Merged PR 10238: 7/31 AM Publish

browsers/edge/includes/configure-browser-telemetry-for-m365-analytics-include.md

@@ -14,6 +14,10 @@
 |Enabled |3 |3 |Send both intranet and Internet history | |
 ---
 
+>>You can find this setting in the following location of the Group Policy Editor:
+>> 
+>>      **_Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\_**
+
 >[!IMPORTANT]
 >For this policy to work, enable the Allow Telemetry policy with the _Enhanced_ option and enable the Configure the Commercial ID policy by providing the Commercial ID.
 

browsers/edge/new-policies.md

@@ -22,7 +22,7 @@ We are discontinuing the use of the **Configure Favorites** group policy. Use th
 
 
 
->>You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor:
+>>You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy:
 >> 
 >>      **_Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\_**
 <p>

devices/surface-hub/index.md

@@ -51,3 +51,10 @@ In some ways, adding your new Surface Hub is just like adding any other Microsof
 
 
 
+## Additional resources
+
+- [Surface Hub update history](https://support.microsoft.com/help/4037666/surface-surface-hub-update-history)
+- [Surface IT Pro Blog](https://blogs.technet.microsoft.com/surface/)
+- [Surface Playlist of videos](https://www.youtube.com/playlist?list=PLXtHYVsvn_b__1Baibdu4elN4SoF3JTBZ)
+- [Microsoft Surface on Twitter](https://twitter.com/surface)
+

devices/surface/surface-dock-updater.md

@@ -121,7 +121,9 @@ Microsoft periodically updates Surface Dock Updater. To learn more about the app
 *Release Date: 26 July 2018*
 
 This version of Surface Dock Updater adds support for the following:
-t.b.d.
+
+- Increase update reliability
+- Add support for Surface Go
 
 ### Version 2.12.136.0
 *Release Date: 29 January 2018*

devices/surface/windows-autopilot-and-surface-devices.md

@@ -49,4 +49,8 @@ Surface devices with support for out-of-box deployment with Windows Autopilot, e
 ## Surface partners enabled for Windows Autopilot
 Enrolling Surface devices in Windows Autopilot at the time of purchase is a capability provided by select Surface partners that are enabled with the capability to identify individual Surface devices during the purchase process and perform enrollment on an organization’s behalf. Devices enrolled by a Surface partner at time of purchase can be shipped directly to users and configured entirely through the zero-touch process of Windows Autopilot, Azure Active Directory, and Mobile Device Management.
 
-You can find a list of Surface partners enabled for Windows Autopilot at the [Windows Autopilot for Surface portal](https://www.microsoft.com/en-us/itpro/surface/windows-autopilot-for-surface).
+When you purchase Surface devices from a Surface partner enabled for Windows Autopilot, your new devices can be enrolled in your Windows Autopilot deployment for you by the partner. Surface partners enabled for Windows Autopilot include: 
+
+- [SHI](https://www.shi.com/?reseller=shi)
+- [Insight](https://www.insight.com/en_US/buy/partner/microsoft/surface.html)
+- [Atea](https://www.atea.com/)

mdop/mbam-v25/getting-started-with-mbam-25.md

@@ -20,8 +20,6 @@ See the following resources for additional MBAM documentation:
 
 -   [Microsoft BitLocker Administration and Monitoring Deployment Guide](https://go.microsoft.com/fwlink/?LinkId=396653)
 
--   [Microsoft Training Overview](https://go.microsoft.com/fwlink/p/?LinkId=80347)
-
 Before you deploy MBAM to a production environment, we recommend that you validate your deployment plan in a test environment.
 
