diff --git a/.gitignore b/.gitignore
index 1be8bb9955..9841e0daea 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,7 +5,7 @@ obj/
_site/
Tools/NuGet/
.optemp/
-Thumbs.db
+*.db
.DS_Store
*.ini
_themes*/
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 5ba3dde324..3e1c1d1d11 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -1,436 +1,439 @@
-{
- "build_entry_point": "",
- "docsets_to_publish": [
- {
- "docset_name": "education",
- "build_source_folder": "education",
- "build_output_subfolder": "education",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": false,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "hololens",
- "build_source_folder": "devices/hololens",
- "build_output_subfolder": "hololens",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "internet-explorer",
- "build_source_folder": "browsers/internet-explorer",
- "build_output_subfolder": "internet-explorer",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": false,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "keep-secure",
- "build_source_folder": "windows/keep-secure",
- "build_output_subfolder": "keep-secure",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": false,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "microsoft-edge",
- "build_source_folder": "browsers/edge",
- "build_output_subfolder": "microsoft-edge",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": false,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "release-information",
- "build_source_folder": "windows/release-information",
- "build_output_subfolder": "release-information",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": false,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "smb",
- "build_source_folder": "smb",
- "build_output_subfolder": "smb",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": false,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "store-for-business",
- "build_source_folder": "store-for-business",
- "build_output_subfolder": "store-for-business",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": false,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "win-access-protection",
- "build_source_folder": "windows/access-protection",
- "build_output_subfolder": "win-access-protection",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "win-app-management",
- "build_source_folder": "windows/application-management",
- "build_output_subfolder": "win-app-management",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": false,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "win-client-management",
- "build_source_folder": "windows/client-management",
- "build_output_subfolder": "win-client-management",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "win-configuration",
- "build_source_folder": "windows/configuration",
- "build_output_subfolder": "win-configuration",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": false,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "win-deployment",
- "build_source_folder": "windows/deployment",
- "build_output_subfolder": "win-deployment",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "win-device-security",
- "build_source_folder": "windows/device-security",
- "build_output_subfolder": "win-device-security",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "windows-configure",
- "build_source_folder": "windows/configure",
- "build_output_subfolder": "windows-configure",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": false,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "windows-deploy",
- "build_source_folder": "windows/deploy",
- "build_output_subfolder": "windows-deploy",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "windows-hub",
- "build_source_folder": "windows/hub",
- "build_output_subfolder": "windows-hub",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "windows-manage",
- "build_source_folder": "windows/manage",
- "build_output_subfolder": "windows-manage",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "windows-plan",
- "build_source_folder": "windows/plan",
- "build_output_subfolder": "windows-plan",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "windows-privacy",
- "build_source_folder": "windows/privacy",
- "build_output_subfolder": "windows-privacy",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "windows-security",
- "build_source_folder": "windows/security",
- "build_output_subfolder": "windows-security",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "windows-update",
- "build_source_folder": "windows/update",
- "build_output_subfolder": "windows-update",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "win-threat-protection",
- "build_source_folder": "windows/threat-protection",
- "build_output_subfolder": "win-threat-protection",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
- {
- "docset_name": "win-whats-new",
- "build_source_folder": "windows/whats-new",
- "build_output_subfolder": "win-whats-new",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content",
- "ManagedReference": "Content",
- "RestApi": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- }
- ],
- "notification_subscribers": [
- "elizapo@microsoft.com"
- ],
- "sync_notification_subscribers": [
- "daniha@microsoft.com"
- ],
- "branches_to_filter": [
- ""
- ],
- "git_repository_url_open_to_public_contributors": "https://github.com/MicrosoftDocs/windows-itpro-docs",
- "git_repository_branch_open_to_public_contributors": "public",
- "skip_source_output_uploading": false,
- "need_preview_pull_request": true,
- "resolve_user_profile_using_github": true,
- "contribution_branch_mappings": {},
- "dependent_repositories": [
- {
- "path_to_root": "_themes.pdf",
- "url": "https://github.com/Microsoft/templates.docs.msft.pdf",
- "branch": "master",
- "branch_mapping": {}
- },
- {
- "path_to_root": "_themes",
- "url": "https://github.com/Microsoft/templates.docs.msft",
- "branch": "master",
- "branch_mapping": {}
- }
- ],
- "branch_target_mapping": {
- "live": [
- "Publish",
- "Pdf"
- ],
- "master": [
- "Publish",
- "Pdf"
- ]
- },
- "need_generate_pdf_url_template": true,
- "targets": {
- "Pdf": {
- "template_folder": "_themes.pdf"
- }
- },
- "need_generate_pdf": false,
- "need_generate_intellisense": false
-}
\ No newline at end of file
+{
+ "build_entry_point": "",
+ "docsets_to_publish": [
+ {
+ "docset_name": "education",
+ "build_source_folder": "education",
+ "build_output_subfolder": "education",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "hololens",
+ "build_source_folder": "devices/hololens",
+ "build_output_subfolder": "hololens",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": true,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "internet-explorer",
+ "build_source_folder": "browsers/internet-explorer",
+ "build_output_subfolder": "internet-explorer",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "keep-secure",
+ "build_source_folder": "windows/keep-secure",
+ "build_output_subfolder": "keep-secure",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "microsoft-edge",
+ "build_source_folder": "browsers/edge",
+ "build_output_subfolder": "microsoft-edge",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "release-information",
+ "build_source_folder": "windows/release-information",
+ "build_output_subfolder": "release-information",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "smb",
+ "build_source_folder": "smb",
+ "build_output_subfolder": "smb",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "store-for-business",
+ "build_source_folder": "store-for-business",
+ "build_output_subfolder": "store-for-business",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "win-access-protection",
+ "build_source_folder": "windows/access-protection",
+ "build_output_subfolder": "win-access-protection",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": true,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "win-app-management",
+ "build_source_folder": "windows/application-management",
+ "build_output_subfolder": "win-app-management",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "win-client-management",
+ "build_source_folder": "windows/client-management",
+ "build_output_subfolder": "win-client-management",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": true,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "win-configuration",
+ "build_source_folder": "windows/configuration",
+ "build_output_subfolder": "win-configuration",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "win-deployment",
+ "build_source_folder": "windows/deployment",
+ "build_output_subfolder": "win-deployment",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": true,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "win-device-security",
+ "build_source_folder": "windows/device-security",
+ "build_output_subfolder": "win-device-security",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": true,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "windows-configure",
+ "build_source_folder": "windows/configure",
+ "build_output_subfolder": "windows-configure",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "windows-deploy",
+ "build_source_folder": "windows/deploy",
+ "build_output_subfolder": "windows-deploy",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": true,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "windows-hub",
+ "build_source_folder": "windows/hub",
+ "build_output_subfolder": "windows-hub",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": true,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "windows-manage",
+ "build_source_folder": "windows/manage",
+ "build_output_subfolder": "windows-manage",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": true,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "windows-plan",
+ "build_source_folder": "windows/plan",
+ "build_output_subfolder": "windows-plan",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": true,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "windows-privacy",
+ "build_source_folder": "windows/privacy",
+ "build_output_subfolder": "windows-privacy",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": true,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "windows-security",
+ "build_source_folder": "windows/security",
+ "build_output_subfolder": "windows-security",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": true,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "windows-update",
+ "build_source_folder": "windows/update",
+ "build_output_subfolder": "windows-update",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": true,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "win-threat-protection",
+ "build_source_folder": "windows/threat-protection",
+ "build_output_subfolder": "win-threat-protection",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": true,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ },
+ {
+ "docset_name": "win-whats-new",
+ "build_source_folder": "windows/whats-new",
+ "build_output_subfolder": "win-whats-new",
+ "locale": "en-us",
+ "monikers": [],
+ "moniker_ranges": [],
+ "open_to_public_contributors": true,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes"
+ }
+ ],
+ "notification_subscribers": [
+ "elizapo@microsoft.com"
+ ],
+ "sync_notification_subscribers": [
+ "daniha@microsoft.com"
+ ],
+ "branches_to_filter": [
+ ""
+ ],
+ "git_repository_url_open_to_public_contributors": "https://github.com/MicrosoftDocs/windows-itpro-docs",
+ "git_repository_branch_open_to_public_contributors": "public",
+ "skip_source_output_uploading": false,
+ "need_preview_pull_request": true,
+ "resolve_user_profile_using_github": true,
+ "contribution_branch_mappings": {},
+ "dependent_repositories": [
+ {
+ "path_to_root": "_themes.pdf",
+ "url": "https://github.com/Microsoft/templates.docs.msft.pdf",
+ "branch": "master",
+ "branch_mapping": {}
+ },
+ {
+ "path_to_root": "_themes",
+ "url": "https://github.com/Microsoft/templates.docs.msft",
+ "branch": "master",
+ "branch_mapping": {}
+ }
+ ],
+ "branch_target_mapping": {
+ "live": [
+ "Publish",
+ "Pdf"
+ ],
+ "master": [
+ "Publish",
+ "Pdf"
+ ]
+ },
+ "need_generate_pdf_url_template": true,
+ "targets": {
+ "Pdf": {
+ "template_folder": "_themes.pdf"
+ }
+ },
+ "need_generate_pdf": false,
+ "need_generate_intellisense": false,
+ "docs_build_engine": {
+ "name": "docfx_v3"
+ }
+}
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 29d82ddb1c..c806d9395d 100644
Binary files a/.openpublishing.redirection.json and b/.openpublishing.redirection.json differ
diff --git a/images/sc-image402.png b/images/sc-image402.png
new file mode 100644
index 0000000000..8bfe73fd87
Binary files /dev/null and b/images/sc-image402.png differ
diff --git a/windows/application-management/msix-app-packaging-tool.md b/windows/application-management/msix-app-packaging-tool.md
index adcf842841..91ef9b0c48 100644
--- a/windows/application-management/msix-app-packaging-tool.md
+++ b/windows/application-management/msix-app-packaging-tool.md
@@ -30,11 +30,11 @@ You can either run your installer interactively (through the UI) or create a pac
- Windows 10, version 1809 (or later)
- Participation in the Windows Insider Program (if you're using an Insider build)
-- A valid Microsoft account (MSA) alias to access the app from the Microsoft Store
+- A valid Microsoft work or school account to access the app from the Microsoft Store
- Admin privileges on your PC account
### Get the app from the Microsoft Store
-1. Use the MSA login associated with your Windows Insider Program credentials in the [Microsoft Store](https://www.microsoft.com/store/r/9N5LW3JBCXKF).
+1. Use the Microsoft work or school account login associated with your Windows Insider Program credentials in the [Microsoft Store](https://www.microsoft.com/store/r/9N5LW3JBCXKF).
2. Open the product description page.
3. Click the install icon to begin installation.
diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md
index 3a1ecfb0f9..f6cce218b0 100644
--- a/windows/client-management/mdm/bitlocker-csp.md
+++ b/windows/client-management/mdm/bitlocker-csp.md
@@ -1072,6 +1072,19 @@ Each server-side recovery key rotation is represented by a request ID. The serve
Value type is string. Supported operation is Execute. Request ID is expected as a parameter.
+> [!TIP]
+> Key rotation feature will only work when:
+>
+> - For Operating system drives:
+> - OSRequireActiveDirectoryBackup_Name is set to 1 ("Required")
+>
+> - For Fixed data drives:
+> - FDVRequireActiveDirectoryBackup_Name is set to 1 = ("Required")
+>
+> Although not required, we recommend configuring:
+> - OSActiveDirectoryBackup_Name to true
+> - FDVActiveDirectoryBackup_Name to true
+
**Status**
Interior node. Supported operation is Get.
diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md
index 9648c1ff7b..2b0f4e8ae8 100644
--- a/windows/client-management/mdm/configuration-service-provider-reference.md
+++ b/windows/client-management/mdm/configuration-service-provider-reference.md
@@ -2747,7 +2747,7 @@ The following list shows the CSPs supported in HoloLens devices:
- [Accounts CSP](accounts-csp.md)9 **Note:** Support in Surface Hub is limited to **Domain\ComputerName**.
- [AccountManagement CSP](accountmanagement-csp.md)
- [APPLICATION CSP](application-csp.md)
-- [Bitlocker-csp](bitlocker-csp.md)9
+- [Bitlocker-CSP](bitlocker-csp.md)9
- [CertificateStore CSP](certificatestore-csp.md)
- [ClientCertificateInstall CSP](clientcertificateinstall-csp.md)
- [Defender CSP](defender-csp.md)
@@ -2759,7 +2759,7 @@ The following list shows the CSPs supported in HoloLens devices:
- [DMAcc CSP](dmacc-csp.md)
- [DMClient CSP](dmclient-csp.md)
- [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)
-- [Firewall-csp](firewall-csp.md)9
+- [Firewall-CSP](firewall-csp.md)9
- [HealthAttestation CSP](healthattestation-csp.md)
- [NetworkQoSPolicy CSP](networkqospolicy-csp.md)
- [NodeCache CSP](nodecache-csp.md)
@@ -2771,9 +2771,9 @@ The following list shows the CSPs supported in HoloLens devices:
- [RootCATrustedCertificates CSP](rootcacertificates-csp.md)
- [SurfaceHub CSP](surfacehub-csp.md)
- [UEFI CSP](uefi-csp.md)
-- [Wifi-csp](wifi-csp.md)9
+- [Wifi-CSP](wifi-csp.md)9
- [WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md)
-- [Wirednetwork-csp](wirednetwork-csp.md)9
+- [Wirednetwork-CSP](wirednetwork-csp.md)9
## CSPs supported in Windows 10 IoT Core
diff --git a/windows/client-management/mdm/policy-csps-supported-by-surface-hub.md b/windows/client-management/mdm/policy-csps-supported-by-surface-hub.md
index f265b57c4e..1d89eb88de 100644
--- a/windows/client-management/mdm/policy-csps-supported-by-surface-hub.md
+++ b/windows/client-management/mdm/policy-csps-supported-by-surface-hub.md
@@ -65,7 +65,7 @@ ms.date: 07/22/2020
- [DeliveryOptimization/DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md#deliveryoptimization-domonthlyuploaddatacap)
- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth)
- [Desktop/PreventUserRedirectionOfProfileFolders](policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
-- [RestrictedGroups/ConfigureGroupMembership](https://docs.microsoft.com/windows/client-management/https://docs.microsoft.com/windows/client-management/mdm/policy-csp-restrictedgroups)
+- [RestrictedGroups/ConfigureGroupMembership](policy-csp-restrictedgroups.md)
- [TextInput/AllowIMELogging](policy-csp-textinput.md#textinput-allowimelogging)
- [TextInput/AllowIMENetworkAccess](policy-csp-textinput.md#textinput-allowimenetworkaccess)
- [TextInput/AllowInputPanel](policy-csp-textinput.md#textinput-allowinputpanel)
@@ -77,19 +77,20 @@ ms.date: 07/22/2020
- [TextInput/ExcludeJapaneseIMEExceptJIS0208](policy-csp-textinput.md#textinput-excludejapaneseimeexceptjis0208)
- [TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC](policy-csp-textinput.md#textinput-excludejapaneseimeexceptjis0208andeudc)
- [TextInput/ExcludeJapaneseIMEExceptShiftJIS](policy-csp-textinput.md#textinput-excludejapaneseimeexceptshiftjis)
-- [Wifi/AllowInternetSharing](https://docs.microsoft.com/windows/client-management/policy-csp-wifi#wifi-allowinternetsharing)
-- [Wifi/AllowManualWiFiConfiguration](https://docs.microsoft.com/windows/client-management/policy-csp-wifi#wifi-allowmanualwificonfiguration)
-- [Wifi/AllowWiFi](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-wifi#wifi-allowwifi)
-- [WiFi/AllowWiFiHotSpotReporting](https://docs.microsoft.com/windows/client-management/policy-csp-wifi.md#wifi-allowwifihotspotreporting)
-- [Wifi/AllowWiFiDirect](https://docs.microsoft.com/windows/client-management/policy-csp-wifi#wifi-allowwifidirect)
-- [WirelessDisplay/AllowMdnsAdvertisement](https://docs.microsoft.com/windows/client-management/policy-csp-wirelessdisplay#wirelessdisplay-allowmdnsadvertisement)
-- [WirelessDisplay/AllowMdnsDiscovery](https://docs.microsoft.com/windows/client-management/policy-csp-wirelessdisplay#wirelessdisplay-allowmdnsdiscovery)
-- [WirelessDisplay/AllowProjectionFromPC](https://docs.microsoft.com/windows/client-management/policy-csp-wirelessdisplay#wirelessdisplay-allowprojectionfrompc)
-- [WirelessDisplay/AllowProjectionFromPCOverInfrastructure](https://docs.microsoft.com/windows/client-management/policy-csp-wirelessdisplay#wirelessdisplay-allowprojectionfrompcoverinfrastructure)
-- [WirelessDisplay/AllowProjectionToPC](https://docs.microsoft.com/windows/client-management/policy-csp-wirelessdisplay#wirelessdisplay-allowprojectiontopc)
-- [WirelessDisplay/AllowProjectionToPCOverInfrastructure](https://docs.microsoft.com/windows/client-management/policy-csp-wirelessdisplay#wirelessdisplay-allowprojectiontopcoverinfrastructure)
-- [WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver](https://docs.microsoft.com/windows/client-management/policy-csp-wirelessdisplay#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver)
-- [WirelessDisplay/RequirePinForPairing](https://docs.microsoft.com/windows/client-management/policy-csp-wirelessdisplay#wirelessdisplay-requirepinforpairing)
+- [Wifi/AllowInternetSharing](policy-csp-wifi.md#wifi-allowinternetsharing)
+- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration)
+- [Wifi/AllowWiFi](policy-csp-wifi.md#wifi-allowwifi)
+- [WiFi/AllowWiFiHotSpotReporting](policy-csp-wifi.md#wifi-allowwifihotspotreporting)
+- [WiFi/WLANScanMode](policy-csp-wifi.md#wifi-wlanscanmode)
+- [Wifi/AllowWiFiDirect](policy-csp-wifi.md#wifi-allowwifidirect)
+- [WirelessDisplay/AllowMdnsAdvertisement](policy-csp-wirelessdisplay.md#wirelessdisplay-allowmdnsadvertisement)
+- [WirelessDisplay/AllowMdnsDiscovery](policy-csp-wirelessdisplay.md#wirelessdisplay-allowmdnsdiscovery)
+- [WirelessDisplay/AllowProjectionFromPC](policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectionfrompc)
+- [WirelessDisplay/AllowProjectionFromPCOverInfrastructure](policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectionfrompcoverinfrastructure)
+- [WirelessDisplay/AllowProjectionToPC](policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectiontopc)
+- [WirelessDisplay/AllowProjectionToPCOverInfrastructure](policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectiontopcoverinfrastructure)
+- [WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver](policy-csp-wirelessdisplay.md#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver)
+- [WirelessDisplay/RequirePinForPairing](policy-csp-wirelessdisplay.md#wirelessdisplay-requirepinforpairing)
## Related topics
diff --git a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
index 641af623c3..5fe68ff0bd 100644
--- a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
+++ b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
@@ -1,6 +1,6 @@
---
-title: Intro to configuration service providers for IT pros (Windows 10)
-description: Configuration service providers (CSPs) expose device configuration settings in Windows 10.
+title: Configuration service providers for IT pros (Windows 10)
+description: Describes how IT pros and system administrators can use configuration service providers (CSPs) to configure devices.
ms.assetid: 25C1FDCA-0E10-42A1-A368-984FFDB2B7B6
ms.reviewer:
manager: dansimp
@@ -14,25 +14,23 @@ ms.localizationpriority: medium
ms.date: 07/27/2017
---
-# Introduction to configuration service providers (CSPs) for IT pros
+# Configuration service providers for IT pros
**Applies to**
- Windows 10
- Windows 10 Mobile
-Configuration service providers (CSPs) expose device configuration settings in Windows 10. This topic is written for people who have no experience with CSPs.
+This article explains how IT pros and system administrators can take advantage of many settings available through configuration service providers (CSPs) to configure devices running Windows 10 and Windows 10 Mobile in their organizations. CSPs expose device configuration settings in Windows 10. The CSPs are used by mobile device management (MDM) service providers and are documented in the [Hardware Dev Center](https://go.microsoft.com/fwlink/p/?LinkId=717390).
-The CSPs are documented on the [Hardware Dev Center](https://go.microsoft.com/fwlink/p/?LinkId=717390) because CSPs are used by mobile device management (MDM) service providers. This topic explains how IT pros and system administrators can take advantage of many settings available through CSPs to configure devices running Windows 10 and Windows 10 Mobile in their organizations.
-
->[!NOTE]
->This explanation of CSPs and CSP documentation also applies to Windows Mobile 5, Windows Mobile 6, Windows Phone 7, and Windows Phone 8, but links to current CSPs are for Windows 10 and Windows 10 Mobile.
+> [!NOTE]
+> The information provided here about CSPs and CSP documentation also applies to Windows Mobile 5, Windows Mobile 6, Windows Phone 7, and Windows Phone 8, but links to current CSPs are for Windows 10 and Windows 10 Mobile.
[See what's new for CSPs in Windows 10, version 1809.](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1809)
## What is a CSP?
-A CSP is an interface in the client operating system, between configuration settings specified in a provisioning document, and configuration settings on the device. CSPs are similar to Group Policy client-side extensions, in that they provide an interface to read, set, modify, or delete configuration settings for a given feature. Typically, these settings map to registry keys, files or permissions. Some of these settings are configurable, and some are read-only.
+In the client operating system, a CSP is the interface between configuration settings that are specified in a provisioning document and configuration settings that are on the device. CSPs are similar to Group Policy client-side extensions in that they provide an interface to read, set, modify, or delete configuration settings for a given feature. Typically, these settings map to registry keys, files, or permissions. Some of these settings are configurable, and some are read-only.
Starting with Windows Mobile 5.0, CSPs were used to manage Windows mobile devices. On the Windows 10 platform, the management approach for both desktop and mobile devices converges, taking advantage of the same CSPs to configure and manage all devices running Windows 10.
@@ -42,15 +40,15 @@ CSPs are behind many of the management tasks and policies for Windows 10, both i
-CSPs receive configuration policies in the XML-based SyncML format, pushed from an MDM-compliant management server, such as Microsoft Intune. Traditional enterprise management systems, such as Microsoft Endpoint Configuration Manager, can also target CSPs, by using a client-side WMI-to-CSP bridge.
+CSPs receive configuration policies in the XML-based Synchronization Markup Language (SyncML) format, pushed from an MDM-compliant management server, such as Microsoft Intune. Traditional enterprise management systems, such as Microsoft Endpoint Configuration Manager, can also target CSPs, by using a client-side Windows Management Instrumentation (WMI)-to-CSP Bridge.
### Synchronization Markup Language (SyncML)
-The Open Mobile Alliance Device Management (OMA-DM) protocol uses the XML-based Synchronization Markup Language (SyncML) for data exchange between compliant servers and clients. SyncML offers an open standard to use as an alternative to vendor-specific management solutions (such as WMI). The value for enterprises adopting industry standard management protocols is that it allows the management of a broader set of vendor devices using a single platform (such as Microsoft Intune). Device policies, including VPN connection profiles, are delivered to client devices formatted as in SyncML. The target CSP reads this information and applies the necessary configurations.
+The Open Mobile Alliance Device Management (OMA-DM) protocol uses the XML-based SyncML for data exchange between compliant servers and clients. SyncML offers an open standard to use as an alternative to vendor-specific management solutions (such as WMI). The value for enterprises adopting industry standard management protocols is that it allows the management of a broader set of vendor devices using a single platform (such as Microsoft Intune). Device policies, including VPN connection profiles, are delivered to client devices formatted as in SyncML. The target CSP reads this information and applies the necessary configurations.
### The WMI-to-CSP Bridge
-The WMI-to-CSP Bridge is a component allowing configuration of Windows 10 CSPs via scripts and traditional enterprise management software, such as Configuration Manager using Windows Management Instrumentation (WMI). The bridge is responsible for reading WMI commands and through a component called the common device configurator pass them to a CSP for application on the device.
+The WMI-to-CSP Bridge is a component allowing configuration of Windows 10 CSPs using scripts and traditional enterprise management software, such as Configuration Manager using WMI. The bridge is responsible for reading WMI commands and through a component called the common device configurator pass them to a CSP for application on the device.
[Learn how to use the WMI Bridge Provider with PowerShell.](https://go.microsoft.com/fwlink/p/?LinkId=761090)
@@ -60,7 +58,7 @@ Generally, enterprises rely on Group Policy or MDM to configure and manage devic
In addition, you may have unmanaged devices, or a large number of devices that you want to configure before enrolling them in management. You may also want to apply custom settings that aren't available through your MDM service. The [CSP documentation](#bkmk-csp-doc) can help you understand the settings that can be configured or queried.
-Some of the topics in the [Windows 10 and Windows 10 Mobile](/windows/windows-10) library on Technet include links to applicable CSP reference topics, such as [Cortana integration in your business or enterprise](../cortana-at-work/cortana-at-work-overview.md), which links to the [Policy CSP](https://go.microsoft.com/fwlink/p/?LinkID=623244). In the CSP topics, you can learn about all of the available configuration settings.
+Some of the articles in the [Windows 10 and Windows 10 Mobile](/windows/windows-10) library on Technet include links to applicable CSP reference topics, such as [Cortana integration in your business or enterprise](../cortana-at-work/cortana-at-work-overview.md), which links to the [Policy CSP](https://go.microsoft.com/fwlink/p/?LinkID=623244). In the CSP topics, you can learn about all of the available configuration settings.
### CSPs in Windows Configuration Designer
@@ -74,7 +72,7 @@ Many settings in Windows Configuration Designer will display documentation for t
### CSPs in MDM
-Most, if not all, CSPs are surfaced through your MDM service. If you see a CSP that provides a capability that you want to make use of and cannot find that capability in your MDM service, contact your MDM provider for assistance. It might simply be named differently than you expected. You can see the CSPs supported by MDM in the [Configuration service provider reference](https://go.microsoft.com/fwlink/p/?LinkId=717390).
+Most, if not all, CSPs are surfaced through your MDM service. If you see a CSP that provides a capability that you want to make use of and cannot find that capability in your MDM service, contact your MDM provider for assistance. It might be named differently than you expected. You can see the CSPs supported by MDM in the [Configuration service provider reference](https://go.microsoft.com/fwlink/p/?LinkId=717390).
When a CSP is available but is not explicitly included in your MDM solution, you may be able to make use of the CSP by using OMA-URI settings. In Intune, for example, you can use [custom policy settings](https://go.microsoft.com/fwlink/p/?LinkID=616316) to deploy settings. Intune documents [a partial list of settings](https://go.microsoft.com/fwlink/p/?LinkID=616317) that you can enter in the **OMA-URI Settings** section of a custom policy, if your MDM service provides that extension. You'll notice that the list doesn't explain the meanings of the allowed and default values, so use the [CSP reference documentation](https://go.microsoft.com/fwlink/p/?LinkId=717390) to locate that information.
@@ -116,13 +114,13 @@ The documentation for most CSPs will also include an XML example.
## CSP examples
-CSPs provide access to a number of settings useful to enterprises. This section introduces two CSPs that an enterprise might find particularly useful.
+CSPs provide access to a number of settings useful to enterprises. This section introduces the CSPs that an enterprise might find useful.
- [EnterpriseAssignedAccess CSP](https://go.microsoft.com/fwlink/p/?LinkID=618601)
- The EnterpriseAssignedAccess configuration service provider allows IT administrators to configure settings on a Windows 10 Mobile device. An enterprise can make use of this CSP to create single-use or limited-use mobile devices, such as a handheld device that only runs a price-checking app.
+ The EnterpriseAssignedAccess CSP lets IT administrators configure settings on a Windows 10 Mobile device. An enterprise can make use of this CSP to create single-use or limited-use mobile devices, such as a handheld device that only runs a price-checking app.
- In addition to lockscreen wallpaper, theme, time zone, and language, the EnterpriseAssignedAccess CSP includes AssignedAccessXml which can be used to lock down the device through the following settings:
+ In addition to lock screen wallpaper, theme, time zone, and language, the EnterpriseAssignedAccess CSP includes AssignedAccessXml that can be used to lock down the device through the following settings:
- Enabling or disabling the Action Center.
- Configuring the number of tile columns in the Start layout.
@@ -132,27 +130,28 @@ CSPs provide access to a number of settings useful to enterprises. This section
- Restricting access to the context menu.
- Enabling or disabling tile manipulation.
- Creating role-specific configurations.
+
- [Policy CSP](https://go.microsoft.com/fwlink/p/?LinkID=623244)
- The Policy configuration service provider enables the enterprise to configure policies on Windows 10 and Windows 10 Mobile. Some of these policy settings can also be applied using Group Policy, and the CSP documentation lists the equivalent Group Policy settings.
+ The Policy CSP enables the enterprise to configure policies on Windows 10 and Windows 10 Mobile. Some of these policy settings can also be applied using Group Policy, and the CSP documentation lists the equivalent Group Policy settings.
Some of the settings available in the Policy CSP include the following:
- - **Accounts**, such as whether a non-Microsoft account can be added to the device
- - **Application management**, such as whether only Microsoft Store apps are allowed
- - **Bluetooth**, such as the services allowed to use it
- - **Browser**, such as restricting InPrivate browsing
- - **Connectivity**, such as whether the device can be connected to a computer by USB
- - **Defender** (for desktop only), such as day and time to scan
- - **Device lock**, such as the type of PIN or password required to unlock the device
- - **Experience**, such as allowing Cortana
- - **Security**, such as whether provisioning packages are allowed
- - **Settings**, such as allowing the user to change VPN settings
- - **Start**, such as applying a standard Start layout
- - **System**, such as allowing the user to reset the device
- - **Text input**, such as allowing the device to send anonymized user text input data samples to Microsoft
- - **Update**, such as specifying whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store
- - **WiFi**, such as whether to enable Internet sharing
+ - **Accounts**, such as whether a non-Microsoft account can be added to the device.
