Merge remote-tracking branch 'refs/remotes/origin/rs2' into dhrs2-servicing

.openpublishing.redirection.json

@@ -1,6 +1,56 @@
 { 
 "redirections": [
 {
+"source_path": "windows/keep-secure/configure-windows-defender-in-windows-10.md",
+"redirect_url": "/itpro/windows/keep-secure/deploy-manage-report-windows-defender-antivirus",
+"redirect_document_id": true 
+},
+{
+"source_path": "windows/keep-secure/enable-pua-windows-defender-for-windows-10.md",
+"redirect_url": "/itpro/windows/keep-secure/detect-block-potentially-unwanted-apps-windows-defender-antivirus",
+"redirect_document_id": true 
+},
+{
+"source_path": "windows/keep-secure/get-started-with-windows-defender-for-windows-10.md",
+"redirect_url": "/itpro/windows/keep-secure/deploy-manage-report-windows-defender-antivirus",
+"redirect_document_id": false 
+},
+{
+"source_path": "windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md",
+"redirect_url": "/itpro/windows/keep-secure/command-line-arguments-windows-defender-antivirus",
+"redirect_document_id": true 
+},
+{
+"source_path": "windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md",
+"redirect_url": "/itpro/windows/keep-secure/troubleshoot-windows-defender-antivirus",
+"redirect_document_id": true 
+},
+{
+"source_path": "windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md",
+"redirect_url": "/itpro/windows/keep-secure/use-powershell-cmdlets-windows-defender-antivirus",
+"redirect_document_id": true 
+},
+{
+"source_path": "windows/keep-secure/windows-defender-block-at-first-sight.md",
+"redirect_url": "/itpro/windows/keep-secure/configure-block-at-first-sight-windows-defender-antivirus",
+"redirect_document_id": true 
+},
+{
+"source_path": "windows/keep-secure/windows-defender-in-windows-10.md",
+"redirect_url": "/itpro/windows/keep-secure/windows-defender-antivirus-in-windows-10",
+"redirect_document_id": true 
+},
+{
+"source_path": "windows/keep-secure/windows-defender-enhanced-notifications.md",
+"redirect_url": "/itpro/windows/keep-secure/configure-notifications-windows-defender-antivirus",
+"redirect_document_id": true 
+},
+{
+"source_path": "windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md",
+"redirect_url": "/itpro/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/manage/cortana-at-work-scenario-7.md",
 "redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-7",
 "redirect_document_id": true

devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md

@@ -65,22 +65,22 @@ For more information, see [SurfaceHub configuration service provider](https://ms
 | Automatically turn on the screen using motion sensors | InBoxApps/Welcome/AutoWakeScreen | Yes | Yes | Yes |
 | Require a pin for wireless projection | InBoxApps/WirelessProjection/PINRequired | Yes | Yes | Yes |
 | Enable wireless projection | InBoxApps/WirelessProjection/Enabled | Yes | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
-| Miracast channel to use for wireless projection | InBoxApps/WirelessProjection/Channel | Yes | Yes.<br> Use a custom setting. | Yes |
+| Miracast channel to use for wireless projection | InBoxApps/WirelessProjection/Channel | Yes | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
 | Connect to your Operations Management Suite workspace | MOMAgent/WorkspaceID <br> MOMAgent/WorkspaceKey | Yes | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
 | Welcome screen background image | InBoxApps/Welcome/CurrentBackgroundPath | Yes | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
 | Meeting information displayed on the welcome screen | InBoxApps/Welcome/MeetingInfoOption | Yes | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
-| Friendly name for wireless projection | Properties/FriendlyName | Yes <br> [Use a custom policy.](#example-intune)) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
+| Friendly name for wireless projection | Properties/FriendlyName | Yes <br> [Use a custom policy.](#example-intune) | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
 | Device account, including password rotation | DeviceAccount/*`<name_of_policy>`* <br> See [SurfaceHub CSP](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx). | No | No | Yes |
-| Specify Skype domain | InBoxApps/SkypeForBusiness/DomainName | Yes </br> [Use a custom policy.](#example-intune)) | Yes<br> [Use a custom setting.] Yes |
+| Specify Skype domain | InBoxApps/SkypeForBusiness/DomainName | Yes </br>  | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
-| Auto launch Connect App when projection is initiated | InBoxApps/Connect/AutoLaunch | Yes </br> [Use a custom policy.](#example-intune)) | Yes<br> [Use a custom setting.] Yes |
+| Auto launch Connect App when projection is initiated | InBoxApps/Connect/AutoLaunch | Yes </br>  | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
-| Set default volume | Properties/DefaultVolume | Yes </br> [Use a custom policy.](#example-intune)) | Yes<br> [Use a custom setting.] Yes |
+| Set default volume | Properties/DefaultVolume | Yes </br>  | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
-| Set screen timeout | Properties/ScreenTimeout | Yes </br> [Use a custom policy.](#example-intune)) | Yes<br> [Use a custom setting.] Yes |
+| Set screen timeout | Properties/ScreenTimeout | Yes </br>  | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
-| Set session timeout | Properties/SessionTimeout | Yes </br> [Use a custom policy.](#example-intune)) | Yes<br> [Use a custom setting.] Yes |
+| Set session timeout | Properties/SessionTimeout | Yes </br>  | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
-| Set sleep timeout | Properties/SleepTimeout | Yes </br> [Use a custom policy.](#example-intune)) | Yes<br> [Use a custom setting.] Yes |
+| Set sleep timeout | Properties/SleepTimeout | Yes </br>  | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
-| Allow session to resume after screen is idle | Properties/AllowSessionResume | Yes </br> [Use a custom policy.](#example-intune)) | Yes<br> [Use a custom setting.] Yes |
+| Allow session to resume after screen is idle | Properties/AllowSessionResume | Yes </br>  | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
-| Allow device account to be used for proxy authentication | Properties/AllowAutoProxyAuth | Yes </br> [Use a custom policy.](#example-intune)) | Yes<br> [Use a custom setting.] Yes |
+| Allow device account to be used for proxy authentication | Properties/AllowAutoProxyAuth | Yes </br>  | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
-| Disable auto-populating the sign-in dialog with invitees from scheduled meetings | Properties/DisableSignInSuggestions | Yes </br> [Use a custom policy.](#example-intune)) | Yes<br> [Use a custom setting.] Yes |
+| Disable auto-populating the sign-in dialog with invitees from scheduled meetings | Properties/DisableSignInSuggestions | Yes </br>  | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
-| Disable "My meetings and files" feature in Start menu | Properties/DoNotShowMyMeetingsAndFiles | Yes </br> [Use a custom policy.](#example-intune)) | Yes<br> [Use a custom setting.] Yes |
+| Disable "My meetings and files" feature in Start menu | Properties/DoNotShowMyMeetingsAndFiles | Yes </br>  | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
 \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. 
 
 ### Supported Windows 10 settings
@@ -92,46 +92,46 @@ The following tables include info on Windows 10 settings that have been validate
 #### Security settings
 | Setting  | Details  | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML\*? |
 | -------- | -------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
-| Allow Bluetooth | Keep this enabled to support Bluetooth peripherals. | [Connectivity/AllowBluetooth](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Connectivity_AllowBluetooth) | Yes. <br> Use a custom policy. | Yes.<br> Use a custom setting. | Yes |
+| Allow Bluetooth | Keep this enabled to support Bluetooth peripherals. | [Connectivity/AllowBluetooth](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Connectivity_AllowBluetooth) | Yes. <br>  |  Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
-| Bluetooth policies | Use to set the Bluetooth device name, and block advertising, discovery, and automatic pairing. | Bluetooth/*`<name of policy>`* <br> See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes. <br> Use a custom policy. | Yes.<br> Use a custom setting. | Yes |
+| Bluetooth policies | Use to set the Bluetooth device name, and block advertising, discovery, and automatic pairing. | Bluetooth/*`<name of policy>`* <br> See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes. <br>  |  Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
-| Allow camera | Keep this enabled for Skype for Business. | [Camera/AllowCamera](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Camera_AllowCamera) | Yes. <br> Use a custom policy. | Yes.<br> Use a custom setting. | Yes |
+| Allow camera | Keep this enabled for Skype for Business. | [Camera/AllowCamera](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Camera_AllowCamera) | Yes. <br>  |  Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
-| Allow location | Keep this enabled to support apps such as Maps. | [System/AllowLocation](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowLocation) | Yes. <br> Use a custom policy. | Yes.<br> Use a custom setting. | Yes |
+| Allow location | Keep this enabled to support apps such as Maps. | [System/AllowLocation](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowLocation) | Yes. <br> . |  Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
-| Allow telemetry | Keep this enabled to help Microsoft improve Surface Hub. | [System/AllowTelemetry](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowTelemetry) | Yes. <br> Use a custom policy. | Yes.<br> Use a custom setting. | Yes |
+| Allow telemetry | Keep this enabled to help Microsoft improve Surface Hub. | [System/AllowTelemetry](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowTelemetry) | Yes. <br>  |  Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
 \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
 
 #### Browser settings
 
 | Setting  | Details          | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML\*? |
 | -------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
-| Homepages | Use to configure the default homepages in Microsoft Edge. | [Browser/Homepages](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_Homepages)  | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
+| Homepages | Use to configure the default homepages in Microsoft Edge. | [Browser/Homepages](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_Homepages)  |  Yes <br> [Use a custom policy.](#example-intune)  |  Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
-| Allow cookies | Surface Hub automatically deletes cookies at the end of a session. Use this to block cookies within a session. | [Browser/AllowCookies](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowCookies) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
+| Allow cookies | Surface Hub automatically deletes cookies at the end of a session. Use this to block cookies within a session. | [Browser/AllowCookies](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowCookies) |  Yes <br> [Use a custom policy.](#example-intune)  |  Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
-| Allow developer tools  | Use to stop users from using F12 Developer Tools. | [Browser/AllowDeveloperTools](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDeveloperTools) | Yes. <br>  Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
+| Allow developer tools  | Use to stop users from using F12 Developer Tools. | [Browser/AllowDeveloperTools](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDeveloperTools) | Yes <br> [Use a custom policy.](#example-intune) |  Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
-| Allow Do Not Track | Use to enable Do Not Track headers. | [Browser/AllowDoNotTrack](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDoNotTrack) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
+| Allow Do Not Track | Use to enable Do Not Track headers. | [Browser/AllowDoNotTrack](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDoNotTrack) |  Yes <br> [Use a custom policy.](#example-intune)  |  Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
-| Allow pop-ups | Use to block pop-up browser windows. | [Browser/AllowPopups](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowPopups) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
+| Allow pop-ups | Use to block pop-up browser windows. | [Browser/AllowPopups](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowPopups) |  Yes <br> [Use a custom policy.](#example-intune)  |  Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
-| Allow search suggestions | Use to block search suggestions in the address bar. | [Browser/AllowSearchSuggestionsinAddressBar](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSearchSuggestionsinAddressBar) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
+| Allow search suggestions | Use to block search suggestions in the address bar. | [Browser/AllowSearchSuggestionsinAddressBar](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSearchSuggestionsinAddressBar) |  Yes <br> [Use a custom policy.](#example-intune)  |  Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
-| Allow SmartScreen | Keep this enabled to turn on SmartScreen. | [Browser/AllowSmartScreen](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSmartScreen) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
+| Allow SmartScreen | Keep this enabled to turn on SmartScreen. | [Browser/AllowSmartScreen](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSmartScreen) |  Yes <br> [Use a custom policy.](#example-intune)  |  Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
-| Prevent ignoring SmartScreen Filter warnings for websites | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from accessing potentially malicious websites. | [Browser/PreventSmartScreenPromptOverride](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverride) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
+| Prevent ignoring SmartScreen Filter warnings for websites | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from accessing potentially malicious websites. | [Browser/PreventSmartScreenPromptOverride](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverride) |  Yes <br> [Use a custom policy.](#example-intune)  |  Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
-| Prevent ignoring SmartScreen Filter warnings for files | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from downloading unverified files from Microsoft Edge. | [Browser/PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverrideForFiles) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
+| Prevent ignoring SmartScreen Filter warnings for files | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from downloading unverified files from Microsoft Edge. | [Browser/PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverrideForFiles) |  Yes <br> [Use a custom policy.](#example-intune)  |  Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
 \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
 
 #### Windows Update settings
 
 | Setting     | Details          | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML*? |
 | ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
-| Use Current Branch or Current Branch for Business | Use to configure Windows Update for Business – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/BranchReadinessLevel](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes |
+| Use Current Branch or Current Branch for Business | Use to configure Windows Update for Business – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/BranchReadinessLevel](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) | Yes <br> [Use a custom policy.](#example-intune)  |  Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
-| Defer feature updates| See above. | [Update/ DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
+| Defer feature updates| See above. | [Update/ DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) |  Yes <br> [Use a custom policy.](#example-intune)  |  Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
-| Defer quality updates | See above. | [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
+| Defer quality updates | See above. | [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) |  Yes <br> [Use a custom policy.](#example-intune)  |  Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
-| Pause feature updates | See above. | [Update/PauseFeatureUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
+| Pause feature updates | See above. | [Update/PauseFeatureUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) |  Yes <br> [Use a custom policy.](#example-intune)  |  Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
-| Pause quality updates | See above. | [Update/PauseQualityUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes|
+| Pause quality updates | See above. | [Update/PauseQualityUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates) |  Yes <br> [Use a custom policy.](#example-intune)  | Yes.<br> [Use a custom setting.](#example-sccm) | Yes|
-| Configure device to use WSUS| Use to connect your Surface Hub to WSUS instead of Windows Update – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/UpdateServiceUrl](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
+| Configure device to use WSUS| Use to connect your Surface Hub to WSUS instead of Windows Update – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/UpdateServiceUrl](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) |  Yes <br> [Use a custom policy.](#example-intune)  |  Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
-| Delivery optimization | Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Configure Delivery Optimization for Windows 10](https://technet.microsoft.com/itpro/windows/manage/waas-delivery-optimization) for details. | DeliveryOptimization/*`<name of policy>`* <br> See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
+| Delivery optimization | Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Configure Delivery Optimization for Windows 10](https://technet.microsoft.com/itpro/windows/manage/waas-delivery-optimization) for details. | DeliveryOptimization/*`<name of policy>`* <br> See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) |  Yes <br> [Use a custom policy.](#example-intune)  |  Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
 \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
 
 #### Windows Defender settings
 
 | Setting     | Details          | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML\*? |
 | ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
-| Defender policies | Use to configure various Defender settings, including a scheduled scan time. | Defender/*`<name of policy>`* <br> See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes. <br>  Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
+| Defender policies | Use to configure various Defender settings, including a scheduled scan time. | Defender/*`<name of policy>`* <br> See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes <br> [Use a custom policy.](#example-intune)  |  Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
 | Defender status | Use to initiate a Defender scan, force a signature update, query any threats detected. | [Defender CSP](https://msdn.microsoft.com/library/windows/hardware/mt187856.aspx) | No. | No. | Yes |
 \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
 
@@ -140,8 +140,8 @@ The following tables include info on Windows 10 settings that have been validate
 | Setting     | Details          | CSP reference | Supported with<br>Intune? | Supported with<br>Configuration Manager? | Supported with<br>SyncML\*? |
 | ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- |
 | Reboot the device immediately | Use in conjunction with OMS to minimize support costs – see [Monitor your Microsoft Surface Hub](monitor-surface-hub.md). | ./Vendor/MSFT/Reboot/RebootNow <br> See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | No | No | Yes |
-| Reboot the device at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/Single <br> See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
+| Reboot the device at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/Single <br> See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) |  Yes <br> [Use a custom policy.](#example-intune)  |  Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
-| Reboot the device daily at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/DailyRecurrent <br> See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes. <br> Use a custom policy. | Yes. <br> Use a custom setting. | Yes |
+| Reboot the device daily at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/DailyRecurrent <br> See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) |  Yes <br> [Use a custom policy.](#example-intune)  |  Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
 \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package.
 
 #### Install certificates

devices/surface-hub/prepare-your-environment-for-surface-hub.md

@@ -42,6 +42,20 @@ Microsoft collects telemetry to help improve your Surface Hub experience. Add th
 - Telemetry client endpoint: `https://vortex.data.microsoft.com/`
 - Telemetry settings endpoint: `https://settings.data.microsoft.com/`
 
+### Proxy configuration
+
+If your organization restricts computers on your network from connecting to the Internet, there is a set of URLs that need to be available for devices to use Store for Business. Some of the Store for Business features use Windows Store app and Windows Store services. Devices using Store for Business – either to acquire, install, or update apps – will need access to these URLs. If you use a proxy server to block traffic, your configuration needs to allow these URLs:
+
+- login.live.com
+- login.windows.net
+- account.live.com
+- clientconfig.passport.net
+- windowsphone.com
+- *.wns.windows.com
+- *.microsoft.com
+- www.msftncsi.com (prior to Windows 10, version 1607)
+- www.msftconnecttest.com/connecttest.txt (replaces www.msftncsi.com starting with Windows 10, version 1607)
+
 
 ## Work with other admins
 

devices/surface-hub/troubleshoot-surface-hub.md

@@ -622,7 +622,9 @@ This section lists status codes, mapping, user messages, and actions an admin ca
  
 
  
+## Related content
 
+- [Troubleshooting Miracast connection to the Surface Hub](https://blogs.msdn.microsoft.com/surfacehub/2017/01/30/troubleshooting-miracast-connection-to-the-surface-hub/)
  
 
 

windows/configure/how-it-pros-can-use-configuration-service-providers.md

@@ -21,8 +21,8 @@ Configuration service providers (CSPs) expose device configuration settings in W
 
 The CSPs are documented on the [Hardware Dev Center](https://go.microsoft.com/fwlink/p/?LinkId=717390) because CSPs are used by mobile device management (MDM) service providers. This topic explains how IT pros and system administrators can take advantage of many settings available through CSPs to configure devices running Windows 10 and Windows 10 Mobile in their organizations.
 