 ## Getting started with MBAM 2.5

windows/client-management/mdm/policy-configuration-service-provider.md

@@ -365,6 +365,15 @@ The following diagram shows the Policy configuration service provider in tree fo
   <dd>
     <a href="./policy-csp-authentication.md#authentication-allowsecondaryauthenticationdevice" id="authentication-allowsecondaryauthenticationdevice">Authentication/AllowSecondaryAuthenticationDevice</a>
   </dd>
+  <dd>
+    <a href="./policy-csp-authentication.md#authentication-enablefastfirstsignin" id="authentication-enablefastfirstsignin">Authentication/EnableFastFirstSignIn</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-authentication.md#authentication-enablewebsignin" id="authentication-enablewebsignin">Authentication/EnableWebSignIn</a>
+  </dd>
+  <dd>
+    <a href="./policy-csp-authentication.md#authentication-preferredaadtenantdomainname" id="authentication-preferredaadtenantdomainname">Authentication/PreferredAadTenantDomainName</a>
+  </dd>
 </dl>
 
 ### Autoplay policies

windows/client-management/mdm/policy-csp-authentication.md

@@ -11,6 +11,8 @@ ms.date: 07/30/2018
 
 # Policy CSP - Authentication
 
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
 
 
 <hr/>
@@ -34,6 +36,15 @@ ms.date: 07/30/2018
   <dd>
     <a href="#authentication-allowsecondaryauthenticationdevice">Authentication/AllowSecondaryAuthenticationDevice</a>
   </dd>
+  <dd>
+    <a href="#authentication-enablefastfirstsignin">Authentication/EnableFastFirstSignIn</a>
+  </dd>
+  <dd>
+    <a href="#authentication-enablewebsignin">Authentication/EnableWebSignIn</a>
+  </dd>
+  <dd>
+    <a href="#authentication-preferredaadtenantdomainname">Authentication/PreferredAadTenantDomainName</a>
+  </dd>
 </dl>
 
 
@@ -302,6 +313,182 @@ The following list shows the supported values:
 
 <!--/SupportedValues-->
 <!--/Policy-->
+
+<hr/>
+
+<!--Policy-->
+<a href="" id="authentication-enablefastfirstsignin"></a>**Authentication/EnableFastFirstSignIn**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>Mobile Enterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
+	<td></td>
+	<td></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+This policy is intended for use on Shared PCs to enable a quick first sign-in experience for a user. It works by automatically connecting new non-admin Azure Active Directory (Azure AD) accounts to the pre-configured candidate local accounts.
+
+Value type is integer. Supported values:
+
+- 0 - (default) The feature defaults to the existing SKU and device capabilities.
+- 1 - Enabled. Auto connect new non-admin AZure AD accounts to pre-configured candidate local accounts
+- 2 - Disabled. Do not auto connect new non-admin Azure AD accounts to pre-configured local accounts
+
+<!--/Description-->
+<!--SupportedValues-->
+
+<!--/SupportedValues-->
+<!--Example-->
+
+<!--/Example-->
+<!--Validation-->
+
+<!--/Validation-->
+<!--/Policy-->
+
+<hr/>
+
+<!--Policy-->
+<a href="" id="authentication-enablewebsignin"></a>**Authentication/EnableWebSignIn**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>Mobile Enterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
+	<td></td>
+	<td></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+"Web Sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for non-ADFS federated providers (e.g. SAML). 
+
+> [!Note]  
+> Web Sign-in is only supported on Azure AD Joined PCs.
+
+Value type is integer. Supported values:
+
+- 0 - (default) The feature defaults to the existing SKU and device capabilities.
+- 1 - Enabled. Web Credential Provider will be enabled for Sign In
+- 2 - Disabled. Web Credential Provider will not be enabled for Sign In
+
+<!--/Description-->
+<!--SupportedValues-->
+
+<!--/SupportedValues-->
+<!--Example-->
+
+<!--/Example-->
+<!--Validation-->
+
+<!--/Validation-->
+<!--/Policy-->
+
+<hr/>
+
+<!--Policy-->
+<a href="" id="authentication-preferredaadtenantdomainname"></a>**Authentication/PreferredAadTenantDomainName**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>Mobile Enterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
+	<td></td>
+	<td></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+Specifies the preferred domain among available domains in the Azure AD tenant.
+
+Example: If your organization is using the "@contoso.com" tenant domain name, the policy value should be "contoso.com". For the user "abby@constoso.com", she would then be able to sign in using "abby" in the username field instead of "abby@contoso.com".
+
+
+Value type is string.
+
+<!--/Description-->
+<!--SupportedValues-->
+
+<!--/SupportedValues-->
+<!--Example-->
+
+<!--/Example-->
+<!--Validation-->
+
+<!--/Validation-->
+<!--/Policy-->
 <hr/>
 
 Footnote:
@@ -310,5 +497,6 @@ Footnote:
 -   2 - Added in Windows 10, version 1703.
 -   3 - Added in Windows 10, version 1709.
 -   4 - Added in Windows 10, version 1803.
+-   5 - Added in the next major release of Windows 10.
 
