appears.
2. Choose to turn on and configure the Windows Hello for Business settings:
![Microsoft Intune, Choose to use Windows Hello for Business](images/wip-azure-access-options.png)
- **Use Windows Hello for Business as a method for signing into Windows.** Turns on Windows Hello for Business. The options are:
- **On.** Turns on Windows Hello For Business for anyone assigned to this policy.
- **Off.** Turns off Windows Hello for Business.
- **Set the minimum number of characters required for the PIN.** Enter a numerical value (4-127 characters) for how many characters must be used to create a valid PIN. Default is 4 characters.
- **Configure the use of uppercase letters in the Windows Hello for Business PIN.** Lets you decide whether uppercase letters can be used in a valid PIN. The options are:
- **Allow the use of uppercase letters in PIN.** Lets an employee use uppercase letters in a valid PIN.
- **Require the use of at least one uppercase letter in PIN.** Requires an employee to use at least 1 uppercase letter in a valid PIN.
- **Do not allow the use of uppercase letters in PIN.** Prevents an employee from using uppercase letters in a valid PIN.
- **Configure the use of lowercase letters in the Windows Hello for Business PIN.** Lets you decide whether lowercase letters can be used in a valid PIN. The options are:
- **Allow the use of lowercase letters in PIN.** Lets an employee use lowercase letters in a valid PIN.
- **Require the use of at least one lowercase letter in PIN.** Requires an employee to use at least 1 lowercase letter in a valid PIN.
- **Do not allow the use of lowercase letters in PIN.** Prevents an employee from using lowercase letters in a valid PIN.
- **Configure the use of special characters in the Windows Hello for Business PIN.** Lets you decide whether special characters can be used in a valid PIN. The options are:
- **Allow the use of special characters in PIN.** Lets an employee use special characters in a valid PIN.
- **Require the use of at least one special character in PIN.** Requires an employee to use at least 1 special character in a valid PIN.
- **Do not allow the use of special characters in PIN.** Prevents an employee from using special characters in a valid PIN.
- **Specify the period of time (in days) that a PIN can be used before the system requires the user to change it.** Enter a numerical value (0-730 days) for how many days can pass before a PIN must be changed. If you enter a value of 0, the PIN never expires.
- **Specify the number of past PINs that can be associated to a user account that can't be reused.** Enter a numerical value (0-50 days) for how many days can pass before an employee can reuse a previous PIN. If you enter a value of 0, a PINs can be reused immediately and past PINs aren't stored.
>[!NOTE]
>PIN history is not preserved through a PIN reset.
- **Number of authentication failures allowed before the device will be wiped.** Enter a numerical value for how many times the PIN can be incorrectly entered before wiping the device of corporate data. If you enter a value of 0, the device is never wiped, regardless of the number of incorrect PIN entries.<p>This setting has different behavior for mobile devices and desktops.
- **On mobile devices.** When an employee reaches the value set here, the device is wiped of corporate data.
- **On desktop devices.** When an employee reaches the value set here, the desktop is put into BitLocker recovery mode, instead of being wiped. You must have BitLocker installed on the device or this setting is ignored.
- **Maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked.** Enter a numerical value for how many days can pass before a PIN must be changed. If you enter a value of 0, the device never becomes PIN or password locked while idle.
>[!NOTE]
>You can set this value to be anything; however, it can't be longer than the time specified by the **Settings** app. If you exceed the maximum timeout value, this setting is ignored.
## Related topics
- [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md)
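Review bot: Two descriptions in the new Windows Hello for Business list do not match their settings. The PIN-history item ("Specify the number of past PINs that can be associated to a user account that can't be reused") gives its value as "(0-50 days) for how many days can pass before an employee can reuse a previous PIN", but the setting is a count of remembered PINs, not a duration. The idle-lock item ("Maximum amount of time (in minutes) allowed after the device is idle ...") repeats the PIN-expiry text "how many days can pass before a PIN must be changed" instead of describing the idle minutes before the device locks. Both read as copy-paste from the expiry item and would lead an admin to enter a value in the wrong unit. In the same list, "a PINs can be reused" should be "PINs can be reused", the wipe item opens a `<p>` that is never closed, and "You must have BitLocker installed" would be more precise as BitLocker being turned on for the device.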

View File

@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/26/2019
ms.date: 04/05/2019
---
# Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager
@ -95,7 +95,7 @@ If you don't know the publisher or product name, you can find them for both desk
**To find the Publisher and Product Name values for Store apps without installing them**
1. Go to the [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, Microsoft OneNote.
1. Go to the [Microsoft Store for Business](https://businessstore.microsoft.com/store) website, and find your app. For example, Microsoft OneNote.
>[!NOTE]
@ -505,16 +505,11 @@ After you've finished configuring your policy, you can review all of your info o
After youve created your WIP policy, you'll need to deploy it to your organization's devices. For info about your deployment options, see these topics:
- [Operations and Maintenance for Compliance Settings in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=708224)
- [How to Create Configuration Baselines for Compliance Settings in Configuration Manager]( https://go.microsoft.com/fwlink/p/?LinkId=708225)
- [How to Create Configuration Baselines for Compliance Settings in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=708225)
- [How to Deploy Configuration Baselines in Configuration Manager]( https://go.microsoft.com/fwlink/p/?LinkId=708226)
- [How to Deploy Configuration Baselines in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=708226)
## Related topics
- [System Center Configuration Manager and Endpoint Protection (Version 1606)](https://go.microsoft.com/fwlink/p/?LinkId=717372)
- [TechNet documentation for Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=691623)
- [Manage mobile devices with Configuration Manager and Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=691624)
- [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md)

View File

@ -13,7 +13,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/26/2019
ms.date: 04/11/2019
---
# How Windows Information Protection (WIP) protects a file that has a sensitivity label
@ -34,8 +34,6 @@ Microsoft information protection technologies include:
- [Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) is built in to Windows 10 and protects local data at rest on endpoint devices, and manages apps to protect local data in use. Data that leaves the endpoint device, such as email attachment, is not protected by WIP.
- [Office 365 Information Protection](https://docs.microsoft.com/office365/securitycompliance/office-365-info-protection-for-gdpr-overview) is a solution to classify, protect, and monitor personal data in Office 365.
- [Azure Information Protection](https://docs.microsoft.com/azure/information-protection/what-is-information-protection) is a cloud-based solution that can be purchased either standalone or as part of Microsoft 365 Enterprise. It helps an organization classify and protect its documents and emails by applying labels. Azure Information Protection is applied directly to content, and roams with the content as it's moved between locations and cloud services.
- [Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/what-is-cloud-app-security) is a cloud access security broker (CASB) solution that allows you to discover, classify, protect, and monitor user data in first-party and third-party Software-as-a-Service (SaaS) apps used by your organization.

View File

@ -12,7 +12,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/05/2019
ms.date: 04/10/2019
ms.localizationpriority: medium
---
@ -125,7 +125,7 @@ This table provides info about the most common problems you might encounter whil
</td>
</tr>
<tr>
<td>By design, files in the Windows directory (%windir% or C:/Windows) cannot be encrypted because they need to be accessed by any user. If a file in the Windows directory gets encypted by one user, other users can't access it.
<td>By design, files in the Windows directory tree (%windir% or C:\Windows) cannot be encrypted because they need to be accessed by the system even when no user is signed in. If a file in the Windows directory gets encrypted by one user, the system and other users can't access it.
</td>
<td>Any attempt to encrypt a file in the Windows directory will return a file access denied error. But if you copy or drag and drop an encrypted file to the Windows directory, it will retain encryption to honor the intent of the owner.
</td>
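Review bot: The reworded cell says "Windows directory tree" in its first sentence but "Windows directory" in its second, and the neighbouring cell ("Any attempt to encrypt a file in the Windows directory ...") was left unchanged. Use the same term in all three places so it is clear whether subfolders of %windir% are covered by both the restriction and the copy/drag-and-drop behaviour.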

View File

@ -1018,10 +1018,17 @@
###### [Synchronize directory service data](security-policy-settings/synchronize-directory-service-data.md)
###### [Take ownership of files or other objects](security-policy-settings/take-ownership-of-files-or-other-objects.md)
### [Windows security guidance for enterprises](windows-security-configuration-framework/windows-security-compliance.md)
### [Windows security baselines](windows-security-baselines.md)
#### [Security Compliance Toolkit](security-compliance-toolkit-10.md)
#### [Get support](get-support-for-security-baselines.md)
#### [Windows security baselines](windows-security-configuration-framework/windows-security-baselines.md)
##### [Security Compliance Toolkit](windows-security-configuration-framework/security-compliance-toolkit-10.md)
##### [Get support](windows-security-configuration-framework/get-support-for-security-baselines.md)
#### [Windows security configuration framework](windows-security-configuration-framework/windows-security-configuration-framework.md)
##### [Level 5 enterprise security](windows-security-configuration-framework/level-5-enterprise-security.md)
##### [Level 4 enterprise high security](windows-security-configuration-framework/level-4-enterprise-high-security.md)
##### [Level 3 enterprise VIP security](windows-security-configuration-framework/level-3-enterprise-vip-security.md)
##### [Level 2 enterprise dev/ops workstation](windows-security-configuration-framework/level-2-enterprise-devops-security.md)
##### [Level 1 enterprise administrator workstation](windows-security-configuration-framework/level-1-enterprise-administrator-security.md)
### [MBSA removal and alternatives](mbsa-removal-and-guidance.md)
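Review bot: The link text for the new level entries is inconsistent with the target file names: levels 5, 4 and 3 are titled "... security", while levels 2 and 1 are titled "... workstation" yet point to `level-2-enterprise-devops-security.md` and `level-1-enterprise-administrator-security.md`. Pick one naming pattern for all five so the TOC reads as a single scale.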

View File

@ -132,7 +132,7 @@ This event is generated only on domain controllers.
| 0x8 | TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE | If this bit is set, the trust link is a [cross-forest trust](https://msdn.microsoft.com/library/cc223126.aspx#gt_86f3dbf2-338f-462e-8c5b-3c8e05798dbc) [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx) between the root domains of two [forests](https://msdn.microsoft.com/library/cc223126.aspx#gt_fd104241-4fb3-457c-b2c4-e0c18bb20b62), both of which are running in a [forest functional level](https://msdn.microsoft.com/library/cc223126.aspx#gt_b3240417-ca43-4901-90ec-fde55b32b3b8) of DS\_BEHAVIOR\_WIN2003 or greater.<br>Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 operating system.<br>Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
| 0x10 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](https://msdn.microsoft.com/library/cc223126.aspx#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx) section [3.3.5.7.5](https://msdn.microsoft.com/library/cc233949.aspx) and [\[MS-APDS\]](https://msdn.microsoft.com/library/cc223948.aspx) section [3.1.5](https://msdn.microsoft.com/library/cc223991.aspx).<br>Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.<br>Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
| 0x20 | TRUST\_ATTRIBUTE\_WITHIN\_FOREST | If this bit is set, then the trusted domain is within the same forest.<br>Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. |
| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are [more stringently filtered](https://docs.microsoft.com/openspecs/windows_protocols/ms-adts/e9a2d23c-c31e-4a6f-88a0-6646fdb51a3c) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/library/cc237917.aspx) section 4.1.2.2.<br>Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.<br>Only evaluated if SID Filtering is used.<br>Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.<br>Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are [more stringently filtered](https://docs.microsoft.com/openspecs/windows_protocols/ms-adts/e9a2d23c-c31e-4a6f-88a0-6646fdb51a3c) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts.<br>Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.<br>Only evaluated if SID Filtering is used.<br>Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.<br>Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
| 0x80 | TRUST\_ATTRIBUTE\_USES\_RC4\_ENCRYPTION | This bit is set on trusts with the [trustType](https://msdn.microsoft.com/library/cc220955.aspx) set to TRUST\_TYPE\_MIT, which are capable of using RC4 keys. Historically, MIT Kerberos distributions supported only DES and 3DES keys ([\[RFC4120\]](https://go.microsoft.com/fwlink/?LinkId=90458), [\[RFC3961\]](https://go.microsoft.com/fwlink/?LinkId=90450)). MIT 1.4.1 adopted the RC4HMAC encryption type common to Windows 2000 [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx), so trusted domains deploying later versions of the MIT distribution required this bit. For more information, see "Keys and Trusts", section [6.1.6.9.1](https://msdn.microsoft.com/library/cc223782.aspx).<br>Only evaluated on TRUST\_TYPE\_MIT |
| 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx) section 3.3.5.7.5.<br>Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. |
| 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/library/cc237917.aspx) section 4.1.2.2.<br>Evaluated only on Windows Server 2016<br>Evaluated only if SID Filtering is used.<br>Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.<br>Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater. |
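Review bot: The replacement 0x40 row (TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL) no longer carries the "[MS-PAC] section 4.1.2.2" pointer, but the 0x400 row (TRUST\_ATTRIBUTE\_PIM\_TRUST) keeps the identical sentence and link. If the reference was removed because it is stale, drop or update it in the 0x400 row too; if it is still valid, keep it in the 0x40 row, since that row is where SID Filtering behaviour is described.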

Binary file not shown.

Binary file not shown.

Binary file not shown.

View File

@ -24,7 +24,7 @@ Describes the best practices, location, values, management, and security conside
## Reference
Beginning with Windows Server 2012 and Windows 8, Windows detects user-input inactivity of a sign-in (logon) session by using the security policy setting **Interactive logon: Machine inactivity limit**. If the amount of inactive time exceeds the inactivity limit set by this policy, then the users session locks by invoking the screen saver. This policy setting allows you to control the locking time by using Group Policy.
Beginning with Windows Server 2012 and Windows 8, Windows detects user-input inactivity of a sign-in (logon) session by using the security policy setting **Interactive logon: Machine inactivity limit**. If the amount of inactive time exceeds the inactivity limit set by this policy, then the users session locks by invoking the screen saver (screen saver should be active on the destination machine). This policy setting allows you to control the locking time by using Group Policy.
### Possible values
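Review bot: The added parenthetical "(screen saver should be active on the destination machine)" is ambiguous on two counts: "should" does not say whether the lock fails without a screen saver, and "destination machine" is not defined anywhere in the paragraph. State it as its own sentence, naming the device the policy applies to and saying what happens when no screen saver is configured.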
@ -40,6 +40,8 @@ Set the time for elapsed user-input inactivity based on the devices usage and
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options (While creating and linking group policy on server)
### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policys property page.
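Review bot: The section now lists two policy paths with only a trailing "(While creating and linking group policy on server)" on the second one, so a reader cannot tell when the first path applies. Label both lines with the context in which each path is seen, and lower-case the parenthetical or turn it into a lead-in sentence.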

View File

@ -44,7 +44,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Use
### Default values
By default this setting is Administrators on domain controllers and on stand-alone servers.
By default, this setting is Administrators and NT SERVICE\WdiServiceHost on domain controllers and on stand-alone servers.
The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policys property page.
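Review bot: The new default adds `NT SERVICE\WdiServiceHost`, but the sentence right after it points to a table of default values that is outside this hunk. Confirm the table rows for domain controllers and stand-alone servers were updated to match, otherwise the page states two different defaults. The backslash here is also unescaped, while the path in the hunk header from the same file uses `\\`.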

View File

@ -14,7 +14,8 @@ ms.localizationpriority: medium
# Use Windows Event Forwarding to help with intrusion detection
**Applies to**
- Windows 10
- Windows 10
- Windows Server
Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected.
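Review bot: The added `- Windows Server` bullet names no release, while the bullet above it is specific (`Windows 10`). List the Windows Server versions the guidance was validated on so readers know whether older collectors are covered.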

View File

@ -24,6 +24,9 @@ You can exclude certain files from Windows Defender Antivirus scans by modifying
Generally, you shouldn't need to apply exclusions. Windows Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations.
> [!NOTE]
> Automatic exclusions apply only to Windows Server 2016 and above.
>[!TIP]
>The default antimalware policy we deploy at Microsoft doesn't set any exclusions by default.
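Review bot: The new note restricts automatic exclusions to Windows Server 2016 and above, but the paragraph directly before it still says without qualification that Windows Defender Antivirus "includes a number of automatic exclusions" and that you generally shouldn't need to apply any. Qualify that paragraph so it does not imply the same for other platforms. The note is also written `> [!NOTE]` with a space, while the adjacent tip uses `>[!TIP]`; match one style.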

View File

@ -56,14 +56,11 @@ SIP is a built-in macOS security feature that prevents low-level tampering with
## Installation and configuration overview
There are various methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac.
In general you'll need to take the following steps:
- [Register macOS devices](#register-macos-devices) with Windows Defender ATP
- Deploy Microsoft Defender ATP for Mac using any of the following deployment methods and tools:
- [Microsoft Intune based deployment](#microsoft-intune-based-deployment)
- [JAMF based deployment](#jamf-based-deployment)
- [Manual deployment](#manual-deployment)
## Deploy Microsoft Defender ATP for Mac
Use any of the supported methods to deploy Microsoft Defender ATP for Mac
- Ensure you have a Windows Defender ATP subscription and have access to the Windows Defender ATP Portal
- Deploy Microsoft Defender ATP for Mac using one of the following deployment methods:
* [Microsoft Intune based deployment](#microsoft-intune-based-deployment)
* [JAMF based deployment](#jamf-based-deployment)
* [Manual deployment](#manual-deployment)
## Microsoft Intune based deployment
@ -293,7 +290,6 @@ After some time, the machine's User Approved MDM status will change to Yes.
You can enroll additional machines now. Optionally, can do it after system configuration and application packages are provisioned.
### Deployment
Enrolled client machines periodically poll the JAMF Server and install new configuration profiles and policies as soon as they are detected.
@ -329,7 +325,7 @@ Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: No patch policies were found.
You can also check the onboarding status:
```
mavel-mojave:~ testuser$ /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py
mavel-mojave:~ testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py
uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6
orgid : 79109c9d-83bb-4f3e-9152-8d75ee59ae22
orgid managed : 79109c9d-83bb-4f3e-9152-8d75ee59ae22
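Review bot: The transcript now runs `wdavconfig.py` under `sudo`, but the lead-in "You can also check the onboarding status:" does not mention that administrator rights are required. Say so in the sentence so the password prompt is expected; the same applies to the two later transcripts changed in the same way.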
@ -351,13 +347,13 @@ For example, this script removes Microsoft Defender ATP from the /Applications d
```
echo "Is WDAV installed?"
ls -ld '/Applications/Microsoft Defender.app' 2>/dev/null
ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null
echo "Uninstalling WDAV..."
rm -rf '/Applications/Microsoft Defender.app'
rm -rf '/Applications/Microsoft Defender ATP.app'
echo "Is WDAV still installed?"
ls -ld '/Applications/Microsoft Defender.app' 2>/dev/null
ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null
echo "Done!"
```
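Review bot: The uninstall script now checks and removes only `/Applications/Microsoft Defender ATP.app`, so a machine that still has the bundle under the previous name `/Applications/Microsoft Defender.app` will report "Done!" with the old app left in place. Either remove both paths or state in the surrounding text which build introduced the new bundle name. The echo strings still say "WDAV", which no longer matches the product name used in the path.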
@ -374,7 +370,7 @@ Configure the appropriate scope in the **Scope** tab to specify the machines tha
You can check that machines are correctly onboarded by creating a script. For example, the following script checks that enrolled machines are onboarded:
```
/Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+'
sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+'
```
This script returns 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service, and another exit code if it is not installed or registered.
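Review bot: Adding `sudo` inside a script that the management server runs unattended needs a justification. If the agent already executes the script with elevated rights the `sudo` is redundant, and if it does not, a non-interactive `sudo` has no terminal to ask for a password and the pipeline will return grep's non-zero status, which the next sentence tells the reader to interpret as "not installed or registered". State which account the script runs under, and drop `sudo` if it is already privileged.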
@ -435,7 +431,7 @@ The installation will proceed.
The client machine is not associated with orgId. Note that the orgid is blank.
```
mavel-mojave:wdavconfig testuser$ /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py
mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py
uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6
orgid :
```
@ -449,7 +445,7 @@ The installation will proceed.
3. Verify that the machine is now associated with orgId:
```
mavel-mojave:wdavconfig testuser$ /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py
mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py
uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6
orgid : E6875323-A6C0-4C60-87AD-114BBE7439B8
```

View File

@ -12,7 +12,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 10/16/2017
ms.date: 04/10/2019
---
# AppLocker
@ -92,7 +92,7 @@ AppLocker is included with enterprise-level editions of Windows. You can author
 
### Using AppLocker on Server Core
AppLocker on Server Core installations is not supported.
AppLocker on Server Core installations is not supported. This applies to all versions of Windows Server.
### Virtualization considerations

View File

@ -12,7 +12,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
ms.date: 03/11/2019
---
# Requirements to use AppLocker
@ -31,14 +31,15 @@ To use AppLocker, you need:
- For Group Policy deployment, at least one device with the Group Policy Management Console (GPMC) or Remote Server Administration Tools (RSAT) installed to host the AppLocker rules.
- Devices running a supported operating system to enforce the AppLocker rules that you create.
>**Note:**  You can use Software Restriction Policies with AppLocker, but with some limitations. For more info, see [Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md).
>[!NOTE]
>You can use Software Restriction Policies with AppLocker, but with some limitations. For more info, see [Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md).
 
## Operating system requirements
The following table show the on which operating systems AppLocker features are supported.
The following table shows AppLocker features supported by different versions of Windows.
| Version | Can be configured | Can be enforced | Available rules | Notes |
| - | - | - | - | - |
|---|---|---|---|---|
| Windows 10| Yes| Yes| Packaged apps<br/>Executable<br/>Windows Installer<br/>Script<br/>DLL| You can use the [AppLocker CSP](https://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) to configure AppLocker policies on any edition of Windows 10 supported by Mobile Device Management (MDM). You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise, Windows 10 Education, and Windows Server 2016. |
| Windows Server 2016<br/>Windows Server 2012 R2<br/>Windows Server 2012| Yes| Yes| Packaged apps<br/>Executable<br/>Windows Installer<br/>Script<br/>DLL| |
| Windows 8.1 Pro| Yes| No| N/A||
@ -55,8 +56,7 @@ The following table show the on which operating systems AppLocker features are s
| Windows 7 Enterprise| Yes| Yes| Executable<br/>Windows Installer<br/>Script<br/>DLL| Packaged app rules will not be enforced.|
| Windows 7 Professional| Yes| No| Executable<br/>Windows Installer<br/>Script<br/>DLL| No AppLocker rules are enforced.|
 
AppLocker is not supported on versions of the Windows operating system not listed above. Software Restriction Policies can be used with those versions. However, the SRP Basic User feature is not supported on the above operating systems.
Previous versions of Windows can use Software Restriction Policies.
## See also
- [Administer AppLocker](administer-applocker.md)
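Review bot: The replacement sentence "Previous versions of Windows can use Software Restriction Policies." loses two statements the old text made explicitly: that AppLocker is not supported on versions missing from the table, and the caveat about the SRP Basic User feature. "Previous versions" is also unclear, because the table itself goes back to Windows 7. Keep the explicit "not supported on versions not listed above" wording, and either retain the Basic User caveat or explain why it no longer applies.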

View File

@ -61,7 +61,7 @@ AppLocker uses path variables for well-known directories in Windows. Path variab
| Windows directory or drive | AppLocker path variable | Windows environment variable |
| - | - | - |
| Windows | %WINDIR% | %SystemRoot% |
| System32 | %SYSTEM32%| %SystemDirectory%|
| System32 and sysWOW64 | %SYSTEM32%| %SystemDirectory%|
| Windows installation directory | %OSDRIVE%|%SystemDrive%|
| Program Files | %PROGRAMFILES%| %ProgramFiles% and %ProgramFiles(x86)%|
| Removable media (for example, CD or DVD) | %REMOVABLE%| |
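Review bot: The new row label is written `sysWOW64`; the folder name is `SysWOW64`, and the other cells in this table use the conventional casing (`System32`, `Program Files`). The third column still lists only `%SystemDirectory%`; clarify whether that environment variable is meant to correspond to both folders or only to System32, since the AppLocker variable now claims both.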

View File

@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
author: jsuther1974
ms.date: 08/31/2018
ms.date: 04/09/2019
---
# Microsoft recommended block rules
@ -60,6 +60,8 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
|Lee Christensen|@tifkin_|
|Vladas Bulavas | Kaspersky Lab |
|Lasse Trolle Borup | Langkjaer Cyber Defence |
|Jimmy Bayne | @bohops |
|Philip Tsukerman | @PhilipTsukerman |
<br />
@ -76,7 +78,13 @@ These modules cannot be blocked by name or version, and therefore must be blocke
For October 2017, we are announcing an update to system.management.automation.dll in which we are revoking older versions by hash values, instead of version rules.
Microsoft recommends that you block the following Microsoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet:
Microsoft recommends that you block the following Microsoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet. Beginning with the March 2019 quality update, each version of Windows requires blocking a specific version of the following files:
- msxml3.dll
- msxml6.dll
- jscript9.dll
Pick the correct version of each .dll for the Windows release you plan to support, and remove the other versions.
```xml
<?xml version="1.0" encoding="utf-8" ?>
@ -137,7 +145,35 @@ Microsoft recommends that you block the following Microsoft-signed applications
<Deny ID="ID_DENY_WMIC" FriendlyName="wmic.exe" FileName="wmic.exe" MinimumFileVersion="65535.65535.65535.65535"/>
<Deny ID="ID_DENY_MWFC" FriendlyName="Microsoft.Workflow.Compiler.exe" FileName="Microsoft.Workflow.Compiler.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_WFC" FriendlyName="WFC.exe" FileName="wfc.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_KILL" FriendlyName="kill.exe" FileName="kill.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_KILL" FriendlyName="kill.exe" FileName="kill.exe" MinimumFileVersion="65535.65535.65535.65535" />
<! -- msxml3.dll pick correct version based on release you are supporting -->
<! -- msxml6.dll pick correct version based on release you are supporting -->
<! -- jscript9.dll pick correct version based on release you are supporting -->
<! -- RS1 Windows 1607
<Deny ID="ID_DENY_MSXML3" FriendlyName="msxml3.dll" FileName="msxml3.dll" MinimumFileVersion ="8.110.14393.2550"/>
<Deny ID="ID_DENY_MSXML6" FriendlyName="msxml6.dll" FileName="msxml6.dll" MinimumFileVersion ="6.30.14393.2550"/>
<Deny ID="ID_DENY_JSCRIPT9" FriendlyName="jscript9.dll" FileName="jscript9.dll" MinimumFileVersion ="11.0.14393.2607"/>
-->
<! -- RS2 Windows 1703
<Deny ID="ID_DENY_MSXML3" FriendlyName="msxml3.dll" FileName="msxml3.dll" MinimumFileVersion ="8.110.15063.1386"/>
<Deny ID="ID_DENY_MSXML6" FriendlyName="msxml6.dll" FileName="msxml6.dll" MinimumFileVersion ="6.30.15063.1386"/>
<Deny ID="ID_DENY_JSCRIPT9" FriendlyName="jscript9.dll" FileName="jscript9.dll" MinimumFileVersion ="11.0.15063.1445"/>
-->
<! -- RS3 Windows 1709
<Deny ID="ID_DENY_MSXML3" FriendlyName="msxml3.dll" FileName="msxml3.dll" MinimumFileVersion ="8.110.16299.725"/>
<Deny ID="ID_DENY_MSXML6" FriendlyName="msxml6.dll" FileName="msxml6.dll" MinimumFileVersion ="6.30.16299.725"/>
<Deny ID="ID_DENY_JSCRIPT9" FriendlyName="jscript9.dll" FileName="jscript9.dll" MinimumFileVersion ="11.0.16299.785"/>
-->
<! -- RS4 Windows 1803
<Deny ID="ID_DENY_MSXML3" FriendlyName="msxml3.dll" FileName="msxml3.dll" MinimumFileVersion ="8.110.17134.344"/>
<Deny ID="ID_DENY_MSXML6" FriendlyName="msxml6.dll" FileName="msxml6.dll" MinimumFileVersion ="6.30.17134.344"/>
<Deny ID="ID_DENY_JSCRIPT9" FriendlyName="jscript9.dll" FileName="jscript9.dll" MinimumFileVersion ="11.0.17134.406"/>
-->
<! -- RS5 Windows 1809
<Deny ID="ID_DENY_MSXML3" FriendlyName="msxml3.dll" FileName="msxml3.dll" MinimumFileVersion ="8.110.17763.54"/>
<Deny ID="ID_DENY_MSXML6" FriendlyName="msxml6.dll" FileName="msxml6.dll" MinimumFileVersion ="6.30.17763.54"/>
<Deny ID="ID_DENY_JSCRIPT9" FriendlyName="jscript9.dll" FileName="jscript9.dll" MinimumFileVersion ="11.0.17763.133"/>
-->
<Deny ID="ID_DENY_D_1" FriendlyName="Powershell 1" Hash="02BE82F63EE962BCD4B8303E60F806F6613759C6"/>
<Deny ID="ID_DENY_D_2" FriendlyName="Powershell 2" Hash="13765D9A16CC46B2113766822627F026A68431DF"/>
<Deny ID="ID_DENY_D_3" FriendlyName="Powershell 3" Hash="148972F670E18790D62D753E01ED8D22B351A57E45544D88ACE380FEDAF24A40"/>
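Review bot: Every comment added in this hunk opens with `<! --` (a space after the exclamation mark), which is not a valid XML comment delimiter; it has to be `<!--`. As written, a reader who copies the policy gets a parse error before Merge-CIPolicy can process it. Fix all eight openers. The new attributes are also written `MinimumFileVersion ="..."` with a space before the equals sign, unlike the existing Deny rules.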
@ -842,8 +878,11 @@ Microsoft recommends that you block the following Microsoft-signed applications
<FileRuleRef RuleID="ID_DENY_KILL"/>
<FileRuleRef RuleID="ID_DENY_WMIC"/>
<FileRuleRef RuleID="ID_DENY_MWFC" />
<FileRuleRef RuleID="ID_DENY_WFC" />
<FileRuleRef RuleID="ID_DENY_D_1"/>
<FileRuleRef RuleID="ID_DENY_WFC" />
<FileRuleRef RuleID="ID_DENY_MSXML3" />
<FileRuleRef RuleID="ID_DENY_MSXML6" />
<FileRuleRef RuleID="ID_DENY_JSCRIPT9" />
<FileRuleRef RuleID="ID_DENY_D_1"/>
<FileRuleRef RuleID="ID_DENY_D_2"/>
<FileRuleRef RuleID="ID_DENY_D_3"/>
<FileRuleRef RuleID="ID_DENY_D_4"/>
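Review bot: The three new entries `ID_DENY_MSXML3`, `ID_DENY_MSXML6` and `ID_DENY_JSCRIPT9` are referenced unconditionally here, but their only definitions in the earlier hunk sit inside the per-release blocks that are all commented out. Copied as published, the policy references rules that do not exist. Ship one release block uncommented, or change the prose instruction ("remove the other versions") to tell the reader to uncomment exactly one block, since the same IDs are reused in all five.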

View File

@ -42,6 +42,8 @@ To effectively build queries that span multiple tables, you need to understand t
| AdditionalFields | string | Additional information about the event in JSON array format |
| AlertId | string | Unique identifier for the alert |
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
| Category | string | Type of threat indicator or breach activity identified by the alert |
| ClientVersion | string | Version of the endpoint agent or sensor running on the machine |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
| ConnectedNetworks | string | Networks that the adapter is connected to. Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if its connected publicly to the internet. |
| DefaultGateways | string | Default gateway addresses in JSON array format |
@ -73,6 +75,8 @@ To effectively build queries that span multiple tables, you need to understand t
| Ipv4Dhcp | string | IPv4 address of DHCP server |
| Ipv6Dhcp | string | IPv6 address of DHCP server |
| IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory |
| IsAzureInfoProtectionApplied | boolean | Indicates whether the file is encrypted by Azure Information Protection |
| IsWindowsInfoProtectionApplied | boolean | Indicates whether Windows Information Protection (WIP) policies apply to the file |
| LocalIP | string | IP address assigned to the local machine used during communication |
| LocalPort | int | TCP port on the local machine used during communication |
| LocalIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
@ -89,6 +93,7 @@ To effectively build queries that span multiple tables, you need to understand t
| OSArchitecture | string | Architecture of the operating system running on the machine |
| OSBuild | string | Build version of the operating system running on the machine |
| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
| OsVersion | string | Version of the operating system running on the machine |
| PreviousRegistryKey | string | Original registry key of the registry value before it was modified |
| PreviousRegistryValueData | string | Original data of the registry value before it was modified |
| PreviousRegistryValueName | string | Original name of the registry value before it was modified |
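Review bot: The new column is spelled `OsVersion`, while the three rows above it use `OSArchitecture`, `OSBuild` and `OSPlatform`. Column names in queries must match the schema exactly, so confirm this casing is what the service returns and, if it is, add a short remark so readers do not "correct" it to `OSVersion`.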
@ -110,8 +115,12 @@ To effectively build queries that span multiple tables, you need to understand t
| RemotePort | int | TCP port on the remote device that was being connected to |
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns. |
| Severity | string | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert |
| SensitivityLabel | string | Label applied to an email, file, or other content to classify it for information protection |
| SensitivitySubLabel | string | Sublabel applied to an email, file, or other content to classify it for information protection; sensitivity sublabels are grouped under sensitivity labels but are treated independently |
| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. |
| RegistryMachineTag | string | Machine tag added through the registry |
| Table | string | Table that contains the details of the event |
| TunnelingType | string | Tunneling protocol, if the interface is used for this purpose, for example 6to4, Teredo, ISATAP, PPTP, SSTP, and SSH |
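Review bot: Two of the new rows break the alphabetical order the table otherwise follows: `Severity` is inserted before `SensitivityLabel` and `SensitivitySubLabel`, and `RegistryMachineTag` is placed after `SHA256` instead of with the other `Registry...` columns. Move them so the reference stays scannable.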

View File

@ -37,12 +37,9 @@ You can define the conditions for when entities are identified as malicious or s
## Create an allowed or blocked list
1. In the navigation pane, select **Settings** > **Automation allowed/blocked list**.
2. Select the tab of the type of entity you'd like to create an exclusion for. You can choose any of the following entities:
- File hash
- Certificate
- IP address
3. Click **Add system exclusion**.
2. Select the tab of the type of entity you'd like to create an exclusion for. Currently, you can add a rule for certificates.
3. Select **Add allowed/blocked list rule**.
4. For each attribute specify the exclusion type, details, and their corresponding required values.
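Review bot: Steps 2 and 3 now talk about adding a "rule" ("you can add a rule for certificates", **Add allowed/blocked list rule**), but step 2 still opens with "create an exclusion for" and step 4 still says "specify the exclusion type". Use one term throughout the procedure so it matches the button label. "Select the tab of the type of entity" also no longer fits when only certificates are offered.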

View File

@ -108,10 +108,12 @@ Icon | Description
![Running icon](images\running.png) | Automated investigation - running
![Remediated icon](images\remediated.png) | Automated investigation - remediated
![Partially investigated icon](images\partially_remediated.png) | Automated investigation - partially remediated
![Threat insights icon](images\tvm_bug_icon.png) | Threat & Vulnerability Management - threat insights
![Possible active alert icon](images\tvm_alert_icon.png) | Threat & Vulnerability Management - possible active alert
![Recommendation insights icon](images\tvm_insight_icon.png) | Threat & Vulnerability Management - recommendation insights
## Related topics
- [Understand the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md)
- [View the Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md)
- [View the Secure Score dashboard and improve your secure score](secure-score-dashboard-windows-defender-advanced-threat-protection.md)
- [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
- [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)

View File

@ -17,7 +17,7 @@ ms.author: v-anbic
[Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) help prevent actions and apps that malware often uses to infect computers. You can set attack surface reduction rules for computers running Windows 10 or Windows Server 2019.
To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Windows Defender Advanced Threat Protection (Windows Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjuction with ASR rules.
To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Windows Defender Advanced Threat Protection (Windows Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules.
## Exclude files and folders from ASR rules

Some files were not shown because too many files have changed in this diff