diff --git a/store-for-business/windows-store-for-business-overview.md b/store-for-business/windows-store-for-business-overview.md
index 92902b6347..feca670cd6 100644
--- a/store-for-business/windows-store-for-business-overview.md
+++ b/store-for-business/windows-store-for-business-overview.md
@@ -157,6 +157,193 @@ For more information, see [Manage settings in the Store for Business](manage-set
Microsoft Store for Business and Education is currently available in these markets.
+
+### Support for free and paid apps
Support for free and paid apps
@@ -294,6 +481,7 @@ Microsoft Store for Business and Education is currently available in these marke
+### Support for free apps
Support for free apps only
@@ -304,12 +492,33 @@ Microsoft Store for Business and Education is currently available in these marke
Brazil
India
Russia
+
+
+
+
+
+### Support for free apps and Minecraft: Education Edition
+
+
+
Support for free apps and Minecraft: Education Edition
+
+
+
+
Taiwan
Ukraine
+
+**Microsoft Store for Business customers**
+- Admins can acquire free apps from **Microsoft Store for Business**.
+
+**Microsoft Store for Education customers**
+- Admins can acquire free apps from **Microsoft Store for Education**.
+- Admins can use an invoice to acquire **Minecraft: Education Edition**. For more information, see [Invoice payment option](https://docs.microsoft.com/education/windows/school-get-minecraft#invoices).
+- Teachers can acquire free apps, but not **Minecraft: Education Edition**.
## Privacy notice
diff --git a/windows/access-protection/enterprise-certificate-pinning.md b/windows/access-protection/enterprise-certificate-pinning.md
index 130251d4b2..c5c53ac5e6 100644
--- a/windows/access-protection/enterprise-certificate-pinning.md
+++ b/windows/access-protection/enterprise-certificate-pinning.md
@@ -189,9 +189,12 @@ Sign-in to the reference computer using domain administrator equivalent credenti
8. Right-click the **Registry** node and click **New**.
9. In the **New Registry Properties** dialog box, select **Update** from the **Action** list. Select **HKEY_LOCAL_MACHINE** from the **Hive** list.
10. For the **Key Path**, click **…** to launch the **Registry Item Browser**. Navigate to the following registry key and select the **PinRules** registry value name:
+
HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllCreateCertificateChainEngine\Config
+
Click **Select** to close the **Registry Item Browser**.
-11. The **Key Path** should contain the selected registry key. The **Value name** configuration should contain the registry value name **_PinRules_**. **Value type** should read **_REGBINARY_** and **Value data** should contain a long series of numbers from 0-9 and letters ranging from A-F (hexadecimal). Click **OK** to save your settings and close the dialog box.
+
+11. The **Key Path** should contain the selected registry key. The **Value name** configuration should contain the registry value name **_PinRules_**. **Value type** should read **_REG\_BINARY_** and **Value data** should contain a long series of numbers from 0-9 and letters ranging from A-F (hexadecimal). Click **OK** to save your settings and close the dialog box.
diff --git a/windows/deployment/update/images/update-compliance-wdav-assessment.png b/windows/deployment/update/images/update-compliance-wdav-assessment.png
new file mode 100644
index 0000000000..266c5b7210
Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-assessment.png differ
diff --git a/windows/deployment/update/images/update-compliance-wdav-overview.png b/windows/deployment/update/images/update-compliance-wdav-overview.png
new file mode 100644
index 0000000000..977478fb74
Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-overview.png differ
diff --git a/windows/deployment/update/images/update-compliance-wdav-prot-status.png b/windows/deployment/update/images/update-compliance-wdav-prot-status.png
new file mode 100644
index 0000000000..2c6c355ca4
Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-prot-status.png differ
diff --git a/windows/deployment/update/images/update-compliance-wdav-query-not-assessed.png b/windows/deployment/update/images/update-compliance-wdav-query-not-assessed.png
new file mode 100644
index 0000000000..733bfb6ae7
Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-query-not-assessed.png differ
diff --git a/windows/deployment/update/images/update-compliance-wdav-status-add-filter.png b/windows/deployment/update/images/update-compliance-wdav-status-add-filter.png
new file mode 100644
index 0000000000..d914960a7a
Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-status-add-filter.png differ
diff --git a/windows/deployment/update/images/update-compliance-wdav-status-filter-apply.png b/windows/deployment/update/images/update-compliance-wdav-status-filter-apply.png
new file mode 100644
index 0000000000..7d8021b02e
Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-status-filter-apply.png differ
diff --git a/windows/deployment/update/images/update-compliance-wdav-status-filter.png b/windows/deployment/update/images/update-compliance-wdav-status-filter.png
new file mode 100644
index 0000000000..cd500c2cb3
Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-status-filter.png differ
diff --git a/windows/deployment/update/images/update-compliance-wdav-status-log.png b/windows/deployment/update/images/update-compliance-wdav-status-log.png
new file mode 100644
index 0000000000..30e2e2352f
Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-status-log.png differ
diff --git a/windows/deployment/update/images/update-compliance-wdav-status-query.png b/windows/deployment/update/images/update-compliance-wdav-status-query.png
new file mode 100644
index 0000000000..c7d1a436fe
Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-status-query.png differ
diff --git a/windows/deployment/update/images/update-compliance-wdav-threat-status.png b/windows/deployment/update/images/update-compliance-wdav-threat-status.png
new file mode 100644
index 0000000000..ada9c09bbf
Binary files /dev/null and b/windows/deployment/update/images/update-compliance-wdav-threat-status.png differ
diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md
index f6c1878943..2b42051399 100644
--- a/windows/deployment/update/update-compliance-get-started.md
+++ b/windows/deployment/update/update-compliance-get-started.md
@@ -10,7 +10,7 @@ author: greg-lindsay
# Get started with Update Compliance
-This topic explains the steps necessary to configure your environment for Windows Analytics: Update Compliance.