+ - **Application management**, such as whether only Microsoft Store apps are allowed.
+ - **Bluetooth**, such as the services allowed to use it.
+ - **Browser**, such as restricting InPrivate browsing.
+ - **Connectivity**, such as whether the device can be connected to a computer by USB.
+ - **Defender** (for desktop only), such as day and time to scan.
+ - **Device lock**, such as the type of PIN or password required to unlock the device.
+ - **Experience**, such as allowing Cortana.
+ - **Security**, such as whether provisioning packages are allowed.
+ - **Settings**, such as enabling the user to change VPN settings.
+ - **Start**, such as applying a standard Start layout.
+ - **System**, such as allowing the user to reset the device.
+ - **Text input**, such as allowing the device to send anonymized user text input data samples to Microsoft.
+ - **Update**, such as whether the device can use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store.
+ - **WiFi**, such as whether Internet sharing is enabled.
Here is a list of CSPs supported on Windows 10 Enterprise, Windows 10 Mobile Enterprise, or both:
diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml
index 502d036305..4383221147 100644
--- a/windows/deployment/index.yml
+++ b/windows/deployment/index.yml
@@ -73,7 +73,6 @@ landingContent:
- text: Overview of Windows Autopilot
url: windows-autopilot/windows-autopilot.md
-
# Card
- title: Support remote work
linkLists:
diff --git a/windows/deployment/planning/windows-10-deprecated-features.md b/windows/deployment/planning/windows-10-deprecated-features.md
index fba2f6ef1d..e34b68d47e 100644
--- a/windows/deployment/planning/windows-10-deprecated-features.md
+++ b/windows/deployment/planning/windows-10-deprecated-features.md
@@ -45,7 +45,7 @@ The features described below are no longer being actively developed, and might b
|Windows Help Viewer (WinHlp32.exe)|All Windows help information is [available online](https://support.microsoft.com/products/windows?os=windows-10). The Windows Help Viewer is no longer supported in Windows 10. If for any reason you see an error message about "help not supported," possibly when using a non-Microsoft application, read [this support article](https://support.microsoft.com/help/917607/error-opening-help-in-windows-based-programs-feature-not-included-or-h) for additional information and any next steps.| 1803 |
|Contacts feature in File Explorer|We're no longer developing the Contacts feature or the corresponding [Windows Contacts API](https://msdn.microsoft.com/library/ff800913.aspx). Instead, you can use the People app in Windows 10 to maintain your contacts.| 1803 |
|Phone Companion|Use the **Phone** page in the Settings app. In Windows 10, version 1709, we added the new **Phone** page to help you sync your mobile phone with your PC. It includes all the Phone Companion features.| 1803 |
-|IPv4/6 Transition Technologies (6to4, ISATAP, and Direct Tunnels)|6to4 has been disabled by default since Windows 10, version 1607 (the Anniversary Update), ISATAP has been disabled by default since Windows 10, version 1703 (the Creators Update), and Direct Tunnels has always been disabled by default. Please use native IPv6 support instead.| 1803 |
+|IPv4/6 Transition Technologies (6to4, ISATAP, Teredo, and Direct Tunnels)|6to4 has been disabled by default since Windows 10, version 1607 (the Anniversary Update), ISATAP has been disabled by default since Windows 10, version 1703 (the Creators Update), Teredo has been disabled since Windows 10, version 1803, and Direct Tunnels has always been disabled by default. Please use native IPv6 support instead.| 1803 |
|[Layered Service Providers](https://msdn.microsoft.com/library/windows/desktop/bb513664)|Layered Service Providers has not been developed since Windows 8 and Windows Server 2012. Use the [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510) instead. When you upgrade from an older version of Windows, any layered service providers you're using aren't migrated; you'll need to re-install them after upgrading.| 1803 |
|Business Scanning| This feature is also called Distributed Scan Management (DSM) **(Added 05/03/2018)**
The [Scan Management functionality](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759124(v=ws.11)) was introduced in Windows 7 and enabled secure scanning and the management of scanners in an enterprise. We're no longer investing in this feature, and there are no devices available that support it.| 1803 |
|IIS 6 Management Compatibility* | We recommend that users use alternative scripting tools and a newer management console. | 1709 |
diff --git a/windows/deployment/update/windows-as-a-service.md b/windows/deployment/update/windows-as-a-service.md
index 4390f47e44..e992f49cb7 100644
--- a/windows/deployment/update/windows-as-a-service.md
+++ b/windows/deployment/update/windows-as-a-service.md
@@ -114,21 +114,4 @@ Secure your organization's deployment investment.
## Microsoft Ignite 2018
-Looking to learn more? These informative session replays from Microsoft Ignite 2018 (complete with downloadable slide decks) can provide some great insights on Windows as a service.
-
-
-[BRK3018: Deploying Windows 10 in the enterprise using traditional and modern techniques](https://myignite.techcommunity.microsoft.com/sessions/64509#ignite-html-anchor)
-
-[BRK3019: Delivery Optimization deep dive: How to reduce internet bandwidth impact on your network](https://myignite.techcommunity.microsoft.com/sessions/64510#ignite-html-anchor)
-
-[BRK3020: Using AI to automate Windows and Office update staging with Windows Update for Business](https://myignite.techcommunity.microsoft.com/sessions/64513#ignite-html-anchor)
-
-[BRK3027: Deploying Windows 10: Making the update experience smooth and seamless](https://myignite.techcommunity.microsoft.com/sessions/64612#ignite-html-anchor)
-
-[BRK3039: Windows 10 and Microsoft Microsoft 365 Apps for enterprise lifecycle and servicing update](https://myignite.techcommunity.microsoft.com/sessions/66763#ignite-html-anchor)
-
-[BRK3211: Ask the Experts: Successfully deploying, servicing, managing Windows 10](https://myignite.techcommunity.microsoft.com/sessions/65963#ignite-html-anchor)
-
-[THR2234: Windows servicing and delivery fundamentals](https://myignite.techcommunity.microsoft.com/sessions/66741#ignite-html-anchor)
-
-[THR3006: The pros and cons of LTSC in the enterprise](https://myignite.techcommunity.microsoft.com/sessions/64512#ignite-html-anchor)
+Looking to learn more? These informative session replays from Microsoft Ignite 2018 (complete with downloadable slide decks) can provide some great insights on Windows as a service. See [MyIgnite - Session catalog](https://myignite.techcommunity.microsoft.com/sessions).
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
index a71d3bbd39..c1ce8c7759 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
@@ -95,7 +95,6 @@ If the Microsoft Store is not accessible, the Autopilot process will still conti
Intel- https://ekop.intel.com/ekcertservice
Qualcomm- https://ekcert.spserv.microsoft.com/EKCertificate/GetEKCertificate/v1
AMD- https://ftpm.amd.com/pki/aia
-
Infineon- https://pki.infineon.com
## Licensing requirements
diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md
index 8d79aa0bbf..61f9a5cf61 100644
--- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md
+++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md
@@ -13,6 +13,7 @@ author: DaniHalfin
manager: dansimp
ms.collection: M365-security-compliance
ms.topic: article
+ms.date: 07/21/2020
---
# Changes to Windows diagnostic data collection
@@ -58,7 +59,6 @@ Additionally, you will see the following policy changes in an upcoming release o
| Group Policy | Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Allow Telemetry**- **0 - Security**
- **1 - Basic**
- **2 - Enhanced**
- **3 - Full**
| Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Allow Diagnostic Data**- **Diagnostic data off (not recommended)**
- **Send required diagnostic data**
- **Send optional diagnostic data**
|
| Group Policy |Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Configure telemetry opt-in settings user interface**| Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Configure diagnostic data opt-in settings user interface** |
| Group Policy |Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Configure telemetry opt-in change notifications**| Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Configure diagnostic data opt-in change notifications** |
-| MDM | System/AllowTelemetry |
A final set of changes includes two new policies that can help you fine-tune diagnostic data collection within your organization. These policies let you limit the amount of optional diagnostic data that’s sent back to Microsoft.
diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
index 130d0e89ac..332e9f1796 100644
--- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
+++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
@@ -13,7 +13,7 @@ ms.author: dansimp
manager: dansimp
ms.collection: M365-security-compliance
ms.topic: article
-ms.date: 04/29/2019
+ms.date: 07/21/2020
---
# Configure Windows diagnostic data in your organization
diff --git a/windows/privacy/data-processor-service-for-windows-enterprise-public-preview-terms.md b/windows/privacy/data-processor-service-for-windows-enterprise-public-preview-terms.md
new file mode 100644
index 0000000000..11aacc5fb8
--- /dev/null
+++ b/windows/privacy/data-processor-service-for-windows-enterprise-public-preview-terms.md
@@ -0,0 +1,324 @@
+---
+title: Data processor service for Windows Enterprise public preview terms
+description: Use this article to understand Windows public preview terms of service.
+keywords: privacy, GDPR
+ms.localizationpriority: high
+ROBOTS: NOINDEX, NOFOLLOW
+ms.prod: w10
+ms.topic: article
+f1.keywords:
+- NOCSH
+ms.author: daniha
+author: DaniHalfin
+manager: dansimp
+audience: itpro
+ms.collection:
+- GDPR
+- M365-security-compliance
+---
+
+# Data processor service for Windows Enterprise public preview terms
+
+**These terms (“Terms”) must be read and accepted by a tenant admin with appropriate access rights and authority. By participating in this public preview, you: (a) agree to the following Terms, and (b) represent and warrant that you have such rights and authority.**
+
+These Terms govern your use of the preview described below (“**Preview**”). In order to access the Preview, you must be a current Microsoft Windows customer with an Azure Active Directory (“**AAD**”) subscription. The Preview consists of features and services that are in preview, beta, or other pre-release form for use with Windows and AAD.
+
+ 1. **Definitions**. The following terms have the following meanings:
+
+ 1. "**Customer Data**" means all data, including all text, sound, video, or image files that are provided to Microsoft by, or on behalf of, you through your use of Windows or AAD.
+
+ 2. "**Feedback**" means, collectively, suggestions, comments, feedback, ideas, or know-how, in any form, that you or your users provide to Microsoft about Microsoft’s business, products, or services.
+
+ 3. "**Personal Data**" means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
+
+ 4. "**Preview Data**" means all data, including all text, sound, video, or image files that are provided to Microsoft by, or on behalf of, you through use of the Services.
+
+ 5. "**Subprocessor**" means other processors used by Microsoft to process Personal Data.
+
+2. **Scope of Services**. The Preview is for a service that enables organizations to become controllers of Windows diagnostic data on supported versions of Windows, with Microsoft operating as processor of the data (collectively, the “**_Services_**”). You will collaborate with Microsoft in order to provide Microsoft the ability to enable the Services for you. To access the Services, you will need to configure participating Windows devices; Microsoft will assist you in such configuration via documentation or other communications.
+
+3. **Intellectual Property**.
+
+ 1. **License Grant**. During the term of this Preview (“**Term**”), Microsoft grants you and authorized users in your tenant for Windows a non-exclusive, non-transferable, non-sublicensable right and license to access and use the Services in accordance with these Terms.
+
+ 2. **Use Terms**. These Terms supersede any Microsoft terms and conditions or other agreement. You acknowledge that (i) the Services may not work correctly or in the manner that a commercial service may function; Microsoft may change the Services for the final, commercial version or choose not to release a commercial version; (ii) Microsoft may not provide support for the Services; (iii) the Online Services Terms (OST), including any obligations Microsoft may have regarding Customer Data, do not apply to the Services or Preview Data; (iv) Microsoft has no obligation to hold, export, or return Preview Data, except as described in these Terms; (v) Microsoft has no liability for the deletion of Preview Data, except as described in these Terms; and (vi) you may lose access to the Services and Preview Data after the Term.
+
+ 3. **Acceptable Use**. Neither you, nor those that access the Services through you, may: (a) use the Services: (i) in a way prohibited by law, regulation, governmental order or decree; (ii) to violate the rights of others; (iii) to try to gain unauthorized access to or disrupt any service, device, data, account or network; (iv) to spam or distribute malware; or (v) in a way that could harm the Services or impair anyone else’s use of it; or (b) reverse engineer, decompile, disassemble, or work around any technical limitations in the Services, or use the Services to create a competing product. You are responsible for responding to any third-party request regarding your use of the Services or Preview Data, such as a request to take down Preview Data under the U.S. Digital Millennium Copyright Act or other applicable laws.
+
+ 4. **Data Collection, Use and Location**. The Microsoft Privacy Statement https://privacy.microsoft.com/privacystatement applies to the collection, use and location of Preview Data. In the event of a conflict between Privacy Statement and the terms of these Terms, the terms of these Terms will control.
+
+4. **Confidentiality**. The following confidentiality terms apply to the Preview:
+
+ 1. During the Term plus 5 years, the parties will hold in strictest confidence and not use or disclose to any third party any Confidential Information of the other party. “Confidential Information” means all non-public information a party designates in writing or orally as being confidential, or which under the circumstances of disclosure ought to be treated as confidential. Confidential Information includes information relating to:
+ 1. a party’s released or unreleased software or hardware products;
+ 2. a party’s source code;
+ 3. a party’s product marketing or promotion;
+ 4. a party’s business policies or practices;
+ 5. a party’s customers or suppliers;
+ 6. information received from others that a party must treat as confidential; and
+ 7. information provided, obtained, or created by a party under these Terms, including:
+ * information in reports;
+ * the parties’ electronic or written correspondence, customer lists and customer information, regardless of source;
+ * Personal Data; and
+ * Transactional, sales, and marketing information.
+
+ 2. A party will consult with the other if it questions what comprises Confidential Information. Confidential Information excludes information (i) known to a party before the disclosing party’s disclosure to the receiving party, (ii) information publicly available through no fault of the receiving party, (iii) received from a third party without breach of an obligation owed to the disclosing party, or (iv) independently developed by a party without reference to or use of the disclosing party’s Confidential Information.
+
+ 3. Each party will employ security procedures to prevent disclosure of the other party’s Confidential Information to unauthorized third parties. The receiving party’s security procedures must include risk assessment and controls for:
+ 1. system access;
+ 2. system and application development and maintenance;
+ 3. change management;
+ 4. asset classification and control;
+ 5. incident response, physical and environmental security;
+ 6. disaster recovery/business continuity; and
+ 7. employee training.
+
+5. **Data Protection.**
+
+ **Generally**. To the extent Microsoft is a processor of Personal Data, the General Data Protection Regulation (GDPR) Terms in Attachment 1 govern that processing and the parties also agree to the following terms:
+
+ 1. Processing Details: The parties agree that:
+ * The subject-matter of the processing is limited to Personal Data within the scope of the GDPR;
+ * The duration of the processing shall be for the duration of your right to use the Services and until all Personal Data is deleted or returned in accordance with your instructions or these Terms;
+ * The nature and purpose of the processing shall be to provide the Services pursuant to these Terms;
+ * The types of Personal Data processed by the Services include those expressly identified in Article 4 of the GDPR to the extent included by Preview Data; and
+ * The categories of data subjects are your representatives and end users, such as employees, contractors, collaborators, and customers.
+
+ 2. Data Transfers:
+ * Preview Data and Personal Data that Microsoft processes on your behalf may be transferred to, and stored and processed in, the United States or any other country in which Microsoft or its Subprocessors operate. You appoint Microsoft to perform any such transfer of Preview Data and Personal Data to any such country and to store and process Preview Data and Personal Data to provide the Services.
+ * All transfers of Preview Data and Personal Data out of the European Union, European Economic Area, United Kingdom, and Switzerland to provide the Online Services shall be governed by the Standard Contractual Clauses in Attachment 2.
+ * Microsoft will abide by the requirements of European Economic Area and Swiss data protection law regarding the collection, use, transfer, retention, and other processing of Personal Data from the European Economic Area and Switzerland. All transfers of Personal Data to a third country or an international organization will be subject to appropriate safeguards as described in Article 46 of the GDPR and such transfers and safeguards will be documented according to Article 30(2) of the GDPR.
+ * In addition, Microsoft is certified to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks and the commitments they entail. Microsoft agrees to notify you in the event that it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Privacy Shield principles.
+
+6. **No Support or Incident Response.** Microsoft will have no obligation under these Terms to correct any bugs, defects or errors in the Services or AAD, provide any updates, upgrades or new releases, or otherwise provide any technical support or maintenance for any Services or AAD. You will make reasonable efforts to promptly report to Microsoft any defects you find in the Services, as an aid to creating improved revisions of the Services. Microsoft will have no obligation under these Terms to provide you with incident response as part of the Services.
+
+7. **Term and Termination.** The term of the Preview begins when you accept these Terms and continues until: (a) either party terminates this Preview by providing the other party: (i) 2 days’ notice for any reason (or no reason), or (ii) notice of such party’s breach of these Terms and such party fails to cure within 15 days, or (b) upon the general availability of the Services. When the Term ends, you will no longer have access to the Services, and Microsoft will no longer have the rights to access Customer Data granted herein. Each party will, on request, return or destroy the other’s Confidential Information provided under the Preview.
+
+8. **Feedback.** Providing Feedback is voluntary. Microsoft is under no obligation to post or use any Feedback. By providing Feedback to Microsoft, you (and anyone providing Feedback through your use of the Preview) irrevocably and perpetually grant to Microsoft and its affiliates, under all of its (and their) owned or controlled intellectual property rights, a worldwide, non-exclusive, fully paid-up, royalty-free, transferable, sub-licensable right and license to make, use, reproduce, prepare derivative works based upon, distribute, publicly perform, publicly display, transmit, and otherwise commercialize the Feedback (including by combining or interfacing products, services or technologies that depend on or incorporate Feedback with other products, services or technologies of Microsoft or others), without attribution in any way and for any purpose. You warrant that (a) you will not provide Feedback that is subject to a license requiring Microsoft to license anything to third parties because Microsoft exercises any of the above rights in your Feedback; and (b) you own or otherwise control all of the rights to such Feedback and that no such Feedback is subject to any third-party rights (including any personality or publicity rights).
+
+9. **Representations and Warranties; Limitation of Liability.**
+
+ 1. **By the Parties.** Each party represents and warrants to the other party that (a) it has all necessary rights, title, and authority to enter into and perform under these Terms; (b) its performance under these Terms will not breach any agreement with a third party; and (c) it will comply with any and all laws, rules, and regulations that are applicable to its performance under these Terms.
+
+ 2. **Disclaimer.** EXCEPT AS OTHERWISE PROVIDED IN THESE TERMS AND TO THE EXTENT APPLICABLE LAW PERMITS, MICROSOFT (a) PROVIDES THE SERVICES AS-IS; (b) PROVIDES NO WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE; AND (c) DOES NOT GUARANTEE THAT THE SERVICES WILL BE AVAILABLE, UNINTERRUPTED, OR ERROR-FREE, OR THAT LOSS OF PREVIEW DATA WILL NOT OCCUR.
+
+ 3. **Limitation of Liability.** Except as otherwise described in this Section 9, the only remedy either party has for claims relating to these Terms or participation in the Preview is to terminate these Terms or your participation in the Preview. NEITHER PARTY WILL BE LIABLE TO THE OTHER PARTY FOR ANY DAMAGES, INCLUDING DIRECT, INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE, OR EXEMPLARY DAMAGES, OR DAMAGES FOR LOST REVENUE, LOST PROFIT, LOST BUSINESS INFORMATION, OR BUSINESS INTERRUPTION, EVEN IF THE PARTY KNEW OR SHOULD HAVE KNOWN OF THE POSSIBILITY OF SUCH DAMAGES. The limitations in this Section 9 do not apply to claims arising from any breach of confidentiality obligations under Section 4.
+
+10. **General.**
+
+ 1. **Non-Exclusivity.** These Terms are nonexclusive. These Terms do not restrict either party from entering into the same or similar arrangement with any third party.
+
+ 2. **Jurisdiction and Governing Law.** The laws of the State of Washington, excluding conflicts of law provisions, govern these Terms. If federal jurisdiction exists, then each party consents to exclusive jurisdiction and venue in the federal courts in King County, Washington. If no federal jurisdiction exists, then each party consents to exclusive jurisdiction and venue in the Superior Court of King County, Washington.
+
+ 3. **Force Majeure.** A party will not be liable for failure to perform an obligation under these Terms to the extent that failure is due to a cause beyond that party’s reasonable control, including natural disaster, war, civil disturbance, or governmental action.
+
+ 4. **Attorneys’ fees.** If a party employs attorneys to enforce any rights arising out of or relating to these Terms, the prevailing party will be entitled to recover its reasonable attorneys’ fees, costs, and other expenses.
+
+ 5. **Assignment**. You may not assign these Terms or delegate any of your rights or obligations under these Terms to a third party without Microsoft’s prior written consent.
+
+ 6. **Entire Agreement.** These Terms are the entire agreement between the parties regarding its subject matter and replaces all prior agreements, communications, and representations between the parties regarding its subject matter.
+
+ 7. **Survival.** Sections 3.b, 4, 7 (with respect to post-termination obligations), and 8-10 will survive these Terms’ expiration or termination.
+
+
+ Attachment 1: GDPR Terms
+
+For purposes of these GDPR Terms, you and Microsoft agree that you are the controller of Personal Data and Microsoft is the processor of such data, except when you act as a processor of Personal Data, in which case Microsoft is a subprocessor. These GDPR Terms apply to the processing of Personal Data, within the scope of the GDPR, by Microsoft on your behalf. These GDPR Terms do not limit or reduce any data protection commitments Microsoft makes to you in other agreement between Microsoft and you. These GDPR Terms do not apply where Microsoft is a controller of Personal Data.
+
+**Relevant GDPR Obligations: Articles 28, 32, and 33**
+
+1. Microsoft shall not engage another processor without prior specific or your general written authorization. In the case of general written authorization, Microsoft shall inform you of any intended changes concerning the addition or replacement of other processors, thereby giving you the opportunity to object to such changes. (Article 28(2))
+2. Processing by Microsoft shall be governed by these GDPR Terms under European Union (hereafter “Union”) or Member State law and are binding on Microsoft with regard to you. The subject-matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data, the categories of data subjects and your obligations and rights are set forth in the Terms above, including these GDPR Terms. In particular, Microsoft shall:
+
+ 1. process the Personal Data only on your documented instructions, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Union or Member State law to which Microsoft is subject; in such a case, Microsoft shall inform you of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
+
+ 2. ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
+
+ 3. take all measures required pursuant to Article 32 of the GDPR;
+
+ 4. respect the conditions referred to in paragraphs 1 and 3 for engaging another processor;
+
+ 5. taking into account the nature of the processing, assist you by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of your obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR;
+
+ 6. assist you in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to Microsoft;
+
+ 7. at your choice, delete or return all the Personal Data to you after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data;
+
+ 8. make available to you all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you.
+
+ 9. immediately inform you if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions. (Article 28(3))
+
+3. Where Microsoft engages another processor for carrying out specific processing activities on your behalf, the same data protection obligations as set out in these GDPR Terms shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR. Where that other processor fails to fulfil its data protection obligations, Microsoft shall remain fully liable to you for the performance of that other processor's obligations. (Article 28(4))
+
+4. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, you and Microsoft shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
+
+ 1. the pseudonymisation and encryption of Personal Data;
+
+ 2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
+
+ 3. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
+
+ 4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. (Article 32(1))
+
+5. In assessing the appropriate level of security, account shall be taken of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed. (Article 32(2))
+
+6. You and Microsoft shall take steps to ensure that any natural person acting under your authority or Microsoft’s who has access to Personal Data does not process them except on instructions from you, unless he or she is required to do so by Union or Member State law. (Article 32(4))
+
+7. Microsoft shall notify you without undue delay after becoming aware of a personal data breach. (Article 33(2)). Such notification will include that information a processor must provide to a controller under Article 33(3) to the extent such information is reasonably available to Microsoft.
+
+
+ Attachment 2 – The Standard Contractual Clauses (Processors)
+
+In countries where regulatory approval is required for use of the Standard Contractual Clauses, the Standard Contractual Clauses cannot be relied upon under European Commission 2010/87/EU (of February 2010) to legitimize export of data from the country, unless Customer has the required regulatory approval.
+Beginning May 25, 2018 and thereafter, references to various Articles from the Directive 95/46/EC in the Standard Contractual Clauses below will be treated as references to the relevant and appropriate Articles in the GDPR.
+For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, Customer (as data exporter) and Microsoft Corporation (as data importer, whose signature appears below), each a “party,” together “the parties,” have agreed on the following Contractual Clauses (the “Clauses” or “Standard Contractual Clauses”) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
+
+**Clause 1: Definitions**
+
+1. 'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject' and 'supervisory authority' shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
+1. 'the data exporter' means the controller who transfers the personal data;
+1. 'the data importer' means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
+1. 'the subprocessor' means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
+1. 'the applicable data protection law' means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
+1. 'technical and organizational security measures' means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
+
+**Clause 2: Details of the transfer**
+
+The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 below which forms an integral part of the Clauses.
+
+**Clause 3: Third-party beneficiary clause**
+
+1. The data subject can enforce against the data exporter this Clause, Clause 4(2) to (9), Clause 5(1) to (5), and (7) to (10), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
+2.1.exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
+1. The data subject can enforce against the subprocessor this Clause, Clause 5(1) to (5) and (7), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
+1. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
+
+**Clause 4: Obligations of the data exporter**
+
+The data exporter agrees and warrants:
+
+1. that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
+1. that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;
+1. that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 below;
+1. that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
+1. that it will ensure compliance with the security measures;
+1. that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
+1. to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(2) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
+1. to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
+1. that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
+1. that it will ensure compliance with Clause 4(1) to (9).
+
+**Clause 5: Obligations of the data importer**
+
+The data importer agrees and warrants:
+
+1. to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
+1. that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
+1. that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
+1. that it will promptly notify the data exporter about:
+ 1. any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
+ 1. any accidental or unauthorised access, and
+ 1. any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
+1. to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
+1. at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
+1. to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
+1. that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
+1. that the processing services by the subprocessor will be carried out in accordance with Clause 11; and
+1. to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
+
+**Clause 6: Liability**
+
+1. The parties agree that any data subject who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
+1. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.
+The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
+1. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
+
+**Clause 7: Mediation and jurisdiction**
+
+1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
+ 1. to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
+ 1. to refer the dispute to the courts in the Member State in which the data exporter is established.
+1. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
+
+**Clause 8: Cooperation with supervisory authorities**
+
+1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
+1. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
+1. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (2).
+
+**Clause 9: Governing Law**
+
+The Clauses shall be governed by the law of the Member State in which the data exporter is established.
+
+**Clause 10: Variation of the contract**
+
+The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
+
+**Clause 11: Subprocessing**
+
+1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor's obligations under such agreement.
+1. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
+1. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
+1. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority.
+
+**Clause 12: Obligation after the termination of personal data processing services**
+
+1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
+1. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
+
+**Appendix 1 to the Standard Contractual Clauses**
+
+**Data exporter**: Customer is the data exporter. The data exporter is a user of the Services.
+
+**Data importer**: The data importer is MICROSOFT CORPORATION, a global producer of software and services.
+
+**Data subjects**: Data subjects include the data exporter’s representatives and end-users including employees, contractors, collaborators, and customers of the data exporter. Data subjects may also include individuals attempting to communicate or transfer personal information to users of the services provided by data importer. Microsoft acknowledges that, depending on Customer’s use of the Services, Customer may elect to include personal data from any of the following types of data subjects in the personal data:
+
+* Employees, contractors and temporary workers (current, former, prospective) of data exporter;
+* Dependents of the above;
+* Data exporter's collaborators/contact persons (natural persons) or employees, contractors or temporary workers of legal entity collaborators/contact persons (current, prospective, former);
+* Users (e.g., customers, clients, patients, visitors, etc.) and other data subjects that are users of data exporter's services;
+* Partners, stakeholders or individuals who actively collaborate, communicate or otherwise interact with employees of the data exporter and/or use communication tools such as apps and websites provided by the data exporter;
+* Stakeholders or individuals who passively interact with data exporter (e.g., because they are the subject of an investigation, research or mentioned in documents or correspondence from or to the data exporter);
+* Minors; or
+* Professionals with professional privilege (e.g., doctors, lawyers, notaries, religious workers, etc.).
+
+**Categories of data**: The personal data transferred that is included in data processed by the Services. Microsoft acknowledges that, depending on Customer’s use of the Services, Customer may elect to include personal data from any of the following categories in the personal data:
+
+* Basic personal data (for example place of birth, street name and house number (address), postal code, city of residence, country of residence, mobile phone number, first name, last name, initials, email address, gender, date of birth), including basic personal data about family members and children;
+* Authentication data (for example user name, password or PIN code, security question, audit trail);
+* Contact information (for example addresses, email, phone numbers, social media identifiers; emergency contact details);
+* Unique identification numbers and signatures (for example Social Security number, bank account number, passport and ID card number, driver's license number and vehicle registration data, IP addresses, employee number, student number, patient number, signature, unique identifier in tracking cookies or similar technology);
+* Pseudonymous identifiers;
+* Financial and insurance information (for example insurance number, bank account name and number, credit card name and number, invoice number, income, type of assurance, payment behavior, creditworthiness);
+* Commercial Information (for example history of purchases, special offers, subscription information, payment history);
+* Biometric Information (for example DNA, fingerprints and iris scans);
+* Location data (for example, Cell ID, geo-location network data, location by start call/end of the call. Location data derived from use of wifi access points);
+* Photos, video and audio;
+* Internet activity (for example browsing history, search history, reading, television viewing, radio listening activities);
+* Device identification (for example IMEI-number, SIM card number, MAC address);
+* Profiling (for example based on observed criminal or anti-social behavior or pseudonymous profiles based on visited URLs, click streams, browsing logs, IP-addresses, domains, apps installed, or profiles based on marketing preferences);
+* HR and recruitment data (for example declaration of employment status, recruitment information (such as curriculum vitae, employment history, education history details), job and position data, including worked hours, assessments and salary, work permit details, availability, terms of employment, tax details, payment details, insurance details and location and organizations);
+* Education data (for example education history, current education, grades and results, highest degree achieved, learning disability);
+* Citizenship and residency information (for example citizenship, naturalization status, marital status, nationality, immigration status, passport data, details of residency or work permit);
+* Information processed for the performance of a task carried out in the public interest or in the exercise of an official authority;
+* Special categories of data (for example racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, data concerning a natural person’s sex life or sexual orientation, or data relating to criminal convictions or offences); or
+* Any other personal data identified in Article 4 of the GDPR.