-**Note**  
+>[!NOTE]  
-The explanation of CSPs and CSP documentation also apply to Windows Mobile 5, Windows Mobile 6, Windows Phone 7, and Windows Phone 8, but links to current CSPs are for Windows 10 and Windows 10 Mobile.
+>The explanation of CSPs and CSP documentation also apply to Windows Mobile 5, Windows Mobile 6, Windows Phone 7, and Windows Phone 8, but links to current CSPs are for Windows 10 and Windows 10 Mobile.
 
  [See what's new for CSPs in Windows 10, version 1607.](https://msdn.microsoft.com/library/windows/hardware/mt299056.aspx#whatsnew_1607)
 
@@ -60,15 +60,15 @@ In addition, you may have unmanaged devices, or a large number of devices that y
 
 In addition, some of the topics in the [Windows 10 and Windows 10 Mobile](../index.md) library on Technet include links to applicable CSP reference topics, such as [Cortana integration in your business or enterprise](cortana-at-work-overview.md) which links to the [Policy CSP](https://go.microsoft.com/fwlink/p/?LinkID=623244). In the CSP topics, you can learn about all of the available configuration settings.
 
-### CSPs in Windows Imaging and Configuration Designer (ICD)
+### CSPs in Windows Configuration Designer 
 
-You can use Windows Imaging and Configuration Designer (ICD) to create [provisioning packages](https://go.microsoft.com/fwlink/p/?LinkId=717466) to apply settings to devices during the out-of-box-experience (OOBE) and after devices are set up. You can use provisioning packages to configure a device's connectivity and enroll the device in MDM. Many of the runtime settings in Windows ICD are based on CSPs.
+You can use Windows Configuration Designer to create [provisioning packages](https://go.microsoft.com/fwlink/p/?LinkId=717466) to apply settings to devices during the out-of-box-experience (OOBE) and after devices are set up. You can use provisioning packages to configure a device's connectivity and enroll the device in MDM. Many of the runtime settings in Windows Configuration Designer are based on CSPs.
 
-Many settings in Windows ICD will display documentation for that setting in the center pane, and will include a reference to the CSP if the setting uses one, as shown in the following image.
+Many settings in Windows Configuration Designer will display documentation for that setting in the center pane, and will include a reference to the CSP if the setting uses one, as shown in the following image.
 
 ![how help content appears in icd](images/cspinicd.png)
 
-[Configure devices without MDM](../manage/configure-devices-without-mdm.md) explains how to use the Windows ICD tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a runtime provisioning package.
+[Provisioning packages in Windows 10](provisioning-packages.md) explains how to use the Windows Configuration Designer tool to create a runtime provisioning package.
 
 ### CSPs in MDM
 
@@ -78,7 +78,7 @@ When a CSP is available but is not explicitly included in your MDM solution, you
 
 ### CSPs in Lockdown XML
 
-Lockdown XML can be used to configure devices running Windows 10 Mobile. You can manually author a [Lockdown XML file](lockdown-xml.md) to make use of the configuration settings available through the [EnterpriseAssignedAccess configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkID=618601).
+Lockdown XML can be used to configure devices running Windows 10 Mobile. You can manually author a [Lockdown XML file](lockdown-xml.md) to make use of the configuration settings available through the [EnterpriseAssignedAccess configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkID=618601). In Windows 10, version 1703, you can also use the new [Lockdown Designer app](mobile-lockdown-designer.md) to configure your Lockdown XML.
 
 ## <a href="" id="bkmk-csp-doc"></a>How do you use the CSP documentation?
 

windows/configure/lockdown-xml.md

@@ -91,7 +91,7 @@ The following example is a complete lockdown XML file that disables Action Cente
 
 The Apps setting serves as an allow list and specifies the applications that will be available in the All apps list. Apps that are not included in this setting are hidden from the user and blocked from running. 
 
-You provide the product ID for each app in your file. The product ID identifies an app package, and an app package can contain multiple apps, so you should also provide the App User Model ID (AUMID) to differentiate the app. Optionally, you can set an app to run automatically. [Get product ID and AUMID for apps in Windows 10 Mobile.](product-ids-in-windows-10-mobile.md)
+You provide the App User Model ID (AUMID) and product ID for each app in your file. The product ID identifies an app package, and an app package can contain multiple apps, so you also provide the ADUMID to differentiate the app. Optionally, you can set an app to run automatically. [Get product ID and AUMID for apps in Windows 10 Mobile.](product-ids-in-windows-10-mobile.md)
 
 The following example makes Outlook Calendar available on the device.
 

windows/configure/mobile-lockdown-designer.md

@@ -47,6 +47,11 @@ Perform these steps on the device running Windows 10 Mobile that you will use to
 
 4. Enable **Device discovery**, and then turn on **Device Portal**. 
 
+>[!IMPORTANT]
+>Check **Settings > Personalization > Start > Show more tiles** on the test mobile device. If **Show more tiles** is **On**, you must select **Large** on the [**Start screen** page](#start) in Lockdown Designer. If you want to apply a **Small** layout, set **Show more tiles** on the test mobile device to **Off**.
+>
+>![turn off show more tiles for small start screen size](images/show-more-tiles.png) 
+
 ## Prepare the PC
 
 [Install Lockdown Designer](https://www.microsoft.com/store/r/9nblggh40753) on the PC. 
@@ -130,7 +135,7 @@ The apps and settings available in the pages of Lockdown Designer should now be
 | ![Quick actions](images/ld-quick.png)  |  On this page, you select the settings that you want visible to users. |
 | ![Buttons](images/ld-buttons.png)  |  Each hardware button on a mobile device has different actions that can be disabled. In addition, the behavior for **Search** button can be changed to open an app other than **Search**.</br></br>Some devices may have additional hardware buttons provided by the OEM. These are listed as Custom1, Custom2, and Custom3. If your device has custom hardware buttons, contact your equipment provider to identify how their custom buttons are defined. |
 | ![Other settings](images/ld-other.png)  | This page contains several settings that you can configure:</br></br>- The context menu is displayed when a user presses and holds an application in the All Apps list. You can enable or disable the context menu.</br></br>- Tile manipulation allows users to pin, unpin, move, and resize tiles on the Start screen. You can enable or disable tile manipulation.</br></br>- The Action Center setting controls whether the user can open the Action Center on the device. When the Action Center is disabled, notifications on the lockscreen and toasts are also disabled. You can use optional attributes with the Action Center element to change that behavior for either notifications, toasts, or both.  |
-| ![Start screen](images/ld-start.png)  | On this page, you can start a remote simulation session with the test mobile device. Click **Start remote simulation**. You will see a **Start screen remote simulation in progress** message on the PC. (If the **Start remote simulation** button is not active, [pair the mobile device with the PC again](#pair).)</br></br>On the test mobile device, tiles for the apps that you allowed on the **Applications** page are displayed on the screen. You can move, resize, or unpin these tiles to achieve the desired layout.</br></br>When you are done changing the layout on the test mobile device, click **Accept** on the PC. |
+| <span id="start" />![Start screen](images/ld-start.png)  | On this page, you can start a remote simulation session with the test mobile device. Click **Start remote simulation**. You will see a **Start screen remote simulation in progress** message on the PC. (If the **Start remote simulation** button is not active, [pair the mobile device with the PC again](#pair).)</br></br>On the test mobile device, tiles for the apps that you allowed on the **Applications** page are displayed on the screen. You can move, resize, or unpin these tiles to achieve the desired layout.</br></br>When you are done changing the layout on the test mobile device, click **Accept** on the PC. |
 
 
 ## Validate and export

windows/configure/product-ids-in-windows-10-mobile.md

@@ -230,21 +230,8 @@ The following table lists the product ID and AUMID for each app that is included
 
  
 
-## Get product ID and AUMID for other apps
 
 
-To get the product ID and AUMID for apps that are installed from Windows Store or installed locally ([side-loaded](https://go.microsoft.com/fwlink/p/?LinkID=623433)), use the following steps.
-
-**Prerequisites**: a device with an SD card inserted and all apps installed that you want to get IDs for
-
-1.  On Start ![start](images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](images/settingsicon.png) > **Accounts** > **Apps Corner**.
-
-2.  Tap **Apps**, tap to select the app that you want to get IDs for, and then tap done ![done button](images/doneicon.png)
-
-3.  Tap **advanced**, and then **tap export to SD card**.
-
-4.  Connect the device to a PC using USB, and then open the WEHLockdown.xml file on the SD card of the device to view the product ID and AUMID for each app.
-
 ## Related topics
 
 

windows/configure/provision-pcs-with-apps.md

@@ -40,7 +40,7 @@ When you add an app in a Windows Configuration Designer wizard, the appropriate
 
 - **Restart required**: Optionally, specify if you want to initiate a reboot after a successful install of this app 
 
-- **Required win32 app dependencies**: Optionally, specify additional files that are required for the installation of the app. 
+- **Required win32 app dependencies**: Optionally, specify additional files that are required for the installation of the app. For installers that have multiple file dependencies or have directory structures, [create a cab file of the assets](provisioning-script-to-install-app.md#cab). The installation script should [include expansion of the .cab file](provisioning-script-to-install-app.md#cab-extract).
 
 ### Exe or other installer
 
@@ -52,22 +52,22 @@ When you add an app in a Windows Configuration Designer wizard, the appropriate
 
 - **Restart required**: Optionally, specify if you want to initiate a reboot after a successful install of this app 
 
-- **Required win32 app dependencies**: Optionally, specify additional files that are required for the installation of the app. 
+- **Required win32 app dependencies**: Optionally, specify additional files that are required for the installation of the app. For installers that have multiple file dependencies or have directory structures, [create a cab file of the assets](provisioning-script-to-install-app.md#cab). The installation script should [include expansion of the .cab file](provisioning-script-to-install-app.md#cab-extract).
 
 
 <span id="adv" />
-## Add an app using advanced editor in Windows Configuration Designer
+## Add a Classic Windows app using advanced editor in Windows Configuration Designer
 
 
-1. In the **Available customizations** pane, go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandFiles**. 
+1. In the **Available customizations** pane, go to **Runtime settings** > **ProvisioningCommands** > **PrimaryContext** > **Command**. 
 
-2. Add all the files required for the app install, including the data files and the installer.
+2. Enter a name for the first app, and then click **Add**.
 
-3. Go to **Runtime settings** > **ProvisioningCommands** > **DeviceContext** > **CommandLine** and specify the command line that needs to be executed to install the app. This is a single command line (such as a script, executable, or msi) that triggers a silent install of your CommandFiles. Note that the install must execute silently (without displaying any UI). For MSI installers use, the `msiexec /quiet` option. 
+    ![enter name for first app](images/wcd-app-name.png)
 
-> [!NOTE]
+3. [Configure the settings for the appropriate installer type.](#settings-for-classic-windows-apps)
-> If you are installing more than one app, then use `CommandLine` to invoke the script or batch file that orchestrates installation of the files. For more information, see [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md). 
 
+    ![enter settings for first app](images/wcd-app-commands.png)
 
 ### Add a universal app to your package
 
@@ -87,7 +87,7 @@ Universal apps that you can distribute in the provisioning package can be line-o
 
 5. For **DeviceContextAppLicense**, enter the **LicenseProductID**. 
 
-    - In Windows Store for Business, generate the unencoded license for the app on the app's download page, and change the extension of the license file from **.xml** to **.ms-windows-store-license**.
+    - In Windows Store for Business, generate the unencoded license for the app on the app's download page. 
 
         ![generate license for offline app](images/uwp-license.png)
         

windows/configure/provisioning-apply-package.md

@@ -46,7 +46,7 @@ Provisioning packages can be applied to a device during the first-run experience
     
 ### After setup, from a USB drive, network folder, or SharePoint site
 
-On a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. 
+Insert the USB drive to a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. For a provisioning package stored on a network forlder or on a SharePoint site, navigate to the provisioning package and double-click it to begin installation.
 
 ![add a package option](images/package.png)
     

windows/configure/provisioning-script-to-install-app.md

@@ -29,6 +29,7 @@ This walkthrough describes how to leverage the ability to include scripts in a W
 
 2. If you need to include a directory structure of files, you will need to cab the assets for easy inclusion in the provisioning packages.
 
+<span id="cab" />
 ## Cab the application assets
 
 1. Create a .DDF file as below, replacing *file1* and *file2* with the files you want to package, and adding the name of file/directory.
@@ -89,7 +90,9 @@ This walkthrough describes how to leverage the ability to include scripts in a W
 
 ## Create the script to install the application
 
-Create a script to perform whatever work is needed to install the application(s). The following examples are provided to help get started authoring the orchestrator script that will execute the required installers. In practice, the orchestrator script may reference many more assets than those in these examples.
+In Windows 10, version 1607 and earlier, create a script to perform whatever work is needed to install the application(s). The following examples are provided to help get started authoring the orchestrator script that will execute the required installers. In practice, the orchestrator script may reference many more assets than those in these examples.
+
+In Windows 10, version 1703, you don’t need to create an orchestrator script. You can have one command line per app. If necessary, you can create a script that logs the output per app, as mentioned below (rather than one orchestrator script for the entire provisioning package). 
 
