Merge pull request #4950 from MicrosoftDocs/repo_sync_working_branch

Confirm merge from repo_sync_working_branch to master to sync with https://github.com/MicrosoftDocs/windows-itpro-docs (branch public)

windows/client-management/mdm/euiccs-csp.md

@@ -25,6 +25,10 @@ eUICCs
 --------IsActive
 --------PPR1Allowed
 --------PPR1AlreadySet
+--------DownloadServers
+------------ServerName
+----------------DiscoveryState
+----------------AutoEnable
 --------Profiles
 ------------ICCID
 ----------------ServerName

windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md

@@ -81,7 +81,13 @@ Sign-in a certificate authority or management workstations with _Enterprise Admi
 The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list.  However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities.
 
 > [!NOTE]
-> The domain controller's certificate must chain to a root in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a third-party CA, this may not be done by default. If the domain controller certificate does not chain to a root in the NTAuth store, user authentication will fail.
+> The certificate for the CA issuing the domain controller certificate must be included in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a multi-tier CA hierarchy or a third-party CA, this may not be done by default. If the Domain Controller certificate does not directly chain to a CA certificate in the NTAuth store, user authentication will fail.
+
+The following PowerShell command can be used to check all certificates in the NTAuth store:
+
+```powershell
+Certutil -viewstore -enterprise NTAuth
+```
 
 ### Publish Certificate Templates to a Certificate Authority
 

windows/security/threat-protection/auditing/audit-file-system.md

@@ -21,6 +21,8 @@ ms.technology: mde
 -   Windows 10
 -   Windows Server 2016
 
+> [!NOTE]
+> For more details about applicability on older operating system versions, read the article [Audit File System](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319068(v=ws.11)).
 
 Audit File System determines whether the operating system generates audit events when users attempt to access file system objects.
 
@@ -61,4 +63,3 @@ Only one event, “[4658](event-4658.md): The handle to an object was closed,”
 -   [5051](event-5051.md)(-): A file was virtualized.
 
 -   [4670](event-4670.md)(S): Permissions on an object were changed.
-

windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md

@@ -514,8 +514,7 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
     - Identifier Type: Bundle ID
     - Code Requirement: `identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9`
 
-
-    ![Image of configuration setting privacy preference policy control details](images/22cb439de958101c0a12f3038f905b27.png)
+    ![Image of configuration setting](images/22cb439de958101c0a12f3038f905b27.png)
 
 6. Select **+ Add**.
 

windows/security/threat-protection/microsoft-defender-atp/network-protection.md

@@ -31,6 +31,11 @@ ms.date: 03/08/2021
 Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that might host phishing scams, exploits, and other malicious content on the Internet. Network protection expands the scope of [Microsoft Defender SmartScreen](../microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname).
 
 Network protection is supported on Windows, beginning with Windows 10, version 1709. 
+Network Protection is not yet supported on other operating systems. To learn which Web Protection functionality is supported using the Edge (Chromium) browser, see [Web protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview)  to find out which Web Protection functionality is supported using the Edge (Chromium) browser.
+
+Network Protection extends the protection in [Web protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview) to an OS level – and would thus provide Web protection functionality in Edge to other supported browsers as well as non-browser applications.
+In addition, Network Protection provides visibility and blocking of Indicators of Compromise (IOCs) when used with [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) including the enforcement of your [custom indicator list](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators).
+
 
 For more information about how to enable network protection, see [Enable network protection](enable-network-protection.md). Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network.
 
@@ -88,6 +93,23 @@ This procedure creates a custom view that filters to only show the following eve
 | 1125 | Event when network protection fires in audit mode |
 | 1126 | Event when network protection fires in block mode |
 