+
+**Processing operations**: The personal data transferred will be subject to the following basic processing activities:
+
+1. **Duration and Object of Data Processing**. The duration of data processing shall be for the term of the Preview. The objective of the data processing is the performance of the Services.
+1. **Scope and Purpose of Data Processing**. The scope and purpose of processing personal data is described in Section 5 of this agreement. The data importer operates a global network of data centers and management/support facilities, and processing may take place in any jurisdiction where data importer or its sub-processors operate such facilities.
+1. **Customer Data and Personal Data Access**. For the term designated under the applicable volume licensing agreement data importer will at its election and as necessary under applicable law implementing Article 12(b) of the EU Data Protection Directive, either: (1) provide data exporter with the ability to correct, delete, or block Customer Data and personal data, or (2) make such corrections, deletions, or blockages on its behalf.
+1. **Data Exporter’s Instructions**. For Online Services and Professional Services, data importer will only act upon data exporter’s instructions as conveyed by Microsoft.
+1. **Preview Data and Personal Data Deletion or Return**. Upon expiration or termination of data exporter’s use of the Services, it may extract Customer Data and personal data and data importer will delete Customer Data and personal data, each in accordance with the terms of this agreement.
+
+**Subcontractors**: In accordance with the DPA, the data importer may hire other companies to provide limited services on data importer’s behalf, such as providing customer support. Any such subcontractors will be permitted to obtain Customer Data and personal data only to deliver the services the data importer has retained them to provide, and they are prohibited from using Customer Data and personal data for any other purpose.
+
+**Appendix 2 to the Standard Contractual Clauses**
+
+Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(4) and 5(3):
+
+1. **Personnel**. Data importer’s personnel will not process Preview Data or personal data without authorization. Personnel are obligated to maintain the confidentiality of any such Preview Data and personal data and this obligation continues even after their engagement ends.
+2. **Data Privacy Contact**. The data privacy officer of the data importer can be reached at the following address: Microsoft Corporation Attn: Chief Privacy Officer1 Microsoft WayRedmond, WA 98052 USA
+3. **Technical and Organization Measures**. The data importer has implemented and will maintain appropriate technical and organizational measures, internal controls, and information security routines intended to protect Preview Data and personal data, as defined in Attachment 1 of this agreement, against accidental loss, destruction, or alteration; unauthorized disclosure or access; or unlawful destruction as follows: The technical and organizational measures, internal controls, and information security routines set forth in Attachment 1 of this agreement are hereby incorporated into this Appendix 2 by this reference and are binding on the data importer as if they were set forth in this Appendix 2 in their entirety.
diff --git a/windows/privacy/data-processor-service-for-windows-public-preview-terms.md b/windows/privacy/data-processor-service-for-windows-public-preview-terms.md
deleted file mode 100644
index 190bf05309..0000000000
--- a/windows/privacy/data-processor-service-for-windows-public-preview-terms.md
+++ /dev/null
@@ -1,170 +0,0 @@
----
-title: Data processor service for Windows public preview terms
-description: Use this article to understand Windows public preview terms of service.
-keywords: privacy, GDPR
-ms.localizationpriority: high
-ROBOTS: NOINDEX, NOFOLLOW
-ms.prod: w10
-ms.topic: article
-f1.keywords:
-- NOCSH
-ms.author: daniha
-author: DaniHalfin
-manager: dansimp
-audience: itpro
-ms.collection:
-- GDPR
-- M365-security-compliance
----
-
-# Data processor service for Windows public preview terms
-
-**These terms (“Terms”) must be read and accepted by a tenant admin with appropriate access rights and authority. By participating in this public preview, you: (a) agree to the following Terms, and (b) represent and warrant that you have such rights and authority.**
-
-These Terms govern your use of the preview described below (“**Preview**”). In order to access the Preview, you must be a current Microsoft Windows customer with an Azure Active Directory (“**AAD**”) subscription. The Preview consists of features and services that are in preview, beta, or other pre-release form for use with Windows and AAD.
-
- 1. **Definitions**. The following terms have the following meanings:
-
- 1. "**Customer Data**" means all data, including all text, sound, video, or image files that are provided to Microsoft by, or on behalf of, you through your use of Windows or AAD.
-
- 2. "**Feedback**" means, collectively, suggestions, comments, feedback, ideas, or know-how, in any form, that you or your users provide to Microsoft about Microsoft’s business, products, or services.
-
- 3. "**Personal Data**" means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
-
- 4. "**Preview Data**" means all data, including all text, sound, video, or image files that are provided to Microsoft by, or on behalf of, you through use of the Services.
-
- 5. "**Subprocessor**" means other processors used by Microsoft to process Personal Data.
-
-2. **Scope of Services**. The Preview is for a service that enables organizations to become controllers of Windows diagnostic data on supported versions of Windows, with Microsoft operating as processor of the data (collectively, the “**_Services_**”). You will collaborate with Microsoft in order to provide Microsoft the ability to enable the Services for you. To access the Services, you will need to configure participating Windows devices; Microsoft will assist you in such configuration via documentation or other communications.
-
-3. **Intellectual Property**.
-
- 1. **License Grant**. During the term of this Preview (“**Term**”), Microsoft grants you and authorized users in your tenant for Windows a non-exclusive, non-transferable, non-sublicensable right and license to access and use the Services in accordance with these Terms.
-
- 2. **Use Terms**. These Terms supersede any Microsoft terms and conditions or other agreement. You acknowledge that (i) the Services may not work correctly or in the manner that a commercial service may function; Microsoft may change the Services for the final, commercial version or choose not to release a commercial version; (ii) Microsoft may not provide support for the Services; (iii) the Online Services Terms (OST), including any obligations Microsoft may have regarding Customer Data, do not apply to the Services or Preview Data; (iv) Microsoft has no obligation to hold, export, or return Preview Data, except as described in these Terms; (v) Microsoft has no liability for the deletion of Preview Data, except as described in these Terms; and (vi) you may lose access to the Services and Preview Data after the Term.
-
- 3. **Acceptable Use**. Neither you, nor those that access the Services through you, may: (a) use the Services: (i) in a way prohibited by law, regulation, governmental order or decree; (ii) to violate the rights of others; (iii) to try to gain unauthorized access to or disrupt any service, device, data, account or network; (iv) to spam or distribute malware; or (v) in a way that could harm the Services or impair anyone else’s use of it; or (b) reverse engineer, decompile, disassemble, or work around any technical limitations in the Services, or use the Services to create a competing product. You are responsible for responding to any third-party request regarding your use of the Services or Preview Data, such as a request to take down Preview Data under the U.S. Digital Millennium Copyright Act or other applicable laws.
-
- 4. **Data Collection, Use and Location**. The Microsoft Privacy Statement https://privacy.microsoft.com/privacystatement applies to the collection, use and location of Preview Data. In the event of a conflict between Privacy Statement and the terms of these Terms, the terms of these Terms will control.
-
-4. **Confidentiality**. The following confidentiality terms apply to the Preview:
-
- 1. During the Term plus 5 years, the parties will hold in strictest confidence and not use or disclose to any third party any Confidential Information of the other party. “Confidential Information” means all non-public information a party designates in writing or orally as being confidential, or which under the circumstances of disclosure ought to be treated as confidential. Confidential Information includes information relating to:
- 1. a party’s released or unreleased software or hardware products;
- 2. a party’s source code;
- 3. a party’s product marketing or promotion;
- 4. a party’s business policies or practices;
- 5. a party’s customers or suppliers;
- 6. information received from others that a party must treat as confidential; and
- 7. information provided, obtained, or created by a party under these Terms, including:
- * information in reports;
- * the parties’ electronic or written correspondence, customer lists and customer information, regardless of source;
- * Personal Data; and
- * Transactional, sales, and marketing information.
-
- 2. A party will consult with the other if it questions what comprises Confidential Information. Confidential Information excludes information (i) known to a party before the disclosing party’s disclosure to the receiving party, (ii) information publicly available through no fault of the receiving party, (iii) received from a third party without breach of an obligation owed to the disclosing party, or (iv) independently developed by a party without reference to or use of the disclosing party’s Confidential Information.
-
- 3. Each party will employ security procedures to prevent disclosure of the other party’s Confidential Information to unauthorized third parties. The receiving party’s security procedures must include risk assessment and controls for:
- 1. system access;
- 2. system and application development and maintenance;
- 3. change management;
- 4. asset classification and control;
- 5. incident response, physical and environmental security;
- 6. disaster recovery/business continuity; and
- 7. employee training.
-
-5. **Data Protection.**
-
- **Generally**. To the extent Microsoft is a processor of Personal Data, the General Data Protection Regulation (GDPR) Terms in Appendix 1 govern that processing and the parties also agree to the following terms:
-
- 1. Processing Details: The parties agree that:
- * The subject-matter of the processing is limited to Personal Data within the scope of the GDPR;
- * The duration of the processing shall be for the duration of your right to use the Services and until all Personal Data is deleted or returned in accordance with your instructions or these Terms;
- * The nature and purpose of the processing shall be to provide the Services pursuant to these Terms;
- * The types of Personal Data processed by the Services include those expressly identified in Article 4 of the GDPR to the extent included by Preview Data; and
- * The categories of data subjects are your representatives and end users, such as employees, contractors, collaborators, and customers.
-
- 2. Data Transfers:
- * Preview Data and Personal Data that Microsoft processes on your behalf may be transferred to, and stored and processed in, the United States or any other country in which Microsoft or its Subprocessors operate. You appoint Microsoft to perform any such transfer of Preview Data and Personal Data to any such country and to store and process Preview Data and Personal Data to provide the Services.
- * Microsoft will abide by the requirements of European Economic Area and Swiss data protection law regarding the collection, use, transfer, retention, and other processing of Personal Data from the European Economic Area and Switzerland. All transfers of Personal Data to a third country or an international organization will be subject to appropriate safeguards as described in Article 46 of the GDPR and such transfers and safeguards will be documented according to Article 30(2) of the GDPR.
- * In addition, Microsoft is certified to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks and the commitments they entail. Microsoft agrees to notify you in the event that it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Privacy Shield principles.
-
-6. **No Support or Incident Response.** Microsoft will have no obligation under these Terms to correct any bugs, defects or errors in the Services or AAD, provide any updates, upgrades or new releases, or otherwise provide any technical support or maintenance for any Services or AAD. You will make reasonable efforts to promptly report to Microsoft any defects you find in the Services, as an aid to creating improved revisions of the Services. Microsoft will have no obligation under these Terms to provide you with incident response as part of the Services.
-
-7. **Term and Termination.** The term of the Preview begins when you accept these Terms and continues until: (a) either party terminates this Preview by providing the other party: (i) 2 days’ notice for any reason (or no reason), or (ii) notice of such party’s breach of these Terms and such party fails to cure within 15 days, or (b) upon the general availability of the Services. When the Term ends, you will no longer have access to the Services, and Microsoft will no longer have the rights to access Customer Data granted herein. Each party will, on request, return or destroy the other’s Confidential Information provided under the Preview.
-
-8. **Feedback.** Providing Feedback is voluntary. Microsoft is under no obligation to post or use any Feedback. By providing Feedback to Microsoft, you (and anyone providing Feedback through your use of the Preview) irrevocably and perpetually grant to Microsoft and its affiliates, under all of its (and their) owned or controlled intellectual property rights, a worldwide, non-exclusive, fully paid-up, royalty-free, transferable, sub-licensable right and license to make, use, reproduce, prepare derivative works based upon, distribute, publicly perform, publicly display, transmit, and otherwise commercialize the Feedback (including by combining or interfacing products, services or technologies that depend on or incorporate Feedback with other products, services or technologies of Microsoft or others), without attribution in any way and for any purpose. You warrant that (a) you will not provide Feedback that is subject to a license requiring Microsoft to license anything to third parties because Microsoft exercises any of the above rights in your Feedback; and (b) you own or otherwise control all of the rights to such Feedback and that no such Feedback is subject to any third-party rights (including any personality or publicity rights).
-
-9. **Representations and Warranties; Limitation of Liability.**
-
- 1. **By the Parties.** Each party represents and warrants to the other party that (a) it has all necessary rights, title, and authority to enter into and perform under these Terms; (b) its performance under these Terms will not breach any agreement with a third party; and (c) it will comply with any and all laws, rules, and regulations that are applicable to its performance under these Terms.
-
- 2. **Disclaimer.** EXCEPT AS OTHERWISE PROVIDED IN THESE TERMS AND TO THE EXTENT APPLICABLE LAW PERMITS, MICROSOFT (a) PROVIDES THE SERVICES AS-IS; (b) PROVIDES NO WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE; AND (c) DOES NOT GUARANTEE THAT THE SERVICES WILL BE AVAILABLE, UNINTERRUPTED, OR ERROR-FREE, OR THAT LOSS OF PREVIEW DATA WILL NOT OCCUR.
-
- 3. **Limitation of Liability.** Except as otherwise described in this Section 9, the only remedy either party has for claims relating to these Terms or participation in the Preview is to terminate these Terms or your participation in the Preview. NEITHER PARTY WILL BE LIABLE TO THE OTHER PARTY FOR ANY DAMAGES, INCLUDING DIRECT, INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE, OR EXEMPLARY DAMAGES, OR DAMAGES FOR LOST REVENUE, LOST PROFIT, LOST BUSINESS INFORMATION, OR BUSINESS INTERRUPTION, EVEN IF THE PARTY KNEW OR SHOULD HAVE KNOWN OF THE POSSIBILITY OF SUCH DAMAGES. The limitations in this Section 9 do not apply to claims arising from any breach of confidentiality obligations under Section 4.
-
-10. **General.**
-
- 1. **Non-Exclusivity.** These Terms are nonexclusive. These Terms do not restrict either party from entering into the same or similar arrangement with any third party.
-
- 2. **Jurisdiction and Governing Law.** The laws of the State of Washington, excluding conflicts of law provisions, govern these Terms. If federal jurisdiction exists, then each party consents to exclusive jurisdiction and venue in the federal courts in King County, Washington. If no federal jurisdiction exists, then each party consents to exclusive jurisdiction and venue in the Superior Court of King County, Washington.
-
- 3. **Force Majeure.** A party will not be liable for failure to perform an obligation under these Terms to the extent that failure is due to a cause beyond that party’s reasonable control, including natural disaster, war, civil disturbance, or governmental action.
-
- 4. **Attorneys’ fees.** If a party employs attorneys to enforce any rights arising out of or relating to these Terms, the prevailing party will be entitled to recover its reasonable attorneys’ fees, costs, and other expenses.
-
- 5. **Assignment**. You may not assign these Terms or delegate any of your rights or obligations under these Terms to a third party without Microsoft’s prior written consent.
-
- 6. **Entire Agreement.** These Terms are the entire agreement between the parties regarding its subject matter and replaces all prior agreements, communications, and representations between the parties regarding its subject matter.
-
- 7. **Survival.** Sections 3.b, 4, 7 (with respect to post-termination obligations), and 8-10 will survive these Terms’ expiration or termination.
-
-
- Appendix 1: GDPR Terms
-
-For purposes of these GDPR Terms, you and Microsoft agree that you are the controller of Personal Data and Microsoft is the processor of such data, except when you act as a processor of Personal Data, in which case Microsoft is a subprocessor. These GDPR Terms apply to the processing of Personal Data, within the scope of the GDPR, by Microsoft on your behalf. These GDPR Terms do not limit or reduce any data protection commitments Microsoft makes to you in other agreement between Microsoft and you. These GDPR Terms do not apply where Microsoft is a controller of Personal Data.
-
-**Relevant GDPR Obligations: Articles 28, 32, and 33**
-
-1. Microsoft shall not engage another processor without prior specific or your general written authorization. In the case of general written authorization, Microsoft shall inform you of any intended changes concerning the addition or replacement of other processors, thereby giving you the opportunity to object to such changes. (Article 28(2))
-2. Processing by Microsoft shall be governed by these GDPR Terms under European Union (hereafter “Union”) or Member State law and are binding on Microsoft with regard to you. The subject-matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data, the categories of data subjects and your obligations and rights are set forth in the Terms above, including these GDPR Terms. In particular, Microsoft shall:
-
- 1. process the Personal Data only on your documented instructions, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Union or Member State law to which Microsoft is subject; in such a case, Microsoft shall inform you of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
-
- 2. ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
-
- 3. take all measures required pursuant to Article 32 of the GDPR;
-
- 4. respect the conditions referred to in paragraphs 1 and 3 for engaging another processor;
-
- 5. taking into account the nature of the processing, assist you by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of your obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR;
-
- 6. assist you in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to Microsoft;
-
- 7. at your choice, delete or return all the Personal Data to you after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data;
-
- 8. make available to you all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you.
-
- 9. immediately inform you if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions. (Article 28(3))
-
-3. Where Microsoft engages another processor for carrying out specific processing activities on your behalf, the same data protection obligations as set out in these GDPR Terms shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR. Where that other processor fails to fulfil its data protection obligations, Microsoft shall remain fully liable to you for the performance of that other processor's obligations. (Article 28(4))
-
-4. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, you and Microsoft shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
-
- 1. the pseudonymisation and encryption of Personal Data;
-
- 2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
-
- 3. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
-
- 4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. (Article 32(1))
-
-5. In assessing the appropriate level of security, account shall be taken of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed. (Article 32(2))
-
-6. You and Microsoft shall take steps to ensure that any natural person acting under your authority or Microsoft’s who has access to Personal Data does not process them except on instructions from you, unless he or she is required to do so by Union or Member State law. (Article 32(4))
-
-7. Microsoft shall notify you without undue delay after becoming aware of a personal data breach. (Article 33(2)). Such notification will include that information a processor must provide to a controller under Article 33(3) to the extent such information is reasonably available to Microsoft.
-
-
-
-
\ No newline at end of file
diff --git a/windows/privacy/deploy-data-processor-service-windows.md b/windows/privacy/deploy-data-processor-service-windows.md
index b7fbf5e044..66bb8268c7 100644
--- a/windows/privacy/deploy-data-processor-service-windows.md
+++ b/windows/privacy/deploy-data-processor-service-windows.md
@@ -1,6 +1,6 @@
---
-title: Technical Deployment of the data processor service for Windows
-description: Use this article to understand how to deploy and manage the data processor service for Windows.
+title: Technical Deployment of the data processor service for Windows Enterprise
+description: Use this article to understand how to deploy and manage the data processor service for Windows Enterprise.
keywords: privacy, GDPR
ms.localizationpriority: high
ROBOTS: NOINDEX, NOFOLLOW
@@ -17,35 +17,35 @@ ms.collection:
- M365-security-compliance
---
-# Data processor service for Windows Overview
+# Data processor service for Windows Enterprise Overview
>[!NOTE]
->This topic is intended for participants in the data processor service for Windows preview program and requires acceptance of specific terms of use. To learn
-more about the program and agree to the terms of use, see [https://aka.ms/dpswpublicpreview](https://aka.ms/dpswpublicpreview).
+>This topic is intended for participants in the data processor service for Windows Enterprise preview program and requires acceptance of specific terms of use. To learn
+more about the program and agree to the terms of use, see [https://aka.ms/WindowsEnterprisePublicPreview](https://aka.ms/WindowsEnterprisePublicPreview).
The privacy landscape keeps evolving, and with it, we make changes to our services to meet our customers’ needs.
-The data processor service for Windows empowers you to be in control of diagnostic data from Windows devices, and act as data controllers for that data, under the definition of the European Union General Data Protection Regulation (GDPR).
+The data processor service for Windows Enterprise empowers you to be in control of diagnostic data from Windows devices, and act as data controllers for that data, under the definition of the European Union General Data Protection Regulation (GDPR).
-The data processor service for Windows will serve as a foundation for other Microsoft services that use Windows diagnostic data.
+The data processor service for Windows Enterprise will serve as a foundation for other Microsoft services that use Windows diagnostic data.
-The data processor service for Windows offering enables you to store and manage your Windows diagnostic data in the cloud, on top of an end-to-end data platform designed and built with compliance in mind, to help you meet your compliance obligations.
+The data processor service for Windows Enterprise offering enables you to store and manage your Windows diagnostic data in the cloud, on top of an end-to-end data platform designed and built with compliance in mind, to help you meet your compliance obligations.
Your data is routed and stored inside an enterprise compliance boundary, operating under a prescriptive and focused set of compliance requirements, in accordance with industry standards.
-The data processor service for Windows provides you with controls that help respond to delete data subject requests (DSRs) on diagnostic data, at user account closure, for a specific Azure AD User ID. Additionally, you’re able to execute an export DSR for a specific Azure AD User ID.
-Should you desire so, Microsoft will accommodate a data processor service for Windows tenant account closure, either because you decide to close your Azure or Azure AD tenant account, or because you decide you no longer wish to be the data controller for diagnostic data, but still wish to remain an Azure customer.
+The data processor service for Windows Enterprise provides you with controls that help respond to delete data subject requests (DSRs) on diagnostic data, at user account closure, for a specific Azure AD User ID. Additionally, you’re able to execute an export DSR for a specific Azure AD User ID.
+Should you desire so, Microsoft will accommodate a data processor service for Windows Enterprise tenant account closure, either because you decide to close your Azure or Azure AD tenant account, or because you decide you no longer wish to be the data controller for diagnostic data, but still wish to remain an Azure customer.
>[!Note]
>Tenant account closure will lead to the deletion of all data associated with that tenant.
-## Deployment of data processor service for Windows
-Use the instructions below to easily manage the data processor service for Windows using a single setting, through Group Policy, or an MDM solution, in Windows 10, version 1809 or Windows Server 2019 and newer.
+## Deployment of data processor service for Windows Enterprise
+Use the instructions below to easily manage the data processor service for Windows Enterprise using a single setting, through Group Policy, or an MDM solution, in Windows 10, version 1809 or Windows Server 2019 and newer.
### Prerequisites
#### Versions supported
-The data processor service for Windows is currently supported on Windows 10, version 1809, and newer versions.
+The data processor service for Windows Enterprise is currently supported on Windows 10, version 1809, and newer versions.
#### Network requirements
-The following endpoints need to be reachable from devices enrolled into the data processor service for Windows:
+The following endpoints need to be reachable from devices enrolled into the data processor service for Windows Enterprise:
login.live.com
@@ -61,14 +61,14 @@ For additional information, see the “device authentication” and “diagnosti
[Windows 10, version 1903 endpoints](https://docs.microsoft.com/Windows/privacy/manage-Windows-1903-endpoints)
-### Deploying data processor service for Windows
-You can use either Group Policy or an MDM solution to deploy the data processor service for Windows to your supported devices.
+### Deploying data processor service for Windows Enterprise
+You can use either Group Policy or an MDM solution to deploy the data processor service for Windows Enterprise to your supported devices.
-In Group Policy, to enable data collection through the data processor service for Windows, go to **Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds** and switch the **Allow commercial data pipeline** setting to **enabled**.
+In Group Policy, to enable data collection through the data processor service for Windows Enterprise, go to **Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds** and switch the **Allow commercial data pipeline** setting to **enabled**.
If you wish to disable, at any time, switch the same setting to **disabled**. The default state of the above setting is **disabled**.
-To use an MDM solution, such as [Microsoft Intune](https://docs.microsoft.com/intune/custom-settings-Windows-10), to deploy the data processor service for Windows to your supported devices, use the following custom OMA-URI setting configuration:
+To use an MDM solution, such as [Microsoft Intune](https://docs.microsoft.com/intune/custom-settings-Windows-10), to deploy the data processor service for Windows Enterprise to your supported devices, use the following custom OMA-URI setting configuration:
- **Name:** System/AllowCommercialDataPipeline
- **OMA-URI:** ./Vendor/MSFT/Policy/Config/System/AllowCommercialDataPipeline
@@ -79,11 +79,11 @@ Under **Value**, use **1** to enable the service.
If you wish to disable, at any time, switch the same setting to **0** to disable. The default is **0**.
>[!Note]
->Data collected from a device, before it was enrolled into the data processor service for Windows, will not be moved into the enterprise compliance boundary.
+>Data collected from a device, before it was enrolled into the data processor service for Windows Enterprise, will not be moved into the enterprise compliance boundary.
-## Managing data processor service for Windows
+## Managing data processor service for Windows Enterprise
### Executing user-based data subject requests (DSRs)
-To perform user-based DSRs, the data processor service for Windows requires your organization to be reflected in Azure AD.
+To perform user-based DSRs, the data processor service for Windows Enterprise requires your organization to be reflected in Azure AD.
If your environment is cloud-only and managed in Azure, or all your devices are Azure AD joined - you don’t need to take any further action.
@@ -93,4 +93,4 @@ To learn more, visit [How To: Plan your hybrid Azure Active Directory join imple
Once you have Azure AD join or hybrid Azure AD join in place, you can learn more about executing user-based DSRs, by visiting this [page](https://review.docs.microsoft.com/microsoft-365/compliance/gdpr-dsr-windows?branch=siosulli-wps&view=o365-worldwide).
## Geo-location
-Windows Diagnostic Data collected through the data processor service for Windows is hosted in our datacenter in the United States.
\ No newline at end of file
+Windows Diagnostic Data collected through the data processor service for Windows Enterprise is hosted in our datacenter in the United States.
\ No newline at end of file
diff --git a/windows/privacy/index.yml b/windows/privacy/index.yml
index 8096eb0de3..b9b6ce81fd 100644
--- a/windows/privacy/index.yml
+++ b/windows/privacy/index.yml
@@ -14,7 +14,7 @@ metadata:
author: danihalfin
ms.author: daniha
manager: dansimp
- ms.date: 02/21/2019 #Required; mm/dd/yyyy format.
+ ms.date: 07/21/2020 #Required; mm/dd/yyyy format.
ms.localizationpriority: high
# highlightedContent section (optional)
@@ -55,7 +55,7 @@ productDirectory:
- title: Changes to Windows diagnostic data collection
imageSrc: https://docs.microsoft.com/media/common/i_build.svg
summary: See what changes Windows is making to align to the new data collection taxonomy
- url: windows-diagnostic-data.md
+ url: changes-to-windows-diagnostic-data-collection.md
# conceptualContent section (optional)
# conceptualContent:
@@ -179,4 +179,4 @@ additionalContent:
- text: Support for GDPR Accountability on Service Trust Portal
url: https://servicetrust.microsoft.com/ViewPage/GDPRGetStarted
# footer (optional)
- # footer: "footertext [linktext](https://docs.microsoft.com/footerfile)"
\ No newline at end of file
+ # footer: "footertext [linktext](https://docs.microsoft.com/footerfile)"
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index b73606d090..a8de10ac7f 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -30,6 +30,7 @@ This article describes the network connections that Windows 10 components make t
Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Windows Defender are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly.
>[!IMPORTANT]
+> - The downloadable Windows 10, version 1903 scripts/settings can be used on Windows 10, version 1909 devices.
> - The Allowed Traffic endpoints are listed here: [Allowed Traffic](#bkmk-allowedtraffic)
> - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign.
> - For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: Windows Update, Automatic Root Certificates Update, and Windows Defender. Accordingly, we do not recommend disabling any of these features.
@@ -117,12 +118,12 @@ See the following table for a summary of the management settings for Windows Ser
| Setting | UI | Group Policy | Registry |
| - | :-: | :-: | :-: |
| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | |  |  |
-| [2. Cortana and Search](#bkmk-cortana) |  |  |  |
+| [2. Cortana and Search](#bkmk-cortana) | |  |  |
| [3. Date & Time](#bkmk-datetime) |  |  |  |
| [4. Device metadata retrieval](#bkmk-devinst) | |  |  |
| [6. Font streaming](#font-streaming) | |  |  |
| [7. Insider Preview builds](#bkmk-previewbuilds) |  |  |  |
-| [8. Internet Explorer](#bkmk-ie) |  |  |  |
+| [8. Internet Explorer](#bkmk-ie) | |  |  |
| [10. Live Tiles](#live-tiles) | |  |  |
| [12. Microsoft Account](#bkmk-microsoft-account) | | |  |
| [14. Network Connection Status Indicator](#bkmk-ncsi) | |  |  |
@@ -168,17 +169,17 @@ See the following table for a summary of the management settings for Windows Ser
| Setting | UI | Group Policy | Registry |
| - | :-: | :-: | :-: |
| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | |  |  |
-| [2. Cortana and Search](#bkmk-cortana) |  |  |  |
+| [2. Cortana and Search](#bkmk-cortana) | |  |  |
| [3. Date & Time](#bkmk-datetime) |  |  |  |
| [4. Device metadata retrieval](#bkmk-devinst) | |  |  |
| [5. Find My Device](#find-my-device) |  |  |  |
| [6. Font streaming](#font-streaming) | |  |  |
| [7. Insider Preview builds](#bkmk-previewbuilds) |  |  |  |
-| [8. Internet Explorer](#bkmk-ie) |  |  |  |
+| [8. Internet Explorer](#bkmk-ie) | |  |  |
| [10. Live Tiles](#live-tiles) | |  |  |
| [11. Mail synchronization](#bkmk-mailsync) |  | |  |
| [12. Microsoft Account](#bkmk-microsoft-account) | | |  |
-| [13. Microsoft Edge](#bkmk-edge) |  |  |  |
+| [13. Microsoft Edge](#bkmk-edge) | |  |  |
| [14. Network Connection Status Indicator](#bkmk-ncsi) | |  |  |
| [15. Offline maps](#bkmk-offlinemaps) |  |  |  |
| [16. OneDrive](#bkmk-onedrive) | |  |  |
@@ -437,7 +438,7 @@ There are more Group Policy objects that are used by Internet Explorer:
| Path | Policy | Description |
| - | - | - |
-| **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Compatibility View** > **Turn off Compatibility View** | Choose whether employees can configure Compatibility View. | Choose whether an employee can fix website display problems that he or she may encounter while browsing.
**Set to: Enabled** |
+| **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Compatibility View** > **Turn off Compatibility View** | Turn off Compatibility View. | Choose whether an employee can fix website display problems that he or she may encounter while browsing.
**Set to: Enabled** |
| **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Internet Control Panel** > **Advanced Page** | Turn off the flip ahead with page prediction feature | Choose whether an employee can swipe across a screen or click forward to go to the next pre-loaded page of a website.
**Set to: Enabled** |
| **Computer Configuration** > **Administrative Templates** > **Windows Components** > **RSS Feeds** | Turn off background synchronization for feeds and Web Slices | Choose whether to have background synchronization for feeds and Web Slices.
**Set to: Enabled** |
| **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Allow Online Tips** | Allow Online Tips | Enables or disables the retrieval of online tips and help for the Settings app.
**Set to: Disabled** |
@@ -1100,7 +1101,7 @@ To turn off **Choose apps that can access contacts**:
-or-
-- Create a REG_DWORD registry setting named **LetAppsAccessContacts** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
+- Create a REG_DWORD registry setting named **LetAppsAccessContacts** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
### 18.9 Calendar
@@ -1116,7 +1117,7 @@ To turn off **Let apps access my calendar**:
-or-
-- Create a REG_DWORD registry setting named **LetAppsAccessCalendar** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
+- Create a REG_DWORD registry setting named **LetAppsAccessCalendar** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
To turn off **Choose apps that can access calendar**:
@@ -1622,11 +1623,11 @@ You can stop sending file samples back to Microsoft.
You can stop downloading **Definition Updates**:
-- **Enable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Signature Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**.
+- **Enable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**.
-and-
-- **Disable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to **Nothing**.
+- **Disable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates** > **Define file shares for downloading definition updates** and set it to **Nothing**.
-or-
diff --git a/windows/privacy/manage-windows-1903-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md
index 580f8b4425..af34673c47 100644
--- a/windows/privacy/manage-windows-1903-endpoints.md
+++ b/windows/privacy/manage-windows-1903-endpoints.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: high
audience: ITPro
-author: obezeajo
+author: linque1
ms.author: obezeajo
manager: robsize
ms.collection: M365-security-compliance
diff --git a/windows/privacy/manage-windows-1909-endpoints.md b/windows/privacy/manage-windows-1909-endpoints.md
new file mode 100644
index 0000000000..92f03d2111
--- /dev/null
+++ b/windows/privacy/manage-windows-1909-endpoints.md
@@ -0,0 +1,139 @@
+---
+title: Connection endpoints for Windows 10 Enterprise, version 1909
+description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 1909.
+keywords: privacy, manage connections to Microsoft, Windows 10
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: high
+audience: ITPro
+author: gental-giant
+ms.author: v-hakima
+manager: obezeajo
+ms.collection: M365-security-compliance
+ms.topic: article
+ms.date: 7/22/2020
+---
+# Manage connection endpoints for Windows 10 Enterprise, version 1909
+
+**Applies to**
+
+- Windows 10 Enterprise, version 1909
+
+Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include:
+
+- Connecting to Microsoft Office and Windows sites to download the latest app and security updates.
+- Connecting to email servers to send and receive email.
+- Connecting to the web for every day web browsing.
+- Connecting to the cloud to store and access backups.
+- Using your location to show a weather forecast.
+
+Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
+Where applicable, each endpoint covered in this topic includes a link to the specific details on how to control that traffic.
+
+The following methodology was used to derive these network endpoints:
+
+1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
+2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device).
+3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
+4. Compile reports on traffic going to public IP addresses.
+5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
+6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
+7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
+8. These tests were conducted for one week, but if you capture traffic for longer you may have different results.
+
+> [!NOTE]
+> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
+
+## Windows 10 1909 Enterprise connection endpoints
+
+|Area|Description|Protocol|Destination|
+|----------------|----------|----------|------------|
+|Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
+||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com|
+|||HTTP|tile-service.weather.microsoft.com/en-us/livetile/preinstall|
+||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/*|
+||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLS v1.2|evoke-windowsservices-tas.msedge.net
+|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to turn off traffic to this endpoint, but it is not recommended because as root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
+|||HTTP|ctldl.windowsupdate.com|
+|Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)|
+||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|HTTPS|www.bing.com*|
+|||HTTPS|www.bing.com/client/config|
+|||TLS v1.2|fp.msedge.net|
+|Device authentication|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
+||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com*|
+|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
+|||HTTP|v10.events.data.microsoft.com|
+||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|HTTPS|*.telecommand.telemetry.microsoft.com|
+|||TLS v1.2|watson.*.microsoft.com|
+|Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#9-license-manager)|
+|||HTTPS|*licensing.mp.microsoft.com|
+|||HTTPS|licensing.mp.microsoft.com/v7.0/licenses/content|
+|Location|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location)|
+||The following endpoints are used for location data. If you turn off traffic for this endpoint, apps cannot use location data.|TLS v1.2|inference.location.live.net|
+|Maps|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps)|
+||The following endpoints are used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|HTTP|*maps.windows.com|
+|| The following endpoints are used to check for updates to maps that have been downloaded for offline use.|HTTP|fs.microsoft.com*|
+|Microsoft Account|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account)|
+||The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |TLS v1.2|*login.live.com|
+|Microsoft Edge|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge)|
+||This traffic is related to the Microsoft Edge browser.|HTTPS|iecvlist.microsoft.com|
+|Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTPS|go.microsoft.com|
+|Microsoft Store|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
+||The following endpoints are used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them|TLS v1.2|1storecatalogrevocation.storequality.microsoft.com|
+|||HTTPS|storecatalogrevocation.storequality.microsoft.com|
+||The following endpoint is used to get Microsoft Store analytics.|HTTPS|manage.devcenter.microsoft.com|
+||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps cannot be installed or updated from the Microsoft Store.|HTTPS|displaycatalog.mp.microsoft.com/*|
+|||HTTPS|pti.store.microsoft.com/*|
+|Network Connection Status Indicator (NCSI)|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi)|
+||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.|HTTP|www.msftconnecttest.com*|
+|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
+|||HTTP/ TLS v1.2|v10.events.data.microsoft.com/onecollector/1.0/|
+|||TLS v1.2|*.blob.core.windows.net|
+|||HTTP|officehomeblobs.blob.core.windows.net|
+||The following endpoints are used by Microsoft OfficeHub to get the metadata of Microsoft Office apps |TLS v1.2|c-ring.msedge.net|
+|OneDrive|The following endpoints are related to OneDrive. If you turn off traffic for these endpoints, anything that relies on g.live.com to get updated URL information will no longer work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive)|
+|||TLS v1.2|*g.live.com|
+|||HTTPS|oneclient.sfx.ms|
+|||HTTPS| logincdn.msauth.net|
+|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
+|||TLS v1.2|settings-win.data.microsoft.com|
+|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
+|||HTTPS|*.pipe.aria.microsoft.com|
+|||HTTP/TLS v1.2|config.edge.skype.com|
+|Teams|The following endpoint is used for Microsoft Teams application.||[Learn how to turn off traffic to all of the following endpoint(s).]( manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
+|||HTTPS|config.teams.microsoft.com|
+|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device will not use Cloud-based Protection.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)|
+|||HTTPS/TLS v1.2|wdcp.microsoft.com|
+||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications will not appear.|HTTPS/TLS v1.2|*smartscreen-prod.microsoft.com|
+|||HTTPS|checkappexec.microsoft.com|
+|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see Windows Spotlight.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)|
+|||HTTPS/TLS v1.2|arc.msn.com|
+|||HTTPS|ris.api.iris.microsoft.com|
+|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)|
+|||HTTPS/TLS v1.2|*.prod.do.dsp.mp.microsoft.com|
+|||HTTP|emdl.ws.microsoft.com|
+||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|HTTP|*.dl.delivery.mp.microsoft.com|
+|||HTTP|*.windowsupdate.com|
+||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|HTTP|*.delivery.mp.microsoft.com|
+|||HTTPS/TLS v1.2|*.update.microsoft.com|
+||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly.|HTTPS/TLS v1.2|tsfe.trafficshaping.dsp.mp.microsoft.com|
+## Other Windows 10 editions
+
+To view endpoints for other versions of Windows 10 Enterprise, see:
+- [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
+
+To view endpoints for non-Enterprise Windows 10 editions, see:
+- [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md)
+- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md)
+- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md)
+- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md)
+
+
+## Related links
+
+- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
+- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune)
diff --git a/windows/privacy/manage-windows-2004-endpoints.md b/windows/privacy/manage-windows-2004-endpoints.md
index 14db2c3cc4..01990ccba5 100644
--- a/windows/privacy/manage-windows-2004-endpoints.md
+++ b/windows/privacy/manage-windows-2004-endpoints.md
@@ -28,17 +28,17 @@ Some Windows components, app, and related services transfer data to Microsoft ne
- Connecting to the cloud to store and access backups.
- Using your location to show a weather forecast.
-Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
-Where applicable, each endpoint covered in this topic includes a link to the specific details on how to control that traffic.
+Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
+Where applicable, each endpoint covered in this topic includes a link to the specific details on how to control that traffic.
The following methodology was used to derive these network endpoints:
-1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
+1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device).
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
-6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
+6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
8. These tests were conducted for one week, but if you capture traffic for longer you may have different results.
@@ -50,12 +50,13 @@ The following methodology was used to derive these network endpoints:
|Area|Description|Protocol|Destination|
|----------------|----------|----------|------------|
|Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
-||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|tile-service.weather.microsoft.com
+||The following endpoints are used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|blob.weather.microsoft.com|
+|||HTTP|tile-service.weather.microsoft.com|
||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/*
||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2|evoke-windowsservices-tas.msedge.net|
|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to turn off traffic to this endpoint, but it is not recommended because as root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
|||HTTP|ctldl.windowsupdate.com|
-|Cortana and Search|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)|
+|Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)|
||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2|www.bing.com*|
|Device metadata|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#4-device-metadata-retrieval)|
||The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.|HTTPS|dmd.metaservices.microsoft.com|
@@ -64,6 +65,8 @@ The following methodology was used to derive these network endpoints:
|||TLSv1.2|v20.events.data.microsoft.com|
||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|HTTPS|*.telecommand.telemetry.microsoft.com|
|||TLS v1.2|watson.*.microsoft.com|
+|Font Streaming|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#6-font-streaming)|
+||The following endpoints are used to download fonts on demand. If you turn off traffic for these endpoints, you will not be able to download fonts on demand. |HTTPS|fs.microsoft.com*|
|Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#9-license-manager)|
|||HTTPS|*licensing.mp.microsoft.com|
|Maps|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps)|
@@ -71,13 +74,13 @@ The following methodology was used to derive these network endpoints:
|| The following endpoints are used to check for updates to maps that have been downloaded for offline use.|HTTP|fs.microsoft.com*|
|Microsoft Account|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account)|
||The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |TLSv1.2|*login.live.com|
-|Microsoft Edge|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge)|
-||This traffic is related to the Microsoft Edge browser.|TLSv1.2|img-prod-cms-rt-microsoft-com*|
|Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTPS|go.microsoft.com|
|Microsoft Store|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
+||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|TLSv1.2/HTTPS|img-prod-cms-rt-microsoft-com.akamaized.net|
||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|TLSv1.2|*.wns.windows.com|
||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|TLSv1.2|storecatalogrevocation.storequality.microsoft.com|
-||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps cannot be installed or updated from the Microsoft Store. |HTTP|*.dl.delivery.mp.microsoft.com|
+||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps cannot be installed or updated from the Microsoft Store.|HTTPS|*displaycatalog.mp.microsoft.com|
+|||HTTP|*.dl.delivery.mp.microsoft.com|
||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2|manage.devcenter.microsoft.com|
|Network Connection Status Indicator (NCSI)|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi)|
||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.|HTTP|www.msftconnecttest.com*|
@@ -101,6 +104,7 @@ The following methodology was used to derive these network endpoints:
|||TLSv1.2|wdcp.microsoft.com|
|||HTTPS|go.microsoft.com|
||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications will not appear.|HTTPS|*smartscreen-prod.microsoft.com|
+|||HTTPS|*smartscreen.microsoft.com |
|||HTTPS|checkappexec.microsoft.com|
|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see Windows Spotlight.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)|
|||TLSv1.2|arc.msn.com|
@@ -118,12 +122,14 @@ The following methodology was used to derive these network endpoints:
## Other Windows 10 editions
To view endpoints for other versions of Windows 10 Enterprise, see:
+- [Manage connection endpoints for Windows 10, version 1909](manage-windows-1909-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
To view endpoints for non-Enterprise Windows 10 editions, see:
+- [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions.md)
- [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md)
- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md)
- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md)
diff --git a/windows/privacy/toc.yml b/windows/privacy/toc.yml
index 7378b77892..6d801ea292 100644
--- a/windows/privacy/toc.yml
+++ b/windows/privacy/toc.yml
@@ -28,7 +28,7 @@
- name: Windows 10, version 1703 required Windows diagnostic events and fields
href: basic-level-windows-diagnostic-events-and-fields-1703.md
- name: Optional Windows diagnostic data events and fields
- items:
+ items:
- name: Windows 10, version 1709 and newer optional diagnostic data
href: windows-diagnostic-data.md
- name: Windows 10, version 1703 optional diagnostic data
@@ -43,6 +43,8 @@
href: manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
- name: Connection endpoints for Windows 10, version 2004
href: manage-windows-2004-endpoints.md
+ - name: Connection endpoints for Windows 10, version 1909
+ href: manage-windows-1909-endpoints.md
- name: Connection endpoints for Windows 10, version 1903
href: manage-windows-1903-endpoints.md
- name: Connection endpoints for Windows 10, version 1809
@@ -53,6 +55,8 @@
href: manage-windows-1709-endpoints.md
- name: Connection endpoints for non-Enterprise editions of Windows 10, version 2004
href: windows-endpoints-2004-non-enterprise-editions.md
+ - name: Connection endpoints for non-Enterprise editions of Windows 10, version 1909
+ href: windows-endpoints-1909-non-enterprise-editions.md
- name: Connection endpoints for non-Enterprise editions of Windows 10, version 1903
href: windows-endpoints-1903-non-enterprise-editions.md
- name: Connection endpoints for non-Enterprise editions of Windows 10, version 1809
diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md
index e285fe5768..08d82afd30 100644
--- a/windows/privacy/windows-10-and-privacy-compliance.md
+++ b/windows/privacy/windows-10-and-privacy-compliance.md
@@ -13,7 +13,7 @@ ms.author: brianlic
manager: dansimp
ms.collection: M365-security-compliance
ms.topic: article
-ms.date: 05/21/2019
+ms.date: 07/21/2020
---
# Windows 10 & Privacy Compliance:
A Guide for IT and Compliance Professionals
diff --git a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md
new file mode 100644
index 0000000000..357c78dd10
--- /dev/null
+++ b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md
@@ -0,0 +1,203 @@
+---
+title: Windows 10, version 1909, connection endpoints for non-Enterprise editions
+description: Explains what Windows 10 endpoints are used in non-Enterprise editions. Specific to Windows 10, version 1909.
+keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: high
+audience: ITPro
+author: gental-giant
+ms.author: v-hakima
+manager: obezeajo
+ms.collection: M365-security-compliance
+ms.topic: article
+ms.date: 7/22/2020
+---
+# Windows 10, version 1909, connection endpoints for non-Enterprise editions
+
+ **Applies to**
+
+- Windows 10 Home, version 1909
+- Windows 10 Professional, version 1909
+- Windows 10 Education, version 1909
+
+In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-2004-endpoints.md), the following endpoints are available on other non-Enterprise editions of Windows 10, version 1909.
+
+The following methodology was used to derive the network endpoints:
+
+1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
+2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device).
+3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
+4. Compile reports on traffic going to public IP addresses.
+5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
+6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
+7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
+8. These tests were conducted for one week. If you capture traffic for longer you may have different results.
+
+> [!NOTE]
+> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
+
+## Windows 10 Family
+
+| **Destination** | **Protocol** | **Description** |
+| --- | --- | --- |
+|arc.msn.com|HTTP/TLS v1.2|Windows Spotlight
+|api.asm.skype.com|TLS v1.2|Used to retrieve Skype configuration values
+|browser.pipe.aria.microsoft.com|HTTPS|Used to retrieve Skype configuration values
+|ctldl.windowsupdate.com/*|HTTP|Certificate Trust List
+|client.wns.windows.com|HTTP|Used for the Windows Push Notification Service(WNS)
+|config.edge.skype.com|HTTP/TLS v1.2|Used to retrieve Skype configuration values
+|dmd.metaservices.microsoft.com|HTTP|Device metadata
+|config.teams.microsoft.com|HTTPS|Used for Microsoft Teams application
+|*dl.delivery.mp.microsoft.com|HTTP|Used to download operating system patches, updates, and apps from Microsoft Store
+|*.tlu.dl.delivery.mp.microsoft.com|HTTP|Used to download operating system patches, updates, and apps from Microsoft Store
+|displaycatalog.mp.microsoft.com/*|HTTP/TLS v1.2|Used to communicate with Microsoft Store
+|evoke-windowsservices-tas.msedge.net|HTTP/TLS v1.2|Used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser
+|fe2cr.update.microsoft.com|HTTPS/TLS v1.2|Enables connections to Windows Update, Microsoft Update, and the online services of the Store
+|fe3cr.delivery.mp.microsoft.com|HTTPS/TLS v1.2|Used to download operating system patches, updates, and apps from Microsoft Store
+|go.microsoft.com|HTTP|Windows Defender and/or Microsoft forward link redirection service (FWLink)
+|g.live.com|HTTP|OneDrive
+|checkappexec.microsoft.com|HTTPS|Used for Windows Defender Smartscreen reporting and notifications
+|emdl.ws.microsoft.com|HTTP|Windows Update
+|*.prod.do.dsp.mp.microsoft.com|HTTP/TLS v1.2|Windows Update
+|*.au.download.windowsupdate.com|HTTP|Windows Update
+|download.windowsupdate.com|HTTP|Windows Update
+|inference.location.live.net|TLS v1.2|Used for Location Data
+|iecvlist.microsoft.com|HTTP|This endpoint is related to Microsoft Edge
+|login.live.com|HTTPS/TLS v1.2|Device Authentication
+|logincdn.msauth.net|HTTPS|OneDrive
+|licensing.mp.microsoft.com|HTTP/TLS v1.2|Licensing
+|maps.windows.com|TLS v1.2|Used to check for updates to maps that have been downloaded for offline use
+|mobile.pipe.aria.microsoft.com|HTTP|Office Telemetry
+|nav.smartscreen.microsoft.com|HTTP|Used for Windows Defender SmartScreen reporting and notifications
+|outlook.office365.com|HTTP|Used to connect to the Microsoft 365 admin center's shared infrastructure, including Office in a browser
+|ocsp.digicert.com|HTTP|Used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available
+|oneclient.sfx.ms|HTTPS|Used by OneDrive for Business to download and verify app updates
+|pti.store.microsoft.com/*|HTTP|Used to communicate with Microsoft Store
+|img-prod-cms-rt-microsoft-com.akamaized.net|HTTP|Used to communicate with Microsoft Store
+|manage.devcenter.microsoft.com|HTTP/TLS v1.2|Used to get Microsoft Store analytics
+|ris.api.iris.microsoft.com|HTTPS|Used to retrieve Windows Spotlight metadata that describes content
+|settings-win.data.microsoft.com|HTTPS/TLS v1.2|Used for Windows apps to dynamically update their configuration
+|smartscreen-prod.microsoft.com|HTTP|Used for Windows Defender SmartScreen reporting and notifications
+|*.blob.core.windows.net|HTTP/TLS v1.2|Windows Telemetry
+|storage.live.com|HTTP/TLS v1.2|OneDrive
+|skydrivesync.policies.live.net|TLS v1.2|OneDrive
+|slscr.update.microsoft.com|HTTPS/TLS V1.2|Windows Update
+|tile-service.weather.microsoft.com|HTTP|Used for the Weather app
+|tsfe.trafficshaping.dsp.mp.microsoft.com|HTTP|This endpoint is used for content regulation
+|watson.telemetry.microsoft.com*|HTTPS/TLS v1.2|Diagnostic Data
+|v10.events.data.microsoft.com/onecollector/1.0/|HTTPS|Microsoft Office
+|v10.events.data.microsoft.com|HTTPS/TLS v1.2|Used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service
+|www.bing.com|HTTPS/TLS v1.2|Cortana and Live Tiles
+|www.msftconnecttest.com|HTTP|Network Connection Status Indicator (NCSI)
+|wdcp.microsoft.com|HTTPS|Used for Windows Defender when Cloud-based Protection is enabled
+
+## Windows 10 Pro
+
+| **Destination** | **Protocol** | **Description** |
+| --- | --- | --- |
+|*.prod.do.dsp.mp.microsoft.com|HTTP/TLS v1.2|Windows Update
+|api.onedrive.com|HTTP|One Drive
+|smartscreen-prod.microsoft.com|HTTP|Used for Windows Defender SmartScreen reporting and notifications
+|nav.smartscreen.microsoft.com|HTTPS/TLS v1.2|Windows Defender
+|*.update.microsoft.com|HTTP|Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store
+|browser.pipe.aria.microsoft.com|HTTPS|Used to retrieve Skype configuration values
+|*.windowsupdate.com|HTTP|Used to download operating system patches and updates
+|*.wns.windows.com|TLS v1.2|Used for the Windows Push Notification Services (WNS)
+|*dl.delivery.mp.microsoft.com|HTTP|Used to download operating system patches, updates, and apps from Microsoft Store
+|c-ring.msedge.net|TLS v1.2|Cortana and Live Tiles
+|a-ring.msedge.net|TLS v1.2|Cortana and Live Tiles
+|*storecatalogrevocation.storequality.microsoft.com|HTTP/TLS v1.2|Used to revoke licenses for malicious apps on the Microsoft Store
+|arc.msn.com|HTTP/TLS v1.2|Windows Spotlight
+|*.blob.core.windows.net|HTTP/TLS v1.2|Windows Telemetry
+|cdn.onenote.net|HTTPS/TLS v1.2|OneNote Live Tile
+|checkappexec.microsoft.com|HTTPS|Used for Windows Defender SmartScreen reporting and notifications
+|config.edge.skype.com|HTTP/TLS v1.2|Used to retrieve Skype configuration values
+|config.teams.microsoft.com|HTTPS|Used for Microsoft Teams application
+|ctldl.windowsupdate.com|HTTP|Used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available
+|displaycatalog.mp.microsoft.com*|HTTP/TLS v1.2|Microsoft Store
+|emdl.ws.microsoft.com|HTTP|Windows Update
+|fe2cr.update.microsoft.com|HTTPS/TLS v1.2|Windows Update
+|fe3cr.delivery.mp.microsoft.com|HTTPS/TLS v1.2|Windows Update
+|slscr.update.microsoft.com|HTTPS/TLS v1.2|Windows Update
+|evoke-windowsservices-tas.msedge.net|HTTPS/TLS v1.2|Used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser
+|fp.msedge.net|HTTPS/TLS v1.2|Cortana and Live Tiles
+|fp-vp.azureedge.net|TLS v1.2|Cortana and Live Tiles
+|g.live.com|TLS v1.2|OneDrive
+|go.microsoft.com|HTTP|Windows Defender and/or Microsoft forward link redirection service (FWLink)
+|iecvlist.microsoft.com|HTTP|Microsoft Edge
+|inference.location.live.net|TLS v1.2|Used for Location Data
+|img-prod-cms-rt-microsoft-com.akamaized.net|HTTP|Used to communicate with Microsoft Store
+|licensing.mp.microsoft.com*|HTTP/TLS v1.2|Licensing
+|login.live.com|HTTPS/TLS v1.2|Device Authentication
+|logincdn.msauth.net|HTTPS|Used for Microsoft accounts to sign in
+|manage.devcenter.microsoft.com|HTTP/TLS v1.2|Microsoft Store analytics
+|maps.windows.com|TLS v1.2|Related to Maps application
+|ocsp.digicert.com|HTTP|Used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available
+|ocsp.msocsp.com|HTTP|Used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available
+|oneclient.sfx.ms|HTTPS|Used by OneDrive for Business to download and verify app updates
+|mobile.pipe.aria.microsoft.com|HTTP|Office Telemetry
+|pti.store.microsoft.com/*|HTTP|Used to communicate with Microsoft Store
+|ris.api.iris.microsoft.com|TLS v1.2|Windows Spotlight
+|settings-win.data.microsoft.com|HTTPS/TLS v1.2|Used for Windows apps to dynamically update their configuration
+|spo-ring.msedge.net|TLSv1.2|Cortana and Live Tiles
+|telecommand.telemetry.microsoft.com|TLS v1.2|Used by Windows Error Reporting ||tile-service.weather.microsoft.com|HTTP|Used for the Weather app
+|tsfe.trafficshaping.dsp.mp.microsoft.com|HTTPS|Used for content regulation
+|v10.events.data.microsoft.com/onecollector/1.0/|HTTPS/TLS v1.2|Diagnostic Data
+|v10.events.data.microsoft.com|HTTPS/TLS v1.2|Used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service
+|watson.telemetry.microsoft.com*|HTTPS/TLS v1.2|Used by Windows Error Reporting
+|wdcp.microsoft.com|HTTPS|Used for Windows Defender when Cloud-based Protection is enabled
+|www.bing.com|HTTPS/TLS v1.2|Cortana and Live Tiles
+|www.msftconnecttest.com|HTTP|Network Connection Status Indicator (NCSI)
+|outlook.office365.com|HTTP|Microsoft Office
+|storage.live.com|HTTP/TLS v1.2|One Drive
+|skydrivesync.policies.live.net|TLS v1.2|One Drive
+
+## Windows 10 Education
+
+| **Destination** | **Protocol** | **Description** |
+| --- | --- | --- |
+|arc.msn.com|HTTPS/TLS v1.2|Windows Spotlight
+|*.dl.delivery.mp.microsoft.com|HTTP|Used to download operating system patches, updates, and apps from Microsoft
+|client.wns.windows.com|TLS v1.2|Used for the Windows Push Notification Services (WNS)
+|*storecatalogrevocation.storequality.microsoft.com|TLS v1.2|Used to revoke licenses for malicious apps on the Microsoft Store
+|ctldl.windowsupdate.com|HTTP|Certificate Trust List
+|dmd.metaservices.microsoft.com|HTTP|Device metadata
+|Inference.location.live.net|TLS v1.2|Location
+|oneclient.sfx.ms|HTTPS|OneDrive
+|storage.live.com|HTTP/TLS v1.2|One Drive
+|skydrivesync.policies.live.net|TLS v1.2|OneDrive
+|slscr.update.microsoft.com|HTTPS/TLS v1.2|Windows Update
+|fe2cr.update.microsoft.com|HTTPS/TLS v1.2|Windows Update
+|fe3cr.delivery.mp.microsoft.com|HTTPS/TLS v1.2|Windows Update
+|tsfe.trafficshaping.dsp.mp.microsoft.com|HTTP/TLS v1.2|Windows Update
+|officehomeblobs.blob.core.windows.net|HTTP|Windows Telemetry
+|displaycatalog.mp.microsoft.com/*|HTTP/TLS v1.2|Microsoft Store
+|img-prod-cms-rt-microsoft-com.akamaized.net|HTTP|Used to communicate with Microsoft Store
+|config.teams.microsoft.com|HTTPS|Teams
+|api.asm.skype.com|TLS v1.2|Used to retrieve Skype configuration values
+|config.edge.skype.com|HTTP/TLS v1.2|Used to retrieve Skype configuration values
+|logincdn.msauth.net|HTTPS|OneDrive
+|iecvlist.microsoft.com|HTTP|Microsoft Edge
+|download.windowsupdate.com|HTTP|Windows Update
+|checkappexec.microsoft.com|HTTPS|Windows Defender
+|pti.store.microsoft.com/*|HTTP|Microsoft Store
+|emdl.ws.microsoft.com|HTTP|Windows Update
+|evoke-windowsservices-tas.msedge.net|HTTPS/TLS v1.2|Photos app
+|g.live.com|TLS v1.2|OneDrive
+|go.microsoft.com|HTTP|Windows Defender
+|licensing.mp.microsoft.com|HTTP/TLS v1.2|Licensing
+|login.live.com|HTTPS/TLS v1.2|Device Authentication
+|manage.devcenter.microsoft.com|TLS v1.2|Microsoft Store analytics
+|ocsp.digicert.com|HTTP|CRL and OCSP checks to the issuing certificate authorities
+|ris.api.iris.microsoft.com|TLS v1.2|Windows spotlight
+|telecommand.telemetry.microsoft.com|TLS v1.2|Used by Windows Error Reporting
+|tile-service.weather.microsoft.com|HTTP|Used to download updates to the Weather app Live Tile
+|v10.events.data.microsoft.com|HTTPS/TLS v1.2|Diagnostic Data
+|V10.events.data.microsoft.com/onecollector/1.0/|HTTPS|Diagnostic Data
+|Watson.telemetry.microsoft.com/telemetry.request|HTTPS|Diagnostic Data
+|watson.telemetry.microsoft.com|HTTPS|Diagnostic Data
+|outlook.office365.com|HTTP|Microsoft Office
+|www.bing.com|TLS v1.2|Used for updates for Cortana, apps, and Live Tiles
+|www.msftconnecttest.com|HTTP|Network Connection (NCSI)
diff --git a/windows/release-information/resolved-issues-windows-10-1903.yml b/windows/release-information/resolved-issues-windows-10-1903.yml
index b398ac1bc9..e0375fb086 100644
--- a/windows/release-information/resolved-issues-windows-10-1903.yml
+++ b/windows/release-information/resolved-issues-windows-10-1903.yml
@@ -104,7 +104,7 @@ sections:
| Details | Originating update | Status | History |
| dGPU occasionally disappear from device manager on Surface Book 2 Microsoft has identified a compatibility issue on some Surface Book 2 devices configured with Nvidia discrete graphics processing units (dGPUs). After updating to Windows 10, version 1903 (the May 2019 Update), some apps or games that needs to perform graphics intensive operations may close or fail to open. To safeguard your update experience, we have applied a compatibility hold on Surface Book 2 devices with Nvidia dGPU from being offered Windows 10, version 1903 until this issue is resolved. Affected platforms: - Client: Windows 10, version 1903
Resolved: To resolve this issue, you will need to update the firmware of your Surface Book 2 device. Please see the Surface Book 2 update history page for instructions on how to install the October 2019 updates on your device. There is no update for Windows needed for this issue. The safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1903.