 <!--/Policies-->

windows/configuration/guidelines-for-assigned-access-app.md

@@ -59,8 +59,8 @@ In Windows 10, version 1803, you can install the **Kiosk Browser** app from Micr
 
 Kiosk Browser settings | Use this setting to
 --- | ---
-Blocked URL Exceptions | Specify URLs that people can navigate to, even though the URL is in your blocked URL list. You can use wildcards.<br><br>For example, if you want people to be limited to `contoso.com` only, you would add `contoso.com` to blocked URL exception list and then block all other URLs.
+Blocked URL Exceptions | Specify URLs that people can navigate to, even though the URL is in your blocked URL list. You can use wildcards. Separate multiple URLs using `&#xF000;`.<br><br>For example, if you want people to be limited to `contoso.com` only, you would add `contoso.com` to blocked URL exception list and then block all other URLs.
-Blocked URLs | Specify URLs that people can't navigate to. You can use wildcards.<br><br>If you want to limit people to a specific site, add `https://*` to the blocked URL list, and then specify the site to be allowed in the blocked URL exceptions list.
+Blocked URLs | Specify URLs that people can't navigate to. You can use wildcards. Separate multiple URLs using `&#xF000;`.<br><br>If you want to limit people to a specific site, add `https://*` to the blocked URL list, and then specify the site to be allowed in the blocked URL exceptions list.
 Default URL | Specify the URL that Kiosk Browser will open with. **Tip!** Make sure your blocked URLs don't include your default URL.
 Enable End Session Button | Show a button in Kiosk Browser that people can use to reset the browser. End Session will clear all browsing data and navigate back to the default URL.
 Enable Home Button | Show a Home button in Kiosk Browser. Home will return the browser to the default URL.

windows/configuration/wcd/wcd-policies.md

@@ -290,8 +290,8 @@ These settings apply to the **Kiosk Browser** app available in Microsoft Store.
 
 | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
 | --- | --- | :---: | :---: | :---: | :---: | :---: |
-[BlockedUrlExceptions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurlexceptions) | List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. | X |  |  |  |  |
+[BlockedUrlExceptions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurlexceptions) | List of exceptions to the blocked website URLs (with wildcard support). Separate multiple URLs using ``. This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. | X |  |  |  |  |
-[BlockedUrls](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurls) | List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers cannot navigate to. | X |  |  |  |  |
+[BlockedUrls](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurls) | List of blocked website URLs (with wildcard support). Separate multiple URLs using ``. This is used to configure blocked URLs kiosk browsers cannot navigate to. | X |  |  |  |  |
 [DefaultURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-defaulturl) | Configures the default URL kiosk browsers to navigate on launch and restart.  | X |  |  |  |  |
 [EnableHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enablehomebutton) | Enable/disable kiosk browser's home button.  | X |  |  |  |  |
 [EnableNavigationButtons](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enablenavigationbuttons) | Enable/disable kiosk browser's navigation buttons (forward/back). | X |  |  |  |  |
@@ -439,7 +439,7 @@ ConfigureTelemetryOptInSettingsUx | This policy setting determines whether peopl
 | [ActiveHoursEnd](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursend) | Use with **Update/ActiveHoursStart** to manage the range of active hours where update rboots are not scheduled. | X | X | X |  | X |
 | [ActiveHoursMaxRange](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursmaxrange) | Specify the maximum active hours range. | X | X | X |  | X |
 | [ActiveHoursStart](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursstart) | Use with **Update/ActiveHoursEnd** to manage the range of active hours where update reboots are not scheduled. | X | X | X |  | X |
-| [AllowautoUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowautoupdate) | Configure automatic update behavior to scan, download, and install updates. | X | X | X | X | X |
+| [AllowAutoUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowautoupdate) | Configure automatic update behavior to scan, download, and install updates. | X | X | X | X | X |
 | [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautowindowsupdatedownloadovermeterednetwork)| Option to download updates automatically over metered connections (off by default). Enter `0` for not allowed, or `1` for allowed. | X | X | X |  | X |
 | [AllowMUUpdateService](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowmuupdateservice) | Manage whether to scan for app updates from Microsoft Update. | X | X | X | X | X |
 | [AllowNonMicrosoftSignedUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | Manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. | X | X | X |  | X |