+
+## Considerations for Windows virtual desktop running Windows 10 Enterprise Multi-Session
+Due to the multi-user nature of this operating system, please observe the following:
+ 
+1.	Network Protection is a machine-wide feature and cannot be targeted to specific user (sessions).
+2.	This applies to Web content filtering policies as well.
+3.	If differentiation between user groups is required, consider creating separate Windows Virtual Desktop host pools and assignments.
+4.	Test Network Protection in audit mode to test behavior before blocking. 
+5.	Due to the multi-user nature, you may consider resizing your deployment accordingly.
+ 
+Alternative option:
+For Windows 10 Enterprise Multi-Session 1909 and up, used in Windows Virtual Desktop on Azure, Network protection for Microsoft Edge can be enabled using the following method:
+ 
+1.	Use Turn on network protection - Windows security | Microsoft Docs and follow the instructions to apply your policy
+2.	Execute the following PowerShell command: Set-MpPreference -AllowNetworkProtectionOnWinServer 1
+
+
 ## Related articles
 
 - [Evaluate network protection](evaluate-network-protection.md) | Undertake a quick scenario that demonstrates how the feature works, and what events would typically be created.

windows/security/threat-protection/security-compliance-toolkit-10.md

@@ -31,7 +31,6 @@ The Security Compliance Toolkit consists of:
     - Windows 10 Version 20H2 (October 2020 Update)
     - Windows 10 Version 2004 (May 2020 Update)
     - Windows 10 Version 1909 (November 2019 Update)
-    - Windows 10 Version 1903 (May 2019 Update)
     - Windows 10 Version 1809 (October 2018 Update)
     - Windows 10 Version 1803 (April 2018 Update)
     - Windows 10 Version 1607 (Anniversary Update)

windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md

@@ -10,11 +10,10 @@ ms.pagetype: security
 ms.localizationpriority: medium
 audience: ITPro
 ms.collection: M365-security-compliance
-author: jsuther1974
+author: dansimp
 ms.reviewer: isbrahm
 ms.author: dansimp
 manager: dansimp
-ms.date: 05/21/2019
 ms.technology: mde
 ---
 
@@ -92,4 +91,65 @@ Example 3: Allows a specific COM object to register in PowerShell
   </Value>
 </Setting>
 ```
+### How to configure settings for the CLSIDs
 
+Given the following example of an error in the Event Viewer (**Application and Service Logs** > **Microsoft** > **Windows** > **AppLocker** > **MSI and Script**):
+
+Log Name:      Microsoft-Windows-AppLocker/MSI and Script
+Source:        Microsoft-Windows-AppLocker
+Date:          11/11/2020 1:18:11 PM
+Event ID:      8036
+Task Category: None
+Level:         Error
+Keywords:
+User:          S-1-5-21-3340858017-3068726007-3466559902-3647
+Computer:      contoso.com
+Description:
+{f8d253d9-89a4-4daa-87b6-1168369f0b21} was prevented from running due to Config CI policy.
+
+Event XML:
+
+```XML
+<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+  <System>
+    <Provider Name="Microsoft-Windows-AppLocker" Guid="{cbda4dbf-8d5d-4f69-9578-be14aa540d22}" />
+    <EventID>8036</EventID>
+    <Version>0</Version>
+    <Level>2</Level>
+    <Task>0</Task>
+    <Opcode>0</Opcode>
+    <Keywords>0x4000000000000000</Keywords>
+    <TimeCreated SystemTime="2020-11-11T19:18:11.4029179Z" />
+    <EventRecordID>819347</EventRecordID>
+    <Correlation ActivityID="{61e3e871-adb0-0047-c9cc-e761b0add601}" />
+    <Execution ProcessID="21060" ThreadID="23324" />
+    <Channel>Microsoft-Windows-AppLocker/MSI and Script</Channel>
+    <Computer>contoso.com</Computer>
+    <Security UserID="S-1-5-21-3340858017-3068726007-3466559902-3647" />
+  </System>
+  <EventData>
+    <Data Name="IsApproved">false</Data>
+    <Data Name="CLSID">{f8d253d9-89a4-4daa-87b6-1168369f0b21}</Data>
+  </EventData>
+</Event>
+```
+
+To add this CLSID to the existing policy, use the following steps:
+
+1. Open PowerShell ISE with Administrative privileges.
+2. Copy and edit this command, then run it from the admin PowerShell ISE. Consider the policy name to be `WDAC_policy.xml`.
+
+```PowerShell
+PS C:\WINDOWS\system32> Set-CIPolicySetting -FilePath <path to policy xml>\WDAC_policy.xml -Key 8856f961-340a-11d0-a96b-00c04fd705a2 -Provider WSH -Value True -ValueName EnterpriseDefinedClsId -ValueType Boolean
+```
+
+Once the command has been run, you will find that the following section is added to the policy XML.
+
+```XML
+  <Settings>
+    <Setting Provider="WSH" Key="8856f961-340a-11d0-a96b-00c04fd705a2" ValueName="EnterpriseDefinedClsId">
+      <Value>
+        <Boolean>true</Boolean>
+      </Value>
+    </Setting>
+```

windows/whats-new/whats-new-windows-10-version-2004.md

@@ -33,7 +33,7 @@ To download and install Windows 10, version 2004, use Windows Update (**Settings
 
 - You can now enable passwordless sign-in for Microsoft accounts on your Windows 10 device by going to **Settings > Accounts > Sign-in options**, and selecting **On** under **Make your device passwordless**. Enabling passwordless sign in will switch all Microsoft accounts on your Windows 10 device to modern authentication with Windows Hello Face, Fingerprint, or PIN.
 
-- Windows Hello PIN sign-in support is [added to Safe mode](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#windows-hello-pin-in-safe-mode-build-18995).
+- Windows Hello PIN sign-in support is [added to Safe mode](https://docs.microsoft.com/windows-insider/archive/new-in-20H1#windows-hello-pin-in-safe-mode-build-18995).
 
 - Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (MSA). FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894).
 
@@ -108,17 +108,17 @@ Windows PowerShell cmdlets have been improved:
 - **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to assist in troubleshooting.
 
 Additional improvements:
-- Enterprise network [throttling is enhanced](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling.
+- Enterprise network [throttling is enhanced](https://docs.microsoft.com/windows-insider/archive/new-in-20H1#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling.
 - Automatic cloud-based congestion detection is available for PCs with cloud service support.
 
 The following [Delivery Optimization](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization) policies are removed in this release:
 
 - Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth)
-  - Reason: Replaced with separate policies for foreground and background
+  - Reason: Replaced with separate policies for foreground and background.
 - Max Upload Bandwidth (DOMaxUploadBandwidth)
-  - Reason: impacts uploads to internet peers only, which isn't used in Enterprises. 
+  - Reason: Impacts uploads to internet peers only, which isn't used in enterprises.
 - Absolute max throttle (DOMaxDownloadBandwidth)
-  - Reason: separated to foreground and background
+  - Reason: Separated to foreground and background.
 
 ### Windows Update for Business
 
@@ -182,7 +182,7 @@ Also see information about the exciting new Edge browser [here](https://blogs.wi
 
 ## Application settings
 
-This release enables explicit [control over when Windows automatically restarts apps](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#control-over-restarting-apps-at-sign-in-build-18965) that were open when you restart your PC.
+This release enables explicit [Control over restarting apps at sign-in (Build 18965)](https://docs.microsoft.com/windows-insider/archive/new-in-20H1#control-over-restarting-apps-at-sign-in-build-18965) that were open when you restart your PC.
 
 ## Windows Shell
 
@@ -208,7 +208,7 @@ Windows Search is improved in several ways. For more information, see [Superchar
 
 ### Virtual Desktops
 
-You can now [rename your virtual desktops](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#renaming-your-virtual-desktops-build-18975), instead of getting stuck with the system-issued names like Desktop 1. 
+There is a new [Update on Virtual Desktop renaming (Build 18975)](https://docs.microsoft.com/windows-insider/archive/new-in-20H1#update-on-virtual-desktop-renaming-build-18975), where, instead of getting stuck with the system-issued names like Desktop 1, you can now rename your virtual desktops more freely.
 
 ### Bluetooth pairing
 
@@ -216,13 +216,13 @@ Pairing Bluetooth devices with your computer will occur through notifications, s
 
 ### Reset this PC
 
-The 'reset this PC' recovery function now includes a [cloud download](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#new-reset-this-pc-option-cloud-download-build-18970) option.
+The 'reset this PC' recovery function now includes a [cloud download](https://docs.microsoft.com/windows-insider/archive/new-in-20H1#reset-your-pc-from-the-cloud-build-18970) option.
 
 ### Task Manager
 
 The following items are added to Task Manager in this release:
 - GPU Temperature is available on the Performance tab for devices with a dedicated GPU card.
-- Disk type is now [listed for each disk on the Performance tab](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#disk-type-visible-in-task-manager-performance-tab-build-18898).
+- Disk type is now [listed for each disk on the Performance tab](https://docs.microsoft.com/windows-insider/archive/new-in-20H1#disk-type-now-visible-in-task-manager-performance-tab-build-18898).
 
 ## Graphics & display
 
@@ -232,7 +232,7 @@ The following items are added to Task Manager in this release:
 
 ### 2-in-1 PCs
 
-A [new tablet experience](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#new-tablet-experience-for-2-in-1-convertible-pcs-build-18970) for two-in-one convertible PCs is available. The screen will be optimized for touch when you detach your two-in-one's keyboard, but you'll still keep the familiar look of your desktop without interruption. 
+See [Introducing a new tablet experience for 2-in-1 convertible PCs! (Build 18970)](https://docs.microsoft.com/windows-insider/archive/new-in-20H1#introducing-a-new-tablet-experience-for-2-in-1-convertible-pcs-build-18970) for details on a new tablet experience for two-in-one convertible PCs that is now available. The screen will be optimized for touch when you detach your two-in-one's keyboard, but you'll still keep the familiar look of your desktop without interruption.
 
 ### Specialized displays
 
@@ -256,13 +256,13 @@ For information about Desktop Analytics and this release of Windows 10, see [Wha
 
 ## See Also
 
- - [What’s new for IT pros in Windows 10, version 2004](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/what-s-new-for-it-pros-in-windows-10-version-2004/ba-p/1419764): Windows IT Pro blog.<br>
- - [What’s new in the Windows 10 May 2020 Update](https://blogs.windows.com/windowsexperience/2020/05/27/whats-new-in-the-windows-10-may-2020-update/): Windows Insider blog.<br>
- - [What's New in Windows Server](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.<br>
- - [Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.<br>
- - [What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.<br>
- - [Start developing on Windows 10, version 2004 today](https://blogs.windows.com/windowsdeveloper/2020/05/12/start-developing-on-windows-10-version-2004-today/): New and updated features in Windows 10 that are of interest to developers.<br>
- - [What's new for business in Windows 10 Insider Preview Builds](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new): A preview of new features for businesses.<br>
- - [What's new in Windows 10, version 2004 - Windows Insiders](https://docs.microsoft.com/windows-insider/at-home/whats-new-wip-at-home-20h1): This list also includes consumer focused new features.<br>
- - [Features and functionality removed in Windows 10](https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features): Removed features.<br>
- - [Windows 10 features we’re no longer developing](https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.<br>
+- [What’s new for IT pros in Windows 10, version 2004](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/what-s-new-for-it-pros-in-windows-10-version-2004/ba-p/1419764): Windows IT Pro blog.
+- [What’s new in the Windows 10 May 2020 Update](https://blogs.windows.com/windowsexperience/2020/05/27/whats-new-in-the-windows-10-may-2020-update/): Windows Insider blog.
+- [What's New in Windows Server](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.
+- [Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.
+- [What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
+- [Start developing on Windows 10, version 2004 today](https://blogs.windows.com/windowsdeveloper/2020/05/12/start-developing-on-windows-10-version-2004-today/): New and updated features in Windows 10 that are of interest to developers.
+- [What's new for business in Windows 10 Insider Preview Builds](https://docs.microsoft.com/windows-insider/Active-Dev-Branch): A preview of new features for businesses.
+- [What's new in Windows 10, version 2004 - Windows Insiders](https://docs.microsoft.com/windows-insider/at-home/whats-new-wip-at-home-20h1): This list also includes consumer focused new features.
+- [Features and functionality removed in Windows 10](https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features): Removed features.
+- [Windows 10 features we’re no longer developing](https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.