Back to top | OS Build 18362.145
May 29, 2019
KB4497935 | Resolved
| Resolved:
October 18, 2019
04:33 PM PT
Opened:
July 12, 2019
04:20 PM PT |
Domain connected devices that use MIT Kerberos realms will not start upDevices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4497935. Devices that are domain controllers or domain members are both affected.
To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.
Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists: HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
-
Affected platforms: - Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Resolution: This issue was resolved in KB4512941 and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1903 or Windows Server, version 1903.
Back to top | OS Build 18362.145
May 29, 2019
KB4497935 | Resolved
KB4512941 | Resolved:
August 30, 2019
10:00 AM PT
Opened:
July 25, 2019
06:10 PM PT |
+
Affected platforms:
- Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Resolution: This issue was resolved in
KB4512941 and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1903 or Windows Server, version 1903.
Back to topOS Build 18362.145
May 29, 2019
KB4497935 | Resolved
KB4512941 | Resolved:
August 30, 2019
10:00 AM PT
Opened:
July 25, 2019
06:10 PM PT |
| Issues updating when certain versions of Intel storage drivers are installed Intel and Microsoft have found incompatibility issues with certain versions of the Intel Rapid Storage Technology (Intel RST) drivers and the Windows 10 May 2019 Update (Windows 10, version 1903).
To safeguard your update experience, we have applied a compatibility hold on devices with Intel RST drivers, versions 15.1.0.1002 through version 15.5.2.1053 installed from installing or being offered Windows 10, version 1903 or Windows Server, version 1903, until the driver has been updated.
Versions 15.5.2.1054 or later are compatible, and a device that has these drivers installed can install the Windows 10 May 2019 Update. For affected devices, the recommended version is 15.9.8.1050.
Affected platforms: - Client: Windows 10, version 1903
- Server: Windows Server, version 1903
Resolution: This issue was resolved in KB4512941 and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903.
Back to top | OS Build 18362.145
May 29, 2019
KB4497935 | Resolved
KB4512941 | Resolved:
August 30, 2019
10:00 AM PT
Opened:
July 25, 2019
06:10 PM PT |
| Initiating a Remote Desktop connection may result in black screen When initiating a Remote Desktop connection to devices with some older GPU drivers, you may receive a black screen. Any version of Windows may encounter this issue when initiating a Remote Desktop connection to a Windows 10, version 1903 device which is running an affected display driver, including the drivers for the Intel 4 series chipset integrated GPU (iGPU).
Affected platforms: - Client: Windows 10, version 1903
- Server: Windows Server, version 1903
Resolution: This issue was resolved in KB4512941.
Back to top | OS Build 18362.145
May 29, 2019
KB4497935 | Resolved
KB4512941 | Resolved:
August 30, 2019
10:00 AM PT
Opened:
July 12, 2019
04:42 PM PT |
Devices starting using PXE from a WDS or Configuration Manager servers may fail to startDevices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager might fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503293 on a WDS server.
Affected platforms: - Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Resolution: This issue was resolved in KB4512941.
Back to top | OS Build 18362.175
June 11, 2019
KB4503293 | Resolved
KB4512941 | Resolved:
August 30, 2019
10:00 AM PT
Opened:
July 10, 2019
02:51 PM PT |
diff --git a/windows/release-information/status-windows-10-1803.yml b/windows/release-information/status-windows-10-1803.yml
index 1baf22a6b0..a4aa84810e 100644
--- a/windows/release-information/status-windows-10-1803.yml
+++ b/windows/release-information/status-windows-10-1803.yml
@@ -20,9 +20,9 @@ sections:
text: "
Find information on known issues for Windows 10, version 1803. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s).
-
-Current status as of November 12, 2019: Windows 10, version 1803 (the April 2018 Update) Home and Pro editions have reached end of service. For Windows 10 devices that are at, or within several months of reaching end of service, Windows Update will automatically initiate a feature update (with users having the ability to choose a convenient time); keeping those devices supported and receiving the monthly updates that are critical to device security and ecosystem health.
- |
+
+ Current status as of November 12, 2019: Windows 10, version 1803 (the April 2018 Update) Home and Pro editions have reached end of service. For Windows 10 devices that are at, or within several months of reaching end of service, Windows Update will automatically initiate a feature update (with users having the ability to choose a convenient time); keeping those devices supported and receiving the monthly updates that are critical to device security and ecosystem health.
+ |
"
diff --git a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml
index a684f5350f..1260d1f9d9 100644
--- a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml
+++ b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml
@@ -20,9 +20,9 @@ sections:
text: "
Find information on known issues for Windows 10, version 1809 and Windows Server 2019. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s).
-
-Current status as of November 12, 2019: Windows 10, version 1809 is designated for broad deployment. The recommended servicing status is Semi-Annual Channel.
- |
+
+ Current status as of November 12, 2019: Windows 10, version 1809 is designated for broad deployment. The recommended servicing status is Semi-Annual Channel.
+ |
"
diff --git a/windows/release-information/status-windows-10-1903.yml b/windows/release-information/status-windows-10-1903.yml
index 4fe4e28478..e52c2bd1fe 100644
--- a/windows/release-information/status-windows-10-1903.yml
+++ b/windows/release-information/status-windows-10-1903.yml
@@ -20,9 +20,9 @@ sections:
text: "
Find information on known issues and the status of the rollout for Windows 10, version 1903 and Windows Server, version 1903. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s).
-
-Current status as of November 12, 2019: Windows 10, version 1903 (the May 2019 Update) is designated ready for broad deployment for all users via Windows Update.
We recommend commercial customers running earlier versions of Windows 10 begin broad deployments of Windows 10, version 1903 in their organizations.
Note Follow @WindowsUpdate to find out when new content is published to the release information dashboard.
- |
+
+ Current status as of November 12, 2019: Windows 10, version 1903 (the May 2019 Update) is designated ready for broad deployment for all users via Windows Update.
We recommend commercial customers running earlier versions of Windows 10 begin broad deployments of Windows 10, version 1903 in their organizations.
Note Follow @WindowsUpdate to find out when new content is published to the release information dashboard.
+ |
"
diff --git a/windows/release-information/status-windows-10-1909.yml b/windows/release-information/status-windows-10-1909.yml
index 6029fe13f7..54406eaa62 100644
--- a/windows/release-information/status-windows-10-1909.yml
+++ b/windows/release-information/status-windows-10-1909.yml
@@ -20,9 +20,9 @@ sections:
text: "
Find information on known issues and the status of the rollout for Windows 10, version 1909 and Windows Server, version 1909. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s).
-
-Current status as of January 21, 2020: Windows 10, version 1909 is available for any user on a recent version of Windows 10 who manually selects “Check for updates” via Windows Update. The recommended servicing status is Semi-Annual Channel. We are starting the next phase in our controlled approach to automatically initiate a feature update for an increased number of devices running the October 2018 Update (Windows 10, version 1809) Home and Pro editions, keeping those devices supported and receiving the monthly updates that are critical to device security and ecosystem health. Our rollout process starts several months in advance of the end of service date to provide adequate time for a smooth update process.
For information on how users running Windows 10, version 1903 can update to Windows 10, version 1909 in a new, streamlined way, see this post. Note follow @WindowsUpdate on Twitter to find out when new content is published to the release information dashboard.
- |
+
+ Current status as of January 21, 2020: Windows 10, version 1909 is available for any user on a recent version of Windows 10 who manually selects “Check for updates” via Windows Update. The recommended servicing status is Semi-Annual Channel. We are starting the next phase in our controlled approach to automatically initiate a feature update for an increased number of devices running the October 2018 Update (Windows 10, version 1809) Home and Pro editions, keeping those devices supported and receiving the monthly updates that are critical to device security and ecosystem health. Our rollout process starts several months in advance of the end of service date to provide adequate time for a smooth update process.
For information on how users running Windows 10, version 1903 can update to Windows 10, version 1909 in a new, streamlined way, see this post. Note follow @WindowsUpdate on Twitter to find out when new content is published to the release information dashboard.
+ |
"
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
index bb1cf1508f..a979d2b781 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
@@ -35,7 +35,7 @@ The Create command sets up new virtual smart cards on the user’s system. It re
| Parameter | Description |
|-----------|-------------|
| /name | Required. Indicates the name of the new virtual smart card. |
-| /AdminKey | Indicates the desired administrator key that can be used to reset the PIN of the card if the user forgets the PIN.
**DEFAULT** Specifies the default value of 010203040506070801020304050607080102030405060708.
**PROMPT** Prompts the user to enter a value for the administrator key.
**RANDOM** Results in a random setting for the administrator key for a card that is not returned to the user. This creates a card that might not be manageable by using smart card management tools. When generated with RANDOM, the administrator key must be entered as 48 hexadecimal characters. |
+| /AdminKey | Indicates the desired administrator key that can be used to reset the PIN of the card if the user forgets the PIN.
**DEFAULT** Specifies the default value of 010203040506070801020304050607080102030405060708.
**PROMPT** Prompts the user to enter a value for the administrator key.
**RANDOM** Results in a random setting for the administrator key for a card that is not returned to the user. This creates a card that might not be manageable by using smart card management tools. When generated with RANDOM, the administrator key is set as 48 hexadecimal characters. |
| /PIN | Indicates desired user PIN value.
**DEFAULT** Specifies the default PIN of 12345678.
**PROMPT** Prompts the user to enter a PIN at the command line. The PIN must be a minimum of eight characters, and it can contain numerals, characters, and special characters. |
| /PUK | Indicates the desired PIN Unlock Key (PUK) value. The PUK value must be a minimum of eight characters, and it can contain numerals, characters, and special characters. If the parameter is omitted, the card is created without a PUK.
**DEFAULT** Specifies the default PUK of 12345678.
**PROMPT** Prompts the user to enter a PUK at the command line. |
| /generate | Generates the files in storage that are necessary for the virtual smart card to function. If the /generate parameter is omitted, it is equivalent to creating a card without this file system. A card without a file system can be managed only by a smart card management system such as Microsoft Endpoint Configuration Manager. |
diff --git a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
index a162e20e45..0b6ff85b21 100644
--- a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
+++ b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
@@ -16,38 +16,38 @@ ms.author: dansimp
This topic explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections. The scenario is:
-- You connect to a network using Wi-Fi or VPN.
-- You want to use the credentials that you use for the WiFi or VPN authentication to also authenticate requests to access a domain resource you are connecting to, without being prompted for your domain credentials separately.
+- You connect to a network using Wi-Fi or VPN.
+- You want to use the credentials that you use for the WiFi or VPN authentication to also authenticate requests to access a domain resource you are connecting to, without being prompted for your domain credentials separately.
For example, you want to connect to a corporate network and access an internal website that requires Windows integrated authentication.
-At a high level, the way this works is that the credentials that are used for the connection authentication are put in Credential Manager as the default credentials for the logon session.
-Credential Manager is a place where credentials in the OS are can be stored for specific domain resources based on the targetname of the resource.
-For VPN, the VPN stack saves its credential as the session default.
-For WiFi, EAP does it.
+At a high level, the way this works is that the credentials that are used for the connection authentication are put in Credential Manager as the default credentials for the logon session.
+Credential Manager is a place where credentials in the OS are can be stored for specific domain resources based on the targetname of the resource.
+For VPN, the VPN stack saves its credential as the session default.
+For WiFi, EAP does it.
-The credentials are put in Credential Manager as a "\*Session" credential.
-A "\*Session" credential implies that it is valid for the current user session.
-The credentials are also cleaned up when the WiFi or VPN connection is disconnected.
+The credentials are put in Credential Manager as a "\*Session" credential.
+A "\*Session" credential implies that it is valid for the current user session.
+The credentials are also cleaned up when the WiFi or VPN connection is disconnected.
-When the user tries to access a domain resource, using Edge for example, Edge has the right Enterprise Authentication capability so [WinInet](https://msdn.microsoft.com/library/windows/desktop/aa385483.aspx) can release the credentials that it gets from the Credential Manager to the SSP that is requesting it.
-For more information about the Enterprise Authentication capability, see [App capability declarations](https://msdn.microsoft.com/windows/uwp/packaging/app-capability-declarations).
+When the user tries to access a domain resource, using Edge for example, Edge has the right Enterprise Authentication capability so [WinInet](https://msdn.microsoft.com/library/windows/desktop/aa385483.aspx) can release the credentials that it gets from the Credential Manager to the SSP that is requesting it.
+For more information about the Enterprise Authentication capability, see [App capability declarations](https://msdn.microsoft.com/windows/uwp/packaging/app-capability-declarations).
-The local security authority will look at the device application, such as a Universal Windows Platform (UWP) application, to see if it has the right capability.
-If the app is not UWP, it does not matter.
-But if it is a UWP app, it will look at the device capability for Enterprise Authentication.
+The local security authority will look at the device application, such as a Universal Windows Platform (UWP) application, to see if it has the right capability.
+If the app is not UWP, it does not matter.
+But if it is a UWP app, it will look at the device capability for Enterprise Authentication.
If it does have that capability and if the resource that you are trying to access is in the Intranet zone in the Internet Options (ZoneMap), then the credential will be released.
-This behavior helps prevent credentials from being misused by untrusted third parties.
+This behavior helps prevent credentials from being misused by untrusted third parties.
## Intranet zone
-For the Intranet zone, by default it only allows single-label names, such as Http://finance.
-If the resource that needs to be accessed has multiple domain labels, then the workaround is to use the [Registry CSP](https://msdn.microsoft.com/library/windows/hardware/dn904964.aspx).
+For the Intranet zone, by default it only allows single-label names, such as Http://finance.
+If the resource that needs to be accessed has multiple domain labels, then the workaround is to use the [Registry CSP](https://msdn.microsoft.com/library/windows/hardware/dn904964.aspx).
### Setting the ZoneMap
-The ZoneMap is controlled using a registry that can be set through MDM.
-By default, single-label names such as http://finance are already in the intranet zone.
+The ZoneMap is controlled using a registry that can be set through MDM.
+By default, single-label names such as http://finance are already in the intranet zone.
For multi-label names, such as http://finance.net, the ZoneMap needs to be updated.
## MDM Policy
@@ -56,9 +56,9 @@ OMA URI example:
./Vendor/MSFT/Registry/HKU/S-1-5-21-2702878673-795188819-444038987-2781/Software/Microsoft/Windows/CurrentVersion/Internet%20Settings/ZoneMap/Domains/``/* as an Integer Value of 1 for each of the domains that you want to SSO into from your device. This adds the specified domains to the Intranet Zone of the Edge browser.
-## Credential requirements
+## Credential requirements
-For VPN, the following types of credentials will be added to credential manager after authentication:
+For VPN, the following types of credentials will be added to credential manager after authentication:
- Username and password
- Certificate-based authentication:
@@ -67,7 +67,7 @@ For VPN, the following types of credentials will be added to credential manager
- Smart Card Certificate
- Windows Hello for Business Certificate
-The username should also include a domain that can be reached over the connection (VPN or WiFi).
+The username should also include a domain that can be reached over the connection (VPN or WiFi).
## User certificate templates
@@ -82,17 +82,17 @@ If the credentials are certificate-based, then the elements in the following tab
## NDES server configuration
-The NDES server is required to be configured so that incoming SCEP requests can be mapped to the correct template to be used.
-For more information, see [Configure certificate infrastructure for SCEP](https://docs.microsoft.com/intune/deploy-use/Configure-certificate-infrastructure-for-scep).
+The NDES server is required to be configured so that incoming SCEP requests can be mapped to the correct template to be used.
+For more information, see [Configure certificate infrastructure for SCEP](https://docs.microsoft.com/mem/intune/protect/certificates-scep-configure).
## Active Directory requirements
-You need IP connectivity to a DNS server and domain controller over the network interface so that authentication can succeed as well.
+You need IP connectivity to a DNS server and domain controller over the network interface so that authentication can succeed as well.
The domain controllers will need to have appropriate KDC certificates for the client to trust them as domain controllers, and since phones are not domain-joined, the root CA of the KDC’s certificate must be in the Third-Party Root CA or Smart Card Trusted Roots store.
-The domain controllers must be using certificates based on the updated KDC certificate template Kerberos Authentication.
-This is because Windows 10 Mobile requires strict KDC validation to be enabled.
-This requires that all authenticating domain controllers run Windows Server 2016, or you'll need to enable strict KDC validation on domain controllers that run previous versions of Windows Server.
-For more information, see [Enabling Strict KDC Validation in Windows Kerberos](https://www.microsoft.com/download/details.aspx?id=6382).
+The domain controllers must be using certificates based on the updated KDC certificate template Kerberos Authentication.
+This is because Windows 10 Mobile requires strict KDC validation to be enabled.
+This requires that all authenticating domain controllers run Windows Server 2016, or you'll need to enable strict KDC validation on domain controllers that run previous versions of Windows Server.
+For more information, see [Enabling Strict KDC Validation in Windows Kerberos](https://www.microsoft.com/download/details.aspx?id=6382).
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 26ef59254e..345cc172da 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -601,6 +601,7 @@
##### [Configure Micro Focus ArcSight to pull detections](microsoft-defender-atp/configure-arcsight.md)
##### [Microsoft Defender ATP detection fields](microsoft-defender-atp/api-portal-mapping.md)
##### [Pull detections using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md)
+##### [Fetch alerts from customer tenant](microsoft-defender-atp/fetch-alerts-mssp.md)
##### [Troubleshoot SIEM tool integration issues](microsoft-defender-atp/troubleshoot-siem.md)
#### [Partners & APIs]()
@@ -615,7 +616,12 @@
###### [Using device groups](microsoft-defender-atp/machine-groups.md)
###### [Create and manage device tags](microsoft-defender-atp/machine-tags.md)
-#### [Configure managed security service provider (MSSP) integration](microsoft-defender-atp/configure-mssp-support.md)
+#### [Managed security service provider (MSSP) integration]()
+##### [Configure managed security service provider integration](microsoft-defender-atp/configure-mssp-support.md)
+##### [Grant MSSP access to the portal](microsoft-defender-atp/grant-mssp-access.md)
+##### [Access the MSSP customer portal](microsoft-defender-atp/access-mssp-portal.md)
+##### [Configure alert notifications](microsoft-defender-atp/configure-mssp-notifications.md)
+##### [Get partner application access](microsoft-defender-atp/exposed-apis-create-app-partners.md)
### [Partner integration scenarios]()
#### [Technical partner opportunities](microsoft-defender-atp/partner-integration.md)
@@ -842,6 +848,8 @@
####### [Event 4689 S: A process has exited.](auditing/event-4689.md)
###### [Audit RPC Events](auditing/audit-rpc-events.md)
####### [Event 5712 S: A Remote Procedure Call, RPC, was attempted.](auditing/event-5712.md)
+###### [Audit Token Right Adjusted](auditing/audit-token-right-adjusted.md)
+####### [Event 4703 S: A user right was adjusted.](auditing/event-4703.md)
###### [Audit Detailed Directory Service Replication](auditing/audit-detailed-directory-service-replication.md)
####### [Event 4928 S, F: An Active Directory replica source naming context was established.](auditing/event-4928.md)
####### [Event 4929 S, F: An Active Directory replica source naming context was removed.](auditing/event-4929.md)
diff --git a/windows/security/threat-protection/auditing/event-4771.md b/windows/security/threat-protection/auditing/event-4771.md
index b099911afd..d8e637e093 100644
--- a/windows/security/threat-protection/auditing/event-4771.md
+++ b/windows/security/threat-protection/auditing/event-4771.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 07/23/2020
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -226,6 +226,6 @@ For 4771(F): Kerberos pre-authentication failed.
| **Pre-Authentication Type** | Value is **not 15** when account must use a smart card for authentication. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types). |
| **Pre-Authentication Type** | Value is **not 2** when only standard password authentication is in use in the organization. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types). |
| **Pre-Authentication Type** | Value is **not 138** when Kerberos Armoring is enabled for all Kerberos communications in the organization. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types). |
-| **Result Code** | **0x10** (KDC has no support for PADATA type (pre-authentication data)). This error can help you to more quickly identify smart-card related problems with Kerberos authentication. |
-| **Result Code** | **0x18** ((Pre-authentication information was invalid), if you see, for example N events in last N minutes. This can be an indicator of brute-force attack on the account password, especially for highly critical accounts. |
+| **Failure Code** | **0x10** (KDC has no support for PADATA type (pre-authentication data)). This error can help you to more quickly identify smart-card related problems with Kerberos authentication. |
+| **Failure Code** | **0x18** ((Pre-authentication information was invalid), if you see, for example N events in last N minutes. This can be an indicator of brute-force attack on the account password, especially for highly critical accounts. |
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md
index 840b26d06e..876f707fc7 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md
@@ -25,6 +25,9 @@ manager: dansimp
This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Microsoft Defender AV.
+> [!NOTE]
+> As part of the investigation or response process, you can collect an investigation package from a device. Here's how: [Collect investigation package from devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#collect-investigation-package-from-devices).
+
On at least two devices that are experiencing the same issue, obtain the .cab diagnostic file by taking the following steps:
1. Open an administrator-level version of the command prompt as follows:
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md
index bbdf9fc0e5..7be3761332 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md
@@ -18,9 +18,10 @@ manager: dansimp
# Common mistakes to avoid when defining exclusions
You can define an exclusion list for items that you don't want Microsoft Defender Antivirus to scan. Such excluded items could contain threats that make your device vulnerable.
-See [Configure and validate exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) for more information.
-Also, see [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists.
+This topic describes some common mistake that you should avoid when defining exclusions.
+
+Before defining your exclusion lists, see [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions).
## Excluding certain trusted items
There are certain files, file types, folders, or processes that you should not exclude from scanning even though you trust them to be not malicious. Refer to the following section for items that you should not exclude from scanning.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md
index d0b737f37f..0e81659418 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md
@@ -25,22 +25,25 @@ manager: dansimp
You can exclude certain files, folders, processes, and process-opened files from Microsoft Defender Antivirus scans. Such exclusions apply to [scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md), [on-demand scans](run-scan-microsoft-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md). Exclusions for process-opened files only apply to real-time protection.
-## Recommendations for defining exclusions
+## Configure and validate exclusions
+
+To configure and validate exclusions, see the following:
+
+- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md). This enables you to exclude files from Microsoft Defender Antivirus scans based on their file extension, file name, or location.
+
+- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md). This enables you to exclude files from scans that have been opened by a specific process.
+
+## Recommendations for defining exclusions
+
Defining exclusions lowers the protection offered by Microsoft Defender Antivirus. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
The following is a list of recommendations that you should keep in mind when defining exclusions:
+
- Exclusions are technically a protection gap—always consider additional mitigations when defining exclusions. Additional mitigations could be as simple as making sure the excluded location has the appropriate access-control lists (ACLs), audit policy, is processed by an up-to-date software, etc.
- Review the exclusions periodically. Re-check and re-enforce the mitigations as part of the review process.
- Ideally, avoid defining proactive exclusions. For instance, don't exclude something just because you think it might be a problem in the future. Use exclusions only for specific issues—mostly around performance, or sometimes around application compatibility that exclusions could mitigate.
- Audit the exclusion list changes. The security admin should preserve enough context around why a certain exclusion was added. You should be able to provide answer with specific reasoning as to why a certain path was excluded.
-## Configure and validate exclusions
-
-To configure and validate exclusions, see the following:
-- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md). This enables you to exclude files from Microsoft Defender Antivirus scans based on their file extension, file name, or location.
-
-- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md). This enables you to exclude files from scans that have been opened by a specific process.
-
## Related articles
- [Microsoft Defender Antivirus exclusions on Windows Server 2016](configure-server-exclusions-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md
index de3c6cfb93..6c5cb6074b 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 02/24/2020
+ms.date: 07/23/2020
ms.reviewer:
manager: dansimp
---
@@ -59,3 +59,4 @@ Omit the `-online` parameter to get locally cached help.
- [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md)
- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Microsoft Defender Antivirus Cmdlets](https://docs.microsoft.com/powershell/module/defender/?view=win10-ps)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md b/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md
new file mode 100644
index 0000000000..647939803c
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md
@@ -0,0 +1,56 @@
+---
+title: Access the Microsoft Defender Security Center MSSP customer portal
+description: Access the Microsoft Defender Security Center MSSP customer portal
+keywords: managed security service provider, mssp, configure, integration
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Access the Microsoft Defender Security Center MSSP customer portal
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
+
+
+
+
+>[!NOTE]
+>These set of steps are directed towards the MSSP.
+
+By default, MSSP customers access their Microsoft Defender Security Center tenant through the following URL: `https://securitycenter.windows.com`.
+
+
+MSSPs however, will need to use a tenant-specific URL in the following format: `https://securitycenter.windows.com?tid=customer_tenant_id` to access the MSSP customer portal.
+
+In general, MSSPs will need to be added to each of the MSSP customer's Azure AD that they intend to manage.
+
+
+Use the following steps to obtain the MSSP customer tenant ID and then use the ID to access the tenant-specific URL:
+
+1. As an MSSP, login to Azure AD with your credentials.
+
+2. Switch directory to the MSSP customer's tenant.
+
+3. Select **Azure Active Directory > Properties**. You'll find the tenant ID in the Directory ID field.
+
+4. Access the MSSP customer portal by replacing the `customer_tenant_id` value in the following URL: `https://securitycenter.windows.com?tid=customer_tenant_id`.
+
+
+## Related topics
+- [Grant MSSP access to the portal](grant-mssp-access.md)
+- [Configure alert notifications](configure-mssp-notifications.md)
+- [Fetch alerts from customer tenant](fetch-alerts-mssp.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md
index e520b394a2..07fcff8c6f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md
@@ -28,7 +28,7 @@ Adds or remove tag to a specific [Machine](machine.md).
## Limitations
-1. You can post on machines last seen in the past 30 days.
+1. You can post on machines last seen according to your configured retention period.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
@@ -50,7 +50,7 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine
## HTTP request
-```
+```http
POST https://api.securitycenter.windows.com/api/machines/{id}/tags
```
@@ -83,12 +83,13 @@ Here is an example of a request that adds machine tag.
[!include[Improve request performance](../../includes/improve-request-performance.md)]
-```
+```http
POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/tags
Content-type: application/json
{
"Value" : "test Tag 2",
"Action": "Add"
}
+```
-- To remove machine tag, set the Action to 'Remove' instead of 'Add' in the request body.
\ No newline at end of file
+- To remove machine tag, set the Action to 'Remove' instead of 'Add' in the request body.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-configure.md b/windows/security/threat-protection/microsoft-defender-atp/android-configure.md
index 4c9046ca63..dc28afd7dc 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/android-configure.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/android-configure.md
@@ -43,7 +43,7 @@ Microsoft Defender ATP for Android enables admins to configure custom indicators
## Configure web protection
Microsoft Defender ATP for Android allows IT Administrators the ability to configure the web protection feature. This capability is available within the Microsoft Endpoint Manager Admin center.
-For more information, see [Configure web protection on devices that run Android](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection#configure-web-protection-on-devices-that-run-android).
+For more information, see [Configure web protection on devices that run Android](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection-manage-android).
## Related topics
- [Overview of Microsoft Defender ATP for Android](microsoft-defender-atp-android.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-intune.md b/windows/security/threat-protection/microsoft-defender-atp/android-intune.md
index cb62aaa586..42d75ed3b8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/android-intune.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/android-intune.md
@@ -136,7 +136,7 @@ Options](https://docs.microsoft.com/mem/intune/enrollment/android-enroll) .
As Microsoft Defender ATP for Android is deployed via managed Google Play,
updates to the app are automatic via Google Play.
-Currently only Work Profile enrolled devices are supported for deployment.
+Currently only Personal devices with Work Profile enrolled are supported for deployment.
>[!NOTE]
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md b/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md
index 546c64449d..a7f95c1789 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md
@@ -123,7 +123,7 @@ The first example demonstrates how to connect Power BI to Advanced Hunting API a
## Power BI dashboard samples in GitHub
-For more information see the [Power BI report templates](https://github.com/microsoft/MDATP-PowerBI-Templates).
+For more information see the [Power BI report templates](https://github.com/microsoft/MicrosoftDefenderATP-PowerBI).