 >[!NOTE]
 >All actions performed by the script must happen silently, showing no UI and requiring no user interaction.
@@ -138,6 +141,7 @@ PsExec.exe -accepteula -i -s cmd.exe /c powershell.exe my_powershell_script.ps1'
 echo result: %ERRORLEVEL% >> %LOGFILE%
 ```
 
+<span id="cab-extract" />
 ### Extract from a .CAB example
 
 This example script shows expansion of a .cab from the provisioning commands script, as well as installation of the expanded setup.exe
@@ -154,7 +158,9 @@ echo result: %ERRORLEVEL% >> %LOGFILE%
 
 ### Calling multiple scripts in the package
 
-You are currently allowed one CommandLine per PPKG. The batch files shown above are orchestrator scripts that manage the installation and calls any other scripts included in the PPKG. The orchestrator script is what should be invoked from the CommandLine specified in the package. 
+In Windows 10, version 1703, your provisioning package can include multiple CommandLines.
+
+In Windows 10, version 1607 and earlier, you are allowed one CommandLine per provisioning package. The batch files shown above are orchestrator scripts that manage the installation and call any other scripts included in the provisioning package. The orchestrator script is what should be invoked from the CommandLine specified in the package. 
 
 Here’s a table describing this relationship, using the PowerShell example from above:
 
@@ -166,7 +172,7 @@ Here’s a table describing this relationship, using the PowerShell example from
 | ProvisioningCommands/DeviceContext/CommandFiles | my_powershell_script.ps1 | Other assets referenced by the orchestrator script. In this example there is only one, but there could be many assets referenced here. One common use case is using the orchestrator to call a series of install.exe or setup.exe installers to install several applications. Each of those installers must be included as an asset here. |
 
  
-### Add script to provisioning package 
+### Add script to provisioning package (Windows 10, version 1607)
  
 When you have the batch file written and the referenced assets ready to include, you can add them to a provisioning package in the Window Configuration Designer. 
 
@@ -197,10 +203,15 @@ When you are done, [build the package](provisioning-create-package.md#build-pack
 2. When applied at first boot, provisioning runs early in the boot sequence and before a user context has been established; care must be taken to only include installers that can run at this time. Other installers can be provisioned via a management tool.
 3. If the device is put into an unrecoverable state because of a bad script, you can reset it using [recovery options in Windows 10](https://support.microsoft.com/help/12415/windows-10-recovery-options).
 4. The CommandFile assets are deployed on the device to a temporary folder unique to each package.
+    - For Windows 10, version 1607 and earlier:
         a. For packages added during the out of box experience, this is usually in `%WINDIR%\system32\config\systemprofile\appdata\local\Temp\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands`
         b. For packages added by double-clicking on an already deployed device, this will be in the temp folder for the user executing the PPKG: `%TMP%\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands`
+    - For Windows 10, version 1703:
+        a. For packages added during the out of box experience, this is usually in `%WINDIR%\system32\config\systemprofile\appdata\local\Temp\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands\0`
+        The `0` after `Commands\` refers to the installation order and indicates the first app to be installed. The number will increment for each app in the package.
+        b. For packages added by double-clicking on an already deployed device, this will be in the temp folder for the user executing the provisioning package: `%TMP%\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands\0`
 5. The command line will be executed with the directory the CommandFiles were deployed to as the working directory. This means you do not need to specific the full path to assets in the command line or from within any script.
-6. The runtime provisioning component will attempt to run the scripts from the PPKG at the earliest point possible, depending on the stage when the PPKG was added. For example, if the package was added during the Out-of-Box Experience, it will be run immediately after the package is applied, while the Out-of-Box Experience is still happening. This is before the user account configuration options are presented to the user. A spinning progress dialog will appear and “please wait” will be displayed on the screen. 
+6. The runtime provisioning component will attempt to run the scripts from the provisioning package at the earliest point possible, depending on the stage when the PPKG was added. For example, if the package was added during the Out-of-Box Experience, it will be run immediately after the package is applied, while the out of box experience is still happening. This is before the user account configuration options are presented to the user. A spinning progress dialog will appear and “please wait” will be displayed on the screen. 
 
     >[!NOTE]
     >There is a timeout of 30 minutes for the provisioning process at this point. All scripts and installs need to complete within this time. 

windows/deploy/upgrade-readiness-deployment-script.md

@@ -42,9 +42,9 @@ To run the Upgrade Readiness deployment script:
     3.  By default, the script sends log information to both the console and the log file. To change the default behavior, use one of the following options:
 
         > *logMode = 0 log to console only*
->
+        >
         > *logMode = 1 log to file and console*
->
+        >
         > *logMode = 2 log to file only*
 
 3.  To enable Internet Explorer data collection, set AllowIEData to IEDataOptIn. By default, AllowIEData is set to Disable. Then use one of the following options to determine what Internet Explorer data can be collected:
@@ -57,7 +57,16 @@ To run the Upgrade Readiness deployment script:
     >
     > *IEOptInLevel = 3 Data collection is enabled for all sites*
 
-4.  After you finish editing the parameters in RunConfig.bat, you are ready to run the script.  If you are using the Pilot version, run RunConfig.bat from an elevated command prompt. If you are using the Deployment version, use ConfigMgr or other software deployment service to run RunConfig.bat as system.
+4. The latest version (03.02.17) of the deployment script is configured to collect and send diagnostic and debugging data to Microsoft. If you wish to disable sending diagnostic and debugging data to Microsoft, set **AppInsightsOptIn = false**. By default, **AppInsightsOptIn** is set to **true**.
+
+    The data that is sent is the same data that is collected in the text log file that captures the events and error codes while running the script. This file is named in the following format: **UA_yyyy_mm_dd_hh_mm_ss_machineID.txt**. Log files are created in the drive that is specified in the RunConfig.bat file. By default this is set to: **%SystemDrive%\UADiagnostics**.
+
+    This data gives us the ability to determine the status of your machines and to help troubleshoot issues. If you choose to opt-in to and send this data to Microsoft, you must also allow https traffic to be sent to the following wildcard endpoints:
+
+    \*vortex\*.data.microsoft.com<BR>
+    \*settings\*.data.microsoft.com
+
+5.  After you finish editing the parameters in RunConfig.bat, you are ready to run the script.  If you are using the Pilot version, run RunConfig.bat from an elevated command prompt. If you are using the Deployment version, use ConfigMgr or other software deployment service to run RunConfig.bat as system.
 
 The deployment script displays the following exit codes to let you know if it was successful, or if an error was encountered.
 

windows/deploy/upgrade-readiness-get-started.md

@@ -79,7 +79,7 @@ For Upgrade Readiness to receive and display upgrade readiness data from Microso
 
 To enable data sharing, whitelist the following endpoints. Note that you may need to get approval from your security group to do this.
 
-Note: The compatibility update KB runs under the computer’s system account. If you are using user authenticated proxies, read [this blog post](https://go.microsoft.com/fwlink/?linkid=838688) to learn what you need to do to run it under the logged on user account.
+Note: The compatibility update KB runs under the computer’s system account. If you are using user authenticated proxies, read [this blog post](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) to learn what you need to do to run it under the logged on user account.
 
 | **Endpoint**  | **Function**  |
 |---------------------------------------------------------|-----------|

windows/deploy/upgrade-readiness-requirements.md

@@ -78,8 +78,6 @@ See [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields
 
 Before you get started configuring Upgrade Anatlyics, review the following tips and limitations about this release.
 
-**User authenticated proxies are not supported in this release.** User computers communicate with Microsoft through Windows telemetry. The Windows telemetry client runs in System context and requires a connection to various Microsoft telemetry endpoints. User authenticated proxies are not supported at this time. Work with your Network Administrator to ensure that user computers can communicate with telemetry endpoints.
-
 **Upgrade Readiness does not support on-premises Windows deployments.** Upgrade Readiness is built as a cloud service, which allows Upgrade Readiness to provide you with insights based on the data from user computers and other Microsoft compatibility services. Cloud services are easy to get up and running and are cost-effective because there is no requirement to physically implement and maintain services on-premises.
 
 **In-region data storage requirements.** Windows telemetry data from user computers is encrypted, sent to, and processed at Microsoft-managed secure data centers located in the US. Our analysis of the upgrade readiness-related data is then provided to you through the Upgrade Readiness solution in the Microsoft Operations Management Suite (OMS) portal. At the time this topic is being published, only OMS workspaces created in the East US and West Europe are supported. We’re adding support for additional regions and we’ll update this information when new international regions are supported.

windows/index.md

@@ -19,7 +19,7 @@ This library provides the core content that IT pros need to evaluate, plan, depl
   <tr style="text-align:center;">
     <td style="width:25%; border:0;">
       <a href="https://technet.microsoft.com/en-us/itpro/windows/whats-new/index">
-        <img src="images/w10-whatsnew.png" alt="Read what's new in Windows 10" title="What's new in Windows 10?" />
+        <img src="images/w10-whatsnew-highlight.png" alt="Read what's new in Windows 10" title="What's new in Windows 10?" />
       </a>
       <br/>What's New?
     </td>
@@ -45,7 +45,7 @@ This library provides the core content that IT pros need to evaluate, plan, depl
   <tr style="text-align:center;">
     <td style="width:25%; border:0;">
     <br/>
-      <a href="https://technet.microsoft.com/en-us/itpro/windows/deploy/index">
+      <a href="https://technet.microsoft.com/en-us/itpro/windows/keep-secure/index">
         <img src="images/w10-secure.png" alt="Keep Windows 10 secure" title="Keep Windows 10 secure" />
       </a>
       <br/>Keep Secure
@@ -67,7 +67,7 @@ This library provides the core content that IT pros need to evaluate, plan, depl
     <td style="width:25%; border:0;">
       <br/>
       <a href="">
-        <img src="images/w10-plan.png" alt="Get your " title="What's new in Windows 10" />
+        <img src="images/w10-evaluation.png" alt="Try Windows 10" title="Try Windows 10" />
       </a>
       <br/>Try it
     </td>
@@ -76,19 +76,18 @@ This library provides the core content that IT pros need to evaluate, plan, depl
 
 <br/>
 
-# Get to know Windows as a Service (WaaS)
+## Get to know Windows as a Service (WaaS)
 <table border="0" width="100%" align='center'>
 <tr>
-  <td valign=top width=60%>The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers.
+  <td valign=top width:50%; border:0;>The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers.
 
   These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time.
+  - [Read more about Windows as a Service]()
 
-
+  - [Download the WaaS infographic]()
-  * [Read more about Windows as a Service]()
-  * [Download the WaaS infographic]()
 
   </td>
-  <td width=40%><center><img style='border:thin silver solid' src="images/w10-WaaS-poster.png" alt="Get to know Windows as a Service (WaaS) " title="Get to know Windows as a Service (WaaS)" /></center></td>
+  <td valign=top width:50%; border:0;><center><img style='border:thin silver solid' src="images/w10-WaaS-poster.png" alt="Get to know Windows as a Service (WaaS) " title="Get to know Windows as a Service (WaaS)" /></center></td>
 </tr>
 <table>
 

windows/keep-secure/TOC.md

@@ -578,6 +578,7 @@
 ###### [Domain member: Require strong (Windows 2000 or later) session key](domain-member-require-strong-windows-2000-or-later-session-key.md)
 ###### [Interactive logon: Display user information when the session is locked](interactive-logon-display-user-information-when-the-session-is-locked.md)
 ###### [Interactive logon: Don't display last signed-in](interactive-logon-do-not-display-last-user-name.md)
+###### [Interactive logon: Don't display username at sign-in](interactive-logon-dont-display-username-at-sign-in.md)
 ###### [Interactive logon: Do not require CTRL+ALT+DEL](interactive-logon-do-not-require-ctrl-alt-del.md)
 ###### [Interactive logon: Machine account lockout threshold](interactive-logon-machine-account-lockout-threshold.md)
 ###### [Interactive logon: Machine inactivity limit](interactive-logon-machine-inactivity-limit.md)
@@ -800,9 +801,10 @@
 #### [Windows Defender ATP service status](service-status-windows-defender-advanced-threat-protection.md)
 #### [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md)
 #### [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)
-#### [Windows Defender compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md)
+#### [Windows Defender Antivirus compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md)
 ###	[Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
 #### [Windows Defender AV in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md)
+#### [Windows Defender Antivirus on Windows Server](windows-defender-antivirus-on-windows-server-2016.md)
 #### [Evaluate Windows Defender Antivirus protection](evaluate-windows-defender-antivirus.md)
 #### [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
 ##### [Deploy and enable Windows Defender Antivirus](deploy-windows-defender-antivirus.md)

windows/keep-secure/bitlocker-group-policy-settings.md

@@ -32,7 +32,7 @@ The following sections provide a comprehensive list of BitLocker Group Policy se
 
 The following policy settings can be used to determine how a BitLocker-protected drive can be unlocked.
 
--   [Allow devices with Secure Boot and protect DMS ports to opt out of preboot PIN](#bkmk-hstioptout)
+-   [Allow devices with Secure Boot and protect DMA ports to opt out of preboot PIN](#bkmk-hstioptout)
 -   [Allow network unlock at startup](#bkmk-netunlock)
 -   [Require additional authentication at startup](#bkmk-unlockpol1)
 -   [Allow enhanced PINs for startup](#bkmk-unlockpol2)
@@ -86,7 +86,7 @@ The following policies are used to support customized deployment scenarios in yo
 -   [Allow access to BitLocker-protected fixed data drives from earlier versions of Windows](#bkmk-depopt4)
 -   [Allow access to BitLocker-protected removable data drives from earlier versions of Windows](#bkmk-depopt5)
 
-### <a href="" id="bkmk-hstioptout"></a>Allow devices with Secure Boot and protect DMS ports to opt out of preboot PIN
+### <a href="" id="bkmk-hstioptout"></a>Allow devices with Secure Boot and protect DMA ports to opt out of preboot PIN
 
 This policy setting allows users on devices that are compliant with InstantGo or the Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for preboot authentication.
  
@@ -137,7 +137,8 @@ This setting enables an exception to the PIN-required policy on secure hardware.
 
 ### <a href="" id="bkmk-netunlock"></a>Allow network unlock at startup
 
-This policy controls a portion of the behavior of the Network Unlock feature in BitLocker. This policy is required to enable BitLocker Network Unlock on a network because it allows clients running BitLocker to create the necessary network key protector during encryption. This policy is used in addition to the BitLocker Drive Encryption Network Unlock Certificate security policy (located in the **Public Key Policies** folder of Local Computer Policy) to allow systems that are connected to a trusted network to properly utilize the Network Unlock feature.
+This policy controls a portion of the behavior of the Network Unlock feature in BitLocker. This policy is required to enable BitLocker Network Unlock on a network because it allows clients running BitLocker to create the necessary network key protector during encryption. 
+This policy is used in addition to the BitLocker Drive Encryption Network Unlock Certificate security policy (located in the **Public Key Policies** folder of Local Computer Policy) to allow systems that are connected to a trusted network to properly utilize the Network Unlock feature.
  
 <table>
 <colgroup>

windows/keep-secure/change-history-for-keep-windows-10-secure.md

@@ -16,6 +16,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md
 ## March 2017
 |New or changed topic |Description |
 |---------------------|------------|
+|[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md)]|Added note about Azure RMS and USB drives and added new limitation about folder redirection.|
 |[Protect derived domain credentials with Credential Guard](credential-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.|
 |[Requirements and deployment planning guidelines for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.|
 |[Windows Defender SmartScreen overview](windows-defender-smartscreen-overview.md)|New |
@@ -29,6 +30,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md
 |---------------------|------------|
 |[Overview of threat mitigations in Windows 10](overview-of-threat-mitigations-in-windows-10.md) | Reorganized from existing content, to provide a better overview of threat mitigations. Added information that maps the Enhanced Mitigation Experience Toolkit (EMET) to Windows 10 features. |
 
+>>>>>>> refs/remotes/origin/rs2
 
 
 ## January 2017

windows/keep-secure/choose-the-right-bitlocker-countermeasure.md

@@ -117,8 +117,9 @@ Tables 1 and 2 summarize the recommended mitigations for different types of atta
 
 **Table 2.**  How to choose the best countermeasures for Windows 10
 
-The latest InstantGo devices, primarily tablets, are designed to be secure by default against all attacks that might compromise the BitLocker encryption key. Other Windows devices can be, too. DMA port–based attacks, which represent the attack vector of choice, are not possible on InstantGo devices, because these port types are prohibited. The inclusion of DMA ports on even non-InstantGo devices is extremely rare on recent devices, particularly on mobile ones. This could change if Thunderbolt is broadly adopted, so IT should consider this when purchasing new devices. In any case DMA ports can be disabled entirely, which is an increasingly popular option because the use of 
+The latest InstantGo devices, primarily tablets, are designed to be secure by default against all attacks that might compromise the BitLocker encryption key. Other Windows devices can be secure by default too. DMA port–based attacks, which represent the attack vector of choice, are not possible on InstantGo devices because these port types are prohibited. The inclusion of DMA ports on even non-InstantGo devices is extremely rare on recent devices, particularly on mobile ones. This could change if Thunderbolt is broadly adopted, so IT should consider this when purchasing new devices. In any case, DMA ports can be disabled entirely, which is an increasingly popular option because the use of DMA ports is infrequent in the non-developer space. To prevent DMA port usage unless an authorized user is signed in, you can set the DataProtection/AllowDirectMemoryAccess policy by using Mobile Device Management (MDM) or the Group Policy setting **Disable new DMA devices when this computer is locked** (beginning with Windows 10, version 1703). This setting is **Not configured** by default. The path to the Group Policy setting is:
-DMA ports is infrequent in the non-developer space.
+
+**Computer Configuration|Administrative Templates|Windows Components|BitLocker Drive Encryption**
     
 Memory remanence attacks can be mitigated with proper configuration; in cases where the system memory is fixed and non-removable, they are not possible using published techniques. Even in cases where system memory can be removed and loaded into another device, attackers will find the attack vector extremely unreliable, as has been shown in the DRDC Valcartier group’s analysis (see [An In-depth Analysis of the Cold Boot Attack](http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA545078)).
 

windows/keep-secure/command-line-arguments-windows-defender-antivirus.md

@@ -19,10 +19,14 @@ author: iaanw
 
 - Windows 10
 
+**Audience**
+
+- Enterprise security administrators
+
 
 You can use a dedicated command-line tool to perform various functions in Windows Defender Antivirus. 
 
-This utility can be handy when you want to automate the use of Windows Defender Antivirus. 
+This utility can be useful when you want to automate the use of Windows Defender Antivirus. 
 
 The utility is available in _%Program Files%\Windows Defender\MpCmdRun.exe_ and must be run from a command prompt.
 

windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md

@@ -1,116 +0,0 @@
----
-title: Configure an Azure Active Directory application for SIEM integration
-description: Configure an Azure Active Directory application so that it can communicate with supported SIEM tools.
-keywords: configure aad for siem integration, siem integration, application, oauth 2