windows/configuration/windows-10-start-layout-options-and-policies.md

@@ -29,7 +29,7 @@ Organizations might want to deploy a customized Start and taskbar configuration
 >
 >Start and taskbar configuration can be applied to devices running Windows 10 Pro, version 1703.
 >
->Using the layout modification XML to configure Start is not supported with roaming user profiles. For more information, see [Deploy Roaming User Profiles](https://technet.microsoft.com/library/jj649079.aspx).
+>For information on using the layout modification XML to configure Start with roaming user profiles, see [Deploy Roaming User Profiles](https://docs.microsoft.com/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-7-optionally-specify-a-start-layout-for-windows-10-pcs).
 >
 >Using CopyProfile for Start menu customization in Windows 10 isn't supported. For more information [Customize the Default User Profile by Using CopyProfile](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/customize-the-default-user-profile-by-using-copyprofile)
 

windows/privacy/configure-windows-diagnostic-data-in-your-organization.md

@@ -379,7 +379,7 @@ Use the [Policy Configuration Service Provider (CSP)](http://msdn.microsoft.com/
 
 Use Registry Editor to manually set the registry level on each device in your organization or you can write a script to edit the registry. If a management policy already exists, such as Group Policy or MDM, it will override this registry setting.
 
-1.  Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection**.
+1.  Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection**.
 
 2.  Right-click **DataCollection**, click New, and then click **DWORD (32-bit) Value**.
 

windows/security/information-protection/bitlocker/types-of-attacks-for-volume-encryption-keys.md

@@ -85,13 +85,13 @@ DMA-based expansion slots are another avenue of attack, but these slots generall
 
 To mitigate a port-based DMA attack an administrator can configure policy settings to disable FireWire and other device types that have DMA. Also, many PCs allow those devices to be disabled by using firmware settings. Although the need for pre-boot authentication can be eliminated at the device level or through Windows configuration, the BitLocker pre-boot authentication feature is still available when needed. When used, it successfully mitigates all types of DMA port and expansion slot attacks on any type of device.
 
-### Hyberfil.sys Attacks
+### Hiberfil.sys Attacks
 
-The hyberfil.sys file is the Windows hibernation file. It contains a snapshot of system memory that is generated when a device goes into hibernation and includes the encryption key for BitLocker and other encryption technologies. Attackers have claimed that they have successfully extracted encryption keys from the hyberfil.sys file.
+The hiberfil.sys file is the Windows hibernation file. It contains a snapshot of system memory that is generated when a device goes into hibernation and includes the encryption key for BitLocker and other encryption technologies. Attackers have claimed that they have successfully extracted encryption keys from the hiberfil.sys file.
 
-Like the DMA port attack discussed in the previous section, tools are available that can scan the hyberfile.sys file and locate the encryption key, including a tool made by [Passware](http://www.lostpassword.com/). Microsoft does not consider Windows to be vulnerable to this type of attack, because Windows stores the hyberfil.sys file within the encrypted system volume. As a result, the file would be accessible only if the attacker had both physical and sign-in access to the PC. When an attacker has sign-in access to the PC, there are few reasons for the attacker to decrypt the drive, because they would already have full access to the data within it.
+Like the DMA port attack discussed in the previous section, tools are available that can scan the hiberfile.sys file and locate the encryption key, including a tool made by [Passware](http://www.lostpassword.com/). Microsoft does not consider Windows to be vulnerable to this type of attack, because Windows stores the hiberfil.sys file within the encrypted system volume. As a result, the file would be accessible only if the attacker had both physical and sign-in access to the PC. When an attacker has sign-in access to the PC, there are few reasons for the attacker to decrypt the drive, because they would already have full access to the data within it.
 