## Sample reports
View the Microsoft Defender ATP Power BI report samples. For more information, see [Browse code samples](https://docs.microsoft.com/samples/browse/?products=mdatp).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
index dab80159ea..cb7648e275 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
@@ -158,4 +158,7 @@ When you click on the pending actions link, you'll be taken to the Action center
## Next steps
-[View and approve remediation actions](manage-auto-investigation.md)
+- [View and approve remediation actions](manage-auto-investigation.md)
+
+- [See the interactive guide: Investigate and remediate threats with Microsoft Defender ATP](https://aka.ms/MDATP-IR-Interactive-Guide)
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
index 81ce65baaa..f0292e125f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
@@ -82,10 +82,12 @@ The default device group is configured for semi-automatic remediation. This mean
When a pending action is approved, the entity is then remediated and this new state is reflected in the **Entities** tab of the investigation.
-## Next step
+## Next steps
- [Learn about the automated investigations dashboard](manage-auto-investigation.md)
+- [See the interactive guide: Investigate and remediate threats with Microsoft Defender ATP](https://aka.ms/MDATP-IR-Interactive-Guide)
+
## Related articles
- [Automated investigation and response in Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md
new file mode 100644
index 0000000000..b7c4bf19d6
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md
@@ -0,0 +1,46 @@
+---
+title: Configure alert notifications that are sent to MSSPs
+description: Configure alert notifications that are sent to MSSPs
+keywords: managed security service provider, mssp, configure, integration
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Configure alert notifications that are sent to MSSPs
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
+
+
+>[!NOTE]
+>This step can be done by either the MSSP customer or MSSP. MSSPs must be granted the appropriate permissions to configure this on behalf of the MSSP customer.
+
+After access the portal is granted, alert notification rules can to be created so that emails are sent to MSSPs when alerts associated with the tenant are created and set conditions are met.
+
+
+For more information, see [Create rules for alert notifications](configure-email-notifications.md#create-rules-for-alert-notifications).
+
+
+These check boxes must be checked:
+- **Include organization name** - The customer name will be added to email notifications
+- **Include tenant-specific portal link** - Alert link URL will have tenant specific parameter (tid=target_tenant_id) that allows direct access to target tenant portal
+
+
+## Related topics
+- [Grant MSSP access to the portal](grant-mssp-access.md)
+- [Access the MSSP customer portal](access-mssp-portal.md)
+- [Fetch alerts from customer tenant](fetch-alerts-mssp.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md
index 852f5ff3b8..98599b9d18 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md
@@ -1,8 +1,6 @@
---
title: Configure managed security service provider support
-
description: Take the necessary steps to configure the MSSP integration with Microsoft Defender ATP
-
keywords: managed security service provider, mssp, configure, integration
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -17,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
-ms.date: 09/03/2018
---
# Configure managed security service provider integration
@@ -67,249 +64,11 @@ This action is taken by the MSSP. It allows MSSPs to fetch alerts in SIEM tools.
This action is taken by the MSSP. It allows MSSPs to fetch alerts using APIs.
-## Grant the MSSP access to the portal
->[!NOTE]
-> These set of steps are directed towards the MSSP customer.
-> Access to the portal can only be done by the MSSP customer.
-
-As a MSSP customer, you'll need to take the following configuration steps to grant the MSSP access to Microsoft Defender Security Center.
-
-
-Authentication and authorization of the MSSP user is built on top of Azure Active Directory (Azure AD) B2B functionality.
-
-You'll need to take the following 2 steps:
-- Add MSSP user to your tenant as a guest user
-
-- Grant MSSP user access to Microsoft Defender Security Center
-
-
-### Add MSSP user to your tenant as a guest user
-Add a user who is a member of the MSSP tenant to your tenant as a guest user.
-
-To grant portal access to the MSSP, you must add the MSSP user to your Azure AD as a guest user. For more information, see [Add Azure Active Directory B2B collaboration users in the Azure portal](https://docs.microsoft.com/azure/active-directory/b2b/add-users-administrator).
-
-### Grant MSSP user access to Microsoft Defender Security Center
-Grant the guest user access and permissions to your Microsoft Defender Security Center tenant.
-
-Granting access to guest user is done the same way as granting access to a user who is a member of your tenant.
-
-If you're using basic permissions to access the portal, the guest user must be assigned a Security Administrator role in **your** tenant. For more information, see [Use basic permissions to access the portal](basic-permissions.md).
-
-If you're using role-based access control (RBAC), the guest user must be to added to the appropriate group or groups in **your** tenant. Fore more information on RBAC in Microsoft Defender ATP, see [Manage portal access using RBAC](rbac.md).
-
-
->[!NOTE]
->There is no difference between the Member user and Guest user roles from RBAC perspective.
-
-It is recommended that groups are created for MSSPs to make authorization access more manageable.
-
-As a MSSP customer, you can always remove or modify the permissions granted to the MSSP by updating the Azure AD user groups.
-
-
-## Access the Microsoft Defender Security Center MSSP customer portal
-
->[!NOTE]
->These set of steps are directed towards the MSSP.
-
-By default, MSSP customers access their Microsoft Defender Security Center tenant through the following URL: `https://securitycenter.windows.com`.
-
-
-MSSPs however, will need to use a tenant-specific URL in the following format: `https://securitycenter.windows.com?tid=customer_tenant_id` to access the MSSP customer portal.
-
-In general, MSSPs will need to be added to each of the MSSP customer's Azure AD that they intend to manage.
-
-
-Use the following steps to obtain the MSSP customer tenant ID and then use the ID to access the tenant-specific URL:
-
-1. As an MSSP, login to Azure AD with your credentials.
-
-2. Switch directory to the MSSP customer's tenant.
-
-3. Select **Azure Active Directory > Properties**. You'll find the tenant ID in the Directory ID field.
-
-4. Access the MSSP customer portal by replacing the `customer_tenant_id` value in the following URL: `https://securitycenter.windows.com?tid=customer_tenant_id`.
-
-## Configure alert notifications that are sent to MSSPs
-
->[!NOTE]
->This step can be done by either the MSSP customer or MSSP. MSSPs must be granted the appropriate permissions to configure this on behalf of the MSSP customer.
-
-After access the portal is granted, alert notification rules can to be created so that emails are sent to MSSPs when alerts associated with the tenant are created and set conditions are met.
-
-
-For more information, see [Create rules for alert notifications](configure-email-notifications.md#create-rules-for-alert-notifications).
-
-
-These check boxes must be checked:
-- **Include organization name** - The customer name will be added to email notifications
-- **Include tenant-specific portal link** - Alert link URL will have tenant specific parameter (tid=target_tenant_id) that allows direct access to target tenant portal
-
-
-## Fetch alerts from MSSP customer's tenant into the SIEM system
-
->[!NOTE]
->This action is taken by the MSSP.
-
-
-To fetch alerts into your SIEM system you'll need to take the following steps:
-
-Step 1: Create a third-party application
-
-Step 2: Get access and refresh tokens from your customer's tenant
-
-Step 3: allow your application on Microsoft Defender Security Center
-
-
-
-
-### Step 1: Create an application in Azure Active Directory (Azure AD)
-
-You'll need to create an application and grant it permissions to fetch alerts from your customer's Microsoft Defender ATP tenant.
-
-
-1. Sign in to the [Azure AD portal](https://aad.portal.azure.com/).
-
-2. Select **Azure Active Directory** > **App registrations**.
-
-
-3. Click **New registration**.
-
-
-4. Specify the following values:
-
- - Name: \ SIEM MSSP Connector (replace Tenant_name with the tenant display name)
-
- - Supported account types: Account in this organizational directory only
- - Redirect URI: Select Web and type `https:///SiemMsspConnector`(replace with the tenant name)
-
-5. Click **Register**. The application is displayed in the list of applications you own.
-
-6. Select the application, then click **Overview**.
-
-7. Copy the value from the **Application (client) ID** field to a safe place, you will need this in the next step.
-
-8. Select **Certificate & secrets** in the new application panel.
-
-9. Click **New client secret**.
-
-
- - Description: Enter a description for the key.
- - Expires: Select **In 1 year**
-
-
-10. Click **Add**, copy the value of the client secret to a safe place, you will need this in the next step.
-
-
-### Step 2: Get access and refresh tokens from your customer's tenant
-This section guides you on how to use a PowerShell script to get the tokens from your customer's tenant. This script uses the application from the previous step to get the access and refresh tokens using the OAuth Authorization Code Flow.
-
-After providing your credentials, you'll need to grant consent to the application so that the application is provisioned in the customer's tenant.
-
-
-1. Create a new folder and name it: `MsspTokensAcquisition`.
-
-2. Download the [LoginBrowser.psm1 module](https://github.com/shawntabrizi/Microsoft-Authentication-with-PowerShell-and-MSAL/blob/master/Authorization%20Code%20Grant%20Flow/LoginBrowser.psm1) and save it in the `MsspTokensAcquisition` folder.
-
- >[!NOTE]
- >In line 30, replace `authorzationUrl` with `authorizationUrl`.
-
-3. Create a file with the following content and save it with the name `MsspTokensAcquisition.ps1` in the folder:
- ```
- param (
- [Parameter(Mandatory=$true)][string]$clientId,
- [Parameter(Mandatory=$true)][string]$secret,
- [Parameter(Mandatory=$true)][string]$tenantId
- )
- [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-
- # Load our Login Browser Function
- Import-Module .\LoginBrowser.psm1
-
- # Configuration parameters
- $login = "https://login.microsoftonline.com"
- $redirectUri = "https://SiemMsspConnector"
- $resourceId = "https://graph.windows.net"
-
- Write-Host 'Prompt the user for his credentials, to get an authorization code'
- $authorizationUrl = ("{0}/{1}/oauth2/authorize?prompt=select_account&response_type=code&client_id={2}&redirect_uri={3}&resource={4}" -f
- $login, $tenantId, $clientId, $redirectUri, $resourceId)
- Write-Host "authorzationUrl: $authorizationUrl"
-
- # Fake a proper endpoint for the Redirect URI
- $code = LoginBrowser $authorizationUrl $redirectUri
-
- # Acquire token using the authorization code
-
- $Body = @{
- grant_type = 'authorization_code'
- client_id = $clientId
- code = $code
- redirect_uri = $redirectUri
- resource = $resourceId
- client_secret = $secret
- }
-
- $tokenEndpoint = "$login/$tenantId/oauth2/token?"
- $Response = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -Body $Body
- $token = $Response.access_token
- $refreshToken= $Response.refresh_token
-
- Write-Host " ----------------------------------- TOKEN ---------------------------------- "
- Write-Host $token
-
- Write-Host " ----------------------------------- REFRESH TOKEN ---------------------------------- "
- Write-Host $refreshToken
- ```
-4. Open an elevated PowerShell command prompt in the `MsspTokensAcquisition` folder.
-
-5. Run the following command:
- `Set-ExecutionPolicy -ExecutionPolicy Bypass`
-
-6. Enter the following commands: `.\MsspTokensAcquisition.ps1 -clientId -secret -tenantId `
-
- - Replace \ with the **Application (client) ID** you got from the previous step.
- - Replace \ with the **Client Secret** you created from the previous step.
- - Replace \ with your customer's **Tenant ID**.
-
-
-7. You'll be asked to provide your credentials and consent. Ignore the page redirect.
-
-8. In the PowerShell window, you'll receive an access token and a refresh token. Save the refresh token to configure your SIEM connector.
-
-
-### Step 3: Allow your application on Microsoft Defender Security Center
-You'll need to allow the application you created in Microsoft Defender Security Center.
-
-
-You'll need to have **Manage portal system settings** permission to allow the application. Otherwise, you'll need to request your customer to allow the application for you.
-
-1. Go to `https://securitycenter.windows.com?tid=` (replace \ with the customer's tenant ID.
-
-2. Click **Settings** > **SIEM**.
-
-3. Select the **MSSP** tab.
-
-4. Enter the **Application ID** from the first step and your **Tenant ID**.
-
-5. Click **Authorize application**.
-
-
-You can now download the relevant configuration file for your SIEM and connect to the Microsoft Defender ATP API. For more information see, [Pull alerts to your SIEM tools](configure-siem.md).
-
-
-- In the ArcSight configuration file / Splunk Authentication Properties file you will have to write your application key manually by settings the secret value.
-- Instead of acquiring a refresh token in the portal, use the script from the previous step to acquire a refresh token (or acquire it by other means).
-
-## Fetch alerts from MSSP customer's tenant using APIs
-
-For information on how to fetch alerts using REST API, see [Pull alerts using REST API](pull-alerts-using-rest-api.md).
-
## Related topics
-- [Use basic permissions to access the portal](basic-permissions.md)
-- [Manage portal access using RBAC](rbac.md)
-- [Pull alerts to your SIEM tools](configure-siem.md)
-- [Pull alerts using REST API](pull-alerts-using-rest-api.md)
-
+- [Grant MSSP access to the portal](grant-mssp-access.md)
+- [Access the MSSP customer portal](access-mssp-portal.md)
+- [Configure alert notifications](configure-mssp-notifications.md)
+- [Fetch alerts from customer tenant](fetch-alerts-mssp.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/fetch-alerts-mssp.md b/windows/security/threat-protection/microsoft-defender-atp/fetch-alerts-mssp.md
new file mode 100644
index 0000000000..f0ccb1577e
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/fetch-alerts-mssp.md
@@ -0,0 +1,196 @@
+---
+title: Fetch alerts from MSSP customer tenant
+description: Learn how to fetch alerts from a customer tenant
+keywords: managed security service provider, mssp, configure, integration
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Fetch alerts from MSSP customer tenant
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
+
+
+>[!NOTE]
+>This action is taken by the MSSP.
+
+
+There are two ways you can fetch alerts:
+- Using the SIEM method
+- Using APIs
+
+## Fetch alerts into your SIEM
+
+To fetch alerts into your SIEM system you'll need to take the following steps:
+
+Step 1: Create a third-party application
+
+Step 2: Get access and refresh tokens from your customer's tenant
+
+Step 3: allow your application on Microsoft Defender Security Center
+
+
+
+
+### Step 1: Create an application in Azure Active Directory (Azure AD)
+
+You'll need to create an application and grant it permissions to fetch alerts from your customer's Microsoft Defender ATP tenant.
+
+
+1. Sign in to the [Azure AD portal](https://aad.portal.azure.com/).
+
+2. Select **Azure Active Directory** > **App registrations**.
+
+
+3. Click **New registration**.
+
+
+4. Specify the following values:
+
+ - Name: \ SIEM MSSP Connector (replace Tenant_name with the tenant display name)
+
+ - Supported account types: Account in this organizational directory only
+ - Redirect URI: Select Web and type `https:///SiemMsspConnector`(replace with the tenant name)
+
+5. Click **Register**. The application is displayed in the list of applications you own.
+
+6. Select the application, then click **Overview**.
+
+7. Copy the value from the **Application (client) ID** field to a safe place, you will need this in the next step.
+
+8. Select **Certificate & secrets** in the new application panel.
+
+9. Click **New client secret**.
+
+
+ - Description: Enter a description for the key.
+ - Expires: Select **In 1 year**
+
+
+10. Click **Add**, copy the value of the client secret to a safe place, you will need this in the next step.
+
+
+### Step 2: Get access and refresh tokens from your customer's tenant
+This section guides you on how to use a PowerShell script to get the tokens from your customer's tenant. This script uses the application from the previous step to get the access and refresh tokens using the OAuth Authorization Code Flow.
+
+After providing your credentials, you'll need to grant consent to the application so that the application is provisioned in the customer's tenant.
+
+
+1. Create a new folder and name it: `MsspTokensAcquisition`.
+
+2. Download the [LoginBrowser.psm1 module](https://github.com/shawntabrizi/Microsoft-Authentication-with-PowerShell-and-MSAL/blob/master/Authorization%20Code%20Grant%20Flow/LoginBrowser.psm1) and save it in the `MsspTokensAcquisition` folder.
+
+ >[!NOTE]
+ >In line 30, replace `authorzationUrl` with `authorizationUrl`.
+
+3. Create a file with the following content and save it with the name `MsspTokensAcquisition.ps1` in the folder:
+ ```
+ param (
+ [Parameter(Mandatory=$true)][string]$clientId,
+ [Parameter(Mandatory=$true)][string]$secret,
+ [Parameter(Mandatory=$true)][string]$tenantId
+ )
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+
+ # Load our Login Browser Function
+ Import-Module .\LoginBrowser.psm1
+
+ # Configuration parameters
+ $login = "https://login.microsoftonline.com"
+ $redirectUri = "https://SiemMsspConnector"
+ $resourceId = "https://graph.windows.net"
+
+ Write-Host 'Prompt the user for his credentials, to get an authorization code'
+ $authorizationUrl = ("{0}/{1}/oauth2/authorize?prompt=select_account&response_type=code&client_id={2}&redirect_uri={3}&resource={4}" -f
+ $login, $tenantId, $clientId, $redirectUri, $resourceId)
+ Write-Host "authorzationUrl: $authorizationUrl"
+
+ # Fake a proper endpoint for the Redirect URI
+ $code = LoginBrowser $authorizationUrl $redirectUri
+
+ # Acquire token using the authorization code
+
+ $Body = @{
+ grant_type = 'authorization_code'
+ client_id = $clientId
+ code = $code
+ redirect_uri = $redirectUri
+ resource = $resourceId
+ client_secret = $secret
+ }
+
+ $tokenEndpoint = "$login/$tenantId/oauth2/token?"
+ $Response = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -Body $Body
+ $token = $Response.access_token
+ $refreshToken= $Response.refresh_token
+
+ Write-Host " ----------------------------------- TOKEN ---------------------------------- "
+ Write-Host $token
+
+ Write-Host " ----------------------------------- REFRESH TOKEN ---------------------------------- "
+ Write-Host $refreshToken
+ ```
+4. Open an elevated PowerShell command prompt in the `MsspTokensAcquisition` folder.
+
+5. Run the following command:
+ `Set-ExecutionPolicy -ExecutionPolicy Bypass`
+
+6. Enter the following commands: `.\MsspTokensAcquisition.ps1 -clientId -secret -tenantId `
+
+ - Replace \ with the **Application (client) ID** you got from the previous step.
+ - Replace \ with the **Client Secret** you created from the previous step.
+ - Replace \ with your customer's **Tenant ID**.
+
+
+7. You'll be asked to provide your credentials and consent. Ignore the page redirect.
+
+8. In the PowerShell window, you'll receive an access token and a refresh token. Save the refresh token to configure your SIEM connector.
+
+
+### Step 3: Allow your application on Microsoft Defender Security Center
+You'll need to allow the application you created in Microsoft Defender Security Center.
+
+
+You'll need to have **Manage portal system settings** permission to allow the application. Otherwise, you'll need to request your customer to allow the application for you.
+
+1. Go to `https://securitycenter.windows.com?tid=` (replace \ with the customer's tenant ID.
+
+2. Click **Settings** > **SIEM**.
+
+3. Select the **MSSP** tab.
+
+4. Enter the **Application ID** from the first step and your **Tenant ID**.
+
+5. Click **Authorize application**.
+
+
+You can now download the relevant configuration file for your SIEM and connect to the Microsoft Defender ATP API. For more information see, [Pull alerts to your SIEM tools](configure-siem.md).
+
+
+- In the ArcSight configuration file / Splunk Authentication Properties file you will have to write your application key manually by settings the secret value.
+- Instead of acquiring a refresh token in the portal, use the script from the previous step to acquire a refresh token (or acquire it by other means).
+
+## Fetch alerts from MSSP customer's tenant using APIs
+
+For information on how to fetch alerts using REST API, see [Pull alerts using REST API](pull-alerts-using-rest-api.md).
+
+
+## Related topics
+- [Grant MSSP access to the portal](grant-mssp-access.md)
+- [Access the MSSP customer portal](access-mssp-portal.md)
+- [Configure alert notifications](configure-mssp-notifications.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md
index 2f61ccb373..e4ecad3ffa 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md
@@ -28,7 +28,7 @@ Retrieves specific [Alert](alerts.md) by its ID.
## Limitations
-1. You can get alerts last updated in the past 30 days.
+1. You can get alerts last updated according to your configured retention period.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md
index c9c257c1e1..ac7cf2410a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md
@@ -28,7 +28,7 @@ Retrieves all domains related to a specific alert.
## Limitations
-1. You can query on alerts last updated in the past 30 days.
+1. You can query on alerts last updated according to your configured retention period.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md
index d99712033f..519afaa0e3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md
@@ -28,7 +28,7 @@ Retrieves all files related to a specific alert.
## Limitations
-1. You can query on alerts last updated in the past 30 days.
+1. You can query on alerts last updated according to your configured retention period.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md
index 812e285986..cf783ffeda 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md
@@ -28,7 +28,7 @@ Retrieves all IPs related to a specific alert.
## Limitations
-1. You can query on alerts last updated in the past 30 days.
+1. You can query on alerts last updated according to your configured retention period.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md
index b3e69abaa7..2b030497a2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md
@@ -28,7 +28,7 @@ Retrieves [Device](machine.md) related to a specific alert.
## Limitations
-1. You can query on alerts last updated in the past 30 days.
+1. You can query on alerts last updated according to your configured retention period.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md
index f51040eab2..982e2a2585 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md
@@ -28,7 +28,7 @@ Retrieves the User related to a specific alert.
## Limitations
-1. You can query on alerts last updated in the past 30 days.
+1. You can query on alerts last updated according to your configured retention period.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
index b86855ce76..f13f6270fd 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
@@ -35,7 +35,7 @@ Retrieves a collection of Alerts.
## Limitations
-1. You can get alerts last updated in the past 30 days.
+1. You can get alerts last updated according to your configured retention period.
2. Maximum page size is 10,000.
3. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md
index bdb1c4b423..0aa06444da 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md
@@ -28,7 +28,7 @@ Retrieves a collection of [Alerts](alerts.md) related to a given domain address.
## Limitations
-1. You can query on alerts last updated in the past 30 days.
+1. You can query on alerts last updated according to your configured retention period.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
@@ -48,7 +48,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
>- Response will include only alerts, associated with devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
## HTTP request
-```
+```http
GET /api/domains/{domain}/alerts
```
@@ -73,6 +73,6 @@ Here is an example of the request.
[!include[Improve request performance](../../includes/improve-request-performance.md)]
-```
+```http
GET https://api.securitycenter.windows.com/api/domains/client.wns.windows.com/alerts
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md
index 8413a10a82..6b4dee50f5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md
@@ -28,7 +28,7 @@ Retrieves a collection of [Machines](machine.md) that have communicated to or fr
## Limitations
-1. You can query on devices last seen in the past 30 days.
+1. You can query on devices last updated according to your configured retention period.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
@@ -48,7 +48,7 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine
>- Response will include only devices that the user can access, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
## HTTP request
-```
+```http
GET /api/domains/{domain}/machines
```
@@ -75,6 +75,6 @@ Here is an example of the request.
[!include[Improve request performance](../../includes/improve-request-performance.md)]
-```
+```http
GET https://api.securitycenter.windows.com/api/domains/api.securitycenter.windows.com/machines
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md
index 0348f58dbf..91b44caf50 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md
@@ -28,7 +28,7 @@ Retrieves specific [Machine](machine.md) by its device ID or computer name.
## Limitations
-1. You can get devices last seen in the past 30 days.
+1. You can get devices last seen according to your configured retention policy.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
@@ -49,7 +49,7 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine
## HTTP request
-```
+```http
GET /api/machines/{id}
```
@@ -65,7 +65,7 @@ Empty
## Response
If successful and device exists - 200 OK with the [machine](machine.md) entity in the body.
-If machine with the specified id was not found - 404 Not Found.
+If machine with the specified ID was not found - 404 Not Found.
## Example
@@ -76,7 +76,7 @@ Here is an example of the request.
[!include[Improve request performance](../../includes/improve-request-performance.md)]
-```
+```http
GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07
```
@@ -85,7 +85,7 @@ GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932
Here is an example of the response.
-```
+```http
HTTP/1.1 200 OK
Content-type: application/json
{
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md
index f5cb6a8948..fc56069b04 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md
@@ -28,7 +28,7 @@ Retrieves a collection of logged on users on a specific device.
## Limitations
-1. You can query on devices last seen in the past 30 days.
+1. You can query on alerts last updated according to your configured retention period.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
@@ -46,7 +46,7 @@ Delegated (work or school account) | User.Read.All | 'Read user profiles'
>- Response will include users only if the device is visible to the user, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
## HTTP request
-```
+```http
GET /api/machines/{id}/logonusers
```
@@ -72,7 +72,7 @@ Here is an example of the request.
[!include[Improve request performance](../../includes/improve-request-performance.md)]
-```
+```http
GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/logonusers
```
@@ -81,7 +81,7 @@ GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932
Here is an example of the response.
-```
+```http
HTTP/1.1 200 OK
Content-type: application/json
{
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md
index 0d100248f0..e8fb105671 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md
@@ -28,7 +28,7 @@ Retrieves all [Alerts](alerts.md) related to a specific device.
## Limitations
-1. You can query on devices last seen in the past 30 days.
+1. You can query on devices last updated according to your configured retention period.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
@@ -45,7 +45,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
>- User needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
## HTTP request
-```
+```http
GET /api/machines/{id}/alerts
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md
index 74c8253d5d..93303b75fa 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md
@@ -24,14 +24,14 @@ ms.topic: article
## API description
-Retrieves a collection of [Machines](machine.md) that have communicated with Microsoft Defender ATP cloud on the last 30 days.
+Retrieves a collection of [Machines](machine.md) that have communicated with Microsoft Defender ATP cloud.
Supports [OData V4 queries](https://www.odata.org/documentation/).
-
The OData's ```$filter``` query is supported on: ```computerDnsName```, ```lastSeen```, ```healthStatus```, ```osPlatform```, ```riskScore``` and ```rbacGroupId```.
+
The OData's `$filter` query is supported on: `computerDnsName`, `lastSeen`, `healthStatus`, `osPlatform`, `riskScore` and `rbacGroupId`.
See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
## Limitations
-1. You can get devices last seen in the past 30 days.
+1. You can get devices last seen according to your configured retention period.
2. Maximum page size is 10,000.
3. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
@@ -51,7 +51,8 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine
>- Response will include only devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
## HTTP request
-```
+
+```http
GET https://api.securitycenter.windows.com/api/machines
```
@@ -77,7 +78,8 @@ Here is an example of the request.
[!include[Improve request performance](../../includes/improve-request-performance.md)]
-```
+
+```http
GET https://api.securitycenter.windows.com/api/machines
```
@@ -85,8 +87,7 @@ GET https://api.securitycenter.windows.com/api/machines
Here is an example of the response.
-
-```
+```http
HTTP/1.1 200 OK
Content-type: application/json
{
diff --git a/windows/security/threat-protection/microsoft-defender-atp/grant-mssp-access.md b/windows/security/threat-protection/microsoft-defender-atp/grant-mssp-access.md
new file mode 100644
index 0000000000..fc801373b0
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/grant-mssp-access.md
@@ -0,0 +1,136 @@
+---
+title: Grant access to managed security service provider (MSSP)
+description: Take the necessary steps to configure the MSSP integration with Microsoft Defender ATP
+keywords: managed security service provider, mssp, configure, integration
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+# Grant managed security service provider (MSSP) access (preview)
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
+
+>[!IMPORTANT]
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+To implement a multi-tenant delegated access solution, take the following steps:
+
+1. Enable [role-based access control](rbac.md) in Microsoft Defender ATP and connect with Active Directory (AD) groups.
+
+2. Configure [Governance Access Packages](https://docs.microsoft.com/azure/active-directory/governance/identity-governance-overview) for access request and provisioning.
+
+3. Manage access requests and audits in [Microsoft Myaccess](https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-request-approve).
+
+## Enable role-based access controls in Microsoft Defender ATP
+
+1. **Create access groups for MSSP resources in Customer AAD: Groups**
+
+ These groups will be linked to the Roles you create in Microsoft Defender ATP. To do so, in the customer AD tenant, create three groups. In our example approach, we create the following groups:
+
+ - Tier 1 Analyst
+ - Tier 2 Analyst
+ - MSSP Analyst Approvers
+
+
+2. Create Microsoft Defender ATP roles for appropriate access levels in Customer Microsoft Defender ATP.
+
+ To enable RBAC in the customer Microsoft Defender Security Center, access **Settings > Permissions > Roles** and "Turn on roles", from a user account with Global Administrator or Security Administrator rights.
+
+ 
+
+ Then, create RBAC roles to meet MSSP SOC Tier needs. Link these roles to the created user groups via “Assigned user groups”.
+
+ Two possible roles:
+
+ - **Tier 1 Analysts**
+ Perform all actions except for live response and manage security settings.
+
+ - **Tier 2 Analysts**
+ Tier 1 capabilities with the addition to [live response](live-response.md)
+
+ For more information, see [Use role-based access control](rbac.md).
+
+
+
+## Configure Governance Access Packages
+
+1. **Add MSSP as Connected Organization in Customer AAD: Identity Governance**
+
+ Adding the MSSP as a connected organization will allow the MSSP to request and have accesses provisioned.
+
+ To do so, in the customer AD tenant, access Identity Governance: Connected organization. Add a new organization and search for your MSSP Analyst tenant via Tenant ID or Domain. We suggest creating a separate AD tenant for your MSSP Analysts.
+
+2. **Create a resource catalog in Customer AAD: Identity Governance**
+
+ Resource catalogs are a logical collection of access packages, created in the customer AD tenant.
+
+ To do so, in the customer AD tenant, access Identity Governance: Catalogs, and add **New Catalog**. In our example, we will call it **MSSP Accesses**.
+
+ 
+
+ Further more information, see [Create a catalog of resources](https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-catalog-create).
+
+
+3. **Create access packages for MSSP resources Customer AAD: Identity Governance**
+
+ Access packages are the collection of rights and accesses that a requestor will be granted upon approval.
+
+ To do so, in the customer AD tenant, access Identity Governance: Access Packages, and add **New Access Package**. Create an access package for the MSSP approvers and each analyst tier. For example, the following Tier 1 Analyst configuration creates an access package that:
+
+ - Requires a member of the AD group **MSSP Analyst Approvers** to authorize new requests
+ - Has annual access reviews, where the SOC analysts can request an access extension
+ - Can only be requested by users in the MSSP SOC Tenant
+ - Access auto expires after 365 days
+
+ 
+
+ For more information, see [Create a new access package](https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-access-package-create).
+
+
+4. **Provide access request link to MSSP resources from Customer AAD: Identity Governance**
+
+ The My Access portal link is used by MSSP SOC analysts to request access via the access packages created. The link is durable, meaning the same link may be used over time for new analysts. The analyst request goes into a queue for approval by the **MSSP Analyst Approvers**.
+
+
+ 
+
+ The link is located on the overview page of each access package.
+
+## Manage access
+
+1. Review and authorize access requests in Customer and/or MSSP myaccess.
+
+ Access requests are managed in the customer My Access, by members of the MSSP Analyst Approvers group.
+
+ To do so, access the customer’s myaccess using:
+ `https://myaccess.microsoft.com/@`.
+
+ Example: `https://myaccess.microsoft.com/@M365x440XXX.onmicrosoft.com#/`
+2. Approve or deny requests in the **Approvals** section of the UI.
+
+ At this point, analyst access has been provisioned, and each analyst should be able to access the customer’s Microsoft Defender Security Center: `https://securitycenter.Microsoft.com/?tid=`
+
+## Related topics
+- [Access the MSSP customer portal](access-mssp-portal.md)
+- [Configure alert notifications](configure-mssp-notifications.md)
+- [Fetch alerts from customer tenant](fetch-alerts-mssp.md)
+
+
+
+
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/access-properties.png b/windows/security/threat-protection/microsoft-defender-atp/images/access-properties.png
new file mode 100644
index 0000000000..aa284279f9
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/access-properties.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/goverance-catalog.png b/windows/security/threat-protection/microsoft-defender-atp/images/goverance-catalog.png
new file mode 100644
index 0000000000..e670575f6d
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/goverance-catalog.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mssp-access.png b/windows/security/threat-protection/microsoft-defender-atp/images/mssp-access.png
new file mode 100644
index 0000000000..57dce4b5c1
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mssp-access.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/new-access-package.png b/windows/security/threat-protection/microsoft-defender-atp/images/new-access-package.png
new file mode 100644
index 0000000000..f2a7a81250
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/new-access-package.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
index 5fd56526b0..bd6a081f9a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
@@ -27,6 +27,9 @@ ms.topic: article
Investigate the details of an alert raised on a specific device to identify other behaviors or events that might be related to the alert or the potential scope of the breach.
+> [!NOTE]
+> As part of the investigation or response process, you can collect an investigation package from a device. Here's how: [Collect investigation package from devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#collect-investigation-package-from-devices).
+
You can click on affected devices whenever you see them in the portal to open a detailed report about that device. Affected devices are identified in the following areas:
- [Devices list](investigate-machines.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md
index d2a63d964c..a35d6e6d1a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md
@@ -19,6 +19,10 @@ ms.topic: conceptual
# What's new in Microsoft Defender Advanced Threat Protection for Linux
+## 101.03.48
+
+- Bug fixes
+
## 101.02.55
- Fixed an issue where the product sometimes does not start following a reboot / upgrade
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
index 61b9edd8cd..667852eb82 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
@@ -86,7 +86,7 @@ ms.topic: conceptual
- Fixed an issue where Microsoft Defender ATP for Mac was sometimes interfering with Time Machine
- Added a new switch to the command-line utility for testing the connectivity with the backend service
```bash
- $ mdatp --connectivity-test
+ mdatp --connectivity-test
```
- Added ability to view the full threat history in the user interface (can be accessed from the **Protection history** view)
- Performance improvements & bug fixes
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
index d1823bc880..913a4d215c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
@@ -63,6 +63,8 @@ In Microsoft Defender Advanced Threat Protection, all verdicts are [tracked and
## Next steps
+- [See the interactive guide: Investigate and remediate threats with Microsoft Defender ATP](https://aka.ms/MDATP-IR-Interactive-Guide)
+
- [View details and results of automated investigations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center)
- [Get an overview of live response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/live-response)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
index 0b8a773d75..ae6569fd45 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
@@ -80,8 +80,8 @@ The following downloadable spreadsheet lists the services and their associated U
Microsoft Defender ATP can discover a proxy server by using the following discovery methods:
-- Proxy auto-config (PAC)
-- Web Proxy Auto-discovery Protocol (WPAD)
+- Proxy autoconfig (PAC)
+- Web Proxy Autodiscovery Protocol (WPAD)
- Manual static proxy configuration
If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs.
@@ -96,7 +96,7 @@ To test that a connection is not blocked, open [https://x.cp.wd.microsoft.com/ap
If you prefer the command line, you can also check the connection by running the following command in Terminal:
```bash
-$ curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
+curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
```
The output from this command should be similar to the following:
@@ -110,7 +110,7 @@ The output from this command should be similar to the following:
Once Microsoft Defender ATP is installed, connectivity can be validated by running the following command in Terminal:
```bash
-$ mdatp --connectivity-test
+mdatp --connectivity-test
```
## How to update Microsoft Defender ATP for Mac
diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md
index a36d89c45a..2586120da8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/preview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md
@@ -49,9 +49,6 @@ Turn on the preview experience setting to be among the first to try upcoming fea
The following features are included in the preview release:
- [Microsoft Defender ATP for Android](microsoft-defender-atp-android.md)
Microsoft Defender ATP now adds support for Android. Learn how to install, configure, and use Microsoft Defender ATP for Android.
-- [Create indicators for certificates](manage-indicators.md)
Create indicators to allow or block certificates.
-
-
- [Threat & Vulnerability supported operating systems and platforms](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os)
Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for. Threat & Vulnerability Management supports Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, Windows Server 2019.
Secure Configuration Assessment (SCA) supports Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, and Windows Server 2019.
- [Threat & Vulnerability Management granular exploit details](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
You can now see a comprehensive set of details on the vulnerabilities found in your device to give you informed decision on your next steps. The threat insights icon now shows more granular details, such as if the exploit is a part of an exploit kit, connected to specific advanced persistent campaigns or activity groups for which, Threat Analytics report links are provided that you can read, has associated zero-day exploitation news, disclosures, or related security advisories.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md
index db1b08907f..1fdb856b5d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md
@@ -100,11 +100,11 @@ You can view the overall number of automated investigations from the last 30 day
## Automated investigations statistics
-This tile shows statistics related to automated investigations in the last 30 days. It shows the number of investigations completed, the number of successfully remediated investigations, the average pending time it takes for an investigation to be initiated, the average time it takes to remediate an alert, the number of alerts investigated, and the number of hours of automation saved from a typical manual investigation.
+This tile shows statistics related to automated investigations in the last seven days. It shows the number of investigations completed, the number of successfully remediated investigations, the average pending time it takes for an investigation to be initiated, the average time it takes to remediate an alert, the number of alerts investigated, and the number of hours of automation saved from a typical manual investigation.
-You can click on **Automated investigations**, **Remidated investigations**, and **Alerts investigated** to navigate to the **Investigations** page, filtered by the appropriate category. This lets you see a detailed breakdown of investigations in context.
+You can click on **Automated investigations**, **Remediated investigations**, and **Alerts investigated** to navigate to the **Investigations** page, filtered by the appropriate category. This lets you see a detailed breakdown of investigations in context.
## Users at risk
The tile shows you a list of user accounts with the most active alerts and the number of alerts seen on high, medium, or low alerts.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md
index fa8115f0cb..d00f9c4634 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md
@@ -96,4 +96,4 @@ To do this, visit the Microsoft Defender ATP demo scenarios site ([https://demo.
- [Visit your security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard) in the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
-- To learn more about Microsoft Defender ATP and how to configure or adjust various features and capabilities, see [Microsoft Defender ATP documentation](https://docs.microsoft.com/windows/security/threat-protection).
\ No newline at end of file
+- To learn more about Microsoft Defender ATP and how to configure or adjust various features and capabilities, see [Microsoft Defender ATP documentation](https://docs.microsoft.com/windows/security/threat-protection).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
index 7c19cb82ea..906f92f4f8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
@@ -36,6 +36,9 @@ For more information preview features, see [Preview features](https://docs.micro
> ```
+## July 2020
+- [Create indicators for certificates](manage-indicators.md)
Create indicators to allow or block certificates.
+
## June 2020
- [Microsoft Defender ATP for Linux](microsoft-defender-atp-linux.md)
Microsoft Defender ATP now adds support for Linux. Learn how to install, configure, update, and use Microsoft Defender ATP for Linux.
diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md
index 0ac210bfc0..cea2e3c915 100644
--- a/windows/security/threat-protection/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/security-compliance-toolkit-10.md
@@ -26,44 +26,50 @@ The SCT enables administrators to effectively manage their enterprise’s Group
The Security Compliance Toolkit consists of:
-- Windows 10 security baselines
- - Windows 10 Version 1909 (November 2019 Update)
- - Windows 10 Version 1903 (May 2019 Update)
- - Windows 10 Version 1809 (October 2018 Update)
- - Windows 10 Version 1803 (April 2018 Update)
- - Windows 10 Version 1709 (Fall Creators Update)
- - Windows 10 Version 1607 (Anniversary Update)
- - Windows 10 Version 1507
+- Windows 10 security baselines
+ - Windows 10 Version 1909 (November 2019 Update)
+ - Windows 10 Version 1903 (May 2019 Update)
+ - Windows 10 Version 1809 (October 2018 Update)
+ - Windows 10 Version 1803 (April 2018 Update)
+ - Windows 10 Version 1709 (Fall Creators Update)
+ - Windows 10 Version 1607 (Anniversary Update)
+ - Windows 10 Version 1507
-- Windows Server security baselines
- - Windows Server 2019
- - Windows Server 2016
- - Windows Server 2012 R2
+- Windows Server security baselines
+ - Windows Server 2019
+ - Windows Server 2016
+ - Windows Server 2012 R2
-- Microsoft Office security baseline
- - Microsoft 365 Apps for enterprise (Sept 2019)
+- Microsoft Office security baseline
+ - Microsoft 365 Apps for enterprise (Sept 2019)
-- Microsoft Edge security baseline
- - Version 80
+- Microsoft Edge security baseline
+ - Version 80
-- Tools
- - Policy Analyzer tool
- - Local Group Policy Object (LGPO) tool
+- Tools
+ - Policy Analyzer tool
+ - Local Group Policy Object (LGPO) tool
+
+- Scripts
+ - Baseline-ADImport.ps1
+ - Baseline-LocalInstall.ps1
+ - Remove-EPBaselineSettings.ps1
+ - MapGuidsToGpoNames.ps1
-You can [download the tools](https://www.microsoft.com/download/details.aspx?id=55319) along with the baselines for the relevant Windows versions. For more details about security baseline recommendations, see the [Microsoft Security Guidance blog](https://techcommunity.microsoft.com/t5/Microsoft-Security-Baselines/bg-p/Microsoft-Security-Baselines).
+You can [download the tools](https://www.microsoft.com/download/details.aspx?id=55319) along with the baselines for the relevant Windows versions. For more details about security baseline recommendations, see the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/Microsoft-Security-Baselines/bg-p/Microsoft-Security-Baselines).
## What is the Policy Analyzer tool?
The Policy Analyzer is a utility for analyzing and comparing sets of Group Policy Objects (GPOs). Its main features include:
-- Highlight when a set of Group Policies has redundant settings or internal inconsistencies
-- Highlight the differences between versions or sets of Group Policies
-- Compare GPOs against current local policy and local registry settings
-- Export results to a Microsoft Excel spreadsheet
+- Highlight when a set of Group Policies has redundant settings or internal inconsistencies
+- Highlight the differences between versions or sets of Group Policies
+- Compare GPOs against current local policy and local registry settings
+- Export results to a Microsoft Excel spreadsheet
Policy Analyzer lets you treat a set of GPOs as a single unit. This makes it easy to determine whether particular settings are duplicated across the GPOs or are set to conflicting values. Policy Analyzer also lets you capture a baseline and then compare it to a snapshot taken at a later time to identify changes anywhere across the set.
-More information on the Policy Analyzer tool can be found on the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2016/01/22/new-tool-policy-analyzer/) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
+More information on the Policy Analyzer tool can be found on the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/new-tool-policy-analyzer/ba-p/701049) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
## What is the Local Group Policy Object (LGPO) tool?
@@ -73,4 +79,64 @@ LGPO.exe can import and apply settings from Registry Policy (Registry.pol) files
It can export local policy to a GPO backup.
It can export the contents of a Registry Policy file to the “LGPO text” format that can then be edited, and can build a Registry Policy file from an LGPO text file.
-Documentation for the LGPO tool can be found on the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0/) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
+Documentation for the LGPO tool can be found on the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/lgpo-exe-local-group-policy-object-utility-v1-0/ba-p/701045) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
+
+## List of PowerShell scripts
+
+This list of PowerShell script names, divided into categories by the name of the ZIP file containing those scripts, is based on the download page content listing of the full package download (12 files).
+
+1. **Windows 10 Version 1909 and Windows Server Version 1909 Security Baseline.zip**
+
+ - Baseline-ADImport.ps1
+ - Baseline-LocalInstall.ps1
+ - Remove-EPBaselineSettings.ps1
+ - MapGuidsToGpoNames.ps1
+
+2. **LGPO.zip**
+ - (none)
+
+3. **Microsoft Edge v80.zip**
+
+ - Baseline-ADImport.ps1
+ - Baseline-LocalInstall.ps1
+ - MapGuidsToGpoNames.ps1
+
+4. **Office365-ProPlus-Sept2019-FINAL.zip**
+
+ - Baseline-ADImport.ps1
+ - Baseline-LocalInstall.ps1
+ - MapGuidsToGpoNames.ps1
+
+5. **PolicyAnalyzer.zip**
+
+ - Merge-PolicyRules.ps1
+ - Split-PolicyRules.ps1
+
+6. **Windows 10 Version 1507 Security Baseline.zip**
+ - (none)
+
+7. **Windows 10 Version 1607 and Windows Server 2016 Security Baseline.zip**
+
+ - MapGuidsToGpoNames.ps1
+
+8. **Windows 10 Version 1709 Security Baseline.zip**
+
+ - MapGuidsToGpoNames.ps1
+
+9. **Windows 10 Version 1803 Security Baseline.zip**
+
+ - MapGuidsToGpoNames.ps1
+
+10. **Windows 10 Version 1809 and Windows Server 2019 Security Baseline.zip**
+
+ - BaselineLocalInstall.ps1
+ - MapGuidsToGpoNames.ps1
+
+11. **Windows 10 Version 1903 and Windows Server Version 1903 Security Baseline - Sept2019Update.zip**
+
+ - Baseline-ADImport.ps1
+ - Baseline-LocalInstall.ps1
+ - MapGuidsToGpoNames.ps1
+
+12. **Windows Server 2012 R2 Security Baseline.zip**
+ - (none)
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
index 72bdb507cf..7210da90bf 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
-ms.date: 04/30/2018
+ms.date: 07/23/2020
ms.reviewer:
manager: dansimp
---
@@ -53,7 +53,7 @@ This can only be done in Group Policy.
>[!IMPORTANT]
>
-> Requirement: You must have Windows 10, version 1903. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+> Requirement: You must have Windows 10, version 1903 or higher. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
1. Download the latest [Administrative Templates (.admx) for Windows 10, v2004](https://www.microsoft.com/download/101445).
@@ -76,7 +76,7 @@ This can only be done in Group Policy.
>[!IMPORTANT]
>
-> Requirement: You must have Windows 10, version 1903. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
+> Requirement: You must have Windows 10, version 1903 or higher. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@@ -89,17 +89,16 @@ This can only be done in Group Policy.
6. Open the **Hide all notifications** setting and set it to **Enabled**. Click **OK**.
-7. Use the following registry key and DWORD value to **Hide all notifications**.
-
- **[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]**
+7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx).
+
+> [!NOTE]
+> You can use the following registry key and DWORD value to **Hide all notifications**.
+> **[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]**
**"DisableNotifications"=dword:00000001**
-
-8. Use the following registry key and DWORD value to **Hide not-critical notifications**.
-
- **[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]**
+> You can use the following registry key and DWORD value to **Hide not-critical notifications**.
+>**[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]**
**"DisableEnhancedNotifications"=dword:00000001**
-
-9. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx).
+
## Notifications
diff --git a/windows/security/threat-protection/windows-platform-common-criteria.md b/windows/security/threat-protection/windows-platform-common-criteria.md
index d1d4e94a38..3dece2757f 100644
--- a/windows/security/threat-protection/windows-platform-common-criteria.md
+++ b/windows/security/threat-protection/windows-platform-common-criteria.md
@@ -15,159 +15,227 @@ ms.reviewer:
# Common Criteria Certifications
-Microsoft is committed to optimizing the security of its products and services. As part of that commitment, Microsoft supports the Common Criteria certification program, continues to ensure that products incorporate the features and functions required by relevant Common Criteria protection profiles, and completes Common Criteria certifications of Microsoft Windows products.
+Microsoft is committed to optimizing the security of its products and services. As part of that commitment, Microsoft supports the Common Criteria certification program, ensures that products incorporate the features and functions required by relevant Common Criteria Protection Profiles, and completes Common Criteria certifications of Microsoft Windows products. This topic lists the current and archived certified Windows products, together with relevant documentation from each certification.
-## Common Criteria Security Targets
+## Certified Products
-### Information for Systems Integrators and Accreditors
+The product releases below are currently certified against the cited Protection Profile, as listed on the [Common Criteria Portal](https://www.commoncriteriaportal.org/products/). The Security Target describes the product edition(s) in scope, the security functionality in the product, and the assurance measures from the Protection Profile used as part of the evaluation. The Administrative Guide provides guidance on configuring the product to match the evaluated configuration. The Certification Report or Validation Report documents the results of the evaluation by the validation team, with the Assurance Activity Report providing details on the evaluator's actions.
-The Security Target describes security functionality and assurance measures used to evaluate Windows.
+### Microsoft Windows 10 and Windows Server (November 2019 Update, version 1909)
+Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients.
-- [Microsoft Windows 10 (November 2019 Update)](https://download.microsoft.com/download/b/3/7/b37981cf-040a-4b02-a93c-a3d3a93986bf/Windows%2010%201909%20GP%20OS%20Security%20Target.pdf)
-- [Microsoft Windows 10 (May 2019 Update)](https://download.microsoft.com/download/c/6/9/c6903621-901e-4603-b9cb-fbfe5d6aa691/Windows%2010%201903%20GP%20OS%20Security%20Target.pdf)
-- [Microsoft Windows 10 (October 2018 Update)](https://download.microsoft.com/download/3/f/e/3fe6938d-2c2d-4ef1-85d5-1d42dc68ea89/Windows%2010%20version%201809%20GP%20OS%20Security%20Target.pdf)
-- [Microsoft Windows 10 (April 2018 Update)](https://download.microsoft.com/download/0/7/6/0764E933-DD0B-45A7-9144-1DD9F454DCEF/Windows%2010%201803%20GP%20OS%20Security%20Target.pdf)
-- [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/B/6/A/B6A5EC2C-6351-4FB9-8FF1-643D4BD5BE6E/Windows%2010%201709%20GP%20OS%20Security%20Target.pdf)
-- [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/e/8/b/e8b8c42a-a0b6-4ba1-9bdc-e704e8289697/windows%2010%20version%201703%20gp%20os%20security%20target%20-%20public%20\(january%2016,%202018\)\(final\)\(clean\).pdf)
-- [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/1/c/3/1c3b5ab0-e064-4350-a31f-48312180d9b5/st_vid10823-st.pdf)
-- [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/1/5/e/15eee6d3-f2a8-4441-8cb1-ce8c2ab91c24/windows%2010%20anniversary%20update%20mdf%20security%20target%20-%20public%20\(april%203%202017\).docx)
-- [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/f/8/c/f8c1c2a4-719c-48ae-942f-9fd3ce5b238f/windows%2010%20au%20and%20server%202016%20gp%20os%20security%20target%20-%20public%20\(december%202%202016\)%20\(clean\).docx)
-- [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client](https://download.microsoft.com/download/b/f/5/bf59e430-e57b-462d-8dca-8ac3c93cfcff/windows%2010%20anniversary%20update%20ipsec%20vpn%20client%20security%20target%20-%20public%20\(december%2029%202016\)%20\(clean\).docx)
-- [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/3/7/2/372beb03-b1ed-4bb6-9b9b-b8f43afc570d/st_vid10746-st.pdf)
-- [Microsoft Windows 10 November 2015 Update with Surface Book](https://download.microsoft.com/download/a/c/2/ac2a6ed8-4d2f-4f48-a9bf-f059d6c9af38/windows%2010%20mdf3%20security%20target%20-%20public%20\(june%2022%202016\)\(final\).docx)
-- [Microsoft Windows 10 Mobile with Lumia 950, 950 XL, 550, 635, and Windows 10 with Surface Pro 4](https://www.niap-ccevs.org/st/st_vid10677-st.pdf)
-- [Windows 10 and Windows Server 2012 R2](https://www.commoncriteriaportal.org/files/epfiles/st_windows10.pdf)
-- [Windows 10](https://www.niap-ccevs.org/st/st_vid10677-st.pdf)
-- [Windows 8.1 with Surface 3 and Windows Phone 8.1 with Lumia 635 and Lumia 830](https://www.niap-ccevs.org/st/st_vid10635-st.pdf)
-- [Microsoft Surface Pro 3 and Windows 8.1](https://www.niap-ccevs.org/st/st_vid10632-st.pdf)
-- [Windows 8.1 and Windows Phone 8.1](https://www.niap-ccevs.org/st/st_vid10592-st.pdf)
-- [Windows 8 and Windows Server 2012](https://www.niap-ccevs.org/st/st_vid10520-st.pdf)
-- [Windows 8 and Windows RT](https://www.niap-ccevs.org/st/st_vid10620-st.pdf)
-- [Windows 8 and Windows Server 2012 BitLocker](https://www.commoncriteriaportal.org/files/epfiles/st_vid10540-st.pdf)
-- [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](https://www.commoncriteriaportal.org/files/epfiles/st_vid10529-st.pdf)
-- [Windows 7 and Windows Server 2008 R2](https://www.commoncriteriaportal.org/files/epfiles/st_vid10390-st.pdf)
-- [Microsoft Windows Server 2008 R2 Hyper-V Role](https://www.microsoft.com/download/en/details.aspx?id=29305)
-- [Windows Vista and Windows Server 2008 at EAL4+](https://www.commoncriteriaportal.org/files/epfiles/st_vid10291-st.pdf)
-- [Microsoft Windows Server 2008 Hyper-V Role](https://www.commoncriteriaportal.org/files/epfiles/0570b_pdf.pdf)
-- [Windows Vista and Windows Server 2008 at EAL1](https://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_st_v1.0.pdf)
-- [Windows Server 2003 SP2 including R2, x64, and IA64; Windows XP Professional SP2 and x64 SP2; and Windows XP Embedded SP2](https://www.commoncriteriaportal.org/files/epfiles/st_vid10184-st.pdf)
-- [Windows Server 2003 Certificate Server](https://www.commoncriteriaportal.org/files/epfiles/st_vid9507-st.pdf)
-- [Windows Rights Management Services (RMS) 1.0 SP2](https://www.commoncriteriaportal.org/files/epfiles/st_vid10224-st.pdf)
+- [Security Target](https://download.microsoft.com/download/b/3/7/b37981cf-040a-4b02-a93c-a3d3a93986bf/Windows%2010%201909%20GP%20OS%20Security%20Target.pdf)
+- [Administrative Guide](https://download.microsoft.com/download/7/7/3/77303254-05fb-4009-8a39-bf5fe7484a41/Windows%2010%201909%20GP%20OS%20Administrative%20Guide.pdf)
+- [Certification Report](https://download.microsoft.com/download/9/f/3/9f350b73-1790-4dcb-97f7-a0e65a00b55f/Windows%2010%201909%20GP%20OS%20Certification%20Report.pdf)
+- [Assurance Activity Report](https://download.microsoft.com/download/0/0/d/00d26b48-a051-4e9a-8036-850d825f8ef9/Windows%2010%201909%20GP%20OS%20Assurance%20Activity%20Report.pdf)
-## Common Criteria Deployment and Administration
+### Microsoft Windows 10 and Windows Server (May 2019 Update, version 1903)
+Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients.
-### Information for IT Administrators
+- [Security Target](https://download.microsoft.com/download/c/6/9/c6903621-901e-4603-b9cb-fbfe5d6aa691/Windows%2010%201903%20GP%20OS%20Security%20Target.pdf)
+- [Administrative Guide](https://download.microsoft.com/download/0/b/b/0bb1c6b7-499a-458e-a5f8-e9cf972dfa8d/Windows%2010%201903%20GP%20OS%20Administrative%20Guide.pdf)
+- [Certification Report](https://download.microsoft.com/download/2/1/9/219909ad-2f2a-44cc-8fcb-126f28c74d36/Windows%2010%201903%20GP%20OS%20Certification%20Report.pdf)
+- [Assurance Activity Report](https://download.microsoft.com/download/2/a/1/2a103b68-cd12-4476-8945-873746b5f432/Windows%2010%201903%20GP%20OS%20Assurance%20Activity%20Report.pdf)
-These documents describe how to configure Windows to replicate the configuration used during the Common Criteria evaluation.
+### Microsoft Windows 10 and Windows Server (October 2018 Update, version 1809)
+Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients.
-**Windows 10, Windows 10 Mobile, Windows Server 2016, Windows Server 2012 R2**
+- [Security Target](https://download.microsoft.com/download/3/f/e/3fe6938d-2c2d-4ef1-85d5-1d42dc68ea89/Windows%2010%20version%201809%20GP%20OS%20Security%20Target.pdf)
+- [Administrative Guide](https://download.microsoft.com/download/f/f/1/ff186e32-35cf-47db-98b0-91ff11763d74/Windows%2010%20version%201809%20GP%20OS%20Administrative%20Guide.pdf)
+- [Certification Report](https://download.microsoft.com/download/9/4/0/940ac551-7757-486d-9da1-7aa0300ebac0/Windows%2010%20version%201809%20GP%20OS%20Certification%20Report%20-%202018-61-INF-2795.pdf)
+- [Assurance Activity Report](https://download.microsoft.com/download/a/6/6/a66bfcf1-f6ef-4991-ab06-5b1c01f91983/Windows%2010%201809%20GP%20OS%20Assurance%20Activity%20Report.pdf)
-- [Microsoft Windows 10 (November 2019 Update)](https://download.microsoft.com/download/7/7/3/77303254-05fb-4009-8a39-bf5fe7484a41/Windows%2010%201909%20GP%20OS%20Administrative%20Guide.pdf)
-- [Microsoft Windows 10 (May 2019 Update)](https://download.microsoft.com/download/0/b/b/0bb1c6b7-499a-458e-a5f8-e9cf972dfa8d/Windows%2010%201903%20GP%20OS%20Administrative%20Guide.pdf)
-- [Microsoft Windows 10 (October 2018 Update)](https://download.microsoft.com/download/f/f/1/ff186e32-35cf-47db-98b0-91ff11763d74/Windows%2010%20version%201809%20GP%20OS%20Administrative%20Guide.pdf)
-- [Microsoft Windows 10 (April 2018 Update)](https://download.microsoft.com/download/6/C/1/6C13FBFF-9CB0-455F-A1C8-3E3CB0ACBD7B/Windows%2010%201803%20GP%20OS%20Administrative%20Guide.pdf)
-- [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/5/D/2/5D26F473-0FCE-4AC4-9065-6AEC0FE5B693/Windows%2010%201709%20GP%20OS%20Administrative%20Guide.pdf)
-- [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/e/9/7/e97f0c7f-e741-4657-8f79-2c0a7ca928e3/windows%2010%20cu%20gp%20os%20operational%20guidance%20\(jan%208%202017%20-%20public\).pdf)
-- [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/d/c/4/dc40b5c8-49c2-4587-8a04-ab3b81eb6fc4/st_vid10823-agd.pdf)
-- [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/4/c/1/4c1f4ea4-2d66-4232-a0f5-925b2bc763bc/windows%2010%20au%20operational%20guidance%20\(16%20mar%202017\)\(clean\).docx)
-- [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/b/5/2/b52e9081-05c6-4895-91a3-732bfa0eb4da/windows%2010%20au%20and%20server%202016%20gp%20os%20operational%20guidance%20\(final\).docx)
-- [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client Operational Guidance](https://download.microsoft.com/download/2/c/c/2cc8f929-233e-4a40-b673-57b449680984/windows%2010%20au%20and%20server%202016%20ipsec%20vpn%20client%20operational%20guidance%20\(21%20dec%202016\)%20\(public\).docx)
-- [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/3/3/f/33fa01dd-b380-46e1-833f-fd85854b4022/st_vid10746-agd.pdf)
-- [Microsoft Windows 10 November 2015 Update with Surface Book Administrative Guide](https://download.microsoft.com/download/3/2/c/32c6fa02-b194-478f-a0f6-0215b47d0f40/windows%2010%20mdf3%20mobile%20device%20pp%20operational%20guidance%20\(may%2027,%202016\)\(public\).docx)
-- [Microsoft Windows 10 Mobile and Windows 10 Administrative Guide](https://download.microsoft.com/download/2/d/c/2dce3435-9328-48e2-9813-c2559a8d39fa/microsoft%20windows%2010%20and%20windows%2010%20mobile%20guidance.pdf)
-- [Windows 10 and Windows Server 2012 R2 Administrative Guide](https://download.microsoft.com/download/0/f/d/0fd33c9a-98ac-499e-882f-274f80f3d4f0/microsoft%20windows%2010%20and%20server%202012%20r2%20gp%20os%20guidance.pdf)
-- [Windows 10 Common Criteria Operational Guidance](https://download.microsoft.com/download/d/6/f/d6fb4cec-f0f2-4d00-ab2e-63bde3713f44/windows%2010%20mobile%20device%20operational%20guidance.pdf)
+### Microsoft Windows 10 and Windows Server (April 2018 Update, version 1803)
+Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients.
-**Windows 8.1 and Windows Phone 8.1**
+- [Security Target](https://download.microsoft.com/download/0/7/6/0764E933-DD0B-45A7-9144-1DD9F454DCEF/Windows%2010%201803%20GP%20OS%20Security%20Target.pdf)
+- [Administrative Guide](https://download.microsoft.com/download/6/C/1/6C13FBFF-9CB0-455F-A1C8-3E3CB0ACBD7B/Windows%2010%201803%20GP%20OS%20Administrative%20Guide.pdf)
+- [Certification Report](https://download.microsoft.com/download/6/7/1/67167BF2-885D-4646-A61E-96A0024B52BB/Windows%2010%201803%20GP%20OS%20Certification%20Report.pdf)
+- [Assurance Activity Report](https://download.microsoft.com/download/b/3/d/b3da41b6-6ebc-4a26-a581-2d2ad8d8d1ac/Windows%2010%201803%20GP%20OS%20Assurance%20Activity%20Report.pdf)
-- [Microsoft Surface Pro 3 Common Criteria Mobile Operational Guidance](https://download.microsoft.com/download/b/e/3/be365594-daa5-4af3-a6b5-9533d61eae32/surface%20pro%203%20mobile%20operational%20guidance.docx)
-- [Windows 8.1 and Windows Phone 8.1 CC Supplemental Admin Guide](https://download.microsoft.com/download/b/0/e/b0e30225-5017-4241-ac0a-6c40bc8e6714/mobile%20operational%20guidance.docx)
+### Microsoft Windows 10 and Windows Server (Fall Creators Update, version 1709)
+Certified against the Protection Profile for General Purpose Operating Systems.
-**Windows 8, Windows RT, and Windows Server 2012**
+- [Security Target](https://download.microsoft.com/download/B/6/A/B6A5EC2C-6351-4FB9-8FF1-643D4BD5BE6E/Windows%2010%201709%20GP%20OS%20Security%20Target.pdf)
+- [Administrative Guide](https://download.microsoft.com/download/5/D/2/5D26F473-0FCE-4AC4-9065-6AEC0FE5B693/Windows%2010%201709%20GP%20OS%20Administrative%20Guide.pdf)
+- [Certification Report](https://download.microsoft.com/download/2/C/2/2C20D013-0610-4047-B2FA-516819DFAE0A/Windows%2010%201709%20GP%20OS%20Certification%20Report.pdf)
+- [Assurance Activity Report](https://download.microsoft.com/download/e/7/6/e7644e3c-1e59-4754-b071-aec491c71849/Windows%2010%201709%20GP%20OS%20Assurance%20Activity%20Report.pdf)
-- [Windows 8 and Windows Server 2012](https://download.microsoft.com/download/6/0/b/60b27ded-705a-4751-8e9f-642e635c3cf3/microsoft%20windows%208%20windows%20server%202012%20common%20criteria%20supplemental%20admin%20guidance.docx)
-- [Windows 8 and Windows RT](https://download.microsoft.com/download/8/6/e/86e8c001-8556-4949-90cf-f5beac918026/microsoft%20windows%208%20microsoft%20windows%20rt%20common%20criteria%20supplemental%20admin.docx)
-- [Windows 8 and Windows Server 2012 BitLocker](https://download.microsoft.com/download/0/8/4/08468080-540b-4326-91bf-f2a33b7e1764/administrative%20guidance%20for%20software%20full%20disk%20encryption%20clients.pdf)
-- [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](https://download.microsoft.com/download/a/9/f/a9fd7e2d-023b-4925-a62f-58a7f1a6bd47/microsoft%20windows%208%20windows%20server%202012%20supplemental%20admin%20guidance%20ipsec%20vpn%20client.docx)
+### Microsoft Windows 10 (Creators Update, version 1703)
+Certified against the Protection Profile for General Purpose Operating Systems.
-**Windows 7 and Windows Server 2008 R2**
+- [Security Target](https://download.microsoft.com/download/e/8/b/e8b8c42a-a0b6-4ba1-9bdc-e704e8289697/windows%2010%20version%201703%20gp%20os%20security%20target%20-%20public%20\(january%2016,%202018\)\(final\)\(clean\).pdf)
+- [Administrative Guide](https://download.microsoft.com/download/e/9/7/e97f0c7f-e741-4657-8f79-2c0a7ca928e3/windows%2010%20cu%20gp%20os%20operational%20guidance%20\(jan%208%202017%20-%20public\).pdf)
+- [Certification Report](https://download.microsoft.com/download/3/2/c/32cdf627-dd23-4266-90ff-2f9685fd15c0/2017-49%20inf-2218%20cr.pdf)
+- [Assurance Activity Report](https://download.microsoft.com/download/a/e/9/ae9a2235-e1cd-4869-964d-c8260f604367/Windows%2010%201703%20GP%20OS%20Assurance%20Activity%20Report.pdf)
-- [Windows 7 and Windows Server 2008 R2 Supplemental CC Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=ee05b6d0-9939-4765-9217-63083bb94a00)
-- [Windows Server 2008 R2 Hyper-V Common Criteria Configuration Guide](https://www.microsoft.com/download/en/details.aspx?id=29308)
+### Microsoft Windows 10 (Anniversary Update, version 1607) and Windows Server 2016
+Certified against the Protection Profile for General Purpose Operating Systems.
-**Windows Vista and Windows Server 2008**
+- [Security Target](https://download.microsoft.com/download/f/8/c/f8c1c2a4-719c-48ae-942f-9fd3ce5b238f/windows%2010%20au%20and%20server%202016%20gp%20os%20security%20target%20-%20public%20\(december%202%202016\)%20\(clean\).docx)
+- [Administrative Guide](https://download.microsoft.com/download/b/5/2/b52e9081-05c6-4895-91a3-732bfa0eb4da/windows%2010%20au%20and%20server%202016%20gp%20os%20operational%20guidance%20\(final\).docx)
+- [Validation Report](https://download.microsoft.com/download/5/4/8/548cc06e-c671-4502-bebf-20d38e49b731/2016-36-inf-1779.pdf)
+- [Assurance Activity Report](https://download.microsoft.com/download/a/5/f/a5f08a43-75f9-4433-bd77-aeb14276e587/Windows%2010%201607%20GP%20OS%20Assurance%20Activity%20Report.pdf)
-- [Windows Vista and Windows Server 2008 Supplemental CC Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567)
-- [Windows Server 2008 Hyper-V Role Common Criteria Administrator Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=cb19538d-9e13-4ab6-af38-8f48abfdad08)
+### Microsoft Windows 10 (version 1507) and Windows Server 2012 R2
+Certified against the Protection Profile for General Purpose Operating Systems.
-**Windows Server 2003 SP2 including R2, x64, and Itanium**
+- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_windows10.pdf)
+- [Administrative Guide](https://download.microsoft.com/download/0/f/d/0fd33c9a-98ac-499e-882f-274f80f3d4f0/microsoft%20windows%2010%20and%20server%202012%20r2%20gp%20os%20guidance.pdf)
+- [Certification Report](https://www.commoncriteriaportal.org/files/epfiles/cr_windows10.pdf)
+- [Assurance Activity Report](https://download.microsoft.com/download/7/e/5/7e5575c9-10f9-4f3d-9871-bd7cf7422e3b/Windows%2010%20(1507),%20Windows%20Server%202012%20R2%20GPOS%20Assurance%20Activity%20Report.pdf)
-- [Windows Server 2003 SP2 R2 Common Criteria Administrator Guide 3.0](https://www.microsoft.com/downloads/details.aspx?familyid=39598841-e693-4891-9234-cfd1550f3949)
-- [Windows Server 2003 SP2 R2 Common Criteria Configuration Guide 3.0](https://www.microsoft.com/downloads/details.aspx?familyid=4f7b6a93-0307-480f-a5af-a20268cbd7cc)
+## Archived Certified Products
-**Windows Server 2003 SP1(x86), x64, and IA64**
+The product releases below were certified against the cited Protection Profile and are now archived, as listed on the [Common Criteria Portal](https://www.commoncriteriaportal.org/products/index.cfm?archived=1). The Security Target describes the product edition(s) in scope, the security functionality in the product, and the assurance measures from the Protection Profile used as part of the evaluation. The Administrative Guide provides guidance on configuring the product to match the evaluated configuration. The Validation Report documents the results of the evaluation by the validation team, with the Assurance Activity Report, where available, providing details on the evaluator's actions.
+### Microsoft Windows Server 2016, Windows Server 2012 R2, and Windows 10
+Certified against the Protection Profile for Server Virtualization.
+
+- [Security Target](https://download.microsoft.com/download/1/c/3/1c3b5ab0-e064-4350-a31f-48312180d9b5/st_vid10823-st.pdf)
+- [Administrative Guide](https://download.microsoft.com/download/d/c/4/dc40b5c8-49c2-4587-8a04-ab3b81eb6fc4/st_vid10823-agd.pdf)
+- [Validation Report](https://download.microsoft.com/download/a/3/3/a336f881-4ac9-4c79-8202-95289f86bb7a/st_vid10823-vr.pdf)
+- [Assurance Activity Report](https://download.microsoft.com/download/3/f/c/3fcc76e1-d471-4b44-9a19-29e69b6ab899/Windows%2010%20Hyper-V,%20Server%202016,%20Server%202012%20R2%20Virtualization%20Assurance%20Activity%20Report.pdf)
+
+### Microsoft Windows 10 and Windows 10 Mobile (Anniversary Update, version 1607)
+Certified against the Protection Profile for Mobile Device Fundamentals.
+
+- [Security Target](https://download.microsoft.com/download/1/5/e/15eee6d3-f2a8-4441-8cb1-ce8c2ab91c24/windows%2010%20anniversary%20update%20mdf%20security%20target%20-%20public%20\(april%203%202017\).docx)
+- [Administrative Guide](https://download.microsoft.com/download/4/c/1/4c1f4ea4-2d66-4232-a0f5-925b2bc763bc/windows%2010%20au%20operational%20guidance%20\(16%20mar%202017\)\(clean\).docx)
+- [Validation Report](https://download.microsoft.com/download/f/2/f/f2f7176e-34f4-4ab0-993c-6606d207bb3c/st_vid10752-vr.pdf)
+- [Assurance Activity Report](https://download.microsoft.com/download/9/3/9/939b44a8-5755-4d4c-b020-d5e8b89690ab/Windows%2010%20and%20Windows%2010%20Mobile%201607%20MDF%20Assurance%20Activity%20Report.pdf)
+
+### Microsoft Windows 10 (Anniversary Update, version 1607) and Windows Server 2016
+Certified against the Protection Profile for IPsec Virtual Private Network (VPN) Clients.
+
+- [Security Target](https://download.microsoft.com/download/b/f/5/bf59e430-e57b-462d-8dca-8ac3c93cfcff/windows%2010%20anniversary%20update%20ipsec%20vpn%20client%20security%20target%20-%20public%20\(december%2029%202016\)%20\(clean\).docx)
+- [Administrative Guide](https://download.microsoft.com/download/2/c/c/2cc8f929-233e-4a40-b673-57b449680984/windows%2010%20au%20and%20server%202016%20ipsec%20vpn%20client%20operational%20guidance%20\(21%20dec%202016\)%20\(public\).docx)
+- [Validation Report](https://download.microsoft.com/download/2/0/a/20a8e686-3cd9-43c4-a22a-54b552a9788a/st_vid10753-vr.pdf)
+- [Assurance Activity Report](https://download.microsoft.com/download/b/8/d/b8ddc36a-408a-4d64-a31c-d41c9c1e9d9e/Windows%2010%201607,%20Windows%20Server%202016%20IPsec%20VPN%20Client%20Assurance%20Activity%20Report.pdf)
+
+### Microsoft Windows 10 (November 2015 Update, version 1511)
+Certified against the Protection Profile for Mobile Device Fundamentals.
+
+- [Security Target](https://download.microsoft.com/download/a/c/2/ac2a6ed8-4d2f-4f48-a9bf-f059d6c9af38/windows%2010%20mdf3%20security%20target%20-%20public%20\(june%2022%202016\)\(final\).docx)
+- [Administrative Guide](https://download.microsoft.com/download/3/2/c/32c6fa02-b194-478f-a0f6-0215b47d0f40/windows%2010%20mdf3%20mobile%20device%20pp%20operational%20guidance%20\(may%2027,%202016\)\(public\).docx)
+- [Validation Report](https://download.microsoft.com/download/d/c/b/dcb7097d-1b9f-4786-bb07-3c169fefb579/st_vid10715-vr.pdf)
+- [Assurance Activity Report](https://download.microsoft.com/download/1/f/1/1f12ed80-6d73-4a16-806f-d5116814bd7c/Windows%2010%20November%202015%20Update%20(1511)%20MDF%20Assurance%20Activity%20Report.pdf)
+
+### Microsoft Windows 10 and Windows 10 Mobile (version 1507)
+Certified against the Protection Profile for Mobile Device Fundamentals.
+
+- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10677-st.pdf)
+- [Administrative Guide](https://download.microsoft.com/download/2/d/c/2dce3435-9328-48e2-9813-c2559a8d39fa/microsoft%20windows%2010%20and%20windows%2010%20mobile%20guidance.pdf)
+- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10694-vr.pdf)
+- [Assurance Activity Report](https://download.microsoft.com/download/a/1/3/a1365491-0a53-42cd-bd73-ca4067c43d86/Windows%2010,%20Windows%2010%20Mobile%20(1507)%20MDF%20Assurance%20Activity%20Report.pdf)
+
+### Microsoft Windows 10 (version 1507)
+Certified against the Protection Profile for IPsec Virtual Private Network (VPN) Clients.
+
+- [Security Target](https://download.microsoft.com/download/3/7/2/372beb03-b1ed-4bb6-9b9b-b8f43afc570d/st_vid10746-st.pdf)
+- [Administrative Guide](https://download.microsoft.com/download/3/3/f/33fa01dd-b380-46e1-833f-fd85854b4022/st_vid10746-agd.pdf)
+- [Validation Report](https://download.microsoft.com/download/9/b/6/9b633763-6078-48aa-b9ba-960da2172a11/st_vid10746-vr.pdf)
+- [Assurance Activity Report](https://download.microsoft.com/download/9/3/6/93630ffb-5c06-4fea-af36-164da3e359c9/Windows%2010%20IPsec%20VPN%20Client%20Assurance%20Activity%20Report.pdf)
+
+### Windows 8.1 with Surface 3 and Windows Phone 8.1 with Lumia 635 and Lumia 830
+Certified against the Protection Profile for Mobile Device Fundamentals.
+
+- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10635-st.pdf)
+- [Administrative Guide](https://download.microsoft.com/download/b/e/3/be365594-daa5-4af3-a6b5-9533d61eae32/surface%20pro%203%20mobile%20operational%20guidance.docx)
+- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10635-vr.pdf)
+
+### Microsoft Surface Pro 3 and Windows 8.1
+Certified against the Protection Profile for Mobile Device Fundamentals.
+
+- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10632-st.pdf)
+- [Administrative Guide](https://download.microsoft.com/download/b/e/3/be365594-daa5-4af3-a6b5-9533d61eae32/surface%20pro%203%20mobile%20operational%20guidance.docx)
+- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10632-vr.pdf)
+
+### Windows 8.1 and Windows Phone 8.1
+Certified against the Protection Profile for Mobile Device Fundamentals.
+
+- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10592-st.pdf)
+- [Administrative Guide](https://download.microsoft.com/download/b/0/e/b0e30225-5017-4241-ac0a-6c40bc8e6714/mobile%20operational%20guidance.docx)
+- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10592-vr.pdf)
+
+### Windows 8 and Windows Server 2012
+Certified against the Protection Profile for General Purpose Operating Systems.
+
+- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10520-st.pdf)
+- [Administrative Guide](https://download.microsoft.com/download/6/0/b/60b27ded-705a-4751-8e9f-642e635c3cf3/microsoft%20windows%208%20windows%20server%202012%20common%20criteria%20supplemental%20admin%20guidance.docx)
+- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10520-vr.pdf)
+
+### Windows 8 and Windows RT
+Certified against the Protection Profile for General Purpose Operating Systems.
+
+- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10620-st.pdf)
+- [Administrative Guide](https://download.microsoft.com/download/8/6/e/86e8c001-8556-4949-90cf-f5beac918026/microsoft%20windows%208%20microsoft%20windows%20rt%20common%20criteria%20supplemental%20admin.docx)
+- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10620-vr.pdf)
+
+### Windows 8 and Windows Server 2012 BitLocker
+Certified against the Protection Profile for Full Disk Encryption.
+
+- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10540-st.pdf)
+- [Administrative Guide](https://download.microsoft.com/download/0/8/4/08468080-540b-4326-91bf-f2a33b7e1764/administrative%20guidance%20for%20software%20full%20disk%20encryption%20clients.pdf)
+- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10540-vr.pdf)
+
+### Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client
+Certified against the Protection Profile for IPsec Virtual Private Network (VPN) Clients.
+
+- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10529-st.pdf)
+- [Administrative Guide](https://download.microsoft.com/download/a/9/f/a9fd7e2d-023b-4925-a62f-58a7f1a6bd47/microsoft%20windows%208%20windows%20server%202012%20supplemental%20admin%20guidance%20ipsec%20vpn%20client.docx)
+- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10529-vr.pdf)
+
+### Windows 7 and Windows Server 2008 R2
+Certified against the Protection Profile for General Purpose Operating Systems.
+
+- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10390-st.pdf)
+- [Administrative Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=ee05b6d0-9939-4765-9217-63083bb94a00)
+- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10390-vr.pdf)
+
+### Microsoft Windows Server 2008 R2 Hyper-V Role
+
+- [Security Target](https://www.microsoft.com/download/en/details.aspx?id=29305)
+- [Administrative Guide](https://www.microsoft.com/download/en/details.aspx?id=29308)
+- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/0570a_pdf.pdf)
+
+### Windows Vista and Windows Server 2008 at EAL4+
+
+- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10291-st.pdf)
+- [Administrative Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567)
+- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10291-vr.pdf)
+
+### Windows Vista and Windows Server 2008 at EAL1
+
+- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_st_v1.0.pdf)
+- [Administrative Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567)
+- [Certification Report](https://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_cr_v1.0.pdf)
+
+### Microsoft Windows Server 2008 Hyper-V Role
+
+- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/0570b_pdf.pdf)
+- [Administrative Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=cb19538d-9e13-4ab6-af38-8f48abfdad08)
+- [Certification Report](http://www.commoncriteriaportal.org:80/files/epfiles/0570a_pdf.pdf)
+
+### Windows XP and Windows Server 2003
+
+- [Security Target - Windows Server 2003 SP2 including R2, x64, and IA64; Windows XP Professional SP2 and x64 SP2; and Windows XP Embedded SP2](https://www.commoncriteriaportal.org/files/epfiles/st_vid10184-st.pdf)
+- [Identifying Windows XP and Windows Server 2003 Common Criteria Certified Requirements for the NIST Special Publication 800-53](https://download.microsoft.com/download/a/9/6/a96d1dfc-2bd4-408d-8d93-e0ede7529691/xpws03_ccto800-53.doc)
+- [Windows Server 2003 SP2 R2 Administrator Guide 3.0](https://www.microsoft.com/downloads/details.aspx?familyid=39598841-e693-4891-9234-cfd1550f3949)
+- [Windows Server 2003 SP2 R2 Configuration Guide 3.0](https://www.microsoft.com/downloads/details.aspx?familyid=4f7b6a93-0307-480f-a5af-a20268cbd7cc)
+- [Windows Server 2003 SP1 Administrator's Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=75736009-59e9-4a71-879e-cf581817b8cc)
+- [Windows Server 2003 SP1 Configuration Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=a0ad1856-beb7-4285-b47c-381e8a210c38)
- [Windows Server 2003 with x64 Hardware Administrator's Guide](https://www.microsoft.com/downloads/details.aspx?familyid=8a26829f-c177-4b79-913a-4135fb7b96ef)
- [Windows Server 2003 with x64 Hardware Configuration Guide](https://www.microsoft.com/downloads/details.aspx?familyid=3f9ecd0a-74dd-4d23-a4e5-d7b63fed70e8)
-
-**Windows Server 2003 SP1**
-
-- [Windows Server 2003 Administrator's Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=75736009-59e9-4a71-879e-cf581817b8cc)
-- [Windows Server 2003 Configuration Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=a0ad1856-beb7-4285-b47c-381e8a210c38)
-
-**Windows XP Professional SP2 (x86) and x64 Edition**
-
-- [Windows XP Common Criteria Administrator Guide 3.0](https://www.microsoft.com/downloads/details.aspx?familyid=9a7f0b16-72ce-4675-aec8-58785c4e37ee)
-- [Windows XP Common Criteria Configuration Guide 3.0](https://www.microsoft.com/downloads/details.aspx?familyid=165da57d-f066-4ddf-9462-cbecfcd68694)
-- [Windows XP Common Criteria User Guide 3.0](https://www.microsoft.com/downloads/details.aspx?familyid=7c1a4761-9b9e-429c-84eb-cd7b034c5779)
+- [Windows XP Administrator Guide 3.0](https://www.microsoft.com/downloads/details.aspx?familyid=9a7f0b16-72ce-4675-aec8-58785c4e37ee)
+- [Windows XP Configuration Guide 3.0](https://www.microsoft.com/downloads/details.aspx?familyid=165da57d-f066-4ddf-9462-cbecfcd68694)
+- [Windows XP User Guide 3.0](https://www.microsoft.com/downloads/details.aspx?familyid=7c1a4761-9b9e-429c-84eb-cd7b034c5779)
- [Windows XP Professional with x64 Hardware Administrator's Guide](https://www.microsoft.com/downloads/details.aspx?familyid=346f041e-d641-4af7-bdea-c5a3246d0431)
- [Windows XP Professional with x64 Hardware Configuration Guide](https://www.microsoft.com/downloads/details.aspx?familyid=a7075319-cc3d-4420-a00b-8c9a7068ad54)
- [Windows XP Professional with x64 Hardware User’s Guide](https://www.microsoft.com/downloads/details.aspx?familyid=26c49cf5-6159-4197-97ce-bf1fdfc54569)
-
-**Windows XP Professional SP2, and XP Embedded SP2**
-
- [Windows XP Professional Administrator's Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=9bcac470-a0b3-4d34-a561-fa8308c0ff60)
- [Windows XP Professional Configuration Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=9f04915e-571a-422d-8ffa-5797051e81de)
- [Windows XP Professional User's Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=d39d0028-7093-495c-80da-2b5b29a54bd8)
-
-**Windows Server 2003 Certificate Server**
-
-- [Windows Server 2003 Certificate Server Administrator's Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=445093d8-45e2-4cf6-884c-8802c1e6cb2d)
-- [Windows Server 2003 Certificate Server Configuration Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=46abc8b5-11be-4e3d-85c2-63226c3688d2)
-- [Windows Server 2003 Certificate Server User's Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=74f66d84-2654-48d0-b9b5-b383d383425e)
-
-## Common Criteria Evaluation Technical Reports and Certification / Validation Reports
-
-### Information for Systems Integrators and Accreditors
-
-An Evaluation Technical Report (ETR) is a report submitted to the Common Criteria certification authority for how Windows complies with the claims made in the Security Target. A Certification / Validation Report provides the results of the evaluation by the validation team.
-
-- [Microsoft Windows 10 (November 2019 Update)](https://download.microsoft.com/download/9/f/3/9f350b73-1790-4dcb-97f7-a0e65a00b55f/Windows%2010%201909%20GP%20OS%20Certification%20Report.pdf)
-- [Microsoft Windows 10 (May 2019 Update)](https://download.microsoft.com/download/2/1/9/219909ad-2f2a-44cc-8fcb-126f28c74d36/Windows%2010%201903%20GP%20OS%20Certification%20Report.pdf)
-- [Microsoft Windows 10 (October 2018 Update)](https://download.microsoft.com/download/9/4/0/940ac551-7757-486d-9da1-7aa0300ebac0/Windows%2010%20version%201809%20GP%20OS%20Certification%20Report%20-%202018-61-INF-2795.pdf)
-- [Microsoft Windows 10 (April 2018 Update)](https://download.microsoft.com/download/6/7/1/67167BF2-885D-4646-A61E-96A0024B52BB/Windows%2010%201803%20GP%20OS%20Certification%20Report.pdf)
-- [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/2/C/2/2C20D013-0610-4047-B2FA-516819DFAE0A/Windows%2010%201709%20GP%20OS%20Certification%20Report.pdf)
-- [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/3/2/c/32cdf627-dd23-4266-90ff-2f9685fd15c0/2017-49%20inf-2218%20cr.pdf)
-- [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/a/3/3/a336f881-4ac9-4c79-8202-95289f86bb7a/st_vid10823-vr.pdf)
-- [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/f/2/f/f2f7176e-34f4-4ab0-993c-6606d207bb3c/st_vid10752-vr.pdf)
-- [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/5/4/8/548cc06e-c671-4502-bebf-20d38e49b731/2016-36-inf-1779.pdf)
-- [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client](https://download.microsoft.com/download/2/0/a/20a8e686-3cd9-43c4-a22a-54b552a9788a/st_vid10753-vr.pdf)
-- [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/9/b/6/9b633763-6078-48aa-b9ba-960da2172a11/st_vid10746-vr.pdf)
-- [Microsoft Windows 10 November 2015 Update with Surface Book](https://download.microsoft.com/download/d/c/b/dcb7097d-1b9f-4786-bb07-3c169fefb579/st_vid10715-vr.pdf)
-- [Microsoft Windows 10 Mobile with Lumia 950, 950 XL, 550, 635, and Windows 10 with Surface Pro 4](https://www.niap-ccevs.org/st/st_vid10694-vr.pdf)
-- [Windows 10 and Windows Server 2012 R2](https://www.commoncriteriaportal.org/files/epfiles/cr_windows10.pdf)
-- [Windows 10](https://www.niap-ccevs.org/st/st_vid10677-vr.pdf)
-- [Windows 8.1 with Surface 3 and Windows Phone 8.1 with Lumia 635 and Lumia 830](https://www.niap-ccevs.org/st/st_vid10635-vr.pdf)
-- [Microsoft Surface Pro 3 and Windows 8.1](https://www.niap-ccevs.org/st/st_vid10632-vr.pdf)
-- [Windows 8.1 and Windows Phone 8.1](https://www.niap-ccevs.org/st/st_vid10592-vr.pdf)
-- [Windows 8 and Windows Server 2012](https://www.niap-ccevs.org/st/st_vid10520-vr.pdf)
-- [Windows 8 and Windows RT](https://www.niap-ccevs.org/st/st_vid10620-vr.pdf)
-- [Windows 8 and Windows Server 2012 BitLocker](https://www.commoncriteriaportal.org/files/epfiles/st_vid10540-vr.pdf)
-- [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](https://www.commoncriteriaportal.org/files/epfiles/st_vid10529-vr.pdf)
-- [Windows 7 and Windows Server 2008 R2 Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10390-vr.pdf)
-- [Windows Vista and Windows Server 2008 Validation Report at EAL4+](https://www.commoncriteriaportal.org/files/epfiles/st_vid10291-vr.pdf)
-- [Windows Server 2008 Hyper-V Role Certification Report](https://www.commoncriteriaportal.org/files/epfiles/0570a_pdf.pdf)
-- [Windows Vista and Windows Server 2008 Certification Report at EAL1](https://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_cr_v1.0.pdf)
- [Windows XP / Windows Server 2003 with x64 Hardware ETR](https://www.microsoft.com/downloads/details.aspx?familyid=6e8d98f9-25b9-4c85-9bd9-24d91ea3c9ef)
- [Windows XP / Windows Server 2003 with x64 Hardware ETR, Part II](https://www.microsoft.com/downloads/details.aspx?familyid=0c35e7d8-9c56-4686-b902-d5ffb9915658)
- [Windows Server 2003 SP2 including R2, Standard, Enterprise, Datacenter, x64, and Itanium Editions Validation Report](https://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf)
@@ -175,10 +243,17 @@ An Evaluation Technical Report (ETR) is a report submitted to the Common Criteri
- [Windows XP Embedded SP2 Validation Report](https://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf)
- [Windows XP and Windows Server 2003 ETR](https://www.microsoft.com/downloads/details.aspx?familyid=63cf2a1e-f578-4bb5-9245-d411f0f64265)
- [Windows XP and Windows Server 2003 Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid9506-vr.pdf)
-- [Windows Server 2003 Certificate Server ETR](https://www.microsoft.com/downloads/details.aspx?familyid=a594e77f-dcbb-4787-9d68-e4689e60a314)
-- [Windows Server 2003 Certificate Server Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid9507-vr.pdf)
-- [Microsoft Windows Rights Management Services (RMS) 1.0 SP2 Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10224-vr.pdf)
-## Other Common Criteria Related Documents
+### Windows Server 2003 Certificate Server
-- [Identifying Windows XP and Windows Server 2003 Common Criteria Certified Requirements for the NIST Special Publication 800-53](https://download.microsoft.com/download/a/9/6/a96d1dfc-2bd4-408d-8d93-e0ede7529691/xpws03_ccto800-53.doc)
+- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid9507-st.pdf)
+- [Administrator's Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=445093d8-45e2-4cf6-884c-8802c1e6cb2d)
+- [Configuration Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=46abc8b5-11be-4e3d-85c2-63226c3688d2)
+- [User's Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=74f66d84-2654-48d0-b9b5-b383d383425e)
+- [Evaluation Technical Report](https://www.microsoft.com/downloads/details.aspx?familyid=a594e77f-dcbb-4787-9d68-e4689e60a314)
+- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid9507-vr.pdf)
+
+### Windows Rights Management Services
+
+- [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10224-st.pdf)
+- [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10224-vr.pdf)