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: mjcaparas
-localizationpriority: high
----
-
-# Configure an Azure Active Directory application for SIEM integration
-
-**Applies to:**
-
-- Azure Active Directory
-- Windows 10 Enterprise
-- Windows 10 Education
-- Windows 10 Pro
-- Windows 10 Pro Education
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
-You need to add an application in your Azure Active Directory (AAD) tenant then authorize the Windows Defender ATP Alerts Export application  to communicate with it so that your security information and events management (SIEM) tool can pull alerts from Windows Defender ATP portal.
-
-1. Login to the [Azure management portal](https://ms.portal.azure.com).
-
-2. Select **Active Directory**.
-
-3. Select your tenant.
-
-4. Click **Applications**, then select **Add** to create a new application.
-
-5. Click **Add an application my organization is developing**.
-
-6. Choose a client name for the application, for example, *Alert Export Client*.
-
-7. Select **WEB APPLICATION AND/OR WEB API** in the Type section.
-
-8. Assign a sign-on URL and app ID URI to the application, for example, `https://alertexportclient`.
-
-9. Confirm the request details and verify that you have successfully added the app.
-
-10. Select the application you've just created from the directory application list and click the **Configure** tab.
-
-11. Scroll down to the **keys** section and select a duration for the application key.
-
-12. Type the following URLs in the **Reply URL** field:
-
-  - `https://DataAccess-PRD.trafficmanager.net:444/api/FetchAccessTokenFromAuthCode`
-  - `https://localhost:44300/WDATPconnector`
-
-13. Click **Save** and copy the key in a safe place. You'll need this key to authenticate the client application on Azure Active Directory.
-
-14. Open a web browser and connect to the following URL: `https://DataAccess-PRD.trafficmanager.net:444/api/FetchToken?clientId=f7c1acd8-0458-48a0-a662-dba6de049d1c&tenantId=<tenant ID>&clientSecret=1234`<br>
-
-  An Azure login page appears.
-  > [!NOTE]
-  > - Replace *tenant ID* with your actual tenant ID.  
-  > - Keep the *clientSecret* as is. This is a dummy value, but the parameter must appear.
-
-15. Sign in with the credentials of a user from your tenant.
-
-16. Click **Accept** to provide consent. Ignore the error.
-
-17. Click **Application configuration** under your tenant.
-
-18. Click **Permissions to other applications**, then select **Add application**.
-
-19. Click **All apps** from the **SHOW** field and submit.
-
-20. Click **WDATPAlertExport**, then select **+** to add the application. You should see it on the **SELECTED** panel.
-
-21. Submit your changes.
-
-22. On the **WDATPAlertExport** record, in the **Delegated Permissions** field, select **Access WDATPAlertExport**.
-
-23. Save the application changes.
-
-After configuring the application in AAD, you'll need to obtain a refresh token. You'll need to use the token when you configure the connector for your SIEM tool in the next steps. The token lets the connector access Windows Defender ATP events to be pulled by your SIEM.
-
-## Obtain a refresh token using an events URL
-Obtain a refresh token used to retrieve the Windows Defender Advanced Threat Protection events to your SIEM. This section provides information on how you can use an events URL to obtain the required refresh token.
->[!NOTE]
->For HP ArcSight, you can obtain a refresh token using the restutil tool. For more information, see [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md).
-
-### Before you begin
-Get the following information from your Azure Active Directory (AAD) application by selecting the **View Endpoint** on the application configuration page:
-
-    - OAuth 2 Client ID
-    - OAuth 2 Client secret
-
-You'll use these values to obtain a refresh token.
-
->[!IMPORTANT]
->Before using the OAuth 2 Client secret described in the next steps, you **must** encode it. Use a URL encoder to transform the OAuth 2 client secret.
-
-### Obtain a refresh token
-1. Open a web browser and connect to the following URL: `https://DataAccess-PRD.trafficmanager.net:444/api/FetchToken?clientId=<client ID>&tenantId=<tenant ID>&clientSecret=<client secret>`
-
-  >[!NOTE]
-  >- Replace the *client ID* value with the one you got from your AAD application.
-  >- Replace *tenant ID* with your actual tenant ID.
-  >- Replace *client secret* with your encoded client secret. The client secret **must** be pasted encoded.
-
-2. Click **Accept**. When you authenticate, a web page opens with your refresh token.
-
-3.  Save the refresh token which you'll find it the `<RefreshToken></RefreshToken>`value. You'll need this value when configuring your SIEM tool.
-
-After configuring your AAD application and generating a refresh token, you can proceed to configure your SIEM tool.
-
-## Related topics
-- [Configure security information and events management (SIEM) tools to pull alerts](configure-siem-windows-defender-advanced-threat-protection.md)
-- [Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
-- [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)

windows/keep-secure/configure-advanced-scan-types-windows-defender-antivirus.md

@@ -1,5 +1,5 @@
 ---
-title: Configure advanced scanning types for Windows Defender AV
+title: Configure scanning options for Windows Defender AV
 description: You can configure Windows Defender AV to scan email storage files, back-up or reparse points, network files, and archived files (such as .zip files).
 keywords: advanced scans, scanning, email, archive, zip, rar, archive, reparse scanning
 search.product: eADQiWindows 10XVcnh
@@ -12,147 +12,92 @@ localizationpriority: medium
 author: iaanw
 ---
 
-# Configure email, removable storage, network, reparse point, and archive scanning in Windows Defender AV
+# Configure scanning options in Windows Defender AV
 
 
 **Applies to**
 -   Windows 10
 
+**Audience**
+
+- Enterprise security administrators
+
+**Manageability available with**
+
+- Group Policy
+- PowerShell
+- Windows Management Instrumentation (WMI)
+- System Center Configuration Manager
+- Microsoft Intune
+
+
+To configure the Group Policy settings described in the following table:
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below.
+
+6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+For using WMI classes, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx).
+
+Description | GP location and setting | Default setting (if not configured) | PowerShell `Set-MpPreference` parameter or WMI property for `MSFT_MpPreference` class
+---|---|---|---
+See [Email scanning limitations](#ref1)) below | Scan > Turn on e-mail scanning | Disabled | `-DisableEmailScanning`
+Scan [reparse points](https://msdn.microsoft.com/library/windows/desktop/aa365503.aspx) | Scan > Turn on reparse point scanning | Disabled | `-DisableRestorePoint`
+Scan mapped network drives | Scan > Run full scan on mapped network drives | Disabled | `-DisableScanningMappedNetworkDrivesForFullScan`
+ Scan archive files (such as .zip or .rar files). The [extensions exclusion list](configure-extension-exclusions-windows-defender-antivirus.md) will take precendence over this setting. | Scan > Scan archive files | Enabled | `-DisableArchiveScanning`
+Scan files on the network | Scan > Scan network files | Disabled | `-DisableScanningNetworkFiles`
+Scan packed executables | Scan > Scan packed executables | Enabled | Not available
+Scan removable drives during full scans only | Scan > Scan removable drives | Disabled | `-DisableRemovableDriveScanning`
+Specify the level of subfolders within an archive folder to scan | Scan > Specify the maximum depth to scan archive files | 0 | Not available
+ Specify the maximum CPU load (as a percentage) during a scan. This a theoretical maximum - scans will not always use the maximum load defined here, but they will never exceed it | Scan > Specify the maximum percentage of CPU utilization during a scan | 50 |  `-ScanAvgCPULoadFactor`
+ Specify the maximum size (in kilobytes) of archive files that should be scanned. The default, **0**, applies not limit | Scan > Specify the maximum size of archive files to be scanned | No limit | Not available
+
+**Use Configuration Manager to configure scanning options:**
+
+See [How to create and deploy antimalware policies: Scan settings]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring System Center Configuration Manager (current branch).
+
+
+**Use Microsoft Intune to configure scanning options**
 
 
 
+See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune: Scan options](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#specify-scan-options-settings) and [Windows Defender policy settings in Windows 10](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#windows-defender-1) for more details.
  
 
 
-## Manage email scans in Windows Defender
+<a id="ref1"></a>
-
+### Email scanning limitations
-You can use Windows Defender to scan email files. Malware can install itself and hide in email files, and although real-time protection offers you the best protection from email malware, you can also scan emails stored on your PC or server with Windows Defender.
+Enabling email scanning will cause Windows Defender AV to scan emails during on-demand and scheduled scans. Embedded objects within an email file (such as attachments and archived files) are also scanned. The following file format types can be scanned and remediated:
-> **Important:**  Mail scanning only applies to on-demand and scheduled scans, not on-access scans.
- 
-Windows Defender scans Microsoft Office Outlook 2003 and older email files. We identify the file type at run-time based on the content of the file, not on location or extension.
-> **Note: **  Scanning email files might increase the time required to complete a scan.
- 
-Windows Defender can extract embedded objects within a file (attachments and archived files, for example) and scan internally.
-> **Note:**  While Windows Defender can be configured to scan email files, it can only remediate threats detected inside certain files, for example:
 - DBX
 - MBX
 - MIME
 
-You can configure Windows Defender to scan PST files used by Outlook 2003 or older versions (where the archive type is set to non-uni-code), but Windows Defender cannot remediate threats detected inside PST files. We recommend using real-time protection to protect against email malware.
+>[!WARNING]
+> Is this true - can it scan Outlook 2013/ 2016?
+> "Windows Defender scans Microsoft Office Outlook 2003 and older email files."
+
+You can configure Windows Defender to scan PST files used by Outlook 2003 or older versions (where the archive type is set to non-uni-code), but Windows Defender cannot remediate threats detected inside PST files. We recommend using [always-on real-time protection](configure-real-time-protection-windows-defender-antivirus.md) to protect against email-based malware.
 
 If Windows Defender detects a threat inside an email, it will show you the following information to assist you in identifying the compromised email, so you can remediate the threat:
 -   Email subject
 -   Attachment name
-Email scanning in Windows Defender is turned off by default. There are three ways you can manage scans through Windows Defender:
+
--   *Group Policy* settings
+>[!WARNING]
--   WMI
+>There are some risks associated with scanning some Microsoft Outlook files and email messages. You can read about tips and risks associated with scanning Outlook files and email messages in the following articles:
--   PowerShell
-> **Important:**  There are some risks associated with scanning some Microsoft Outlook files and email messages. You can read about tips and risks associated with scanning Outlook files and email messages in the following articles:
 -   [Scanning Outlook files in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-1)
 -   [Scanning email messages in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-2)
 
-## Use *Group Policy* settings to enable email scans
+## Related topics
-
-This policy setting allows you to turn on email scanning. When email scanning is enabled, the engine will parse the mailbox and mail files to analyze the mail bodies and attachments.
-
-Turn on email scanning with the following *Group Policy* settings:
-1.  Open the **Group Policy Editor**.
-2.  In the **Local Computer Policy** tree, expand **Computer Configuration**, then **Administrative Templates**, then **Windows Components**, then **Windows Defender**.
-3.  Click **Scan**.
-4.  Double-click **Turn on e-mail scanning**.
-
-    This will open the **Turn on e-mail scanning** window:
-    
-    ![turn on e-mail scanning window](images/defender-scanemailfiles.png)
-    
-5.  Select **Enabled**.
-6.  Click **OK** to apply changes.
-
-## Use WMI to disable email scans
-
-You can write a WMI script or application to disable email scanning. Read more about [WMI in this article](https://msdn.microsoft.com/library/windows/desktop/dn439477.aspx), and read about [Windows Preference classes in this article](https://msdn.microsoft.com/library/windows/desktop/dn455323.aspx).
-
-Use the **DisableEmailScanning** property of the **MSFT\_MpPreference** class (part of the Windows DefenderWMI provider) to enable or disable this setting:
-**DisableEmailScanning**
-Data type: **boolean**
-Access type: Read-only
-Disable email scanning.
-
-## Use PowerShell to enable email scans
-
-You can also enable email scanning using the following PowerShell parameter:
-1.  Open PowerShell or PowerShellIntegrated Scripting Environment (ISE).
-2.  Type **Set-MpPreference -DisableEmailScanning $false**.
-
-Read more about this in:
--   [Scripting with Windows PowerShell](https://technet.microsoft.com/library/bb978526.aspx)
--   [Defender Cmdlets](https://technet.microsoft.com/library/dn433280.aspx)
-
-## Manage archive scans in Windows Defender
-
-You can use Windows Defender to scan archive files. Malware can install itself and hide in archive files, and although real-time protection offers you the best protection from malware, you can also scan archives stored on your PC or server with Windows Defender.
-> **Important:**  Archive scanning only applies to on-demand and scheduled scans, not on-access scans.
- 
-Archive scanning in Windows Defender is turned on by default. There are four ways you can manage scans through Windows Defender:
--   *Group Policy* settings
--   WMI
--   PowerShell
--   Endpoint Protection
-> **Note:**  Scanning archive files might increase the time required to complete a scan.
- 
-If you exclude an archive file type by using the **Extensions** box, Windows Defender will not scan files with that extension (no matter what the content is), even when you have selected the **Scan archive files** check box. For example, if you exclude .rar files but there’s a .r00 file that’s actually .rar content, it will still be scanned if archive scanning is enabled.
-
-## Use *Group Policy* settings to enable archive scans
-
-This policy setting allows you to turn on archive scanning.
-
-Turn on email scanning with the following *Group Policy* settings:
-1.  Open the **Group Policy Editor**.
-2.  In the **Local Computer Policy** tree, expand **Computer Configuration**, then **Administrative Templates**, then **Windows Components**, then **Windows Defender**.
-3.  Click **Scan**.
-4.  Double-click **Scan archive files**.
-
-    This will open the **Scan archive files** window:
-    
-    ![scan archive files window](images/defender-scanarchivefiles.png)
-    
-5.  Select **Enabled**.
-6.  Click **OK** to apply changes.
-
-There are a number of archive scan settings in the **Scan** repository you can configure through *Group Policy*, for example:
--   Maximum directory depth level into which archive files are unpacked during scanning
-
-    ![specify the maximum depth to scan archive files window](images/defender-scanarchivedepth.png)
-    
--   Maximum size of archive files that will be scanned
-
-    ![specify the maximum size of archive files to be scanned window](images/defender-scanarchivesize.png)
-    
--   Maximum percentage CPU utilization permitted during a scan
-
-    ![specify the maximum percentage od cpu utilization during a scan window](images/defender-scanarchivecpu.png)
-
-## Use WMI to disable archive scans
-
-You can write a WMI script or application to disable archive scanning. Read more about [WMI in this article](https://msdn.microsoft.com/library/windows/desktop/dn439477.aspx), and read about [Windows Preference classes in this article](https://msdn.microsoft.com/library/windows/desktop/dn455323.aspx).
-
-Use the **DisableArchiveScanning** property of the **MSFT\_MpPreference** class (part of the Windows DefenderWMI provider) to enable or disable this setting:
-**DisableArchiveScanning**
-Data type: **boolean**
-Access type: Read-only
-Disable archive scanning.
-
-## Use PowerShell to enable archive scans
-
-You can also enable archive scanning using the following PowerShell parameter:
-1.  Open PowerShell or PowerShellISE.
-2.  Type **Set-MpPreference -DisableArchiveScanning $false**.
-
-Read more about this in:
--   [Scripting with Windows PowerShell](https://technet.microsoft.com/library/bb978526.aspx)
--   [Defender Cmdlets](https://technet.microsoft.com/library/dn433280.aspx)
-
-## Use Endpoint Protection to configure archive scans
-
-In Endpoint Protection, you can use the advanced scanning options to configure archive scanning. For more information, see [What are advanced scanning options?](https://technet.microsoft.com/library/ff823807.aspx)
 
+- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
+- [Configure and run on-demand Windows Defender AV scans](run-scan-windows-defender-antivirus.md)
+- [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)

windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md

@@ -84,7 +84,9 @@ For security reasons, the package used to offboard endpoints will expire 30 days
 
     a. Click **Endpoint Management** on the **Navigation pane**.
 
-    b. Under **Endpoint offboarding** section, select **Group Policy**, click **Download package** and save the .zip file.
+    b. Click the **Endpoint offboarding** section.
+
+    c. Select **Group Policy**, click **Download package** and save the .zip file.
 
 2.	Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
 

windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md

@@ -108,7 +108,9 @@ For security reasons, the package used to offboard endpoints will expire 30 days
 
     a. Click **Endpoint Management** on the **Navigation pane**.
 
-    b. Under **Endpoint offboarding** section, select **Mobile Device Management /Microsoft Intune**, click **Download package** and save the .zip file.
+    b. Click the **Endpoint offboarding** section.
+
+    c. Select **Mobile Device Management /Microsoft Intune**, click **Download package** and save the .zip file.
 
 2.	Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding*.
 

windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md

@@ -88,7 +88,9 @@ For security reasons, the package used to offboard endpoints will expire 30 days
 
     a. Click **Endpoint Management** on the **Navigation pane**.
 
-    b. Under **Endpoint offboarding** section, select **System Center Configuration Manager System Center Configuration Manager 2012/2012 R2/1511/1602**, click **Download package**, and save the .zip file.
+    b. Click the **Endpoint offboarding** section.
+
+    c. Select **System Center Configuration Manager System Center Configuration Manager 2012/2012 R2/1511/1602**, click **Download package**, and save the .zip file.
 
 2.	Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
 

windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md

@@ -78,7 +78,9 @@ For security reasons, the package used to offboard endpoints will expire 30 days
 
     a. Click **Endpoint Management** on the **Navigation pane**.
 
-    b. Under **Endpoint offboarding** section, select **Group Policy**, click **Download package** and save the .zip file.
+    b. Click the **Endpoint offboarding** section.
+
+    c. Select **Group Policy**, click **Download package** and save the .zip file.
 
 2.	Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
 

windows/keep-secure/configure-exclusions-windows-defender-antivirus.md

@@ -1,6 +1,6 @@
 ---
 title: Set up exclusions for Windows Defender AV scans
-description: You can exclude files (including files modified by specified processes) and folders from being scanned by Windows Defender AV
+description: You can exclude files (including files modified by specified processes) and folders from being scanned by Windows Defender AV. Validate your exclusions with PowerShell.
 keywords: 
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
@@ -12,7 +12,7 @@ localizationpriority: medium
 author: iaanw
 ---
 
-# Exclude files and processes from Windows Defender AV scans
+# Configure and validate file and folder exclusions in Windows Defender AV scans
 
 
 **Applies to:**
@@ -27,24 +27,56 @@ author: iaanw
 **Manageability available with**
 
 - Group Policy
-- System Center Configuration Manager 
 - PowerShell
 - Windows Management Instrumentation (WMI)
+- System Center Configuration Manager
 - Microsoft Intune
 - Windows Defender Security Center
 
-You can exclude certain files, folders, and process-modified files from being scanned by Windows Defender AV. The exclusions apply to both [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md) and [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md).
+You can exclude certain files, folders, processes, and process-modified files from being scanned by Windows Defender AV. The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md).
 
-Changes made via Group Policy to the exclusion lists will show in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
+Changes made via Group Policy to the exclusion lists **will show** in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Defender Security Center app **will not show** in the Group Policy lists.
 
-However, changes made in the Windows Defender Security Center app will not show in the lists in the Group Policy settings.
+You can add, remove, and review the lists for exclusions in [Group Policy](#gp), [System Center Configuration Manager, Microsoft Intune, and with the Windows Defender Security Center app](#man-tools).
+
+You can also [use PowerShell cmdlets and WMI to configure the exclusion lists](#ps), although you will need to use several different cmdlets.
+
+By default, local changes made to the lists (by users with administrator privileges) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, Intune, PowerShell, or WMI. The Group Policy lists will take precedence in the case of conflicts. You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-windows-defender-antivirus.md#merge-lists) to disable this setting.
+
+PowerShell can be used to [validate that your exclusion lists are working as expected](#validate).
 
 
-## Exclude file extensions from Windows Defender AV scans
+## Types of exclusions
 
-You can exclude certain file extenstions from being scanned by Windows Defender AV.
+There are three exclusion lists that you can configure:
+- Extension exclusions list
+- File and folder exclusions list
+- Files opened by defined processes list
 
-**Use Group Policy to exclude specified file extensions from scans:**
+The following table shows some of the typical scenarios and which list would need to be configured.
+
+Exclusion | Examples | Exclusion list
+---|---|---
+Any file with a specific extension | All files with the .test extension, anywhere on the machine | Extension exclusions
+Any file under a specific folder | All files under the c:\test\sample folder | File and folder exclusions
+Any file with a specific file name | The file "sample.test", anywhere on the machine | File and folder exclusions
+A specific file in a specific folder | The file c:\sample\sample.test only | File and folder exclusions
+A specific process | The executable file c:\test\process.exe | File and folder exclusions list
+Any file opened by a specific process | Any file opened by the process c:\test\open.exe, even if the file that is opened is located in d:\folder43 | Process-opened exclusions
+
+
+This means the exclusion lists have the following characteristics:
+- If you exclude a file, the exclusion will apply to all versions of that file, regardless of where the file is located.
+- Folder exclusions will apply to all files and folders under that folder.
+- File extensions will apply to any file name with the defined extension, regardless of where the file is located.
+- Any file opened by the defined process will be excluded, regardless of where the file is located. The process itself will **not** be excluded.
+
+
+
+<a id="gp"></a>
+## Use Group Policy to configure exclusion lists
+
+**Use Group Policy to configure file extension exclusions:**
 
 1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
 
@@ -64,13 +96,11 @@ You can exclude certain file extenstions from being scanned by Windows Defender
 7. Click **OK**. 
 
 ![The Group Policy setting for file exclusions](images/defender/wdav-extension-exclusions.png)
+<a id="exclude-paths-files"></a>
+**Use Group Policy to exclude specified files or folders from scans:**
 
-
+>[!NOTE]
-
+>The exclusion will apply to any file with the defined file name - regardless of its location. If a folder is defined in the exclusion, then all files and subdirectories under that folder will be excluded.
-
-## Exclude paths and files from Windows Defender AV scans
-
-**Use Group Policy to exclude specified paths or folders from scans:**
 
 1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
 
@@ -85,21 +115,19 @@ You can exclude certain file extenstions from being scanned by Windows Defender
 
     1. Set the option to **Enabled**. 
     2. Under the **Options** section, click **Show...**
-    3. Enter each path or file on its own line under the **Value name** column. If you are entering a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extesnsion. Enter **0** in the **Value** column for all processes.
+    3. Enter each path or file on its own line under the **Value name** column. If you are entering a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column for all processes.
 
 7. Click **OK**. 
 
 ![The Group Policy setting for folder exclusions](images/defender/wdav-path-exclusions.png)
 
-
-## Exclude files opened by processes from Windows Defender AV scns
-
-You can exclude files that are opened by specified processes from being scanned. The specified process won't be excluded - but any files that are opened by that process will be.
-
-You can only exclude executable files.
-
 **Use Group Policy to exclude files that have been used or modified by specified processes from scans:**
 
+>[!NOTE] 
+>You can exclude files that are opened by specified processes from being scanned. The specified process won't be excluded - but any files that are opened by that process (regardless of where they are or what they are named) will be excluded. If you need to exclude the process itself, [exclude it as a file](#exclude-paths-files).  
+>You can only exclude files modified by processes if the process is an executable.  
+
+
 1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
 
 3.  In the **Group Policy Management Editor** go to **Computer configuration**.
@@ -113,26 +141,231 @@ You can only exclude executable files.
 
     1. Set the option to **Enabled**. 
     2. Under the **Options** section, click **Show...**
-    3. Enter each process on its own line under the **Value name** column. Ensure you enter a fully qualified path to the process, including the drive letter, folder path, filename, and extesnsion. Enter **0** in the **Value** column for all processes.
+    3. Enter each process on its own line under the **Value name** column. Ensure you enter a fully qualified path to the process, including the drive letter, folder path, filename, and extension. The process must be an executable. Enter **0** in the **Value** column for all processes.
 
 7. Click **OK**. 
 
 ![The Group Policy setting for specifying process exclusions](images/defender/wdav-process-exclusions.png)
 
+<a id="ps"></a>
+## Use PowerShell cmdlets and WMI to configure exclusion lists
+
+Excluding and reviewing file extensions, paths and files (including processes), and files opened by processes with PowerShell requires using a combination of four  cmdlets and the appropriate exclusion list parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/defender).
+
+There are three exclusion lists:
+- ExclusionExtension
+- ExclusionPath
+- ExclusionProcess
+
+You can modify each of the lists with the following cmdlets:
+- Set-MpPreference to create or overwrite the defined list
+- Add-MpPreference to add new items to the defined list
+- Remove-MpPreference to remove or delete items from the defined list
+- Get-MpPreference to review the items in the list, either all at once with all other Windows Defender AV settings, or individually for each of the lists
+
+>[!IMPORTANT]
+>If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list. 
+
+The following matrix provides sample commands based on what you want to exclude, and whether you want to create a list, add to the list, or remove items from the list.
+
+<table>
+<tr><th>Configuration action</th><th>Type of exclusion</th><th>PowerShell command</th></tr>
+
+
+<tr><td rowspan="3">Create or overwrite a list</td><td>File extensions that should be excluded from scans</td><td>
+Set-MpPreference -ExclusionExtension ".extension1, .extension2, .extension3"</td></tr>
+
+<tr><td>Files (including processes) and paths that should be excluded from scans</td><td>
+Set-MpPreference -ExclusionPath "c:\example, d:\test\process.exe, c:\test\file.bat"</td></tr>
+
+<tr><td>Files opened by the specified processes (executables)</td><td>
+Set-MpPreference -ExclusionProcess "c:\example\test.exe"</td></tr>
+
+
+
+<tr><td rowspan="3">Add to a list</td><td>File extensions that should be excluded from scans</td><td>
+Add-MpPreference -ExclusionExtension ".extension4, .extension5"</td></tr>
+
+<tr><td>Files (including processes) and paths that should be excluded from scans</td><td>
+Add-MpPreference -ExclusionPath "d:\test, d:\example\file.png"</td></tr>
+
+<tr><td>Files opened by specified processes (executables)</td><td>
+Add-MpPreference -ExclusionProcess "f:\test\sample.exe"</td></tr>
+
+
+
+
+<tr><td rowspan="3">Remove items from a list</td><td>File extensions that should be excluded from scans</td><td>
+Remove-MpPreference -ExclusionExtension ".extension1, .extension4, .extension5"</td></tr>
+
+<tr><td>Files (including processes) and paths that should be excluded from scans</td><td>
+Remove-MpPreference -ExclusionPath "c:\example, d:\example\file.png"</td></tr>
+
+<tr><td>Files opened by specified processes (executables)</td><td>
+Remove-MpPreference -ExclusionProcess "c:\example\test.exe"</td></tr>
+</table>
+
+### Review the exclusion lists with PowerShell
+
+You can retrieve the items in any of the lists in two ways:
+- Retrieve the status of all Windows Defender AV preferences. Each of the three lists will be displayed on separate lines, but the items within the list will be combined into the same line.
+- Write the status of all preferences to a variable, and only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line.
+
+In both instances the items are sorted alphabetically.
+
+The following sequence of code examples helps to show how this works.
+
+1. Create an example list of extensions that should be excluded from scans:
+    ```PowerShell
+    PS C:\> Set-MpPreference -ExclusionExtension ".test1, .test2"
+    ```
+
+2. Add some additional extensions:
+
+    ```PowerShell
+    PS C:\> Add-MpPreference -ExclusionExtension ".test40, test50"
+    ```
+
+3. Add another set of extensions:
+
+    ```PowerShell
+    PS C:\> Add-MpPreference -ExclusionExtension ".secondadd1, .secondadd2"
+    ```
+
+4. Review the list as a combined list:
+    ```PowerShell
+    PS C:\> Get-MpPreference
+    ```
+
+    ![PowerShell output for Get-MpPreference showing the exclusion list alongside other preferences](images/defender/wdav-powershell-get-exclusions-all.png)
+
+
+5. Use a variable to store and retrieve only the exclusions list:
+
+    ```PowerShell
+    PS C:\> $WDAVprefs = Get-MpPreference
+    PS C:\> $WDAVprefs.ExclusionExtension
+    ```
+
+    ![PowerShell output showing only the entries in the exclusion list](images/defender/wdav-powershell-get-exclusions-variable.png)
+
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+### Use Windows Management Instruction (WMI) to configure file extension exclusions
+
+Use the [ **Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
+
+```WMI
+ExclusionExtension
+ExclusionPath
+ExclusionProcess
+```
+
+The use of **Set**, **Add**, and **Remove** are analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`.
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+<a id="man-tools"></a>
+## Use System Center Configuration Manager, Intune, or the Windows Defender Security Center app to configure exclusion lists
+
+
+**Use Configuration Manager to configure file extension exclusions:**
+
+See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring System Center Configuration Manager (current branch).
+
+
+**Use Microsoft Intune to configure file extension exclusions:**
+
+
+See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) and [Windows Defender policy settings in Windows 10](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#windows-defender-1) for more details.
+
+
+**Use the Windows Defender Security app to add exclusions to Windows Defender AV:**
+
+See [Add exclusions in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions) for instructions.
+
+
 
  ## Configure auto exclusions lists for Windows Server deployments
 
-If you are using Windows Defender AV to protect Windows Server endpoints or machines, you are [automatically enrolled in certain exclusions](https://technet.microsoft.com/en-us/windows-server-docs/security/windows-defender/automatic-exclusions-for-windows-defender), as defined by your specified Server role.
+If you are using Windows Defender AV to protect Windows Server endpoints or machines, you are [automatically enrolled in certain exclusions](https://technet.microsoft.com/en-us/windows-server-docs/security/windows-defender/automatic-exclusions-for-windows-defender), as defined by your specified Windows Server Role.
 
 These exclusions will not appear in the standard exclusion lists shown in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
 
-You can also [add custom exclusions to the auto exclusions with PowerShell](https://technet.microsoft.com/en-us/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server#BKMK_DefExclusions).
+You can still add or remove custom exclusions (in addition to the Server Role-defined auto exclusions) as described in the other sections in this topic.
-Exclusions | Turn off Auto Exclusions | 
+
+You can also disable the auto-exclusions lists with Group Policy, PowerShell cmdlets, and WMI.
+
+**Use Group Policy to disable the auto-exclusions list on Windows Server 2016:**
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**.
+
+6. Double-click the **Turn off Auto Exclusions** setting and set the option to **Enabled**. Click **OK**. 
+
+**Use PowerShell cmdlets to disable the auto-exclusions list on Windows Server 2016:**
+
+Use the following cmdlets:
+
+```PowerShell
+Set-MpPreference -DisableAutoExclusions
+```
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+**Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016:**
+
+Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
+
+```WMI
+DisableAutoExclusions
+```
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+## Use wildcards in exclusion lists
+
+You can use the asterisk **\***, question mark **?**, or environment variables (such as %APPDATA%) as wildcards when defining items in the exclusion lists.
+
+You cannot use a wildcard in place of a drive letter.
 
 
+The following table describes how the wildcards can be used and provides some examples.
+
+Wildcard | Use | Example use | Example matches
+---|---|---|---
+**\*** (asterisk) | Replaces any number of chararacters | <ul><li>C:\MyData\my\*.zip</li><li>C:\somepath\\\*\Data</li><li>.t\*t</li></ul> | <ul><li>C:\MyData\my-archived-files-43.zip</li><li>C:\somepath\folder1\folder2\Data</li><li>.test</li></ul>
+**?** (question mark) | Replaces a single character | <ul><li>C:\MyData\my\*.zip</li><li>C:\somepath\\\*\Data</li><li>.t\*t</li></ul> | <ul><li>C:\MyData\my1.zip</li><li>C:\somepath\P\Data</li><li>.txt </li></ul>
+Environment variables | The defined variable will be populated as a path when the exclusion is evaluated |  <ul><li>%ALLUSERSPROFILE%\CustomLogFiles</li><li>%APPDATA%\Data\file.png</li></ul> | <ul><li>C:\ProgramData\CustomLogFiles\Folder1\file1.txt</li><li>C:\Users\username\AppData\Roaming\Data\file.png</li></ul>
 
 
+<a id="validate"></a>
+## Validate exclusions lists with the EICAR test file
 
+You can validate that your exclusion lists are working by using PowerShell with either the `Invoke-WebRequest` cmdlet or the .NET WebClient class to download a test file.
+
+In the following PowerShell snippet, replace *test.txt* with a file that conforms to your exclusion rules. For example, if you have excluded the .testing extension, replace *test.txt* with *test.testing*. If you are testing a path, ensure you run the cmdlet within that path.
+
+```PowerShell
+Invoke-WebRequest "http://www.eicar.org/download/eicar.com.txt" -OutFile "test.txt"
+```
+
+If Windows Defender AV reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the [EICAR testfile website](http://www.eicar.org/86-0-Intended-use.html).
+
+You can also use the following PowerShell code, which calls the .NET WebClient class to download the testfile - as with the `Invoke-WebRequest` cmdlet, replace *c:\test.txt* with a file that conforms to the rule you are validating:
+
+```PowerShell 
+$client = new-object System.Net.WebClient
+$client.DownloadFile("http://www.eicar.org/download/eicar.com.txt","c:\test.txt")
+```
 
 
 ## Related topics

windows/keep-secure/configure-local-policy-overrides-windows-defender-antivirus.md

@@ -73,7 +73,7 @@ Scan | Configure local setting override for the scan type to use for a scheduled
 
 
 
-
+<a id="merge-lists"></a>
 ## Configure how locally and globally defined threat remediation and exclusions lists are merged
 
 You can also configure how locally defined lists are combined or merged with globally defined lists. This setting applies to [exclusion lists](configure-exclusions-windows-defender-antivirus.md) and [specified remediation lists](configure-remediation-windows-defender-antivirus.md).

windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md

@@ -37,8 +37,8 @@ The WinHTTP configuration setting is independent of the Windows Internet (WinINe
 
 
  - Manual static proxy configuration:
-    - WinHTTP configured using netsh command
     - Registry based configuration
+    - WinHTTP configured using netsh command – Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy)
 
 ## Configure the proxy server manually using a registry-based static proxy
 Configure a registry-based static proxy to allow only Windows Defender ATP sensor to report telemetry and communicate with Windows Defender ATP services if a computer is not be permitted to connect to the Internet.
@@ -61,7 +61,8 @@ The registry value `DisableEnterpriseAuthProxy` should be set to 1.
 Use netsh to configure a system-wide static proxy.
 
 > [!NOTE]
-> This will affect all applications including Windows services which use WinHTTP with default proxy.
+> - This will affect all applications including Windows services which use WinHTTP with default proxy.</br>
+> - Laptops that are changing topology (for example: from office to home) will malfunction with netsh. Use the registry-based static proxy configuration.
 
 1. Open an elevated command-line:
 

windows/keep-secure/configure-real-time-protection-windows-defender-antivirus.md

@@ -67,7 +67,7 @@ Real-time protection | Turn on process scanning whenever real-time protection is
 Real-time protection | Turn on behavior monitoring | The AV engine will monitor file processes, file and registry changes, and other events on your endpoints for suspicious and known malicious activity | Enabled
 Real-time protection | Turn on raw volume write notifications | Information about raw volume writes will be analysed by behavior monitoring | Enabled
 Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | You can define the size in kilobytes | Enabled 
-Real-time protection | Configure monitoring for incoming and outgoing file and program activity | Specify whether monitoring should occur on incoming, outgoing, both, or neither direction. This is relevant for Windows Server installations where you have defined specific servers or server roles that see large amounts of file changes in only one direction and you want to improve network performance. Note that fully updated endpoints (and servers) on a network will see little performance impact irrespective of the number or direction of file changes. 
+Real-time protection | Configure monitoring for incoming and outgoing file and program activity | Specify whether monitoring should occur on incoming, outgoing, both, or neither direction. This is relevant for Windows Server installations where you have defined specific servers or Server Roles that see large amounts of file changes in only one direction and you want to improve network performance. Note that fully updated endpoints (and servers) on a network will see little performance impact irrespective of the number or direction of file changes. 
 Scan	| Turn on heuristics | Heuristic protection will disable or block suspicious activity immediately before the AV engine is asked to detect the activity | Enabled (both directions)
 
 

windows/keep-secure/configure-remediation-windows-defender-antivirus.md

@@ -15,3 +15,40 @@ author: iaanw
 
 
 # Configure remediation for Windows Defender AV scans
+
+**Applies to**
+-   Windows 10
+
+**Audience**
+
+- Enterprise security administrators
+
+**Manageability available with**
+
+- Group Policy
+- System Center Configuration Manager 
+- PowerShell
+- Windows Management Instrumentation (WMI)
+- Microsoft Intune
+
+
+
+Main | Allow antimalware service to startup with normal priority
+Main | Allow antimalware service to remain running always
+Scan | Create a system restore point
+
+Main | Turn off routine remediation
+Quarantine | Configure removal of items from Quarantine folder
+Scan | Turn on removal of items from scan history folder
+
+
+
+
+
+[Configure remediation-required scheduled full scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md#remed)
+
+Threats | Specify threat alert levels at which default action should not be taken when detected
+Threats | Specify threats upon which default action should not be taken when detected
+
+https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#threat-overrides-settings
+https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#choose-default-actions-settings

windows/keep-secure/configure-windows-defender-in-windows-10.md

@@ -1,16 +0,0 @@
----
-title: Configure and use Windows Defender in Windows 10
-description: IT professionals can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Microsoft Active Directory and Windows Server Update Services (WSUS).
-ms.assetid: 22649663-AC7A-40D8-B1F7-5CAD9E49653D
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-localizationpriority: medium
-author: jasesso
-redirect_url: /itpro/windows/keep-secure/deploy-manage-report-windows-defender-antivirus/
----
-
-# Configure Windows Defender in Windows 10
-
-This page has been redirected to *Windows Defender Antivirus in Windows 10*.

windows/keep-secure/credential-guard.md

@@ -126,9 +126,9 @@ The following tables describe baseline protections, plus protections for improve
 
 <br>
 
-#### 2017 Additional security qualifications starting with Windows 10, version 1703 
+#### 2017 Additional security qualifications starting in 2017 
 
-The following table lists qualifications for Windows 10, version 1703, which are in addition to all preceding qualifications. 
+The following table lists qualifications for 2017, which are in addition to all preceding qualifications. 
 
 | Protection for Improved Security          | Description                                        |
 |---------------------------------------------|----------------------------------------------------|

windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md

@@ -144,7 +144,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualiza
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
 ```
 
-> To enable **VBS with Secure Boot and DMA (value 2)**, in the preceding command, change **/d 1** to **/d 2**.
+> To enable **VBS with Secure Boot and DMA (value 3)**, in the preceding command, change **/d 1** to **/d 3**.
 
 **To enable VBS without UEFI lock (value 0)**
 
@@ -196,7 +196,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualiza
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
 ```
 
-> To enable **VBS with Secure Boot and DMA (value 2)**, in the preceding command, change **/d 1** to **/d 2**.
+> To enable **VBS with Secure Boot and DMA (value 3)**, in the preceding command, change **/d 1** to **/d 3**.
 
 **To enable virtualization-based protection of Code Integrity policies (with the default, UEFI lock)**
 

windows/keep-secure/deploy-manage-report-windows-defender-antivirus.md

@@ -26,7 +26,7 @@ You can deploy, manage, and report on Windows Defender Antivirus in a number of
 
 As the Windows Defender AV client is installed as a core part of Windows 10, traditional deployment of a client to your endpoints does not apply.
 
-However, in most cases you will still need to enable the protection service on your endpoints with System Center Configuration Manager, Microsoft Intune, Azure Secrutiy Center, or Group Policy Objects, which is described in the following table.
+However, in most cases you will still need to enable the protection service on your endpoints with System Center Configuration Manager, Microsoft Intune, Azure Security Center, or Group Policy Objects, which is described in the following table.
 
 You'll also see additional links for:
 - Managing Windows Defender Antivirus protection, including managing product and protection updates
@@ -49,7 +49,7 @@ Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by
 
 1. <span id="fn2" />Configuration of features and protection, including configuring product and protection updates, are further described in the [Configure Windows Defender Antivirus features](configure-notifications-windows-defender-antivirus.md) section in this library.  [(Return to table)](#ref2)
   
-1.	<span id="fn3" />In Windows 10, Windows Defender Antivirus is a component available without installation or deployment of an additional client or service. It will automatically be enabled when third-party antivirus products are either uninstalled or out of date. Traditional deployment therefore is not required. Deployment here refers to ensuring the Windows Defender Antivirus component is available and enabled on endpoints or servers.  [(Return to table)](#ref3)
+1.	<span id="fn3" />In Windows 10, Windows Defender Antivirus is a component available without installation or deployment of an additional client or service. It will automatically be enabled when third-party antivirus products are either uninstalled or out of date ([except on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md). Traditional deployment therefore is not required. Deployment here refers to ensuring the Windows Defender Antivirus component is available and enabled on endpoints or servers.  [(Return to table)](#ref3)
 
 
 

windows/keep-secure/deployment-vdi-windows-defender-antivirus.md

@@ -20,7 +20,7 @@ author: iaanw
 
 **Audience**
 
-- IT professionals
+- Enterprise security administrators
 
 **Manageability available with**
 

windows/keep-secure/enable-pua-windows-defender-for-windows-10.md

@@ -1,18 +0,0 @@
----
-title: Detect and block Potentially Unwanted Application with Windows Defender
-description: In Windows 10, you can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
-keywords: pua, enable, detect pua, block pua, windows defender and pua
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: detect
-ms.sitesec: library
-ms.pagetype: security
-localizationpriority: medium
-author: dulcemv
-redirect_url: /detect-block-potentially-unwanted-apps-windows-defender-antivirus/
----
-
-# Detect and block Potentially Unwanted Application in Windows 10
-
-This page has been redirected to *Detect and block unwanted applications*.

windows/keep-secure/get-started-with-windows-defender-for-windows-10.md

@@ -1,16 +0,0 @@
----
-title: Update and manage Windows Defender in Windows 10 (Windows 10)
-description: IT professionals can manage Windows Defender on Windows 10 endpoints in their organization using Microsoft Active Directory or Windows Server Update Services (WSUS), apply updates to endpoints, and manage scans using Group Policy SettingsWindows Management Instrumentation (WMI)PowerShell.
-ms.assetid: 045F5BF2-87D7-4522-97E1-C1D508E063A7
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-localizationpriority: medium
-author: jasesso
-redirect_url: /deploy-manage-report-windows-defender-antivirus/
----
-
-# Update and manage Windows Defender in Windows 10
-
-This page has been redirected to *Windows Defender Antivirus in Windows 10*.

windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md

@@ -112,7 +112,7 @@ Membership in the local Administrators group, or equivalent, is the minimum requ
 
 5.  After the PC restarts, your TPM will be automatically prepared for use by Windows 10.
 
-## <a href="" id="turn-on-or-turn-off"></a>Turn on or turn off the TPM (TPM 1.2 with Windows 10, version 1507 or 1511)
+## <a href="" id="turn-on-or-turn-off"></a>Turn on or turn off the TPM (available only with TPM 1.2 with Windows 10, version 1507 or 1511)
 
 Normally, the TPM is turned on as part of the TPM initialization process. You do not normally need to turn the TPM on or off. However, if necessary you can do so by using the TPM MMC.
 
@@ -148,6 +148,20 @@ If you want to stop using the services that are provided by the TPM, you can use
 
   -   If you did not save your TPM owner password or no longer know it, click **I do not have the TPM owner password**, and follow the instructions that are provided in the dialog box and subsequent UEFI screens to turn off the TPM without entering the password.
   
+### Change the TPM Owner Password (available only with Windows 10, version 1607 and earlier versions)
+
+If you have the [owner password](https://technet.microsoft.com/itpro/windows/keep-secure/change-the-tpm-owner-password) available, you can use TPM.msc to change the TPM Owner Password.
+
+1.  Open the TPM MMC (tpm.msc).
+
+2. In the **Action** pane, click **Change the Owner Password**
+
+  -   If you saved your TPM owner password on a removable storage device, insert it, and then click **I have the owner password file**. In the **Select backup file with the TPM owner password** dialog box, click **Browse** to locate the .tpm file that is saved on your removable storage device, click **Open**, and then click **Turn TPM Off**.
+
+  -   If you do not have the removable storage device with your saved TPM owner password, click **I want to enter the password**. In the **Type your TPM owner password** dialog box, type your password (including hyphens), and then click **Turn TPM Off**.
+
+This capability was fully removed from TPM.msc in later versions of Windows.
+
 ## Use the TPM cmdlets
 
 You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx).

windows/keep-secure/interactive-logon-dont-display-username-at-sign-in.md

@@ -0,0 +1,86 @@
+---
+title: Interactive logon Don't display username at sign-in (Windows 10)
+description: Describes the best practices, location, values, and security considerations for the Interactive logon Don't display username at sign-in security policy setting.
+ms.assetid: 98b24b03-95fe-4edc-8e97-cbdaa8e314fd
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Interactive logon: Don't display username at sign-in
+
+**Applies to**
+-   Windows Server 2003, Windows Vista, Windows XP, Windows Server 2008, Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012, Windows 8, Windows 10
+
+Describes the best practices, location, values, and security considerations for the **Interactive logon: Don't display username at sign-in** security policy setting. 
+
+## Reference
+
+A new policy setting has been introduced in Windows 10 starting with Windows 10 version 1703. This security policy setting determines whether the username is displayed during sign in. This setting only affects the **Other user** tile.
+
+If the policy is enabled and a user signs in as **Other user**, the full name of the user is not displayed during sign-in. In the same context, if users type their email address and password at the sign in screen and press **Enter**, the displayed text “Other user” remains unchanged, and is no longer replaced by the user’s first and last name, as in previous versions of Windows 10. Additionally,if users enter their domain user name and password and click **Submit**, their full name is not shown until the Start screen displays.
+
+If the policy is disabled and a user signs in as **Other user**, the “Other user” text is replaced by the user’s first and last name during sign-in.
+
+### Possible values
+
+-   Enabled
+-   Disabled
+-   Not defined
+
+### Best practices
+
+Your implementation of this policy depends on your security requirements for displayed logon information. If you have devices that store sensitive data, with monitors displayed in unsecured locations, or if you have devices with sensitive data that are remotely accessed, revealing logged on user’s full names or domain account names might contradict your overall security policy.
+
+### Location
+
+Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
+
+### Default values
+
+| Server type or Group Policy object (GPO) | Default value|
+| - | - |
+| Default domain policy| Not defined|
+| Default domain controller policy| Not defined|
+| Stand-alone server default settings | Not defined|
+| Domain controller effective default settings | Not defined|
+| Member server effective default settings | Not defined|
+| Effective GPO default settings on client computers | Not defined|
+ 
+## Policy management
+
+This section describes features and tools that are available to help you manage this policy.
+
+### Restart requirement
+
+None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
+
+### Policy conflict considerations
+
+None.
+
+### Group Policy
+
+This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in.
+
+## Security considerations
+
+This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
+
+### Vulnerability
+
+An attacker with access to the console (for example, someone with physical access or someone who can connect to the device through Remote Desktop Session Host) could view the name of the last user who logged on. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try to log on.
+
+### Countermeasure
+
+Enable the **Interactive logon: Don't display user name at sign-in** setting.
+
+### Potential impact
+
+Users must always type their usernames and passwords when they log on locally or to the domain. The logon tiles of all logged on users are not displayed.
+
+## Related topics
+
+- [Security Options](security-options.md)

windows/keep-secure/limitations-with-wip.md

@@ -27,7 +27,7 @@ This table provides info about the most common problems you might encounter whil
     <tr>
         <td>Your enterprise data on USB drives might be tied to the device it was protected on, based on your Azure RMS configuration.</td>
         <td><strong>If you’re using Azure RMS:</strong> Authenticated users can open enterprise data on USB drives, on computers running the latest build from the Windows Insider Program.<p><strong>If you’re not using Azure RMS:</strong> Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text.</td>
-        <td>Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.<p>We strongly recommend educating employees about how to limit or eliminate the need for this decryption.</td>
+        <td>Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.<p>We strongly recommend educating employees about how to limit or eliminate the need for this decryption.<p><strong>Important</strong><br>If you're running WIP with Azure Rights Management (Azure RMS), you can open any enterprise data copied to a USB drive on computers running Windows 10, version 1703 and later. For more info about how to set up WIP with Azure RMS, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/create-wip-policy-using-intune).</td>
     </tr>
     <tr>
         <td>Direct Access is incompatible with WIP.</td>
@@ -79,6 +79,27 @@ This table provides info about the most common problems you might encounter whil
         <td>Webpages that use ActiveX controls can potentially communicate with other outside processes that aren’t protected by using WIP.</td>
         <td>We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology.<p>For more info, see [Out-of-date ActiveX control blocking](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking).</td>
     </tr>
+    <tr>
+        <td>WIP isn’t turned on if any of the following folders have the <strong>MakeFolderAvailableOfflineDisabled</strong> option set to <strong>False</strong>:
+            <ul>
+                <li>AppDataRoaming</li>
+                <li>Desktop</li>
+                <li>StartMenu</li>
+                <li>Documents</li>
+                <li>Pictures</li>
+                <li>Music</li>
+                <li>Videos</li>
+                <li>Favorites</li>
+                <li>Contacts</li>
+                <li>Downloads</li>
+                <li>Links</li>
+                <li>Searches</li>
+                <li>SavedGames</li>
+            </ul>
+        </td>
+        <td>WIP isn’t turned on for employees in your organization.</td>
+        <td>Don’t set the <strong>MakeFolderAvailableOfflineDisabled</strong> option to <strong>False</strong> for any of the specified folders.<p>If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/en-us/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection).</td>
+    </tr>
 </table>
 
 >[!NOTE]

windows/keep-secure/mandatory-settings-for-wip.md

@@ -19,7 +19,7 @@ localizationpriority: high
 This list provides all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise.
 
 >[!IMPORTANT]
->All sections provided for more info appear in either the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) or [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md), based on the tool you're using in your enterprise.
+>All sections provided for more info appear in either the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) or [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md), based on the tool you're using in your organization.
 
 
 |Task                                |Description               |

windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md

@@ -62,7 +62,9 @@ The following tables provide more information about the hardware, firmware, and
 
 The following tables describes additional hardware and firmware requirements, and the improved security that is available when those requirements are met.
 
-### Additional Qualification Requirements starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4
+
+### Additional security qualifications starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4
+
 
 | Protections for Improved Security - requirement         | Description                                        |
 |---------------------------------------------|----------------------------------------------------|

windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md

@@ -85,8 +85,9 @@ You can roll back and remove a file from quarantine if you’ve determined that
   ```
   “%ProgramFiles%\Windows Defender\MpCmdRun.exe” –Restore –Name EUS:Win32/CustomEnterpriseBlock –All
   ```
-    >[!NOTE]
+  
-    >Windows Defender ATP will remove all files that were quarantined on this machine in the last 30 days.
+> [!NOTE]
+> Windows Defender ATP will remove all files that were quarantined on this machine in the last 30 days.
 
 ## Block files in your network
 You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization.

windows/keep-secure/review-scan-results-windows-defender-antivirus.md

@@ -1,7 +1,7 @@
 ---
 title: Review the results of Windows Defender AV scans 
 description: Review the results of scans using System Center Configuration Manager, Microsoft Intune, or the Windows Defender Security Center app
-keywords: 
+keywords: scan results, remediation, full scan, quick scan
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
 ms.prod: w10
@@ -13,3 +13,79 @@ author: iaanw
 ---
 
 # Review Windows Defender AV scan results
+
+
+**Applies to:**
+
+- Windows 10
+
+**Audience**
+
+- Enterprise security administrators
+
+**Manageability available with**
+
+- PowerShell
+- Windows Management Instrumentation (WMI)
+- System Center Configuration Manager 
+- Microsoft Intune
+- Windows Defender Security Center app
+
+
+After Windows Defender Antivirus has completed a scan, whether it is an [on-demand](run-scan-windows-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-windows-defender-antivirus.md), the results are recorded and you can view the results. You can also define
+
+
+**Use Configuration Manager to review Windows Defender AV scan results:**
+
+See [How to monitor Endpoint Protection status](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection).
+
+
+**Use the Windows Defender Security app to review Windows Defender AV scan results:**
+
+1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+
+2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Scan history** label.
+
+    - Click **See full history** for any of the sections to see previous detections and the action taken. You can also clear the list.
+    - Information about the last scan is displayed at the bottom of the page.
+
+
+
+
+**Use PowerShell cmdlets to review Windows Defender AV scan results:**
+
+The following cmdlet will return each detection on the endpoint. If there are multiple detection of the same threat, each detection will be listed separately, based on the time of each detection:
+
+```PowerShell
+Get-MpThreatDetection
+```
+
+![IMAGEALT](images/defender/wdav-get-mpthreatdetection.png)
+
+You can specify `-ThreatID` to limit the output to only show the detections for a specific threat.
+
+If you want to list threat detections, but combine detections of the same threat into a single item, you can use the following cmdlet:
+
+```PowerShell
+Get-MpThreat
+```
+
+![IMAGEALT](images/defender/wdav-get-mpthreat.png)
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+**Use Windows Management Instruction (WMI) to review Windows Defender AV scan results:**
+
+Use the [**Get** method of the **MSFT_MpThreat** and **MSFT_MpThreatDetection**](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) classes.
+
+
+**Use Microsoft Intune to review Windows Defender AV scan results:**
+
+See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune: Monitor Endpoint Protection](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#monitor-endpoint-protection).
+
+
+
+## Related topics
+
+- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)

windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md

@@ -1,18 +0,0 @@
----
-title: Learn how to run a scan from command line in Windows Defender (Windows 10)
-description: Windows Defender utility enables IT professionals to use command line to run antivirus scans.
-keywords: run windows defender scan, run antivirus scan from command line, run windows defender scan from command line, mpcmdrun, defender
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-localizationpriority: medium
-author: mjcaparas
-redirect_url: /command-line-arguments-windows-defender-antivirus/
----
-
-# Run a Windows Defender scan from the command line
-
-This page has been redirected to *Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender Antivirus*.

windows/keep-secure/run-scan-windows-defender-antivirus.md

@@ -1,7 +1,7 @@
 ---
 title: Run and customize on-demand scans in Windows Defender AV
 description: Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Defender Security Center app
-keywords: 
+keywords: scan, on-demand, dos, intune, instant scan
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
 ms.prod: w10
@@ -16,44 +16,93 @@ author: iaanw
 
 
 
-# Configure and run Windows Defender AV scans
+# Configure and run on-demand Windows Defender AV scans
 
 **Applies to:**
 
 - Windows 10
 
-IT professionals can use a command-line utility to run a Windows Defender scan. 
+**Audience**
 
-The utility is available in _%Program Files%\Windows Defender\MpCmdRun.exe_.
+- Enterprise security administrators
 
-This utility can be handy when you want to automate the use of Windows Defender. 
+**Manageability available with**
 
-**To run a quick scan from the command line**
+- Windows Defender AV mpcmdrun utility
+- PowerShell
+- Windows Management Instrumentation (WMI)
+- System Center Configuration Manager 
+- Microsoft Intune
+- Windows Defender Security Center app
 
-1. Click **Start**, type **cmd**, and press **Enter**.
+You can run an on-demand scan on individual endpoints. These scans will start immediately, and you can define parameters for the scan, such as the location or type.
-2. Navigate to _%ProgramFiles%\Windows Defender_ and enter the following command, and press **Enter**:
-
-```
-C:\Program Files\Windows Defender\mpcmdrun.exe -scan -scantype 1
-```
-The quick scan will start. When the scan completes, you'll see a message indicating that the scan is finished. 
 
 
-The utility also provides other commands that you can run:
+## Quick scan versus full scan
 
-```
+Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders. 
-MpCmdRun.exe [command] [-options]
+
+Combined with [always-on real-time protection capability](configure-real-time-protection-windows-defender-antivirus.md) - which reviews files when they are opened and closed, and whenever a user navigates to a folder - a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.  
+
+In most instances, this means a quick scan is adequate to find malware that wasn't picked up by real-time protection.
+
+A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up, and can be ideal when running on-demand scans.
+
+
+**Use the mpcmdrum.exe command-line utility to run a scan:**
+
+Use the following `-scan` parameter:
+
+```DOS
+mpcmdrun.exe -scan -scantype 1
 ```
 
-Command | Description 
+
-:---|:---
+
-\- ? / -h | Displays all available options for the tool
+See [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender Antivirus](command-line-arguments-windows-defender-antivirus.md) for more information on how to use the tool and additional parameters, including starting a full scan or defining paths.
-\-Scan [-ScanType #] [-File <path> [-DisableRemediation] [-BootSectorScan]][-Timeout <days>] | Scans for malicious software
+
-\-Trace  [-Grouping #] [-Level #]| Starts diagnostic tracing
+
-\-GetFiles | Collects support information
+
-\-RemoveDefinitions [-All] | Restores the installed signature definitions to a previous backup copy or to the original default set of signatures
+**Use Configuration Manager to run a scan:**
-\-AddDynamicSignature [-Path] | Loads a dynamic signature
+
-\-ListAllDynamicSignature [-Path] | Lists the loaded dynamic signatures
+See [Antimalware and firewall tasks: How to perform an on-demance scan](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers) for details on using System Center Configuration Manager (current branch) to run a scan.
-\-RemoveDynamicSignature [-SignatureSetID] | Removes a dynamic signature
+
-<br>
+
-The command-line utility provides detailed information on the other commands supported by the tool. 
+
+**Use the Windows Defender Security Center app to run a scan:**
+
+See [Run a scan in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#scan) for instructions on running a scan on individual endpoints.
+
+
+
+**Use PowerShell cmdlets to run a scan:**
+
+Use the following cmdlet:
+
+```PowerShell
+Start-MpScan
+```
+
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+**Use Windows Management Instruction (WMI) to run a scan:**
+
+Use the [**Start** method of the **MSFT_MpScan**](https://msdn.microsoft.com/en-us/library/dn455324(v=vs.85).aspx#methods) class.
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+
+**Use Microsoft Intune to run a scan:**
+
+
+See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune: Run a malware scan](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#run-a-malware-scan-or-update-malware-definitions-on-a-computer) and [Windows Defender policy settings in Windows 10](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#windows-defender-1) for more details.
+
+
+## Related topics
+
+
+- [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
+- [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)

windows/keep-secure/scheduled-catch-up-scans-windows-defender-antivirus.md

@@ -1,7 +1,7 @@
 ---
 title: Schedule regular scans with Windows Defender AV
 description: Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans
-keywords: 
+keywords: schedule scan, daily, weekly, time, scheduled, recurring, regular
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
 ms.prod: w10
@@ -22,7 +22,7 @@ author: iaanw
 
 **Audience**
 
-- Network administrators
+- Enterprise security administrators
 
 **Manageability available with**
 
@@ -37,7 +37,197 @@ author: iaanw
 > By default, Windows Defender AV will check for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) to override this default. 
 
 
-RANDOMIZE
+In addition to always-on real-time protection and [on-demand](run-scan-windows-defender-antivirus.md) scans, you can set up regular, scheduled scans. 
+
+You can configure the type of scan, when the scan should occur, and if the scan should occur after a [protection update](manage-protection-updates-windows-defender-antivirus.md) or if the endpoint is being used. You can also specify when special scans to complete remediation should occur.
+
+This topic describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intunespecify-scan-schedule-settings).
+
+To configure the Group Policy settings described in this topic:
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below.
+
+6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
+
+
+Also see the [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) and [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) topics.
+
+## Quick scan versus full scan
+
+When you set up scheduled scans, you can set up whether the scan should be a full or quick scan.
+
+Quick scans look at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders. 
+
+Combined with [always-on real-time protection capability](configure-real-time-protection-windows-defender-antivirus.md) - which reviews files when they are opened and closed, and whenever a user navigates to a folder - a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.  
+
+In most instances, this means a quick scan is adequate to find malware that wasn't picked up by real-time protection.
+
+A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up. In this instance, you may want to use a full scan when running an [on-demand scan](run-scan-windows-defender-antivirus.md).
+
+## Set up scheduled scans
+
+Scheduled scans will run at the day and time you specify. You can use Group Policy, PowerShell, and WMI to configure scheduled scans.
+
+
+**Use Group Policy to schedule scans:**
+
+Location | Setting | Description | Default setting (if not configured)
+---|---|---|---
+Scan | Specify the scan type to use for a scheduled scan | Quick scan
+Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never
+Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am) | 2 am
+Main | Randomize scheduled task times | Randomize the start time of the scan to any interval plus or minus 30 minutes. This can be useful in VM or VDI deployments | Enabled
+
+**Use PowerShell cmdlets to schedule scans:**
+
+Use the following cmdlets:
+
+```PowerShell
+Set-MpPreference -ScanParameters
+Set-MpPreference -ScanScheduleDay
+Set-MpPreference -ScanScheduleTime
+Set-MpPreference -RandomizeScheduleTaskTimes
+
+```
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+**Use Windows Management Instruction (WMI) to schedule scans:**
+
+Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
+
+```WMI
+SignatureFallbackOrder
+SignatureDefinitionUpdateFileSharesSouce
+```
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+
+
+
+## Start scheduled scans only when the endpoint is not in use
+
+You can set the scheduled scan to only occur when the endpoint is turned on but not in use with Group Policy, PowerShell, or WMI.
+
+**Use Group Policy to schedule scans**
+
+Location | Setting | Description | Default setting (if not configured)
+---|---|---|---
+Scan | Start the scheduled scan only when computer is on but not in use | Scheduled scans will not run, unless the computer is on but not in use | Enabled
+
+**Use PowerShell cmdlets:**
+
+Use the following cmdlets:
+
+```PowerShell
+Set-MpPreference -ScanOnlyIfIdleEnabled
+```
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+**Use Windows Management Instruction (WMI):**
+
+Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
+
+```WMI
+SignatureFallbackOrder
+SignatureDefinitionUpdateFileSharesSouce
+```
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+<a id="remed"></a>
+## Configure when full scans should be run to complete remediation
+
+Some threats may require a full scan to complete their removal and remediation. You can schedule when these scans should occur with Group Policy, PowerShell, or WMI.
+
+
+**Use Group Policy to schedule remediation-required scans**
+
+Location | Setting | Description | Default setting (if not configured)
+---|---|---|---
+Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | Specify the day (or never) to run a scan. | Never
+Remediation | Specify the time of day to run a scheduled full scan to complete remediation | Specify the number of minutes after midnight (for example, enter **60** for 1 am) | 2 am
+
+**Use PowerShell cmdlets:**
+
+Use the following cmdlets:
+
+```PowerShell
+Set-MpPreference -RemediationScheduleDay
+Set-MpPreference -RemediationScheduleTime
+```
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+**Use Windows Management Instruction (WMI):**
+
+Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
+
+```WMI
+SignatureFallbackOrder
+SignatureDefinitionUpdateFileSharesSouce
+```
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+
+
+
+## Set up daily quick scans
+
+You can enable a daily quick scan that can be run in addition to your other scheduled scans with Group Policy, PowerShell, or WMI.
+
+
+**Use Group Policy to schedule daily scans:**
+
+Location | Setting | Description | Default setting (if not configured)
+---|---|---|---
+Scan | Specify the interval to run quick scans per day | Specify how many hours should elapse before the next quick scan. For example, to run every two hours, enter **2**, for once a day, enter **24**. Enter **0** to never run a daily quick scan. | Never
+Scan | Specify the time for a daily quick scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am) | 2 am
+
+**Use PowerShell cmdlets to schedule daily scans:**
+
+Use the following cmdlets:
+
+```PowerShell
+Set-MpPreference Set-MpPreference -ScanScheduleQuickTime
+```
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+**Use Windows Management Instruction (WMI) to schedule daily scans:**
+
+Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
+
+```WMI
+SignatureFallbackOrder
+SignatureDefinitionUpdateFileSharesSouce
+```
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+
+## Enable scans after protection updates
+
+You can force a scan to occur after every [protection update](manage-protection-updates-windows-defender-antivirus.md) with Group Policy.
+
+**Use Group Policy to schedule scans after protection updates**
+
+Location | Setting | Description | Default setting (if not configured)
+---|---|---|---
+Signature updates | Turn on scan after signature update | A scan will occur immediately after a new protection update is downloaded | Enabled
 
 
 
@@ -45,6 +235,10 @@ RANDOMIZE
 
 ## Related topics
 
+
+- [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+- [Configure and run on-demand Windows Defender AV scans](run-scan-windows-defender-antivirus.md)
+- [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
 - [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
-- [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
+- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) 
-- [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)

windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md

@@ -229,22 +229,21 @@ If the verification fails and your environment is using a proxy to connect to th
 
 **Solution**: If your endpoints are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled. You must ensure that it's not disabled in system policy.
 
-- Depending on the tool that you use to implement policies, you'll need to verify that the following Windows Defender policies are set to ```0``` or that the settings are cleared:
+- Depending on the tool that you use to implement policies, you'll need to verify that the following Windows Defender policies are cleared:
 
-  - ```DisableAntiSpyware```
+  - DisableAntiSpyware
-  - ```DisableAntiVirus```
+  - DisableAntiVirus
 
-  For example, in Group Policy:
+  For example, in Group Policy there should be no entries such as the following values:
 
-  ```<Key Path="SOFTWARE\Policies\Microsoft\Windows Defender"><KeyValue Value="0" ValueKind="DWord" Name="DisableAntiSpyware"/></Key>
+  - ```<Key Path="SOFTWARE\Policies\Microsoft\Windows Defender"><KeyValue Value="0" ValueKind="DWord" Name="DisableAntiSpyware"/></Key>```
-  ```
+  - ```<Key Path="SOFTWARE\Policies\Microsoft\Windows Defender"><KeyValue Value="0" ValueKind="DWord" Name="DisableAntiSpyware"/></Key>```
 -  After clearing the policy, run the onboarding steps again on the endpoint.
 
 - You can also check the following registry key values to verify that the policy is disabled:
 
-  1. Open the registry ```key HKEY_LOCAL_MACHINE\ SOFTWARE\Policies\Microsoft\Windows Defender```.
+  1. Open the registry ```key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender```.
-  2. Find the value ```DisableAntiSpyware```.
+  2. Ensure that the value ```DisableAntiSpyware``` is not present.
-  3. Ensure that the value is set to 0.
 
     ![Image of registry key for Windows Defender](images/atp-disableantispyware-regkey.png)
 

windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md

@@ -1,16 +0,0 @@
----
-title: Troubleshoot Windows Defender in Windows 10 (Windows 10)
-description: IT professionals can review information about event IDs in Windows Defender for Windows 10 and see any relevant action they can take.
-ms.assetid: EE488CC1-E340-4D47-B50B-35BD23CB4D70
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-localizationpriority: medium
-author: jasesso
-redirect_url: /troubleshoot-windows-defender-antivirus/
----
-
-# Troubleshoot Windows Defender in Windows 10
-
-This page has been redirected to *Troubleshoot Windows Defender Antivirus*. 

windows/keep-secure/use-group-policy-windows-defender-antivirus.md

@@ -13,3 +13,32 @@ author: iaanw
 ---
 
 # Use Group Policy settings to configure and manage Windows Defender AV
+
+**Applies to:**
+
+- Windows 10, version 1703
+
+You can use [Group Policy](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx) to configure and manage Windows Defender AV on your endpoints.
+
+<!-- 
+The table in this topic lists the Group Policy settings available in Windows 10, version 1703, and provides links to the appropriate topic in this documentation library (where applicable).
+-->
+
+In general, you can use the following procedure to configure or change Windows Defender AV group policy settings:
+
+1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
+
+3.  In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4.  Click **Policies** then **Administrative templates**.
+
+5.  Expand the tree to **Windows components > Windows Defender Antivirus**.
+
+6. Expand the section that contains the setting you want to configure, double-click the setting to open it, and make configuration changes.
+
+7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx). 
+
+## Related topics
+
+- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)

windows/keep-secure/use-intune-config-manager-windows-defender-antivirus.md

@@ -13,3 +13,17 @@ author: iaanw
 ---
 
 # Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV
+
+If you are using System Center Configuration Manager or Microsoft Intune to manage the endpoints on your network, you can also use them to manage Windows Defender AV.
+
+In both cases, the protection will be labelled as Endpoint Protection, although the engine is the same as that used by Windows Defender AV.
+
+See the [Endpoint Protection](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection) library on docs.microsoft.com for information on using Configuration Manager.
+
+For Microsoft Intune, consult the [Help secure Windows PCs with Endpoint Protection for Microsoft Intune library](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune).
+
+
+## Related topics
+
+- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)

windows/keep-secure/use-powershell-cmdlets-windows-defender-antivirus.md

@@ -30,7 +30,7 @@ PowerShell cmdlets are most useful in Windows Server environments that don't rel
 PowerShell is typically installed under the folder _%SystemRoot%\system32\WindowsPowerShell_.
 
 
-**Use Windows Defender PowerShell cmdlets**
+**Use Windows Defender AV PowerShell cmdlets:**
 
 1. Click **Start**, type **powershell**, and press **Enter**.
 2. Click **Windows PowerShell** to open the interface. 

windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md

@@ -1,18 +0,0 @@
----
-title: Use PowerShell cmdlets to configure and run Windows Defender in Windows 10
-description: In Windows 10, you can use PowerShell cmdlets to run scans, update definitions, and change settings in Windows Defender.
-keywords: scan, command line, mpcmdrun, defender
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-localizationpriority: medium
-author: iaanw
-redirect_url: /use-powershell-cmdlets-windows-defender-antivirus/
----
-
-# Use PowerShell cmdlets to configure and run Windows Defender
-
-This page has been redirected to *Use PowerShell cmdlets to configure and run Windows Defender Antivirus*.

windows/keep-secure/use-wmi-windows-defender-antivirus.md

@@ -1,6 +1,6 @@
 ---
 title: Configure Windows Defender AV with WMI
-description: Use WMI scripts to configure Windows Defender AV
+description: Use WMI scripts to configure Windows Defender AV.
 keywords: wmi, scripts, windows management instrumentation, configuration
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
@@ -12,4 +12,23 @@ localizationpriority: medium
 author: iaanw
 ---
 
-# Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV
+# Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV
+
+**Applies to:**
+
+- Windows 10
+
+Windows Management Instrumentation (WMI) is a scripting interface that allows you to retrieve, modify, and update settings.
+
+Read more about WMI at the [Microsoft Develop Network System Administration library](https://msdn.microsoft.com/en-us/library/aa394582(v=vs.85).aspx).
+
+Windows Defender AV has a number of specific WMI classes that can be used to perform most of the same functions as Group Policy and other management tools. Many of the classes are analogous to [Defender PowerShell cmdlets](use-powershell-cmdlets-windows-defender-antivirus.md).
+
+The [MSDN Windows Defender WMIv2 Provider reference library](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) lists the available WMI classes for Windows Defender AV, and includes example scripts.
+
+
+
+## Related topics
+
+- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)

windows/keep-secure/windows-defender-antivirus-in-windows-10.md

@@ -35,7 +35,7 @@ We've expanded this documentation library to cover end-to-end deployment, manage
 
 See the [In this library](#in-this-library) list at the end of this topic for links to each of the updated sections in this library.
 
-
+<a id="sysreq"></a>
 ## Minimum system requirements
 
 Windows Defender has the same hardware requirements as Windows 10. For more information, see:
@@ -45,13 +45,15 @@ Windows Defender has the same hardware requirements as Windows 10. For more info
 
 Some features require a certain version of Windows 10 - the minimum version required is specified at the top of each topic.
 
+Functionality, configuration, and management is largely the same when using Windows Defender Antivirus on Windows Server 2016, however [there are some differences](windows-defender-antivirus-on-windows-server-2016.md).
+
 ## Compatibility with Windows Defender Advanced Threat Protection
 
 Windows Defender Advanced Threat Protection (ATP) is an additional service that helps enterprises to detect, investigate, and respond to advanced persistent threats on their network. 
 
 See the [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) topics for more information about the service.
 
-If you are enrolled in Windows Defender ATP, and you are not using Windows Defender as your real-time protection service on your endpoints, Windows Defender will automatically enter into a passive mode. 
+If you are enrolled in Windows Defender ATP, and you are not using Windows Defender AV as your real-time protection service on your endpoints, Windows Defender will automatically enter into a passive mode. On Windows Server 2016 SKUs, Windows Defender AV will not enter into the passive mode and will run alongisde your other antivirus product.
 
 In passive mode, Windows Defender will continue to run (using the *msmpeng.exe* process), and will continue to be updated, however there will be no Windows Defender user interface, scheduled scans won’t run, and Windows Defender will not provide real-time protection from malware.
 

windows/keep-secure/windows-defender-antivirus-on-windows-server-2016.md

@@ -0,0 +1,50 @@
+---
+title: Windows Defender Antivirus on Windows Server 2016
+description: Compare the differences when Windows Defender AV is on a Windows Server SKU versus a Windows 10 endpoint
+keywords: windows defender, server, scep, system center endpoint protection, server 2016, current branch, server 2012
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+
+# Windows Defender Antivirus on Windows Server
+
+
+**Applies to:**
+
+- Windows Server 2016
+
+**Audience**
+
+- Enterprise security administrators
+- Network administrators
+
+
+**Manageability available with**
+
+- Group Policy
+- System Center Configuration Manager 
+- PowerShell
+- Windows Management Instrumentation (WMI)
+
+
+Windows Defender Antivirus is available on Windows Server 2016. In some instances it is referred to as Endpoint Protection - however, the protection engine is the same.
+
+See [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server) for more information on enabling the client interface and configuring roles and specific server features.
+
+While the functionality, configuration, and management is largely the same for Windows Defender AV either on Windows 10 or Windows Server 2016, there are a few key differences:
+
+- In Windows Server 2016, [automatic exclusions](configure-exclusions-windows-defender-antivirus.md) are applied based on your defined Server Role.
+- In Windows Server 2016, [Windows Defender AV will not disable itself if you are running another antivirus product](windows-defender-antivirus-on-windows-server-2016.md#sysreq).
+
+
+## Related topics
+
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)

windows/keep-secure/windows-defender-block-at-first-sight.md

@@ -1,19 +0,0 @@
----
-title: Enable the Block at First Sight feature to detect malware within seconds
-description: In Windows 10 the Block at First Sight feature determines and blocks new malware variants in seconds. You can enable the feature with Group Policy.
-keywords: scan, BAFS, malware, first seen, first sight, cloud, MAPS, defender
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-localizationpriority: medium
-author: iaanw
-redirect_url: /configure-block-at-first-sight-windows-defender-antivirus/
-
----
-
-# Block at First Sight
-
-This page has been redirected to *Configure the Block at First Sight feature*.

windows/keep-secure/windows-defender-enhanced-notifications.md

@@ -1,18 +0,0 @@
----
-title: Configure enhanced notifications for Windows Defender
-description: In Windows 10, you can enable advanced notifications for endpoints throughout your enterprise network.
-keywords: notifications, defender, endpoint, management, admin
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-localizationpriority: medium
-author: iaanw
-redirect_url: /configure-notifications-windows-defender-antivirus/
----
-
-# Configure enhanced notifications for Windows Defender in Windows 10
-
-This page has been redirected to *Configure notifications*.

windows/keep-secure/windows-defender-in-windows-10.md

@@ -1,16 +0,0 @@
----
-title: Windows Defender in Windows 10 (Windows 10)
-description: This topic provides an overview of Windows Defender, including a list of system requirements and new features.
-ms.assetid: 6A9EB85E-1F3A-40AC-9A47-F44C4A2B55E2
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-localizationpriority: medium
-author: jasesso
-redirect_url: /windows-defender-antivirus-in-windows-10/
----
-
-# Windows Defender in Windows 10
-
-This page has been redirected to *Windows Defender Antivirus in Windows 10*.

windows/keep-secure/windows-defender-security-center-antivirus.md

@@ -42,6 +42,9 @@ The app also includes the settings and status of:
 - Windows Defender SmartScreen Filter
 - Parental and Family Controls
 
+>[!NOTE]
+>The Windows Defender Security Center app is a client interface on Windows 10, version 1703. It is not the Windows Defender Advanced Security Center, which is the web portal used to review and manage [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md).
+
 **Review virus and threat protection settings in the Windows Defender Security Center app:**
 
 1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
@@ -76,6 +79,7 @@ This section describes how to perform some of the most common tasks when reviewi
 > [!NOTE]
 > If these settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. The [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md) topic describes how local policy override settings can be configured.
 
+<a id="scan"></a>
 **Run a scan with the Windows Defender Security Center app**
 1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
 

windows/whats-new/whats-new-windows-10-version-1703.md

@@ -1,6 +1,6 @@
 ---
 title: What's in Windows 10, version 1703
-description: New and updated IT Pro content about new features in Windows 10, version 1703 (also known as the Creators Updated).
+description: New and updated IT pro content about new features in Windows 10, version 1703 (also known as the Creators Updated).
 keywords: ["What's new in Windows 10", "Windows 10", "creators update"]
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -10,9 +10,9 @@ localizationpriority: high
 ms.assetid: dca7c655-c4f6-45f8-aa02-64187b202617
 ---
 
-# What's new in Windows 10, version 1703 IT Pro content
+# What's new in Windows 10, version 1703 IT pro content
 
-Below is a list of some of the new and updated content that discusses Information Technology (IT) Pro features in Windows 10, version 1703 (also known as the Creators Update).
+Below is a list of some of the new and updated content that discusses Information Technology (IT) pro features in Windows 10, version 1703 (also known as the Creators Update).
 
 For more general info about Windows 10 features, see [Features available only on Windows 10](https://www.microsoft.com/windows/features). For info about previous versions of Windows 10, see [What's New in Windows 10](index.md).
 
@@ -58,13 +58,6 @@ Additional MDM policy settings are available for Start and taskbar layout. For d
 
 Previously, the customized taskbar could only be deployed using Group Policy or provisioning packages. Windows 10, version 1703, adds support for customized taskbars to [MDM](../configure/customize-windows-10-start-screens-by-using-mobile-device-management.md).
 
-### Lockdown Designer for Windows 10 Mobile lockdown files
-
-The Lockdown Designer app helps you configure and create a lockdown XML file to apply to devices running Windows 10 Mobile, and includes a remote simulation to help you determine the layout for tiles on the Start screen. Using Lockdown Designer is easier than [manually creating a lockdown XML file](../configure/lockdown-xml.md).
-
-![Lockdown Designer app in Store](images/ldstore.png)
-
-[Learn more about the Lockdown Designer app.](../configure/mobile-lockdown-designer.md)
 
 ### Cortana at work
 
@@ -95,7 +88,7 @@ New features in Windows Defender Advanced Threat Protection (ATP) for Windows 10
   - [Use the threat intelligence API to create custom alerts](../keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md) - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization.
   - Improvements on OS memory and kernel sensors to enable detection of attackers who are using in-memory and kernel-level attacks
   - Upgraded detections of ransomware and other advanced attacks
-  - Historical detection capability ensures new detection rules apply to up to six months of stored data to detect attacks that previously went unnoticed
+  - Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed
 
 - **Investigation**<br>
   Enterprise customers can now take advantage of the entire Windows security stack with Windows Defender Antivirus detections and Device Guard blocks being surfaced in the Windows Defender ATP portal. Other capabilities have been added to help you gain a holistic view on investigations.
@@ -114,15 +107,9 @@ New features in Windows Defender Advanced Threat Protection (ATP) for Windows 10
 - **Other features**
   - [Check sensor health state](../keep-secure/check-sensor-status-windows-defender-advanced-threat-protection.md) - Check an endpoint's ability to provide sensor data and communicate with the Windows Defender ATP service and fix known issues.
 
- 
+You can read more about ransomware mitigations and detection capability in Windows Defender Advanced Threat Protection in the blog: [Averting ransomware epidemics in corporate networks with Windows Defender ATP](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/).
 
 ### Windows Defender Antivirus
-New features for Windows Defender Antivirus (AV) in Windows 10, version 1703 include:
-
-- [Updates to how the Block at First Sight feature can be configured](../keep-secure/configure-block-at-first-sight-windows-defender-antivirus.md)
-- [The ability to specify the level of cloud-protection](../keep-secure/specify-cloud-protection-level-windows-defender-antivirus.md)
-- [Windows Defender Antivirus protection in the Windows Defender Security Center app](../keep-secure/windows-defender-security-center-antivirus.md)
-
 Windows Defender is now called Windows Defender Antivirus, and we've [increased the breadth of the documentation library for enterprise security admins](../keep-secure/windows-defender-antivirus-in-windows-10.md).
 
 The new library includes information on:
@@ -136,6 +123,16 @@ Some of the highlights of the new library include:
 - [Evaluation guide for Windows Defender AV](../keep-secure/evaluate-windows-defender-antivirus.md)
 - [Deployment guide for Windows Defender AV in a virtual desktop infrastructure environment](../keep-secure/deployment-vdi-windows-defender-antivirus.md)
 
+New features for Windows Defender AV in Windows 10, version 1703 include:
+
+- [Updates to how the Block at First Sight feature can be configured](../keep-secure/configure-block-at-first-sight-windows-defender-antivirus.md)
+- [The ability to specify the level of cloud-protection](../keep-secure/specify-cloud-protection-level-windows-defender-antivirus.md)
+- [Windows Defender Antivirus protection in the Windows Defender Security Center app](../keep-secure/windows-defender-security-center-antivirus.md)
+
+In Windows 10, version 1607, we [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment in version 1703 with [updated beahvior monitoring and always-on real-time protection](../keep-secure/configure-real-time-protection-windows-defender-antivirus.md).
+
+
+You can read more about ransomware mitigations and detection capability in Windows Defender AV in the [Ransomware Protection in Windows 10 Anniversary Update whitepaper (PDF)](http://wincom.blob.core.windows.net/documents/Ransomware_protection_in_Windows_10_Anniversary_Update.pdf) and at the [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/).
 
 ### Device Guard and Credential Guard
 
@@ -146,13 +143,16 @@ For more information, see [Device Guard Requirements](../keep-secure/requirement
 
 The security setting [**Interactive logon: Display user information when the session is locked**](../keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md) has been updated to work in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**.
 
+A new security policy setting
+[**Interactive logon: Don't display username at sign-in**](../keep-secure/interactive-logon-dont-display-username-at-sign-in.md) has been introduced in Windows 10 version 1703. This security policy setting determines whether the username is displayed during sign in. It works in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. The setting only affects the **Other user** tile.
+
 ## Update
 
 ### Windows Update for Business
 
 The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](../update/waas-configure-wufb.md#pause-feature-updates) and [Pause Quality Updates](../update/waas-configure-wufb.md#pause-quality-updates).
 
-Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days. In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](../update/waas-configure-wufb.md#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](../update/waas-configure-wufb.md#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](../update/waas-configure-wufb.md#configure-when-devices-receive-quality-updates) for details.
+Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](../update/waas-configure-wufb.md#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](../update/waas-configure-wufb.md#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](../update/waas-configure-wufb.md#configure-when-devices-receive-quality-updates) for details.
 
 ### Optimize update delivery
 
@@ -169,11 +169,15 @@ Added policies include:
 
 To check out all the details, see [Configure Delivery Optimization for Windows 10 updates](../update/waas-delivery-optimization.md)
 
+### Uninstalled in-box apps no longer automatically reinstall
+
+When upgrading to Windows 10, version 1703, in-box apps that were uninstalled by the user won't automatically reinstall as part of the feature update installation process.  (Apps de-provisioned by IT administrators will still be reinstalled.)
+
 ## Management
 
 ### New MDM capabilities
 
-Windows 10, version 1703 adds several new configuration service providers (CSPs) that provide new capabilities for managing Windows 10 devices using MDM. Some of the new CSPs are:
+Windows 10, version 1703 adds several new [configuration service providers (CSPs)](../configure/how-it-pros-can-use-configuration-service-providers.md) that provide new capabilities for managing Windows 10 devices using MDM. Some of the new CSPs are:
 
 - The [DynamicManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dynamicmanagement-csp) allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device is not within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs.
 
@@ -185,6 +189,12 @@ Windows 10, version 1703 adds several new configuration service providers (CSPs)
 
 [Learn more about new MDM capabilities.](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/new-in-windows-mdm-enrollment-management#whatsnew10)
 
+### Mobile application management support for Windows 10
+
+The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10, version 1703.
+
+For more info, see [Implement server-side support for mobile application management on Windows](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/implement-server-side-mobile-application-management).
+
 
 
 ### Application Virtualization for Windows (App-V)
@@ -196,6 +206,32 @@ For more info, see the following topics:
 - [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](../manage/appv-auto-batch-updating.md)
 - [Automatically cleanup unpublished packages on the App-V client](../manage/appv-auto-clean-unpublished-packages.md)
 
+## Windows 10 Mobile enhancements
+
+### Lockdown Designer
+
+The Lockdown Designer app helps you configure and create a lockdown XML file to apply to devices running Windows 10 Mobile, and includes a remote simulation to help you determine the layout for tiles on the Start screen. Using Lockdown Designer is easier than [manually creating a lockdown XML file](../configure/lockdown-xml.md).
+
+![Lockdown Designer app in Store](images/ldstore.png)
+
+[Learn more about the Lockdown Designer app.](../configure/mobile-lockdown-designer.md)
+
+### Other enhancements
+
+Windows 10 Mobile, version 1703 also includes the following enhancements:
+
+- SD card encryption
+- Remote PIN resets for Azure Active Directory accounts
+- SMS text message archiving
+- WiFi Direct management
+- OTC update tool
+- Continuum display management
+   - Individually turn off the monitor or phone screen when not in use
+   - Indivudally adjust screen time-out settings
+- Continuum docking solutions
+   - Set Ethernet port properties
+   - Set proxy properties for the Ethernet port
+
 ## New features in related products
 The following new features aren't part of Windows 10, but help you make the most of it.
 
@@ -215,10 +251,6 @@ For more information about Upgrade Readiness, see the following topics:
 
 Update Compliance helps you to keep Windows 10 devices in your organization secure and up-to-date.
 
-Update Compliance is a solution built using OMS Logs and Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues.
+Update Compliance is a solution built using OMS Log Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues.
 
 For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](../manage/update-compliance-monitor.md).
-
-### Enhanced Mobile Device Management (MDM) support
-
-Mobile device management (MDM) has new configuration service providers (CSPs) that can be called from code to manage Windows 10 devices. For more info, see [What's new in MDM in Windows 10, version 1703](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/new-in-windows-mdm-enrollment-management#whatsnew10).