-In practice, the only reason an attack on hyberfil.sys would grant an attacker additional access is if an administrator had changed the default Windows configuration and stored the hyberfil.sys file on an unencrypted drive. By default, Windows 10 is designed to be secure against this type of attack.
+In practice, the only reason an attack on hiberfil.sys would grant an attacker additional access is if an administrator had changed the default Windows configuration and stored the hiberfil.sys file on an unencrypted drive. By default, Windows 10 is designed to be secure against this type of attack.
 
 ### Memory Remanence Attacks
 

windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md

@@ -50,7 +50,7 @@ By default, the members of the following groups have this right on domain contro
 
 ### Location
 
-Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment
+Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment
 
 ### Default values
 

windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md

@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: security
 author: mjcaparas
 ms.localizationpriority: medium
-ms.date: 05/08/2018
+ms.date: 07/30/2018
 ---
 
 # Onboard servers to the Windows Defender ATP service
@@ -114,6 +114,25 @@ You’ll be able to onboard in the same method available for Windows 10 client m
 
     If the result is ‘The specified service does not exist as an installed service’, then you'll need to install Windows Defender AV. For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
 
+
+## Integration with Azure Security Center
+Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers.
+
+The following capabilities are included in this integration:
+- Automated onboarding - Windows Defender ATP sensor is automatically enabled on Windows Servers that are onboarded to ASC. For more information on onboarding to ASC, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/en-us/azure/security-center/security-center-onboarding).
+
+    >[!NOTE]
+    > Automated onboarding is only applicable for Windows Server 2012 R2 and Windows Server 2016.
+
+- Servers monitored by  Azure Security Center will also be available in Windows Defender ATP - ASC seamlessly connects to the Windows Defender ATP tenant, providing a single view across clients and servers.  In addition, Windows Defender ATP alerts will be available in the Azure Security Center console.
+- Server investigation -  Azure Security Center customers can access the Windows Defender ATP portal to perform detailed investigation to uncover the scope of a potential breach
+
+>[!IMPORTANT]
+>- When you use Azure Security Center to monitor servers, a Windows Defender ATP tenant is automatically created. The Windows Defender ATP data is stored in Europe by default. 
+>- If you use Windows Defender ATP before using Azure Security Center, your data will be stored in the location you specified when you created your tenant even if you integrate with Azure Security Center at a later time.
+
+
+
 ## Offboard servers 
 You can offboard Windows Server, version 1803 in the same method available for Windows 10 client machines. 
 

windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md

@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
-ms.date: 06/21/2018
+ms.date: 07/30/2018
 ---
 
 # Windows Defender ATP preview features
@@ -49,6 +49,10 @@ Onboard supported versions of Windows machines so that they can send sensor data
   - Windows 8.1 Enterprise
   - Windows 8.1 Pro 
 
+- [Integration with Azure Security Center](configure-server-endpoints-windows-defender-advanced-threat-protection.md#integration-with-azure-security-center)<br>
+Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers.
+
+
  
 
 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-preview-belowfoldlink)  

windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md

@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
-ms.date: 07/12/2017
+ms.date: 07/30/2018
 ---
 
 # Troubleshoot service issues
@@ -22,11 +22,11 @@ ms.date: 07/12/2017
 
 This section addresses issues that might arise as you use the Windows Defender Advanced Threat service.
 
-### Server error - Access is denied due to invalid credentials
+## Server error - Access is denied due to invalid credentials
 If you encounter a server error when trying to access the service, you’ll need to change your browser cookie settings.
 Configure your browser to allow cookies.
 
-### Elements or data missing on the portal
+## Elements or data missing on the portal
 If some UI elements or data is missing on Windows Defender Security Center it’s possible that proxy settings are blocking it.
 
 Make sure that `*.securitycenter.windows.com` is included the proxy whitelist.
@@ -35,17 +35,17 @@ Make sure that `*.securitycenter.windows.com` is included the proxy whitelist.
 > [!NOTE]
 > You must use the HTTPS protocol when adding the following endpoints.
 