+This topic explains the steps necessary to configure your environment for Windows Analytics: Update Compliance.
Steps are provided in sections that follow the recommended setup process:
1. Ensure that [prerequisites](#update-compliance-prerequisites) are met.
@@ -19,22 +19,25 @@ Steps are provided in sections that follow the recommended setup process:
## Update Compliance Prerequisites
-Update Compliance has the following requirements:
-1. Update Compliance is currently only compatible with Windows 10 devices. The solution is intended to be used with desktop devices (Windows 10 workstations and laptops).
-2. The solution requires that Windows 10 telemetry is enabled on all devices that are intended to be displayed in the solution. These devices must have at least the [basic level of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#basic-level) enabled. To learn more about Windows telemetry, see [Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization).
+Update Compliance has the following requirements:
+1. Update Compliance is currently only compatible with Windows 10 devices. The solution is intended to be used with desktop devices (Windows 10 workstations and laptops).
+2. The solution requires that Windows 10 telemetry is enabled on all devices that are intended to be displayed in the solution. These devices must have at least the [basic level of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#basic-level) enabled. To learn more about Windows telemetry, see [Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization).
3. The telemetry of your organization’s Windows devices must be successfully transmitted to Microsoft. Microsoft has specified [endpoints for different aspects of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#endpoints), which must be whitelisted by your organization so the data can be transmitted. The following table is taken from the article on telemetry endpoints and summarizes the use of each endpoint:
-
+
+4. To use Windows Defender Antivirus Assessment, devices must be protected by Windows Defender AV (and not a 3rd party AV program), and must have enabled [cloud-delivered protection](/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). See the [Windows Defender Antivirus in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) content library for more information on enabling, configuring, and validating Windows Defender AV.
+
## Add Update Compliance to Microsoft Operations Management Suite
-Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
+Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
If you are already using OMS, you’ll find Update Compliance in the Solutions Gallery. Select the **Update Compliance** tile in the gallery and then click **Add** on the solution's details page. Update Compliance is now visible in your workspace.
@@ -52,7 +55,7 @@ If you are not yet using OMS, use the following steps to subscribe to OMS Update
-3. Create a new OMS workspace.
+3. Create a new OMS workspace.
@@ -76,7 +79,7 @@ If you are not yet using OMS, use the following steps to subscribe to OMS Update
-7. Select the **Update Compliance** tile in the gallery and then select **Add** on the solution’s details page. You might need to scroll to find **Update Compliance**. The solution is now visible on your workspace.
+7. Select the **Update Compliance** tile in the gallery and then select **Add** on the solution’s details page. You might need to scroll to find **Update Compliance**. The solution is now visible on your workspace.
@@ -100,7 +103,7 @@ After you are subscribed to OMS Update Compliance and your devices have a Commer
## Deploy your Commercial ID to your Windows 10 devices
-In order for your devices to show up in Windows Analytics: Update Compliance, they must be configured with your organization’s Commercial ID. This is so that Microsoft knows that a given device is a member of your organization and to feed that device’s data back to you. There are two primary methods for widespread deployment of your Commercial ID: Group Policy and Mobile Device Management (MDM).
+In order for your devices to show up in Windows Analytics: Update Compliance, they must be configured with your organization’s Commercial ID. This is so that Microsoft knows that a given device is a member of your organization and to feed that device’s data back to you. There are two primary methods for widespread deployment of your Commercial ID: Group Policy and Mobile Device Management (MDM).
- Using Group Policy
Deploying your Commercial ID using Group Policy can be accomplished by configuring domain Group Policy Objects with the Group Policy Management Editor, or by configuring local Group Policy using the Local Group Policy Editor.
@@ -114,4 +117,4 @@ In order for your devices to show up in Windows Analytics: Update Compliance, th
## Related topics
-[Use Update Compliance to monitor Windows Updates](update-compliance-using.md)
\ No newline at end of file
+[Use Update Compliance to monitor Windows Updates](update-compliance-using.md)
diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md
index 39d8b0e012..08daf13df1 100644
--- a/windows/deployment/update/update-compliance-using.md
+++ b/windows/deployment/update/update-compliance-using.md
@@ -31,7 +31,8 @@ Update Compliance has the following primary blades:
3. [Latest and Previous Security Update Status](#latest-and-previous-security-update-status)
4. [Overall Feature Update Status](#overall-feature-update-status)
5. [CB, CBB, LTSB Deployment Status](#cb-cbb-ltsb-deployment-status)
-6. [List of Queries](#list-of-queries)
+6. [Windows Defender Antivirus Assessment](#wdav-assessment)
+7. [List of Queries](#list-of-queries)
## OS Update Overview
@@ -41,6 +42,7 @@ The first blade of OMS Update Compliance is the General **OS Update Overview** b
+
This blade is divided into three sections:
- Device Summary:
- Needs Attention Summary
@@ -139,6 +141,133 @@ The Overall Feature Update Status blade focuses around whether or not your devic
Devices are evaluated by OS Version (e.g., 1607) and the count of how many are Current, Not Current, and have Update Failures is displayed. Clicking on any of these counts will allow you to view all those devices, as well as select the **Update Deployment Status** perspective, described below. 
+
+## Windows Defender Antivirus Assessment
+
+You'll notice some new tiles in the Overview blade which provide a summary of Windows Defender AV-related issues, highlighted in the following screenshot.
+
+
+
+The **AV Signature** chart shows the number of devices that either have up-to-date [protection updates (also known as signatures or definitions)](/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus), while the **Windows Defender AV Status** tile indicates the percentage of all assessed devices that are not updated and do not have real-time protection enabled. The Windows Defender Antivirus Assessment section provides more information that lets you investigate potential issues.
+
+If you're using [Windows Defender Antivirus in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) to protect devices in your organization and have enabled [cloud-delivered protection](/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus), you can use this section to review the overall status of key protection features, including the number of devices that have [always-on real-time protection](/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) and up-to-date definitions.
+
+There are two blades in the Windows Defender AV Assessment section:
+
+- Protection status
+- Threats status
+
+
+
+The **Protection Status** blade shows three key measurements:
+
+1. How many devices have old or current signatures (also known as protection updates or definitions)
+2. How many devices have the core Windows Defender AV always-on scanning feature enabled, called real-time protection
+
+
+
+
+See the [Manage Windows Defender AV updates and apply baselines](/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus) topic for an overview on how updates work, and further information on applying updates.
+
+The **Threats Status** blade shows the following measurements:
+
+1. How many devices that have threats that have been remediated (removed or quarantined on the device)
+2. How many devices that have threats where remediation was not successful (this may indicate a manual reboot or clean is required)
+
+
+
+
+Devices can be in multiple states at once, as one device may have multiple threats, some of which may or may not be remediated.
+
+> [!IMPORTANT]
+> The data reported in Update Compliance can be delayed by up to 24 hours.
+
+See the [Customize, initiate, and review the results of Windows Defender AV scans and remediation](/windows/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus) topic for more information on how to perform scans and other manual remediation tasks.
+
+As with other blades in Update Compliance, clicking on a specific measurement or item will open the associated query that you can use to investigate individual devices and issues, as described below.
+
+
+### Investigate individual devices and threats
+
+
+Click on any of the status measurements to be taken to a pre-built log query that shows the impacted devices for that status.
+
+
+
+You can also find a pre-built query on the main Update Compliance screen, under the **Queries** blade, that lists devices that have not been assessed for Windows Defender AV.
+
+
+
+
+
+
+
+
+
+
+You can further filter queries by clicking any of the measurement labels for each incident, changing the values in the query filter pane, and then clicking **Apply**.
+
+
+
+
+
+Click **+Add** at the bottom of the filter pane to open a list of filters you can apply.
+
+
+
+
+You can also click the **. . .** button next to each label to instantly filter by that label or value.
+
+
+
+You can create your own queries by using a query string in the following format:
+
+```
+Type:
