Mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git, synced 2025-05-14 14:27:22 +00:00
Merge remote-tracking branch 'origin/master' into atp-rs4
commit 8f53b8a053
@ -36,9 +36,10 @@ Additionally, note that Surface Hub requires the following open ports:
- HTTP: 80
- NTP: 123
Depending on your environment, access to additional ports may be needed:
- For online environments, see [Office 365 IP URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US).
- For on-premises installations, see [Skype for Business Server: Ports and protocols for internal servers](https://technet.microsoft.com/library/gg398833.aspx).
If you are using Surface Hub with Skype for Business, you will need to open additional ports. Please follow the guidance below:
- If you use Skype for Business Online, see [Office 365 IP URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US).
- If you use Skype for Business Server, see [Skype for Business Server: Ports and protocols for internal servers](https://technet.microsoft.com/library/gg398833.aspx).
- If you use a hybrid of Skype for Business Online and Skype for Business Server, you need to open all documented ports from [Office 365 IP URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US) and [Skype for Business Server: Ports and protocols for internal servers](https://technet.microsoft.com/library/gg398833.aspx).
Microsoft collects diagnostic data to help improve your Surface Hub experience. Add these sites to your allow list:
- Diagnostic data client endpoint: `https://vortex.data.microsoft.com/`
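Review bot: the four new Skype for Business bullets replace the generic "Depending on your environment, access to additional ports may be needed" bullets, so a Surface Hub deployment that does not use Skype for Business no longer gets any pointer to the Office 365 URL and IP address range list for online environments. Keep one generic sentence ahead of the Skype-specific list, for example "For online environments, see Office 365 URLs and IP address ranges", and then the "If you are using Surface Hub with Skype for Business" block. Also drop "Please" from "Please follow the guidance below"; the rest of the topic uses plain imperatives.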
@ -3,9 +3,9 @@
## [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md)
## [Windows 10, version 1709 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md)
## [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md)
## [Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md)
## [Windows 10, version 1709 diagnostic data for the Full telemetry level](windows-diagnostic-data.md)
## [Windows 10, version 1703 diagnostic data for the Full telemetry level](windows-diagnostic-data-1703.md)
## [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md)
## [Windows 10, version 1709 diagnostic data for the Full level](windows-diagnostic-data.md)
## [Windows 10, version 1703 diagnostic data for the Full level](windows-diagnostic-data-1703.md)
## [Beginning your General Data Protection Regulation (GDPR) journey for Windows 10](gdpr-win10-whitepaper.md)
## [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
## [Manage Windows 10 connection endpoints](manage-windows-endpoints-version-1709.md)
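Review bot: the three renamed entries ("enhanced diagnostic data events and fields used by Windows Analytics", "diagnostic data for the Full level" for 1709 and for 1703) still link to the same files as the "telemetry" entries they replace (enhanced-diagnostic-data-windows-analytics-events-and-fields.md, windows-diagnostic-data.md, windows-diagnostic-data-1703.md). Make sure the H1 and `title:` metadata inside those three files are renamed in the same change, otherwise the TOC text and the page titles disagree. The "telemetry" to "diagnostic data" wording is otherwise consistent with the neighbouring entries.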
@ -16,8 +16,8 @@ ms.date: 03/08/2018
Follow the steps in this topic to deploy User Experience Virtualization (UE-V) for the first time in a test environment. Evaluate UE-V to determine whether it’s the right solution to manage user settings across multiple devices within your enterprise.
>**Note**
The information in this section is explained in greater detail throughout the rest of the documentation. If you’ve already determined that UE-V is the right solution and you don’t need to further evaluate it, see [Prepare a UE-V deployment](uev-prepare-for-deployment.md).
>[!NOTE]
>The information in this section is explained in greater detail throughout the rest of the documentation. If you’ve already determined that UE-V is the right solution and you don’t need to further evaluate it, see [Prepare a UE-V deployment](uev-prepare-for-deployment.md).
The standard installation of UE-V synchronizes the default Microsoft Windows and Office settings and many Windows applications settings. For best results, ensure that your test environment includes two or more user computers that share network access.
@ -94,13 +94,13 @@ A storage path must be configured on the client-side to tell where the personali
4. Select **Enabled**, fill in the **Settings storage path**, and click **OK**.
- Ensure that the storage path ends with **%username%** to ensure that eah user gets a unique folder.
- Ensure that the storage path ends with **%username%** to ensure that each user gets a unique folder.
**To set the storage path for UE-V with PowerShell**
1. In a PowerShell window, type **Set-uevConfiguration -SettingsStoragePath [StoragePath]** where **[StoragePath]** is the path to the location created in step 2 followed by **\%username%**.
- Ensure that the storage path ends with **%username%** to ensure that eah user gets a unique folder.
- Ensure that the storage path ends with **%username%** to ensure that each user gets a unique folder.
With Windows 10, version 1607 and later, the UE-V service is installed on user devices when the operating system is installed. Enable the service to start using UE-V. You can enable the service with the Group Policy editor or with Windows PowerShell.
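Review bot: the "eah" to "each" fixes are fine, but the PowerShell step in the same hunk still spells the cmdlet `Set-uevConfiguration`; the cmdlet is `Set-UevConfiguration`, and readers copy the bold text as written. While here, put the command in backticks instead of bold so the `[StoragePath]` placeholder and the `\%username%` suffix are unambiguous, e.g. `Set-UevConfiguration -SettingsStoragePath \\server\share\UEV\%username%` (hypothetical path, used only to show the shape of the argument).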
@ -13,6 +13,10 @@ ms.date: 03/27/2018
# Delivery Optimization in Update Compliance
The Update Compliance solution of Windows Analytics provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days.
>[!Note]
>Delivery Optimization Status is currently in development. See the [Known Issues](#known-issues) section for issues we are aware of and potential workarounds.
## Delivery Optimization Status
The Delivery Optimization Status section includes three blades:
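Review bot: the new alert is written `>[!Note]`; the other topics in this change (and the DocFX alert syntax) use `>[!NOTE]`, so keep the uppercase form. The note also promises "potential workarounds" in the Known Issues section, but the only issue listed there says there is no workaround; say "issues we are aware of" and add workaround text only when there is one.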
@ -40,3 +44,8 @@ The download sources that could be included are:
- Group Bytes: Bytes downloaded from Group Peers which are other devices that belong to the same Group (available when the “Group” download mode is used)
- HTTP Bytes: Non-peer bytes. The HTTP download source can be Microsoft Servers, Windows Update Servers, a WSUS server or an SCCM Distribution Point for Express Updates.
## Known Issues
Delivery Optimization is currently in development. The following issues are known:
- DO Download Mode is not accurately portrayed in the Device Configuration blade. There is no workaround at this time.
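Review bot: "Delivery Optimization is currently in development" overstates it; the topic itself reports bandwidth savings that Delivery Optimization has already delivered over the past 28 days, and the note at the top says it is the Delivery Optimization Status report that is in development. Reword to "The Delivery Optimization Status report is currently in development." Also expand "DO Download Mode" to "Delivery Optimization Download Mode" in the known issue, since the abbreviation "DO" is not introduced anywhere in the topic.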
@ -127,7 +127,6 @@ Use a software distribution system such as System Center Configuration Manager t
### Distributing policies at scale
There are a number of policies that can be centrally managed to control Windows Analytics device configuration. All of these policies have *preference* registry key equivalents that can be set by using the deployment script. Policy settings override preference settings if both are set.
>[!NOTE]
>You can only set the diagnostic data level to Enhanced by using policy. For example, this is necessary for using Device Health.
@ -155,4 +154,10 @@ For more information about Internet Explorer Security Zones, see [About URL Secu
### Distribution at scale without using the deployment script
We recommend using the deployment script to configure devices. However if this is not an option, you can still manage settings by policy as described in the previous section. However, if you don't run the deployment script, you might have to wait a long time (possibly weeks) before devices send the initial full inventory scan.
We recommend using the deployment script to configure devices. However if this is not an option, you can still manage settings by policy as described in the previous section. However, if you don't run the deployment script, you won't benefit from its error checking, and you might have to wait a long time (possibly weeks) before devices send the initial full inventory scan.
Note that it is possible to intiate a full inventory scan on a device by calling these commands:
- CompatTelRunner.exe -m:generaltel.dll -f:DoCensusRun
- CompatTelRunner.exe -m:appraiser.dll -f:DoScheduledTelemetryRun ent
For details on how to run these and how to check results, see the deployment script.
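Review bot: the rewritten paragraph now has two consecutive sentences starting with "However" ("However if this is not an option ..." / "However, if you don't run the deployment script ..."); merge them or drop the second. In the new command list, "intiate" should be "initiate", and the two `CompatTelRunner.exe` lines belong in a fenced code block or backticks rather than plain bullets, because the trailing `ent` in `-f:DoScheduledTelemetryRun ent` is easy to mis-read as prose or drop when copying. "For details on how to run these and how to check results, see the deployment script" also needs a link or file name so the reader can find the script.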
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
ms.date: 03/30/2018
ms.date: 04/11/2018
ms.localizationpriority: high
---
@ -103,7 +103,7 @@ SetupDiag.exe /Output:C:\SetupDiag\Dumpdebug.log /Mode:Offline /LogsPath:D:\Dump
## Known issues
1. Some rules can take a long time to process if the log files involved as large.
1. Some rules can take a long time to process if the log files involved are large.
2. SetupDiag only outputs data in a text format. If another format is desired, please provide this [feedback](#feedback).
3. If the failing computer is opted into the Insider program and getting regular pre-release updates, or an update is already pending on the computer when SetupDiag is run, it can encounter problems trying to open these log files. This will likely cause a failure to determine a root cause. In this case, try gathering the log files and running SetupDiag in offline mode.
@ -24,7 +24,7 @@ Passwords are still weak. We recommend that in addition to deploying Windows Def
Windows Defender Credential Guard uses hardware security, so some features such as Windows To Go, are not supported.
## Wi-fi and VPN Considerations
When you enable Windows Defender Credential Guard, you can no longer use NTLM classic deployment model authentication. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as for NTLMv1. For WiFi and VPN connections, Microsoft recommends that organizations move from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS.
When you enable Windows Defender Credential Guard, you can no longer use NTLM classic authentication for Single Sign-On. You will be forced to enter your credentials to use these protocols and cannot save the credentials for future use. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as for NTLMv1. For WiFi and VPN connections, Microsoft recommends that organizations move from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS.
## Kerberos Considerations
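Review bot: in the added sentence "You will be forced to enter your credentials to use these protocols and cannot save the credentials for future use", "these protocols" has no antecedent; the only protocol named before it is NTLM classic, and MS-CHAPv2 is introduced afterwards. Say "to use NTLM classic authentication" or move the sentence after the MS-CHAPv2 text. Two smaller points in the same line: "subject to similar attacks as for NTLMv1" reads better as "subject to attacks similar to those against NTLMv1", and the spelling alternates between "MS-CHAPv2" and "MSCHAPv2" within one sentence; pick one.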
@ -336,7 +336,7 @@ To use Network Unlock you must also have a PIN configured for your computer. Whe
BitLocker Network Unlock has software and hardware requirements for both client computers, Windows Deployment services, and domain controllers that must be met before you can use it.
Network Unlock uses two protectors, the TPM protector and the one provided by the network or by your PIN, whereas automatic unlock uses a single protector, the one stored in the TPM. If the computer is joined to a network without the key protector it will prompt you to enter your PIN. If the PIN is
not available you will need to use the recovery key to unlock the computer if it can ot be connected to the network.
not available you will need to use the recovery key to unlock the computer if it can not be connected to the network.
For more info, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md).
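Review bot: "can ot" becomes "can not", but the word wanted is "cannot". While touching this sentence, rejoin it: it is split across two source lines ("If the PIN is" / "not available you will need to use the recovery key ...") and wants a comma after "not available". In the unchanged context just above, "requirements for both client computers, Windows Deployment services, and domain controllers" lists three items after "both"; drop "both".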
@ -108,7 +108,7 @@ For Azure AD-joined computers, including virtual machines, the recovery password
```
PS C:\>Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
PS C:\>$BLV = Get-BitLockerVolume -MountPoint "C:”
PS C:\>$BLV = Get-BitLockerVolume -MountPoint "C:"
PS C:\>BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId
```
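Review bot: the smart-quote fix on `-MountPoint "C:"` is correct, but the last line, `BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId`, assumes the recovery password protector just added sits at index 0. On a volume that already has a TPM protector, index 0 is normally the TPM protector, which has no recovery material to escrow, so the example backs up the wrong protector or fails on the common case. Select by type instead: `$RP = $BLV.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'` and pass `$RP.KeyProtectorId` (if more than one recovery password protector exists, pick the one just added).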
@ -118,7 +118,7 @@ For domain-joined computers, including servers, the recovery password should be
```
PS C:\>Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
PS C:\>$BLV = Get-BitLockerVolume -MountPoint "C:”
PS C:\>$BLV = Get-BitLockerVolume -MountPoint "C:"
PS C:\>Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId
```
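Review bot: same index problem as in the Azure AD example above: `$BLV.KeyProtector[0]` is whichever protector was created first, usually the TPM protector, not the recovery password protector added by the first command, and `Backup-BitLockerKeyProtector` is only meaningful for a recovery password protector. Filter on `KeyProtectorType -eq 'RecoveryPassword'` before taking the `KeyProtectorId` rather than hard-coding `[0]`.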
@ -175,7 +175,7 @@ To gain the most value out of the baseline subscription we recommend to have the
- Enable disabled event channels and set the minimum size for modern event files.
- Currently, there is no GPO template for enabling or setting the maximum size for the modern event files. This must be done by using a GPO. For more info, see [Appendix C – Event Channel Settings (enable and Channel Access) methods](#bkmk-appendixc).
The annotated event query can be found in the following. For more info, see [Appendix F – Annotated Baseline Subscription Event Query](#bkmk-appendixf).
The annotated event query can be found in the following. For more info, see [Appendix F – Annotated Suspect Subscription Event Query](#bkmk-appendixf).
- Anti-malware events from Microsoft Antimalware or Windows Defender. This can be configured for any given anti-malware product easily if it writes to the Windows event log.
- Security event log Process Create events.
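Review bot: the link text now reads "Appendix F – Annotated Suspect Subscription Event Query", but the paragraph it sits in is still about the baseline subscription ("To gain the most value out of the baseline subscription ..."), and the bullets that follow (anti-malware events, Security event log Process Create events) are baseline content. Either the link should point at the baseline query appendix, or the anchor `#bkmk-appendixf` really is the suspect query and the lead-in "The annotated event query can be found in the following" needs to say which subscription it means; confirm the anchor before merging. Separately, the unchanged bullet above, "there is no GPO template for enabling or setting the maximum size for the modern event files. This must be done by using a GPO", contradicts itself; presumably it should say the setting must be applied by script or registry as described in Appendix C.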
@ -13,7 +13,8 @@ ms.date: 10/23/2017
# Windows Defender Application Guard overview
**Applies to:**
- Windows 10 Enterprise edition, version 1709
- Windows 10 Enterprise edition, version 1709 or higher
- Windows 10 Professional edition, version 1803
The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks.
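Review bot: "Windows 10 Enterprise edition, version 1709 or higher" should be "version 1709 or later", the form used for Windows versions elsewhere in this docset, and the new bullet should use the product name "Windows 10 Pro" rather than "Windows 10 Professional edition". The two bullets are also inconsistent with each other: Enterprise is open-ended ("or later") while Pro says only "version 1803", which reads as 1803 and nothing after it; write "version 1803 or later" if that is the intent.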
@ -27,7 +28,7 @@ If an employee goes to an untrusted site through either Microsoft Edge or Intern

### What types of devices should use Application Guard?
Application Guard has been created to target 3 types of enterprise systems:
Application Guard has been created to target several types of systems:
- **Enterprise desktops.** These desktops are domain-joined and managed by your organization. Configuration management is primarily done through System Center Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wired, corporate network.
@ -35,6 +36,8 @@ Application Guard has been created to target 3 types of enterprise systems:
- **Bring your own device (BYOD) mobile laptops.** These personally-owned laptops are not domain-joined, but are managed by your organization through tools like Microsoft Intune. The employee is typically an admin on the device and uses a high-bandwidth wireless corporate network while at work and a comparable personal network while at home.
- **Personal devices.** These personally-owned desktops or mobile laptops are not domain-joined or managed by an organization. The user is an admin on the device and uses a high-bandwidth wireless personal network while at home or a comparable public network while outside.
## In this section
|Topic |Description |
|------|------------|
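Review bot: the new "Personal devices" bullet describes a device that is neither domain-joined nor managed, but every other bullet in this list ties Application Guard configuration to System Center Configuration Manager or Intune; say how Application Guard is expected to be enabled and configured on a device with no management channel (or that it runs with its default settings), otherwise the bullet raises a question the page does not answer. Minor: "desktops or mobile laptops" can be "desktops or laptops", matching the other bullets.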