-### Windows Defender ATP service shows event or error logs in the Event Viewer
+## Windows Defender ATP service shows event or error logs in the Event Viewer
 
 See the topic [Review events and errors using Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md) for a list of event IDs that are reported by the Windows Defender ATP service. The topic also contains troubleshooting steps for event errors.
 
-### Windows Defender ATP service fails to start after a reboot and shows error 577
+## Windows Defender ATP service fails to start after a reboot and shows error 577
 
 If onboarding machines successfully completes but Windows Defender ATP does not start after a reboot and shows error 577, check that Windows Defender is not disabled by a policy.
 
 For more information, see [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy).
 
-#### Known issues with regional formats
+## Known issues with regional formats
 
 **Date and time formats**<br>
 There are some known issues with the time and date formats. 
@@ -65,6 +65,20 @@ Support of use of comma as a separator in numbers are not supported. Regions whe
 
 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshoot-belowfoldlink)
 
+## Windows Defender ATP tenant was automatically created in Europe
+When you use Azure Security Center to monitor servers, a Windows Defender ATP tenant is automatically created. The Windows Defender ATP data is stored in Europe by default.
+
+
+
+
+
+
+
+
+
+
+
+
 
 ## Related topics
 - [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md

@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 06/29/2018
+ms.date: 07/30/2018
 ---
 
 
@@ -103,6 +103,7 @@ Block credential stealing from the Windows local security authority subsystem (l
 Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
 Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
 Block Office communication applications from creating child processes (available for beta testing) | 26190899-1602-49e8-8b27-eb1d0a1ce869
+Block Adobe Reader from creating child processes (available for beta testing) | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
 
 The rules apply to the following Office apps running on Windows 10, version 1709. See the **Applies to** section at the start of this topic for a list of supported Office version.
 
@@ -214,12 +215,16 @@ With this rule, admins can prevent unsigned or untrusted executable files from r
 - Executable files (such as .exe, .dll, or .scr) 
 - Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
 
-### Rule: Block Office communication applications from creating child processes
+### Rule: Block Office communication applications from creating child processes (available for beta testing)
 
 Office communication apps will not be allowed to create child processes. This includes Outlook.
 
 This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables.
 
+### Rule: Block Adobe Reader from creating child processes (available for beta testing)
+
+This rule blocks Adobe Reader from creating child processes.
+
 ## Review Attack surface reduction events in Windows Event Viewer
 
 You can review the Windows event log to see events that are created when an Attack surface reduction rule is triggered (or audited):

windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md

@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 06/29/2018
+ms.date: 07/30/2018
 ---
 
 # Customize Attack surface reduction
@@ -76,7 +76,8 @@ Use advanced protection against ransomware | [!include[Check mark yes](images/sv
 Block credential stealing from the Windows local security authority subsystem (lsass.exe) | [!include[Check mark no](images/svg/check-no.svg)] | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
 Block process creations originating from PSExec and WMI commands | [!include[Check mark yes](images/svg/check-yes.svg)] | d1e49aac-8f56-4280-b9ba-993a6d77406c
 Block untrusted and unsigned processes that run from USB | [!include[Check mark yes](images/svg/check-yes.svg)] | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
-Block Office communication applications from creating child processes (available for beta testing) | [!include[Check mark no](images/svg/check-yes.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869
+Block Office communication applications from creating child processes (available for beta testing) | [!include[Check mark yes](images/svg/check-yes.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869
+Block Adobe Reader from creating child processes (available for beta testing) | [!include[Check mark yes](images/svg/check-yes.svg)] | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
 
 
 See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule.

windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md

@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 06/29/2018
+ms.date: 07/30/2018
 ---
 
 
@@ -65,6 +65,7 @@ Block credential stealing from the Windows local security authority subsystem (l
 Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
 Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
 Block Office communication applications from creating child processes (available for beta testing) | 26190899-1602-49e8-8b27-eb1d0a1ce869
+Block Adobe Reader from creating child processes (available for beta testing) | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
 
 See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule.