\
 | Configure how the Home Button behaves.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton
**Data type:** Integer
**Allowed values:**
- **0 (default)** - Not configured. Show home button, and load the default Start page.
- **1** - Enabled. Show home button and load New Tab page
- **2** - Enabled. Show home button & set a specific page.
- **3** - Enabled. Hide the home button.
 | If you set ConfigureHomeButton to 2, configure the home button URL.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL
**Data type:** String
**Allowed values:** Enter a URL, for example, https://www.bing.com | - | **[SetNewTabPageURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl)**
 | Set a custom URL for the New Tab page.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL
**Data type:** String
**Allowed values:** Enter a URL, for example, https://www.msn.com | + | **[ConfigureKioskMode](/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode)**
 | Configure the display mode for Microsoft Edge Legacy as a kiosk app.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode
**Data type:** Integer
**Allowed values:**
- **Single-app kiosk experience**
- **0** - Digital signage and interactive display
- **1** - InPrivate Public browsing
- **Multi-app kiosk experience**
- **0** - Normal Microsoft Edge Legacy running in assigned access
- **1** - InPrivate public browsing with other apps
 | Change the time in minutes from the last user activity before Microsoft Edge Legacy kiosk mode resets the user's session.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout
**Data type:** Integer
**Allowed values:**
- **0** - No idle timer
- **1-1440 (5 minutes is the default)** - Set reset on idle timer
 | Set one or more start pages, URLs, to load when Microsoft Edge Legacy launches.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages
**Data type:** String
**Allowed values:**
Enter one or more URLs, for example,  | Configure how the Home Button behaves. **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton **Data type:** Integer **Allowed values:**  | If you set ConfigureHomeButton to 2, configure the home button URL. **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL **Data type:** String **Allowed values:** Enter a URL, for example, https://www.bing.com |
+ | **[SetNewTabPageURL](/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl)**  | Set a custom URL for the New Tab page. **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL **Data type:** String **Allowed values:** Enter a URL, for example, https://www.msn.com |
**_Congratulations!_** You’ve just finished setting up a kiosk or digital signage with policies for Microsoft Edge Legacy kiosk mode using Microsoft Intune or other MDM service.
@@ -179,75 +179,75 @@ With this method, you can use Microsoft Intune or other MDM services to configur
## Supported policies for kiosk mode
-Use any of the Microsoft Edge Legacy policies listed below to enhance the kiosk experience depending on the Microsoft Edge Legacy kiosk mode type you configure. To learn more about these policies, see [Policy CSP - Browser](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser).
+Use any of the Microsoft Edge Legacy policies listed below to enhance the kiosk experience depending on the Microsoft Edge Legacy kiosk mode type you configure. To learn more about these policies, see [Policy CSP - Browser](/windows/client-management/mdm/policy-csp-browser).
Make sure to check with your provider for instructions.
| **MDM Setting** | **Digital /
*1) For multi-app assigned access, you must configure Internet Explorer 11.*
 = Not applicable or not supported
-To prevent access to unwanted websites on your kiosk device, use Windows Defender Firewall to configure a list of allowed websites, blocked websites or both, using IP addresses. For more details, see [Windows Defender Firewall with Advanced Security Deployment Guide](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide).
+To prevent access to unwanted websites on your kiosk device, use Windows Defender Firewall to configure a list of allowed websites, blocked websites or both, using IP addresses. For more details, see [Windows Defender Firewall with Advanced Security Deployment Guide](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide).
---
@@ -284,4 +284,4 @@ To prevent access to unwanted websites on your kiosk device, use Windows Defende
To provide feedback on Microsoft Edge Legacy kiosk mode in Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory.
-**_For multi-app kiosk only._** If you have set up the Feedback Hub in assigned access, you can you submit the feedback from the device running Microsoft Edge in kiosk mode in which you can include diagnostic logs. In the Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory.
+**_For multi-app kiosk only._** If you have set up the Feedback Hub in assigned access, you can you submit the feedback from the device running Microsoft Edge in kiosk mode in which you can include diagnostic logs. In the Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory.
\ No newline at end of file
diff --git a/browsers/edge/microsoft-edge.yml b/browsers/edge/microsoft-edge.yml
index 797d881911..54276502a1 100644
--- a/browsers/edge/microsoft-edge.yml
+++ b/browsers/edge/microsoft-edge.yml
@@ -27,7 +27,7 @@ landingContent:
- linkListType: whats-new
links:
- text: Documentation for Microsoft Edge version 77 or later
- url: https://docs.microsoft.com/DeployEdge/
+ url: /DeployEdge/
- text: Microsoft Edge Legacy desktop app will reach end of support on March 9, 2021
url: https://techcommunity.microsoft.com/t5/microsoft-365-blog/microsoft-365-apps-say-farewell-to-internet-explorer-11-and/ba-p/1591666
- text: The latest in Microsoft Edge
@@ -35,11 +35,11 @@ landingContent:
- text: Microsoft Edge for iOS and Android
url: https://blogs.windows.com/windowsexperience/2017/11/30/microsoft-edge-now-available-for-ios-and-android
- text: Application Guard
- url: https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview
+ url: /windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview
- linkListType: download
links:
- text: Evaluate the impact
- url: /microsoft-edge/deploy/microsoft-edge-forrester
+ url: ./microsoft-edge-forrester.md
# Card (optional)
- title: Test your site on Microsoft Edge
@@ -57,9 +57,9 @@ landingContent:
- linkListType: how-to-guide
links:
- text: Use Enterprise mode to improve compatibility
- url: /microsoft-edge/deploy/emie-to-improve-compatibility
+ url: ./emie-to-improve-compatibility.md
- text: Turn on Enterprise Mode and use a site list
- url: https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list
+ url: /internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list
- text: Enterprise Site List Portal
url: https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal
@@ -69,7 +69,7 @@ landingContent:
- linkListType: overview
links:
- text: Overview
- url: /microsoft-edge/deploy/emie-to-improve-compatibility
+ url: ./emie-to-improve-compatibility.md
# Card (optional)
- title: Security
@@ -83,7 +83,7 @@ landingContent:
- text: Microsoft Edge sandbox
url: https://blogs.windows.com/msedgedev/2017/03/23/strengthening-microsoft-edge-sandbox/
- text: Windows Defender SmartScreen
- url: https://docs.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview
+ url: /windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview
# Card (optional)
- title: Deployment
@@ -91,15 +91,15 @@ landingContent:
- linkListType: overview
links:
- text: Microsoft Edge deployment guide
- url: /microsoft-edge/deploy/
+ url: ./index.yml
- text: Microsoft Edge FAQ
- url: /microsoft-edge/deploy/microsoft-edge-faq
+ url: ./microsoft-edge-faq.yml
- text: System requirements and language support
url: /microsoft-edge/deploy/hardware-and-software-requirements
- text: Group Policy and MDM settings in Microsoft Edge
- url: /microsoft-edge/deploy/available-policies
+ url: ./available-policies.md
- text: Microsoft Edge training and demonstrations
- url: /microsoft-edge/deploy/edge-technical-demos
+ url: ./edge-technical-demos.md
- linkListType: download
links:
- text: Web Application Compatibility Lab Kit
@@ -121,9 +121,9 @@ landingContent:
- text: Use Microsoft Edge to collaborate (PDF, 468 KB)
url: https://go.microsoft.com/fwlink/?linkid=825653
- text: Group Policy and MDM settings in Microsoft Edge
- url: /microsoft-edge/deploy/available-policies
+ url: ./available-policies.md
- text: Microsoft Edge training and demonstrations
- url: /microsoft-edge/deploy/edge-technical-demos
+ url: ./edge-technical-demos.md
- linkListType: how-to-guide
links:
- text: Import bookmarks
@@ -141,4 +141,4 @@ landingContent:
- text: Microsoft Edge Dev blog
url: https://blogs.windows.com/msedgedev
- text: Microsoft Edge Dev on Twitter
- url: https://twitter.com/MSEdgeDev
+ url: https://twitter.com/MSEdgeDev
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md b/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md
index 35f4b5ac73..efcbb2959e 100644
--- a/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md
+++ b/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md
@@ -9,5 +9,5 @@ ms.prod: edge
ms.topic: include
---
-[Microsoft browser extension policy](https://docs.microsoft.com/legal/microsoft-edge/microsoft-browser-extension-policy):
-This article describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer, or the content these browsers display. Techniques that aren't explicitly listed in this article are considered to be **unsupported**.
+[Microsoft browser extension policy](/legal/microsoft-edge/microsoft-browser-extension-policy):
+This article describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer, or the content these browsers display. Techniques that aren't explicitly listed in this article are considered to be **unsupported**.
\ No newline at end of file
diff --git a/browsers/includes/interoperability-goals-enterprise-guidance.md b/browsers/includes/interoperability-goals-enterprise-guidance.md
deleted file mode 100644
index 407e07bf91..0000000000
--- a/browsers/includes/interoperability-goals-enterprise-guidance.md
+++ /dev/null
@@ -1,40 +0,0 @@
----
-author: eavena
-ms.author: eravena
-ms.date: 10/15/2018
-ms.reviewer:
-audience: itpro
manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-## Interoperability goals and enterprise guidance
-
-Our primary goal is that your websites work in Microsoft Edge. To that end, we've made Microsoft Edge the default browser.
-
-You must continue using IE11 if web apps use any of the following:
-
-* ActiveX controls
-
-* x-ua-compatible headers
-
-* <meta> tags with an http-equivalent value of X-UA-Compatible header
-
-* Enterprise mode or compatibility view to addressing compatibility issues
-
-* legacy document modes
-
-If you have uninstalled IE11, you can download it from the Microsoft Store or the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956). Alternatively, you can use Enterprise Mode with Microsoft Edge to transition only the sites that need these technologies to load in IE11.
-
-> [!TIP]
-> If you want to use Group Policy to set Internet Explorer as your default browser, you can find the info here, [Set the default browser using Group Policy](https://go.microsoft.com/fwlink/p/?LinkId=620714).
-
-
-|Technology |Why it existed |Why we don't need it anymore |
-|---------|---------|---------|
-|ActiveX |ActiveX is a binary extension model introduced in 1996 which allowed developers to embed native Windows technologies (COM/OLE) in web pages. These controls can be downloaded and installed from a site and were subsequently loaded in-process and rendered in Internet Explorer. | |
-|Browser Helper Objects (BHO) |BHOs are a binary extension model introduced in 1997 which enabled developers to write COM objects that were loaded in-process with the browser and could perform actions on available windows and modules. A common use was to build toolbars that installed into Internet Explorer. | |
-|Document modes | Starting with IE8, Internet Explorer introduced a new “document mode” with every release. These document modes could be requested via the x-ua-compatible header to put the browser into a mode which emulates legacy versions. |Similar to other modern browsers, Microsoft Edge has a single “living” document mode. To minimize the compatibility burden, we test features behind switches in about:flags until stable and ready to be turned on by default. |
-
-
----
diff --git a/browsers/internet-explorer/TOC.md b/browsers/internet-explorer/TOC.md
deleted file mode 100644
index 060f6ffb99..0000000000
--- a/browsers/internet-explorer/TOC.md
+++ /dev/null
@@ -1,191 +0,0 @@
-# [IE11 Deployment Guide for IT Pros](ie11-deploy-guide/index.md)
-
-## [Change history for the Internet Explorer 11 (IE11) Deployment Guide](ie11-deploy-guide/change-history-for-internet-explorer-11.md)
-
-## [System requirements and language support for Internet Explorer 11](ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md)
-
-## [List of updated features and tools - Internet Explorer 11 (IE11)](ie11-deploy-guide/updated-features-and-tools-with-ie11.md)
-
-## [Install and Deploy Internet Explorer 11 (IE11)](ie11-deploy-guide/install-and-deploy-ie11.md)
-### [Customize Internet Explorer 11 installation packages](ie11-deploy-guide/customize-ie11-install-packages.md)
-#### [Using IEAK 11 to create packages](ie11-deploy-guide/using-ieak11-to-create-install-packages.md)
-#### [Create packages for multiple operating systems or languages](ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md)
-#### [Using .INF files to create packages](ie11-deploy-guide/using-inf-files-to-create-install-packages.md)
-### [Choose how to install Internet Explorer 11 (IE11)](ie11-deploy-guide/choose-how-to-install-ie11.md)
-#### [Install Internet Explorer 11 (IE11) - System Center 2012 R2 Configuration Manager](ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md)
-#### [Install Internet Explorer 11 (IE11) - Windows Server Update Services (WSUS)](ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md)
-#### [Install Internet Explorer 11 (IE11) - Microsoft Intune](ie11-deploy-guide/install-ie11-using-microsoft-intune.md)
-#### [Install Internet Explorer 11 (IE11) - Network](ie11-deploy-guide/install-ie11-using-the-network.md)
-#### [Install Internet Explorer 11 (IE11) - Operating system deployment systems](ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md)
-#### [Install Internet Explorer 11 (IE11) - Third-party tools](ie11-deploy-guide/install-ie11-using-third-party-tools.md)
-### [Choose how to deploy Internet Explorer 11 (IE11)](ie11-deploy-guide/choose-how-to-deploy-ie11.md)
-#### [Deploy Internet Explorer 11 using Automatic Version Synchronization (AVS)](ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md)
-#### [Deploy Internet Explorer 11 using software distribution tools](ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md)
-### [Virtualization and compatibility with Internet Explorer 11](ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md)
-
-## [Collect data using Enterprise Site Discovery](ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md)
-
-## [Enterprise Mode for Internet Explorer 11 (IE11)](ie11-deploy-guide/enterprise-mode-overview-for-ie11.md)
-### [Tips and tricks to manage Internet Explorer compatibility](ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md)
-### [Enterprise Mode and the Enterprise Mode Site List](ie11-deploy-guide/what-is-enterprise-mode.md)
-### [Set up Enterprise Mode logging and data collection](ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md)
-### [Turn on Enterprise Mode and use a site list](ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md)
-### [Enterprise Mode schema v.2 guidance](ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md)
-### [Enterprise Mode schema v.1 guidance](ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md)
-### [Check for a new Enterprise Mode site list xml file](ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md)
-### [Turn on local control and logging for Enterprise Mode](ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md)
-### [Use the Enterprise Mode Site List Manager](ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md)
-#### [Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md)
-#### [Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md)
-#### [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md)
-#### [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md)
-#### [Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager](ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md)
-#### [Fix validation problems using the Enterprise Mode Site List Manager](ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md)
-#### [Search your Enterprise Mode site list in the Enterprise Mode Site List Manager](ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md)
-#### [Save your site list to XML in the Enterprise Mode Site List Manager](ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md)
-#### [Export your Enterprise Mode site list from the Enterprise Mode Site List Manager](ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md)
-#### [Import your Enterprise Mode site list to the Enterprise Mode Site List Manager](ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md)
-#### [Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md)
-#### [Remove all sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md)
-#### [Review neutral sites for Internet Explorer mode using the Enterprise Mode Site List Manager](ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md)
-### [Use the Enterprise Mode Site List Portal](ie11-deploy-guide/use-the-enterprise-mode-portal.md)
-#### [Set up the Enterprise Mode Site List Portal](ie11-deploy-guide/set-up-enterprise-mode-portal.md)
-##### [Use the Settings page to finish setting up the Enterprise Mode Site List Portal](ie11-deploy-guide/configure-settings-enterprise-mode-portal.md)
-##### [Add employees to the Enterprise Mode Site List Portal](ie11-deploy-guide/add-employees-enterprise-mode-portal.md)
-#### [Workflow-based processes for employees using the Enterprise Mode Site List Portal](ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md)
-##### [Create a change request using the Enterprise Mode Site List Portal](ie11-deploy-guide/create-change-request-enterprise-mode-portal.md)
-##### [Verify your changes using the Enterprise Mode Site List Portal](ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md)
-##### [Approve a change request using the Enterprise Mode Site List Portal](ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md)
-##### [Schedule approved change requests for production using the Enterprise Mode Site List Portal](ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md)
-##### [Verify the change request update in the production environment using the Enterprise Mode Site List Portal](ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md)
-##### [View the apps currently on the Enterprise Mode Site List](ie11-deploy-guide/view-apps-enterprise-mode-site-list.md)
-##### [View the available Enterprise Mode reports from the Enterprise Mode Site List Portal](ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md)
-### [Using IE7 Enterprise Mode or IE8 Enterprise Mode](ie11-deploy-guide/using-enterprise-mode.md)
-### [Fix web compatibility issues using document modes and the Enterprise Mode site list](ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md)
-### [Remove sites from a local Enterprise Mode site list](ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md)
-### [Remove sites from a local compatibility view list](ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md)
-### [Turn off Enterprise Mode](ie11-deploy-guide/turn-off-enterprise-mode.md)
-
-
-## [Group Policy and Internet Explorer 11 (IE11)](ie11-deploy-guide/group-policy-and-ie11.md)
-### [Group Policy management tools](ie11-deploy-guide/group-policy-objects-and-ie11.md)
-#### [Group Policy and the Group Policy Management Console (GPMC)](ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md)
-#### [Group Policy and the Local Group Policy Editor](ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md)
-#### [Group Policy and Advanced Group Policy Management (AGPM)](ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md)
-#### [Group Policy and Windows Powershell](ie11-deploy-guide/group-policy-windows-powershell-ie11.md)
-#### [Group Policy and Shortcut Extensions](ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md)
-### [New group policy settings for Internet Explorer 11](ie11-deploy-guide/new-group-policy-settings-for-ie11.md)
-### [Set the default browser using Group Policy](ie11-deploy-guide/set-the-default-browser-using-group-policy.md)
-### [ActiveX installation using group policy](ie11-deploy-guide/activex-installation-using-group-policy.md)
-### [Group Policy and compatibility with Internet Explorer 11](ie11-deploy-guide/group-policy-compatibility-with-ie11.md)
-### [Group policy preferences and Internet Explorer 11](ie11-deploy-guide/group-policy-preferences-and-ie11.md)
-### [Administrative templates and Internet Explorer 11](ie11-deploy-guide/administrative-templates-and-ie11.md)
-### [Enable and disable add-ons using administrative templates and group policy](ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md)
-
-## [Manage Internet Explorer 11](ie11-deploy-guide/manage-ie11-overview.md)
-### [Auto detect settings Internet Explorer 11](ie11-deploy-guide/auto-detect-settings-for-ie11.md)
-### [Auto configuration settings for Internet Explorer 11](ie11-deploy-guide/auto-configuration-settings-for-ie11.md)
-### [Auto proxy configuration settings for Internet Explorer 11](ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md)
-
-## [Troubleshoot Internet Explorer 11 (IE11)](ie11-deploy-guide/troubleshoot-ie11.md)
-### [Setup problems with Internet Explorer 11](ie11-deploy-guide/setup-problems-with-ie11.md)
-### [Install problems with Internet Explorer 11](ie11-deploy-guide/install-problems-with-ie11.md)
-### [Problems after installing Internet Explorer 11](ie11-deploy-guide/problems-after-installing-ie11.md)
-### [Auto configuration and auto proxy problems with Internet Explorer 11](ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md)
-### [User interface problems with Internet Explorer 11](ie11-deploy-guide/user-interface-problems-with-ie11.md)
-### [Group Policy problems with Internet Explorer 11](ie11-deploy-guide/group-policy-problems-ie11.md)
-### [.NET Framework problems with Internet Explorer 11](ie11-deploy-guide/net-framework-problems-with-ie11.md)
-### [Enhanced Protected Mode problems with Internet Explorer](ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md)
-### [Fix font rendering problems by turning off natural metrics](ie11-deploy-guide/turn-off-natural-metrics.md)
-### [Intranet problems with Internet Explorer 11](ie11-deploy-guide/intranet-problems-and-ie11.md)
-### [Browser cache changes and roaming profiles](ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md)
-
-## [Out-of-date ActiveX control blocking](ie11-deploy-guide/out-of-date-activex-control-blocking.md)
-### [Blocked out-of-date ActiveX controls](ie11-deploy-guide/blocked-out-of-date-activex-controls.md)
-
-## [Deprecated document modes and Internet Explorer 11](ie11-deploy-guide/deprecated-document-modes.md)
-
-## [What is the Internet Explorer 11 Blocker Toolkit?](ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md)
-### [Internet Explorer 11 delivery through automatic updates](ie11-deploy-guide/ie11-delivery-through-automatic-updates.md)
-### [Internet Explorer 11 Blocker Toolkit FAQ](ie11-faq/faq-ie11-blocker-toolkit.md)
-
-## [Missing Internet Explorer Maintenance settings for Internet Explorer 11](ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md)
-
-## [Missing the Compatibility View Button](ie11-deploy-guide/missing-the-compatibility-view-button.md)
-
-## [Deploy pinned websites using Microsoft Deployment Toolkit (MDT) 2013](ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md)
-
-# [IE11 Frequently Asked Questions (FAQ) Guide for IT Pros](ie11-faq/faq-for-it-pros-ie11.md)
-
-# [Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](ie11-ieak/index.md)
-## [What IEAK can do for you](ie11-ieak/what-ieak-can-do-for-you.md)
-## [Internet Explorer Administration Kit (IEAK) information and downloads](ie11-ieak/ieak-information-and-downloads.md)
-## [Before you start using IEAK 11](ie11-ieak/before-you-create-custom-pkgs-ieak11.md)
-### [Hardware and software requirements for IEAK 11](ie11-ieak/hardware-and-software-reqs-ieak11.md)
-### [Determine the licensing version and features to use in IEAK 11](ie11-ieak/licensing-version-and-features-ieak11.md)
-### [Security features and IEAK 11](ie11-ieak/security-and-ieak11.md)
-### [File types used or created by IEAK 11](ie11-ieak/file-types-ieak11.md)
-### [Tasks and references to consider before creating and deploying custom packages using IEAK 11](ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md)
-### [Create the build computer folder structure using IEAK 11](ie11-ieak/create-build-folder-structure-ieak11.md)
-### [Set up auto detection for DHCP or DNS servers using IEAK 11](ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md)
-### [Use proxy auto-configuration (.pac) files with IEAK 11](ie11-ieak/proxy-auto-config-examples.md)
-### [Customize the toolbar button and Favorites List icons using IEAK 11](ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md)
-### [Use the uninstallation .INF files to uninstall custom components](ie11-ieak/create-uninstall-inf-files-for-custom-components.md)
-### [Add and approve ActiveX controls using the IEAK 11](ie11-ieak/add-and-approve-activex-controls-ieak11.md)
-### [Register an uninstall app for custom components using IEAK 11](ie11-ieak/register-uninstall-app-ieak11.md)
-### [Customize Automatic Search for Internet Explorer using IEAK 11](ie11-ieak/customize-automatic-search-for-ie.md)
-### [Create multiple versions of your custom package using IEAK 11](ie11-ieak/create-multiple-browser-packages-ieak11.md)
-### [Before you install your package over your network using IEAK 11](ie11-ieak/prep-network-install-with-ieak11.md)
-### [Use the RSoP snap-in to review policy settings](ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md)
-### [IEAK 11 - Frequently Asked Questions](ie11-faq/faq-ieak11.md)
-### [Troubleshoot custom package and IEAK 11 problems](ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md)
-
-## [Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options](ie11-ieak/ieak11-wizard-custom-options.md)
-### [Use the File Locations page in the IEAK 11 Wizard](ie11-ieak/file-locations-ieak11-wizard.md)
-### [Use the Platform Selection page in the IEAK 11 Wizard](ie11-ieak/platform-selection-ieak11-wizard.md)
-### [Use the Language Selection page in the IEAK 11 Wizard](ie11-ieak/language-selection-ieak11-wizard.md)
-### [Use the Package Type Selection page in the IEAK 11 Wizard](ie11-ieak/pkg-type-selection-ieak11-wizard.md)
-### [Use the Feature Selection page in the IEAK 11 Wizard](ie11-ieak/feature-selection-ieak11-wizard.md)
-### [Use the Automatic Version Synchronization page in the IEAK 11 Wizard](ie11-ieak/auto-version-sync-ieak11-wizard.md)
-### [Use the Custom Components page in the IEAK 11 Wizard](ie11-ieak/custom-components-ieak11-wizard.md)
-### [Use the Internal Install page in the IEAK 11 Wizard](ie11-ieak/internal-install-ieak11-wizard.md)
-### [Use the User Experience page in the IEAK 11 Wizard](ie11-ieak/user-experience-ieak11-wizard.md)
-### [Use the Browser User Interface page in the IEAK 11 Wizard](ie11-ieak/browser-ui-ieak11-wizard.md)
-### [Use the Search Providers page in the IEAK 11 Wizard](ie11-ieak/search-providers-ieak11-wizard.md)
-### [Use the Important URLs - Home Page and Support page in the IEAK 11 Wizard](ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md)
-### [Use the Accelerators page in the IEAK 11 Wizard](ie11-ieak/accelerators-ieak11-wizard.md)
-### [Use the Favorites, Favorites Bar, and Feeds page in the IEAK 11 Wizard](ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md)
-### [Use the Browsing Options page in the IEAK 11 Wizard](ie11-ieak/browsing-options-ieak11-wizard.md)
-### [Use the First Run Wizard and Welcome Page Options page in the IEAK 11 Wizard](ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md)
-### [Use the Compatibility View page in the IEAK 11 Wizard](ie11-ieak/compat-view-ieak11-wizard.md)
-### [Use the Connection Manager page in the IEAK 11 Wizard](ie11-ieak/connection-mgr-ieak11-wizard.md)
-### [Use the Connection Settings page in the IEAK 11 Wizard](ie11-ieak/connection-settings-ieak11-wizard.md)
-### [Use the Automatic Configuration page in the IEAK 11 Wizard](ie11-ieak/auto-config-ieak11-wizard.md)
-### [Use the Proxy Settings page in the IEAK 11 Wizard](ie11-ieak/proxy-settings-ieak11-wizard.md)
-### [Use the Security and Privacy Settings page in the IEAK 11 Wizard](ie11-ieak/security-and-privacy-settings-ieak11-wizard.md)
-### [Use the Add a Root Certificate page in the IEAK 11 Wizard](ie11-ieak/add-root-certificate-ieak11-wizard.md)
-### [Use the Programs page in the IEAK 11 Wizard](ie11-ieak/programs-ieak11-wizard.md)
-### [Use the Additional Settings page in the IEAK 11 Wizard](ie11-ieak/additional-settings-ieak11-wizard.md)
-### [Use the Wizard Complete - Next Steps page in the IEAK 11 Wizard](ie11-ieak/wizard-complete-ieak11-wizard.md)
-
-## [Using Internet Settings (.INS) files with IEAK 11](ie11-ieak/using-internet-settings-ins-files.md)
-### [Use the Branding .INS file to create custom branding and setup info](ie11-ieak/branding-ins-file-setting.md)
-### [Use the BrowserToolbars .INS file to customize the Internet Explorer toolbar](ie11-ieak/browsertoolbars-ins-file-setting.md)
-### [Use the CabSigning .INS file to review the digital signatures for your apps](ie11-ieak/cabsigning-ins-file-setting.md)
-### [Use the ConnectionSettings .INS file to review the network connections for install](ie11-ieak/connectionsettings-ins-file-setting.md)
-### [Use the CustomBranding .INS file to specify the custom branding location](ie11-ieak/custombranding-ins-file-setting.md)
-### [Use the ExtRegInf .INS file to specify installation files and mode](ie11-ieak/extreginf-ins-file-setting.md)
-### [Use the FavoritesEx .INS file for your Favorites icon and URLs](ie11-ieak/favoritesex-ins-file-setting.md)
-### [Use the HideCustom .INS file to hide GUIDs](ie11-ieak/hidecustom-ins-file-setting.md)
-### [Use the ISP_Security .INS file to add your root certificate](ie11-ieak/isp-security-ins-file-setting.md)
-### [Use the Media .INS file to specify your install media](ie11-ieak/media-ins-file-setting.md)
-### [Use the Proxy .INS file to specify a proxy server](ie11-ieak/proxy-ins-file-setting.md)
-### [Use the Security Imports .INS file to import security info](ie11-ieak/security-imports-ins-file-setting.md)
-### [Use the URL .INS file to use an auto-configured proxy server](ie11-ieak/url-ins-file-setting.md)
-
-## [IExpress Wizard for Windows Server 2008 R2 with SP1](ie11-ieak/iexpress-wizard-for-win-server.md)
-### [IExpress Wizard command-line options](ie11-ieak/iexpress-command-line-options.md)
-### [Internet Explorer Setup command-line options and return codes](ie11-ieak/ie-setup-command-line-options-and-return-codes.md)
-
-## KB Troubleshoot
-### [Internet Explorer and Microsoft Edge FAQ for IT Pros](kb-support/ie-edge-faqs.md)
diff --git a/browsers/internet-explorer/TOC.yml b/browsers/internet-explorer/TOC.yml
new file mode 100644
index 0000000000..de568c9e0a
--- /dev/null
+++ b/browsers/internet-explorer/TOC.yml
@@ -0,0 +1,359 @@
+- name: IE11 Deployment Guide for IT Pros
+ href: ie11-deploy-guide/index.md
+ items:
+ - name: Change history for the Internet Explorer 11 (IE11) Deployment Guide
+ href: ie11-deploy-guide/change-history-for-internet-explorer-11.md
+ - name: System requirements and language support for Internet Explorer 11
+ href: ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md
+ - name: List of updated features and tools - Internet Explorer 11 (IE11)
+ href: ie11-deploy-guide/updated-features-and-tools-with-ie11.md
+ - name: Install and Deploy Internet Explorer 11 (IE11)
+ href: ie11-deploy-guide/install-and-deploy-ie11.md
+ items:
+ - name: Customize Internet Explorer 11 installation packages
+ href: ie11-deploy-guide/customize-ie11-install-packages.md
+ items:
+ - name: Using IEAK 11 to create packages
+ href: ie11-deploy-guide/using-ieak11-to-create-install-packages.md
+ - name: Create packages for multiple operating systems or languages
+ href: ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md
+ - name: Using .INF files to create packages
+ href: ie11-deploy-guide/using-inf-files-to-create-install-packages.md
+ - name: Choose how to install Internet Explorer 11 (IE11)
+ href: ie11-deploy-guide/choose-how-to-install-ie11.md
+ items:
+ - name: Install Internet Explorer 11 (IE11) - System Center 2012 R2 Configuration Manager
+ href: ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md
+ - name: Install Internet Explorer 11 (IE11) - Windows Server Update Services (WSUS)
+ href: ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md
+ - name: Install Internet Explorer 11 (IE11) - Microsoft Intune
+ href: ie11-deploy-guide/install-ie11-using-microsoft-intune.md
+ - name: Install Internet Explorer 11 (IE11) - Network
+ href: ie11-deploy-guide/install-ie11-using-the-network.md
+ - name: Install Internet Explorer 11 (IE11) - Operating system deployment systems
+ href: ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md
+ - name: Install Internet Explorer 11 (IE11) - Third-party tools
+ href: ie11-deploy-guide/install-ie11-using-third-party-tools.md
+ - name: Choose how to deploy Internet Explorer 11 (IE11)
+ href: ie11-deploy-guide/choose-how-to-deploy-ie11.md
+ items:
+ - name: Deploy Internet Explorer 11 using Automatic Version Synchronization (AVS)
+ href: ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md
+ - name: Deploy Internet Explorer 11 using software distribution tools
+ href: ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md
+ - name: Virtualization and compatibility with Internet Explorer 11
+ href: ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md
+ - name: Collect data using Enterprise Site Discovery
+ href: ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
+ - name: Enterprise Mode for Internet Explorer 11 (IE11)
+ href: ie11-deploy-guide/enterprise-mode-overview-for-ie11.md
+ items:
+ - name: Tips and tricks to manage Internet Explorer compatibility
+ href: ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md
+ - name: Enterprise Mode and the Enterprise Mode Site List
+ href: ie11-deploy-guide/what-is-enterprise-mode.md
+ - name: Set up Enterprise Mode logging and data collection
+ href: ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md
+ - name: Turn on Enterprise Mode and use a site list
+ href: ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md
+ - name: Enterprise Mode schema v.2 guidance
+ href: ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md
+ - name: Enterprise Mode schema v.1 guidance
+ href: ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md
+ - name: Check for a new Enterprise Mode site list xml file
+ href: ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md
+ - name: Turn on local control and logging for Enterprise Mode
+ href: ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md
+ - name: Use the Enterprise Mode Site List Manager
+ href: ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md
+ items:
+ - name: Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)
+ href: ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md
+ - name: Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)
+ href: ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md
+ - name: Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)
+ href: ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md
+ - name: Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)
+ href: ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md
+ - name: Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager
+ href: ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md
+ - name: Fix validation problems using the Enterprise Mode Site List Manager
+ href: ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md
+ - name: Search your Enterprise Mode site list in the Enterprise Mode Site List Manager
+ href: ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
+ - name: Save your site list to XML in the Enterprise Mode Site List Manager
+ href: ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md
+ - name: Export your Enterprise Mode site list from the Enterprise Mode Site List Manager
+ href: ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md
+ - name: Import your Enterprise Mode site list to the Enterprise Mode Site List Manager
+ href: ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md
+ - name: Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager
+ href: ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
+ - name: Remove all sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager
+ href: ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md
+ - name: Review neutral sites for Internet Explorer mode using the Enterprise Mode Site List Manager
+ href: ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md
+ - name: Use the Enterprise Mode Site List Portal
+ href: ie11-deploy-guide/use-the-enterprise-mode-portal.md
+ items:
+ - name: Set up the Enterprise Mode Site List Portal
+ href: ie11-deploy-guide/set-up-enterprise-mode-portal.md
+ items:
+ - name: Use the Settings page to finish setting up the Enterprise Mode Site List Portal
+ href: ie11-deploy-guide/configure-settings-enterprise-mode-portal.md
+ - name: Add employees to the Enterprise Mode Site List Portal
+ href: ie11-deploy-guide/add-employees-enterprise-mode-portal.md
+ - name: Workflow-based processes for employees using the Enterprise Mode Site List Portal
+ href: ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md
+ items:
+ - name: Create a change request using the Enterprise Mode Site List Portal
+ href: ie11-deploy-guide/create-change-request-enterprise-mode-portal.md
+ - name: Verify your changes using the Enterprise Mode Site List Portal
+ href: ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md
+ - name: Approve a change request using the Enterprise Mode Site List Portal
+ href: ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md
+ - name: Schedule approved change requests for production using the Enterprise Mode Site List Portal
+ href: ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md
+ - name: Verify the change request update in the production environment using the Enterprise Mode Site List Portal
+ href: ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md
+ - name: View the apps currently on the Enterprise Mode Site List
+ href: ie11-deploy-guide/view-apps-enterprise-mode-site-list.md
+ - name: View the available Enterprise Mode reports from the Enterprise Mode Site List Portal
+ href: ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md
+ - name: Using IE7 Enterprise Mode or IE8 Enterprise Mode
+ href: ie11-deploy-guide/using-enterprise-mode.md
+ - name: Fix web compatibility issues using document modes and the Enterprise Mode site list
+ href: ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md
+ - name: Remove sites from a local Enterprise Mode site list
+ href: ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md
+ - name: Remove sites from a local compatibility view list
+ href: ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md
+ - name: Turn off Enterprise Mode
+ href: ie11-deploy-guide/turn-off-enterprise-mode.md
+ - name: Group Policy and Internet Explorer 11 (IE11)
+ href: ie11-deploy-guide/group-policy-and-ie11.md
+ items:
+ - name: Group Policy management tools
+ href: ie11-deploy-guide/group-policy-objects-and-ie11.md
+ items:
+ - name: Group Policy and the Group Policy Management Console (GPMC)
+ href: ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md
+ - name: Group Policy and the Local Group Policy Editor
+ href: ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md
+ - name: Group Policy and Advanced Group Policy Management (AGPM)
+ href: ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md
+ - name: Group Policy and Windows Powershell
+ href: ie11-deploy-guide/group-policy-windows-powershell-ie11.md
+ - name: Group Policy and Shortcut Extensions
+ href: ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md
+ - name: New group policy settings for Internet Explorer 11
+ href: ie11-deploy-guide/new-group-policy-settings-for-ie11.md
+ - name: Set the default browser using Group Policy
+ href: ie11-deploy-guide/set-the-default-browser-using-group-policy.md
+ - name: ActiveX installation using group policy
+ href: ie11-deploy-guide/activex-installation-using-group-policy.md
+ - name: Group Policy and compatibility with Internet Explorer 11
+ href: ie11-deploy-guide/group-policy-compatibility-with-ie11.md
+ - name: Group policy preferences and Internet Explorer 11
+ href: ie11-deploy-guide/group-policy-preferences-and-ie11.md
+ - name: Administrative templates and Internet Explorer 11
+ href: ie11-deploy-guide/administrative-templates-and-ie11.md
+ - name: Enable and disable add-ons using administrative templates and group policy
+ href: ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md
+ - name: Manage Internet Explorer 11
+ href: ie11-deploy-guide/manage-ie11-overview.md
+ items:
+ - name: Auto detect settings Internet Explorer 11
+ href: ie11-deploy-guide/auto-detect-settings-for-ie11.md
+ - name: Auto configuration settings for Internet Explorer 11
+ href: ie11-deploy-guide/auto-configuration-settings-for-ie11.md
+ - name: Auto proxy configuration settings for Internet Explorer 11
+ href: ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md
+ - name: Troubleshoot Internet Explorer 11 (IE11)
+ href: ie11-deploy-guide/troubleshoot-ie11.md
+ items:
+ - name: Setup problems with Internet Explorer 11
+ href: ie11-deploy-guide/setup-problems-with-ie11.md
+ - name: Install problems with Internet Explorer 11
+ href: ie11-deploy-guide/install-problems-with-ie11.md
+ - name: Problems after installing Internet Explorer 11
+ href: ie11-deploy-guide/problems-after-installing-ie11.md
+ - name: Auto configuration and auto proxy problems with Internet Explorer 11
+ href: ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md
+ - name: User interface problems with Internet Explorer 11
+ href: ie11-deploy-guide/user-interface-problems-with-ie11.md
+ - name: Group Policy problems with Internet Explorer 11
+ href: ie11-deploy-guide/group-policy-problems-ie11.md
+ - name: .NET Framework problems with Internet Explorer 11
+ href: ie11-deploy-guide/net-framework-problems-with-ie11.md
+ - name: Enhanced Protected Mode problems with Internet Explorer
+ href: ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md
+ - name: Fix font rendering problems by turning off natural metrics
+ href: ie11-deploy-guide/turn-off-natural-metrics.md
+ - name: Intranet problems with Internet Explorer 11
+ href: ie11-deploy-guide/intranet-problems-and-ie11.md
+ - name: Browser cache changes and roaming profiles
+ href: ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md
+ - name: Out-of-date ActiveX control blocking
+ href: ie11-deploy-guide/out-of-date-activex-control-blocking.md
+ items:
+ - name: Blocked out-of-date ActiveX controls
+ href: ie11-deploy-guide/blocked-out-of-date-activex-controls.md
+ - name: Deprecated document modes and Internet Explorer 11
+ href: ie11-deploy-guide/deprecated-document-modes.md
+ - name: What is the Internet Explorer 11 Blocker Toolkit?
+ href: ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md
+ items:
+ - name: Internet Explorer 11 delivery through automatic updates
+ href: ie11-deploy-guide/ie11-delivery-through-automatic-updates.md
+ - name: Internet Explorer 11 Blocker Toolkit FAQ
+ href: ie11-faq/faq-ie11-blocker-toolkit.md
+ - name: Missing Internet Explorer Maintenance settings for Internet Explorer 11
+ href: ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md
+ - name: Missing the Compatibility View Button
+ href: ie11-deploy-guide/missing-the-compatibility-view-button.md
+ - name: Deploy pinned websites using Microsoft Deployment Toolkit (MDT) 2013
+ href: ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md
+- name: IE11 Frequently Asked Questions (FAQ) Guide for IT Pros
+ href: ie11-faq/faq-for-it-pros-ie11.md
+- name: Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros
+ href: ie11-ieak/index.md
+ items:
+ - name: What IEAK can do for you
+ href: ie11-ieak/what-ieak-can-do-for-you.md
+ - name: Internet Explorer Administration Kit (IEAK) information and downloads
+ href: ie11-ieak/ieak-information-and-downloads.md
+ - name: Before you start using IEAK 11
+ href: ie11-ieak/before-you-create-custom-pkgs-ieak11.md
+ items:
+ - name: Hardware and software requirements for IEAK 11
+ href: ie11-ieak/hardware-and-software-reqs-ieak11.md
+ - name: Determine the licensing version and features to use in IEAK 11
+ href: ie11-ieak/licensing-version-and-features-ieak11.md
+ - name: Security features and IEAK 11
+ href: ie11-ieak/security-and-ieak11.md
+ - name: File types used or created by IEAK 11
+ href: ie11-ieak/file-types-ieak11.md
+ - name: Tasks and references to consider before creating and deploying custom packages using IEAK 11
+ href: ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md
+ - name: Create the build computer folder structure using IEAK 11
+ href: ie11-ieak/create-build-folder-structure-ieak11.md
+ - name: Set up auto detection for DHCP or DNS servers using IEAK 11
+ href: ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md
+ - name: Use proxy auto-configuration (.pac) files with IEAK 11
+ href: ie11-ieak/proxy-auto-config-examples.md
+ - name: Customize the toolbar button and Favorites List icons using IEAK 11
+ href: ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md
+ - name: Use the uninstallation .INF files to uninstall custom components
+ href: ie11-ieak/create-uninstall-inf-files-for-custom-components.md
+ - name: Add and approve ActiveX controls using the IEAK 11
+ href: ie11-ieak/add-and-approve-activex-controls-ieak11.md
+ - name: Register an uninstall app for custom components using IEAK 11
+ href: ie11-ieak/register-uninstall-app-ieak11.md
+ - name: Customize Automatic Search for Internet Explorer using IEAK 11
+ href: ie11-ieak/customize-automatic-search-for-ie.md
+ - name: Create multiple versions of your custom package using IEAK 11
+ href: ie11-ieak/create-multiple-browser-packages-ieak11.md
+ - name: Before you install your package over your network using IEAK 11
+ href: ie11-ieak/prep-network-install-with-ieak11.md
+ - name: Use the RSoP snap-in to review policy settings
+ href: ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md
+ - name: IEAK 11 - Frequently Asked Questions
+ href: ie11-faq/faq-ieak11.md
+ - name: Troubleshoot custom package and IEAK 11 problems
+ href: ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md
+ - name: Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options
+ href: ie11-ieak/ieak11-wizard-custom-options.md
+ items:
+ - name: Use the File Locations page in the IEAK 11 Wizard
+ href: ie11-ieak/file-locations-ieak11-wizard.md
+ - name: Use the Platform Selection page in the IEAK 11 Wizard
+ href: ie11-ieak/platform-selection-ieak11-wizard.md
+ - name: Use the Language Selection page in the IEAK 11 Wizard
+ href: ie11-ieak/language-selection-ieak11-wizard.md
+ - name: Use the Package Type Selection page in the IEAK 11 Wizard
+ href: ie11-ieak/pkg-type-selection-ieak11-wizard.md
+ - name: Use the Feature Selection page in the IEAK 11 Wizard
+ href: ie11-ieak/feature-selection-ieak11-wizard.md
+ - name: Use the Automatic Version Synchronization page in the IEAK 11 Wizard
+ href: ie11-ieak/auto-version-sync-ieak11-wizard.md
+ - name: Use the Custom Components page in the IEAK 11 Wizard
+ href: ie11-ieak/custom-components-ieak11-wizard.md
+ - name: Use the Internal Install page in the IEAK 11 Wizard
+ href: ie11-ieak/internal-install-ieak11-wizard.md
+ - name: Use the User Experience page in the IEAK 11 Wizard
+ href: ie11-ieak/user-experience-ieak11-wizard.md
+ - name: Use the Browser User Interface page in the IEAK 11 Wizard
+ href: ie11-ieak/browser-ui-ieak11-wizard.md
+ - name: Use the Search Providers page in the IEAK 11 Wizard
+ href: ie11-ieak/search-providers-ieak11-wizard.md
+ - name: Use the Important URLs - Home Page and Support page in the IEAK 11 Wizard
+ href: ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md
+ - name: Use the Accelerators page in the IEAK 11 Wizard
+ href: ie11-ieak/accelerators-ieak11-wizard.md
+ - name: Use the Favorites, Favorites Bar, and Feeds page in the IEAK 11 Wizard
+ href: ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md
+ - name: Use the Browsing Options page in the IEAK 11 Wizard
+ href: ie11-ieak/browsing-options-ieak11-wizard.md
+ - name: Use the First Run Wizard and Welcome Page Options page in the IEAK 11 Wizard
+ href: ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md
+ - name: Use the Compatibility View page in the IEAK 11 Wizard
+ href: ie11-ieak/compat-view-ieak11-wizard.md
+ - name: Use the Connection Manager page in the IEAK 11 Wizard
+ href: ie11-ieak/connection-mgr-ieak11-wizard.md
+ - name: Use the Connection Settings page in the IEAK 11 Wizard
+ href: ie11-ieak/connection-settings-ieak11-wizard.md
+ - name: Use the Automatic Configuration page in the IEAK 11 Wizard
+ href: ie11-ieak/auto-config-ieak11-wizard.md
+ - name: Use the Proxy Settings page in the IEAK 11 Wizard
+ href: ie11-ieak/proxy-settings-ieak11-wizard.md
+ - name: Use the Security and Privacy Settings page in the IEAK 11 Wizard
+ href: ie11-ieak/security-and-privacy-settings-ieak11-wizard.md
+ - name: Use the Add a Root Certificate page in the IEAK 11 Wizard
+ href: ie11-ieak/add-root-certificate-ieak11-wizard.md
+ - name: Use the Programs page in the IEAK 11 Wizard
+ href: ie11-ieak/programs-ieak11-wizard.md
+ - name: Use the Additional Settings page in the IEAK 11 Wizard
+ href: ie11-ieak/additional-settings-ieak11-wizard.md
+ - name: Use the Wizard Complete - Next Steps page in the IEAK 11 Wizard
+ href: ie11-ieak/wizard-complete-ieak11-wizard.md
+ - name: Using Internet Settings (.INS) files with IEAK 11
+ href: ie11-ieak/using-internet-settings-ins-files.md
+ items:
+ - name: Use the Branding .INS file to create custom branding and setup info
+ href: ie11-ieak/branding-ins-file-setting.md
+ - name: Use the BrowserToolbars .INS file to customize the Internet Explorer toolbar
+ href: ie11-ieak/browsertoolbars-ins-file-setting.md
+ - name: Use the CabSigning .INS file to review the digital signatures for your apps
+ href: ie11-ieak/cabsigning-ins-file-setting.md
+ - name: Use the ConnectionSettings .INS file to review the network connections for install
+ href: ie11-ieak/connectionsettings-ins-file-setting.md
+ - name: Use the CustomBranding .INS file to specify the custom branding location
+ href: ie11-ieak/custombranding-ins-file-setting.md
+ - name: Use the ExtRegInf .INS file to specify installation files and mode
+ href: ie11-ieak/extreginf-ins-file-setting.md
+ - name: Use the FavoritesEx .INS file for your Favorites icon and URLs
+ href: ie11-ieak/favoritesex-ins-file-setting.md
+ - name: Use the HideCustom .INS file to hide GUIDs
+ href: ie11-ieak/hidecustom-ins-file-setting.md
+ - name: Use the ISP_Security .INS file to add your root certificate
+ href: ie11-ieak/isp-security-ins-file-setting.md
+ - name: Use the Media .INS file to specify your install media
+ href: ie11-ieak/media-ins-file-setting.md
+ - name: Use the Proxy .INS file to specify a proxy server
+ href: ie11-ieak/proxy-ins-file-setting.md
+ - name: Use the Security Imports .INS file to import security info
+ href: ie11-ieak/security-imports-ins-file-setting.md
+ - name: Use the URL .INS file to use an auto-configured proxy server
+ href: ie11-ieak/url-ins-file-setting.md
+ - name: IExpress Wizard for Windows Server 2008 R2 with SP1
+ href: ie11-ieak/iexpress-wizard-for-win-server.md
+ items:
+ - name: IExpress Wizard command-line options
+ href: ie11-ieak/iexpress-command-line-options.md
+ - name: Internet Explorer Setup command-line options and return codes
+ href: ie11-ieak/ie-setup-command-line-options-and-return-codes.md
+ - name: KB Troubleshoot
+ items:
+ - name: Internet Explorer and Microsoft Edge FAQ for IT Pros
+ href: kb-support/ie-edge-faqs.md
diff --git a/browsers/internet-explorer/docfx.json b/browsers/internet-explorer/docfx.json
index a796135a6b..927e4c51ac 100644
--- a/browsers/internet-explorer/docfx.json
+++ b/browsers/internet-explorer/docfx.json
@@ -48,7 +48,7 @@
"jborsecnik",
"tiburd",
"garycentric"
- ],
+ ]
},
"externalReference": [],
"template": "op.html",
diff --git a/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md
index f09832c403..855b556dd8 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/activex-installation-using-group-policy.md
@@ -43,11 +43,8 @@ You use the ActiveX Installer Service (AXIS) and Group Policy to manage your Act
- **ActiveX installation policy for sites in trusted zones.** Identifies how AXIS should behave when a website tries to install an ActiveX control. First, AXIS looks to see if the site appears in either the list of approved installation sites or in the **Trusted sites** zone. If the does, then AXIS checks to make sure the control meets your company's policy requirements. If the ActiveX control meets all of these requirements, the control is installed.
-For more information about the ActiveX Installer Service, see [Administering the ActiveX Installer Service in Windows 7](https://go.microsoft.com/fwlink/p/?LinkId=214503).
+For more information about the ActiveX Installer Service, see [Administering the ActiveX Installer Service in Windows 7](/previous-versions/windows/it-pro/windows-7/dd631688(v=ws.10)).
-
-
-
-
+
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md
index 63f0d7bd6f..c7273e1661 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md
@@ -61,15 +61,15 @@ You can add individual sites to your compatibility list by using the Enterprise
5. In conjunction with the compatibility mode, you'll need to use the **Open in** box to pick which browser opens the site.
- - **IE11**. Opens the site in IE11, regardless of which browser is opened by the employee. If you have enabled [Internet Explorer mode integration on Microsoft Edge](https://docs.microsoft.com/deployedge/edge-ie-mode), this option will open sites in Internet Explorer mode.
+ - **IE11**. Opens the site in IE11, regardless of which browser is opened by the employee. If you have enabled [Internet Explorer mode integration on Microsoft Edge](/deployedge/edge-ie-mode), this option will open sites in Internet Explorer mode.
- **MSEdge**. Opens the site in Microsoft Edge, regardless of which browser is opened by the employee.
- **None**. Opens in whatever browser the employee chooses.
-6. If you have enabled [Internet Explorer mode integration on Microsoft Edge](https://docs.microsoft.com/deployedge/edge-ie-mode), and you have sites that still need to opened in the standalone Internet Explorer 11 application, you can check the box for **Standalone IE**. This checkbox is only relevant when associated to 'Open in' IE11. Checking the box when 'Open In' is set to MSEdge or None will not change browser behavior.
+6. If you have enabled [Internet Explorer mode integration on Microsoft Edge](/deployedge/edge-ie-mode), and you have sites that still need to opened in the standalone Internet Explorer 11 application, you can check the box for **Standalone IE**. This checkbox is only relevant when associated to 'Open in' IE11. Checking the box when 'Open In' is set to MSEdge or None will not change browser behavior.
-7. The checkbox **Allow Redirect** applies to the treatment of server side redirects. If you check this box, server side redirects will open in the browser specified by the open-in tag. For more information, see [here](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance#updated-schema-attributes).
+7. The checkbox **Allow Redirect** applies to the treatment of server side redirects. If you check this box, server side redirects will open in the browser specified by the open-in tag. For more information, see [here](./enterprise-mode-schema-version-2-guidance.md#updated-schema-attributes).
8. Click **Save** to validate your website and to add it to the site list for your enterprise.
If your site passes validation, it’s added to the global compatibility list. If the site doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the site or ignore the validation problem and add it to your list anyway.
@@ -84,7 +84,3 @@ After you’ve added all of your sites to the tool and saved the file to XML, yo
- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853)
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md
index 23bb9ee14a..4de574cbe2 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/administrative-templates-and-ie11.md
@@ -31,7 +31,7 @@ Administrative Templates are made up of a hierarchy of policy categories and sub
- Text explanations about each setting and the supported version of Internet Explorer.
-For a conceptual overview of Administrative Templates, see [Managing Group Policy ADMX Files Step-by-Step Guide](https://go.microsoft.com/fwlink/p/?LinkId=214519).
+For a conceptual overview of Administrative Templates, see [Managing Group Policy ADMX Files Step-by-Step Guide](/previous-versions/windows/it-pro/windows-vista/cc709647(v=ws.10)).
## What are Administrative Templates?
Administrative Templates are XML-based, multi-language files that define the registry-based Group Policy settings in the Local Group Policy Editor. There are two types of Administrative Templates:
@@ -42,7 +42,7 @@ Administrative Templates are XML-based, multi-language files that define the reg
## How do I store Administrative Templates?
As an admin, you can create a central store folder on your SYSVOL directory, named **PolicyDefinitions**. For example, %*SystemRoot*%\\PolicyDefinitions. This folder provides a single, centralized storage location for your Administrative Templates (both ADMX and ADML) files, so they can be used by your domain-based Group Policy Objects (GPOs).
- Important Important **Note** **Note** Important Important **No
2. Choose the **Automatically detect configuration settings** box to automatically detect your browser settings. For more information about the **Automatic Configuration** page, see [Use the Automatic Configuration page in the IEAK 11 Wizard](../ie11-ieak/auto-config-ieak11-wizard.md).
-3. Open the [DHCP Administrative Tool](https://go.microsoft.com/fwlink/p/?LinkId=302212), create a new option type, using the code number 252, and then associate it with the URL to your configuration file. For detailed instructions about how to do this, see [Create an option 252 entry in DHCP](https://go.microsoft.com/fwlink/p/?LinkId=294649).
+3. Open the [DHCP Administrative Tool](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd145324(v=ws.10)), create a new option type, using the code number 252, and then associate it with the URL to your configuration file. For detailed instructions about how to do this, see [Create an option 252 entry in DHCP](/previous-versions/tn-archive/bb794881(v=technet.10)).
**To turn on automatic detection for DNS servers**
@@ -45,7 +45,7 @@ To use automatic detection, you have to set up your DHCP and DNS servers. **No
5. Choose the **Automatically detect configuration settings** box to automatically detect your browser settings.
-6. In your DNS database file, create a host record named, **WPAD**. This record has the IP address of the web server storing your automatic configuration (.js, .jvs, .pac, or .ins) file. **-OR-** Create a canonical name (CNAME) alias record named, **WPAD**. This record has the resolved name (not the IP address) of the server storing your automatic configuration (.pac) file. **Note** **-OR-** Create a canonical name (CNAME) alias record named, **WPAD**. This record has the resolved name (not the IP address) of the server storing your automatic configuration (.pac) file. **Note** **Note** **No
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md
index f285933bcb..faba1eb9ac 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md
@@ -44,11 +44,8 @@ You have two options to restrict your users' ability to override the automatic c
- **Using Microsoft Active Directory.** Choose **Disable changing proxy settings** from the Administrative Templates setting.
-- **Not Using Active Directory.** Choose the **Prevent changing proxy settings** setting in the `User Configuration\Administrative Templates\Windows Components\Internet Explorer` Group Policy object. For more information about Group Policy, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514).
+- **Not Using Active Directory.** Choose the **Prevent changing proxy settings** setting in the `User Configuration\Administrative Templates\Windows Components\Internet Explorer` Group Policy object. For more information about Group Policy, see the [Group Policy TechCenter](/windows/deployment/deploy-whats-new).
-
-
-
-
+
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md b/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md
index 9aca832f3e..3fc8a84465 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md
@@ -22,7 +22,7 @@ ms.date: 10/16/2017
We’ve redesigned the browser cache to improve the performance, flexibility, reliability, and scalability of Internet Explorer and the apps that rely on the Windows Internet (WinINet) cache. Our new database design stops multiple clients from simultaneously accessing and using cached information, while also providing a higher level of data integrity.
-You won’t notice any changes to the management of your roaming profile data if you use our new database implementation in conjunction with the [roaming user profile guidelines](https://go.microsoft.com/fwlink/p/?LinkId=401544). This means that IE data that’s stored in the `AppData\Roaming` user profile folder is still be uploaded to your normal profile storage location after a user successfully logs off. **Note** **Note** **Note** Because of this change, your IEM-configured settings will no longer work on computers running Internet Explorer 10 or newer. To fix this, you need to update the affected settings using Group Policy preferences, Administrative Templates (.admx), or the IEAK 11. Because Group Policy Preferences and IEAK 11 run using asynchronous processes, you should choose to use only one of the tools within each group of settings. For example, using only IEAK 11 in the Security settings or Group Policy Preferences within the Internet Zone settings. Also, it's important to remember that policy is enforced and can't be changed by the user, while preferences are configured, but can be changed by the user. |
|[Missing the Compatibility View Button](missing-the-compatibility-view-button.md) |Compatibility View was introduced in Internet Explorer 8 to help existing content continue to work with Windows Internet Explorer 7, while developers updated their content to support modern interoperable web standards. Since then, the IE web platform, and the web itself, have changed so that most public web content looks for standards-based features instead of IE 7-compatible behavior. Thanks to these changes, using IE11 in the latest standards mode is more compatible with the web than ever before. As a result, IE11 simplifies web page compatibility for users by removing the Compatibility View button and reducing the number of compatibility options in the F12 developer tools for developers. |
-|[Deploy pinned websites using Microsoft Deployment Toolkit (MDT) 2013](deploy-pinned-sites-using-mdt-2013.md) |You can pin websites to the Windows 8.1 taskbar for quick access. You pin a website simply by dragging its tab to the taskbar. Some websites can also extend the icon’s Jump List. The ability to pin websites to the Windows 8.1 taskbar can help make end-users in businesses more productive. As an IT professional, for example, you can pin intranet and SharePoint websites to the taskbar to make them immediately available to employees. In this article, you learn how to deploy pinned websites by using Lite Touch Installation in the [Microsoft Deployment Toolkit (MDT) 2013](https://go.microsoft.com/fwlink/p/?LinkId=398474).
+|[Deploy pinned websites using Microsoft Deployment Toolkit (MDT) 2013](deploy-pinned-sites-using-mdt-2013.md) |You can pin websites to the Windows 8.1 taskbar for quick access. You pin a website simply by dragging its tab to the taskbar. Some websites can also extend the icon’s Jump List. The ability to pin websites to the Windows 8.1 taskbar can help make end-users in businesses more productive. As an IT professional, for example, you can pin intranet and SharePoint websites to the taskbar to make them immediately available to employees. In this article, you learn how to deploy pinned websites by using Lite Touch Installation in the [Microsoft Deployment Toolkit (MDT) 2013](/mem/configmgr/mdt/).
## IE11 naming conventions
@@ -62,5 +62,4 @@ IE11 offers differing experiences in Windows 8.1:
## Related topics
- [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.md)
- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](../ie11-ieak/index.md)
-- [Microsoft Edge - Deployment Guide for IT Pros](https://go.microsoft.com/fwlink/p/?LinkId=760643)
-
+- [Microsoft Edge - Deployment Guide for IT Pros](/microsoft-edge/deploy/)
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md
index 027cf25129..125703ca28 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md
@@ -18,7 +18,7 @@ ms.date: 07/27/2017
[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-Internet Explorer 11 is available as an update in Microsoft Intune. Microsoft Intune uses Windows cloud services to help you manage updates, monitor and protect your computers, provide remote assistance, track hardware and software inventory, and set security policies. For more information, see the [Documentation Library for Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=301805).
+Internet Explorer 11 is available as an update in Microsoft Intune. Microsoft Intune uses Windows cloud services to help you manage updates, monitor and protect your computers, provide remote assistance, track hardware and software inventory, and set security policies. For more information, see the [Documentation Library for Microsoft Intune](/mem/intune/).
## Adding and deploying the IE11 package
You can add and then deploy the IE11 package to any computer that's managed by Microsoft Intune.
@@ -29,7 +29,7 @@ You can add and then deploy the IE11 package to any computer that's managed by M
2. Add your IE11 package as either an external link or as a Windows installer package (.exe or .msi).
-For more info about how to decide which one to use, and how to use it, see [Deploy and configure apps](https://go.microsoft.com/fwlink/p/?LinkId=301806).
+For more info about how to decide which one to use, and how to use it, see [Deploy and configure apps](/mem/intune/).
**To automatically deploy and install the IE11 package**
@@ -39,7 +39,7 @@ For more info about how to decide which one to use, and how to use it, see [Depl
3. After the package is on your employee's computers, the installation process runs, based on what you set up in your wizard.
-For more info about this, see [Deploy and configure apps](https://go.microsoft.com/fwlink/p/?LinkId=301806).
+For more info about this, see [Deploy and configure apps](/mem/intune/).
**To let your employees install the IE11 package**
@@ -51,7 +51,4 @@ For more info about this, see [Update apps using Microsoft Intune](https://go.mi
-
-
-
-
+
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md
index c6bd4e15e8..469b700481 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md
@@ -32,7 +32,7 @@ After you install the .msu file updates, you'll need to add them to your MDT dep
## Installing IE11 using Microsoft Deployment Toolkit (MDT)
-MDT adds IE11 to your Windows images, regardless whether you are creating or deploying a customized or non-customized image. MDT also lets you perform offline servicing during the System Center 2012 R2 Configuration Manager task sequence, letting you add IE11 before starting Windows. For info, see [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?linkid=331148).
+MDT adds IE11 to your Windows images, regardless whether you are creating or deploying a customized or non-customized image. MDT also lets you perform offline servicing during the System Center 2012 R2 Configuration Manager task sequence, letting you add IE11 before starting Windows. For info, see [Microsoft Deployment Toolkit (MDT)](/mem/configmgr/mdt/).
**To add IE11 to a MDT deployment share**
@@ -51,13 +51,10 @@ You can add the IE11 update while you're performing offline servicing, or slipst
These articles have step-by-step details about adding packages to your Windows images:
-- For Windows 8.1, see [Add or Remove Packages Offline Using DISM](https://go.microsoft.com/fwlink/p/?LinkId=276791).
+- For Windows 8.1, see [Add or Remove Packages Offline Using DISM](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824838(v=win.10)).
-- For Windows 7 SP1, see [Add or Remove Packages Offline](https://go.microsoft.com/fwlink/p/?LinkId=214490).
+- For Windows 7 SP1, see [Add or Remove Packages Offline](/previous-versions/windows/it-pro/windows-7/dd744559(v=ws.10)).
-
-
-
-
+
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md
index e08ca5dffe..8beef9b99d 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md
@@ -20,7 +20,7 @@ ms.date: 07/27/2017
[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-You can install Internet Explorer 11 (IE11) by using [System Center R2 2012 Configuration Manager](https://go.microsoft.com/fwlink/p/?linkid=276664). Complete these steps for each operating system and platform combination.
+You can install Internet Explorer 11 (IE11) by using [System Center R2 2012 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682129(v=technet.10)). Complete these steps for each operating system and platform combination.
**To install IE11**
@@ -36,7 +36,4 @@ You can also use System Center Essentials 2010 to deploy IE11 installation packa
-
-
-
-
+
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md
index 662514e102..07b0485309 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md
@@ -19,7 +19,7 @@ ms.date: 07/27/2017
[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-Windows Server Update Services (WSUS) lets you download a single copy of the Microsoft product update and cache it on your local WSUS servers. You can then configure your computers to get the update from your local servers instead of Windows Update. For more information about WSUS, see [Windows Server Update Services](https://go.microsoft.com/fwlink/p/?LinkID=276790).
+Windows Server Update Services (WSUS) lets you download a single copy of the Microsoft product update and cache it on your local WSUS servers. You can then configure your computers to get the update from your local servers instead of Windows Update. For more information about WSUS, see [Windows Server Update Services](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh852345(v=ws.11)).
**To import from Windows Update to WSUS**
@@ -50,7 +50,3 @@ Windows Server Update Services (WSUS) lets you download a single copy of the Mic
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md
index e0dbd2bdab..e3e56157b3 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md
@@ -44,9 +44,9 @@ For more information about all of the new options and Group Policy, see:
- [Group Policy Settings Reference for Windows and Windows Server](https://go.microsoft.com/fwlink/p/?LinkId=279876)
-- [Group Policy ADMX Syntax Reference Guide](https://go.microsoft.com/fwlink/p/?LinkId=276830)
+- [Group Policy ADMX Syntax Reference Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753471(v=ws.10))
-- [Enable and Disable Settings in a Preference Item](https://go.microsoft.com/fwlink/p/?LinkId=282671)
+- [Enable and Disable Settings in a Preference Item](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754299(v=ws.11))
## IEM replacements
The IEM settings have replacements you can use in either Group Policy Preferences or IEAK 11.
@@ -98,5 +98,4 @@ The Advanced IEM settings, including Corporate and Internet settings, were also
|IEM setting |Description |Replacement tool |
|------------|------------|-----------------|
|Corporate settings |Specifies the location of the file with the settings you use to make IE work best in your organization. |On the Additional Settings page of IEAK 11, expand Corporate Settings, and then customize how your organization handles temporary Internet files, code downloads, menu items, and toolbar buttons. |
-|Internet settings |Specifies the location of the file that includes your default IE settings. |In the Internet Settings Group Policy Preferences dialog box, click the Advanced tab, and then update your Internet-related settings, as required -OR- On the Additional Settings page of IEAK 11, expand Internet Settings, and then customize your default values in the Internet Options dialog box. |
-
+|Internet settings |Specifies the location of the file that includes your default IE settings. |In the Internet Settings Group Policy Preferences dialog box, click the Advanced tab, and then update your Internet-related settings, as required -OR- On the Additional Settings page of IEAK 11, expand Internet Settings, and then customize your default values in the Internet Options dialog box. |
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md
index 9b8ab9eb33..557d57b34a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md
@@ -74,5 +74,4 @@ After you've finished updating and deploying your Group Policy, you can use the
1. Open and run the Resultant Set of Policy (RSoP) wizard, specifying the information you want to see.
2. Open your wizard results in the Group Policy Management Console (GPMC).
-For complete instructions about how to add, open, and use RSoP, see [Use the RSoP Snap-in](https://go.microsoft.com/fwlink/p/?LinkId=395201)
-
+For complete instructions about how to add, open, and use RSoP, see [Use the RSoP Snap-in](/previous-versions/windows/it-pro/windows-server-2003/cc736424(v=ws.10))
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
index a2f12352fd..75283c1f64 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
@@ -168,7 +168,7 @@ Here’s a detailed example and description of what’s included in the VersionA
- **Allowed/Blocked** Whether IE blocked the ActiveX control.
-- **Enhanced Protected Mode (EPM)-compatible.** Whether the loaded ActiveX control is compatible with [Enhanced Protected Mode](https://go.microsoft.com/fwlink/p/?LinkId=403865). **Note** **Note**
This lets you create an ASP form that accepts the incoming POST messages.
@@ -158,7 +158,3 @@ You may need to do some additional package cleanup to remove older package versi
- [Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md)
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md
index 37b7bc16cf..818b3acf64 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md
@@ -31,7 +31,7 @@ ms.date: 07/27/2017
Internet Explorer 11 is available for a number of systems and languages. This topic provides info about the minimum system requirements and language support.
## Minimum system requirements for IE11
-IE11 is pre-installed on Windows 8.1, Windows 10, and Windows Server 2012 R2 and is listed here for reference. For more info about IE11 on Windows 10, see [Browser: Microsoft Edge and Internet Explorer 11](https://technet.microsoft.com/library/mt156988.aspx).
+IE11 is pre-installed on Windows 8.1, Windows 10, and Windows Server 2012 R2 and is listed here for reference. For more info about IE11 on Windows 10, see [Browser: Microsoft Edge and Internet Explorer 11](/microsoft-edge/deploy/emie-to-improve-compatibility).
**Important**
+- **Client Hyper-V.** Uses the same virtualization technology previously available in Windows Server, but now installed for Windows 8.1. For more information, see [Client Hyper-V](/previous-versions/windows/it-pro/windows-8.1-and-8/hh857623(v=ws.11)).
For more information about virtualization options, see [Microsoft Desktop Virtualization](https://go.microsoft.com/fwlink/p/?LinkId=271662).
-
-
-
-
+
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
index b9fb67f961..5ea3970866 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
@@ -73,7 +73,7 @@ The Enterprise Mode Site List is an XML document that specifies a list of sites,
Starting with Windows 10, version 1511 (also known as the Anniversary Update), you can also [restrict IE11 to only the legacy web apps that need it](https://blogs.windows.com/msedgedev/2016/05/19/edge14-ie11-better-together/), automatically sending sites not included in the Enterprise Mode Site List to Microsoft Edge.
### Site list xml file
-This is a view of the [raw EMIE v2 schema.xml file](https://gist.github.com/kypflug/9e9961de771d2fcbd86b#file-emie-v2-schema-xml). There are equivalent Enterprise Mode Site List policies for both [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/emie-to-improve-compatibility) and [Internet Explorer 11](turn-on-enterprise-mode-and-use-a-site-list.md). The Microsoft Edge list is used to determine which sites should open in IE11; while the IE11 list is used to determine the compat mode for a site, and which sites should open in Microsoft Edge. We recommend using one list for both browsers, where each policy points to the same XML file location.
+This is a view of the [raw EMIE v2 schema.xml file](https://gist.github.com/kypflug/9e9961de771d2fcbd86b#file-emie-v2-schema-xml). There are equivalent Enterprise Mode Site List policies for both [Microsoft Edge](/microsoft-edge/deploy/emie-to-improve-compatibility) and [Internet Explorer 11](turn-on-enterprise-mode-and-use-a-site-list.md). The Microsoft Edge list is used to determine which sites should open in IE11; while the IE11 list is used to determine the compat mode for a site, and which sites should open in Microsoft Edge. We recommend using one list for both browsers, where each policy points to the same XML file location.
```xml
-OR-
Create a canonical name (CNAME) alias record, named WPAD. This record lets you use more than one name to point to a single host, letting you host both an FTP server and a web server on the same computer. It also includes the resolved name (not the IP address) of the server storing your automatic configuration (.pac) file.
- Note
-In addition, after you run the Internet Explorer Customization Wizard, we highly recommend that you sign the IEAK package and the branding.cab file (if you are using it separately from the package). You can do this also using the tools mentioned above. For more information, download Code-Signing Best Practices ([Code-Signing Best Practices](https://go.microsoft.com/fwlink/p/?LinkId=71300)).
+- **If you plan to distribute custom packages over the Internet**, you must sign all custom components and the CMAK profile package (if used). Before you start the Internet Explorer Customization Wizard, make sure that both are signed. Typically, their respective manufacturers will have signed them. Otherwise, you can sign these using the Sign Tool (SignTool.exe) ( [SignTool.exe (Sign Tool)](/dotnet/framework/tools/signtool-exe)) or use the File Signing Tool (Signcode.exe) ([Signcode.exe (File Signing Tool)](/previous-versions/9sh96ycy(v=vs.100))). You should read the documentation included with these tools for more info about all of the signing options.
+In addition, after you run the Internet Explorer Customization Wizard, we highly recommend that you sign the IEAK package and the branding.cab file (if you are using it separately from the package). You can do this also using the tools mentioned above. For more information, download Code-Signing Best Practices ([Code-Signing Best Practices](/previous-versions/windows/hardware/design/dn653556(v=vs.85))).
- **If you plan to distribute your custom packages over an intranet**, sign the custom files or preconfigure the Local intranet zone with a Low security setting, because the default security setting does not allow users to download unsigned programs or code.
@@ -65,5 +65,4 @@ You must keep your private key, private. To do this, we recommend:
- **Tamper-proof storage.** Save your private keys on secure, tamper-proof hardware devices.
-- **Security.** Protect your private keys using physical security measures, such as cameras and card readers.
-
+- **Security.** Protect your private keys using physical security measures, such as cameras and card readers.
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md b/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md
index d62e11e507..2428cba980 100644
--- a/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md
+++ b/browsers/internet-explorer/ie11-ieak/what-ieak-can-do-for-you.md
@@ -65,8 +65,8 @@ ISVs install IEAK using External mode (for Internet Explorer 10 or newer) or Int
- [IEAK 11 - Frequently Asked Questions](../ie11-faq/faq-ieak11.md)
- [Download IEAK 11](ieak-information-and-downloads.md)
- [IEAK 11 overview](index.md)
-- [IEAK 11 administrators guide](https://docs.microsoft.com/internet-explorer/ie11-ieak/index)
+- [IEAK 11 administrators guide](./index.md)
- [IEAK 11 licensing guidelines](licensing-version-and-features-ieak11.md)
- [Internet Explorer 11 - FAQ for IT Pros](../ie11-faq/faq-for-it-pros-ie11.md)
- [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md)
-- [Microsoft Edge - Deployment Guide for IT Pros](https://go.microsoft.com/fwlink/p/?LinkId=760643)
+- [Microsoft Edge - Deployment Guide for IT Pros](/microsoft-edge/deploy/)
\ No newline at end of file
diff --git a/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md b/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md
index 96a04e5f70..b86d5467b3 100644
--- a/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md
+++ b/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md
@@ -10,4 +10,4 @@ ms.topic: include
---
> [!IMPORTANT]
-> Microsoft 365 apps and services will not support Internet Explorer 11 starting August 17, 2021 (Microsoft Teams will not support Internet Explorer 11 earlier, starting November 30, 2020). [Learn more](https://aka.ms/AA97tsw). Please note that Internet Explorer 11 will remain a supported browser. Internet Explorer 11 is a component of the Windows operating system and [follows the Lifecycle Policy](https://docs.microsoft.com/lifecycle/faq/internet-explorer-microsoft-edge) for the product on which it is installed.
\ No newline at end of file
+> Microsoft 365 apps and services will not support Internet Explorer 11 starting August 17, 2021 (Microsoft Teams will not support Internet Explorer 11 earlier, starting November 30, 2020). [Learn more](https://aka.ms/AA97tsw). Please note that Internet Explorer 11 will remain a supported browser. Internet Explorer 11 is a component of the Windows operating system and [follows the Lifecycle Policy](/lifecycle/faq/internet-explorer-microsoft-edge) for the product on which it is installed.
\ No newline at end of file
diff --git a/browsers/internet-explorer/internet-explorer.yml b/browsers/internet-explorer/internet-explorer.yml
index 7a2759960e..1d1950f20d 100644
--- a/browsers/internet-explorer/internet-explorer.yml
+++ b/browsers/internet-explorer/internet-explorer.yml
@@ -21,13 +21,13 @@ landingContent:
- linkListType: get-started
links:
- text: IE11 features and tools
- url: /internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11
+ url: ./ie11-deploy-guide/updated-features-and-tools-with-ie11.md
- text: System requirements and language support
- url: /internet-explorer/ie11-deploy-guide/system-requirements-and-language-support-for-ie11
+ url: ./ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md
- text: Frequently asked questions
- url: /internet-explorer/ie11-faq/faq-for-it-pros-ie11
+ url: ./ie11-faq/faq-for-it-pros-ie11.md
- text: Internet Explorer 11 deployment guide
- url: /internet-explorer/ie11-deploy-guide/
+ url: ./ie11-deploy-guide/index.md
- text: Use Enterprise Mode to improve compatibility
url: /microsoft-edge/deploy/emie-to-improve-compatibility
- text: Lifecycle FAQ - Internet Explorer
@@ -57,13 +57,13 @@ landingContent:
- linkListType: get-started
links:
- text: What is Enterprise Mode?
- url: /internet-explorer/ie11-deploy-guide/what-is-enterprise-mode
+ url: ./ie11-deploy-guide/what-is-enterprise-mode.md
- text: Tips and tricks to manage Internet Explorer compatibility
- url: /internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility
+ url: ./ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md
- text: Download the Enterprise Site Discovery Toolkit
url: https://www.microsoft.com/download/details.aspx?id=44570
- text: Collect data using Enterprise Site Discovery
- url: /internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery
+ url: ./ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
- text: Manage Windows upgrades with Upgrade Readiness
url: /windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness
- text: 'Demo: Plan and manage Windows 10 upgrades and feature updates with'
@@ -71,13 +71,13 @@ landingContent:
- linkListType: how-to-guide
links:
- text: Turn on Enterprise Mode and use a site list
- url: /internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list
+ url: ./ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md
- text: Add sites to the Enterprise Mode site list
- url: /internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool
+ url: ./ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md
- text: Edit the Enterprise Mode site list
- url: /internet-explorer/ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager
+ url: ./ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md
- text: Turn on local control and logging for Enterprise Mode
- url: /internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode
+ url: ./ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md
# Card
- title: Deploy
@@ -85,29 +85,29 @@ landingContent:
- linkListType: get-started
links:
- text: IEAK 11 user's guide
- url: /internet-explorer/ie11-ieak/
+ url: ./ie11-ieak/index.md
- text: Download IEAK 11
- url: /internet-explorer/ie11-ieak/ieak-information-and-downloads
+ url: ./ie11-ieak/ieak-information-and-downloads.md
- text: Frequently asked questions about IEAK 11
- url: /internet-explorer/ie11-faq/faq-ieak11
+ url: ./ie11-faq/faq-ieak11.md
- text: Customization and distribution guidelines
- url: /internet-explorer/ie11-ieak/licensing-version-and-features-ieak11#customization-guidelines
+ url: ./ie11-ieak/licensing-version-and-features-ieak11.md#customization-guidelines
- linkListType: deploy
links:
- text: Install Internet Explorer 11 through automatic updates (recommended)
- url: /internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates
+ url: ./ie11-deploy-guide/ie11-delivery-through-automatic-updates.md
- text: Install Internet Explorer 11 as part of an operating system deployment
- url: /internet-explorer/ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems
+ url: ./ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md
- text: Install Internet Explorer 11 over the network
- url: /internet-explorer/ie11-deploy-guide/install-ie11-using-the-network
+ url: ./ie11-deploy-guide/install-ie11-using-the-network.md
- text: Install Internet Explorer 11 with System Center 2012 R2 Configuration Manager
- url: /internet-explorer/ie11-deploy-guide/install-ie11-using-system-center-configuration-manager
+ url: ./ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md
- text: Install Internet Explorer 11 with Windows Server Update Services (WSUS)
- url: /internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus
+ url: ./ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md
- text: Install Internet Explorer 11 with Microsoft Intune
- url: /internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune
+ url: ./ie11-deploy-guide/install-ie11-using-microsoft-intune.md
- text: Install Internet Explorer 11 with third-party tools
- url: /internet-explorer/ie11-deploy-guide/install-ie11-using-third-party-tools
+ url: ./ie11-deploy-guide/install-ie11-using-third-party-tools.md
# Card
- title: Manage
@@ -117,17 +117,17 @@ landingContent:
- text: Group Policy for beginners
url: /previous-versions/windows/it-pro/windows-7/hh147307(v=ws.10)
- text: New Group Policy settings for IE11
- url: /internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11
+ url: ./ie11-deploy-guide/new-group-policy-settings-for-ie11.md
- text: Administrative templates for IE11
url: https://www.microsoft.com/download/details.aspx?id=40905
- text: Group Policy preferences for IE11
- url: /internet-explorer/ie11-deploy-guide/group-policy-preferences-and-ie11
+ url: ./ie11-deploy-guide/group-policy-preferences-and-ie11.md
- text: Configure Group Policy preferences
url: https://support.microsoft.com/help/2898604/how-to-configure-group-policy-preference-settings-for-internet-explorer-11-in-windows-8.1-or-windows-server-2012-r2
- text: Blocked out-of-date ActiveX controls
- url: /internet-explorer/ie11-deploy-guide/blocked-out-of-date-activex-controls
+ url: ./ie11-deploy-guide/blocked-out-of-date-activex-controls.md
- text: Out-of-date ActiveX control blocking
- url: /internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking
+ url: ./ie11-deploy-guide/out-of-date-activex-control-blocking.md
- text: Update to block out-of-date ActiveX controls in Internet Explorer
url: https://support.microsoft.com/help/2991000/update-to-block-out-of-date-activex-controls-in-internet-explorer
- text: Script to join user to AD with automatic Local user Profile Migration
@@ -143,11 +143,11 @@ landingContent:
- text: Change or reset Internet Explorer settings
url: https://support.microsoft.com/help/17441/windows-internet-explorer-change-reset-settings
- text: Troubleshoot problems with setup, installation, auto configuration, and more
- url: /internet-explorer/ie11-deploy-guide/troubleshoot-ie11
+ url: ./ie11-deploy-guide/troubleshoot-ie11.md
- text: Disable VBScript execution in Internet Explorer for Internet Zone and Restricted Sites Zone
url: https://support.microsoft.com/help/4012494/option-to-disable-vbscript-execution-in-internet-explorer-for-internet
- text: Frequently asked questions about IEAK 11
- url: /internet-explorer/ie11-faq/faq-ieak11
+ url: ./ie11-faq/faq-ieak11.md
- text: Internet Explorer 8, 9, 10, 11 forum
url: https://social.technet.microsoft.com/forums/ie/home?forum=ieitprocurrentver
- text: Contact a Microsoft support professional
@@ -171,4 +171,4 @@ landingContent:
- text: Microsoft Edge Dev blog
url: https://blogs.windows.com/msedgedev
- text: Microsoft Edge Dev on Twitter
- url: https://twitter.com/MSEdgeDev
+ url: https://twitter.com/MSEdgeDev
\ No newline at end of file
diff --git a/browsers/internet-explorer/kb-support/ie-edge-faqs.md b/browsers/internet-explorer/kb-support/ie-edge-faqs.md
index 5c29be5126..3e2d6c100e 100644
--- a/browsers/internet-explorer/kb-support/ie-edge-faqs.md
+++ b/browsers/internet-explorer/kb-support/ie-edge-faqs.md
@@ -25,10 +25,10 @@ An HTTP cookie (the web cookie or browser cookie) is a small piece of data that
For more information about how Internet Explorer handles cookies, see the following articles:
-- [Beware Cookie Sharing in Cross-Zone Scenarios](https://blogs.msdn.microsoft.com/ieinternals/2011/03/10/beware-cookie-sharing-in-cross-zone-scenarios/)
-- [A Quick Look at P3P](https://blogs.msdn.microsoft.com/ieinternals/2013/09/17/a-quick-look-at-p3p/)
-- [Internet Explorer Cookie Internals FAQ](https://blogs.msdn.microsoft.com/ieinternals/2009/08/20/internet-explorer-cookie-internals-faq/)
-- [Privacy Beyond Blocking Cookies](https://blogs.msdn.microsoft.com/ie/2008/08/25/privacy-beyond-blocking-cookies-bringing-awareness-to-third-party-content/)
+- [Beware Cookie Sharing in Cross-Zone Scenarios](/archive/blogs/ieinternals/beware-cookie-sharing-in-cross-zone-scenarios)
+- [A Quick Look at P3P](/archive/blogs/ieinternals/a-quick-look-at-p3p)
+- [Internet Explorer Cookie Internals FAQ](/archive/blogs/ieinternals/internet-explorer-cookie-internals-faq)
+- [Privacy Beyond Blocking Cookies](/archive/blogs/ie/privacy-beyond-blocking-cookies-bringing-awareness-to-third-party-content)
- [Description of Cookies](https://support.microsoft.com/help/260971/description-of-cookies)
### Where does Internet Explorer store cookies?
@@ -63,7 +63,7 @@ There's still a 5 Kilobytes (KB) limit on the size of the cookie header that is
The JavaScript limitation was updated to 10 KB from 4 KB.
-For more information, see [Internet Explorer Cookie Internals (FAQ)](https://blogs.msdn.microsoft.com/ieinternals/2009/08/20/internet-explorer-cookie-internals-faq/).
+For more information, see [Internet Explorer Cookie Internals (FAQ)](/archive/blogs/ieinternals/internet-explorer-cookie-internals-faq).
#### Additional information about cookie limits
@@ -115,11 +115,11 @@ For more information, see the following blog article:
### How to add sites to the Enterprise Mode (EMIE) site list
-For more information about how to add sites to an EMIE list, see [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool).
+For more information about how to add sites to an EMIE list, see [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](../ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md).
### What is Content Security Policy (CSP)?
-By using [Content Security Policy](https://docs.microsoft.com/microsoft-edge/dev-guide/security/content-security-policy), you create an allow list of sources of trusted content in the HTTP headers. You also pre-approve certain servers for content that is loaded into a webpage, and instruct the browser to execute or render only resources from those sources. You can use this technique to prevent malicious content from being injected into sites.
+By using [Content Security Policy](/microsoft-edge/dev-guide/security/content-security-policy), you create an allow list of sources of trusted content in the HTTP headers. You also pre-approve certain servers for content that is loaded into a webpage, and instruct the browser to execute or render only resources from those sources. You can use this technique to prevent malicious content from being injected into sites.
Content Security Policy is supported in all versions of Microsoft Edge. It lets web developers lock down the resources that can be used by their web application. This helps prevent [cross-site scripting](https://en.wikipedia.org/wiki/Cross-site_scripting) attacks that remain a common vulnerability on the web. However, the first version of Content Security Policy was difficult to implement on websites that used inline script elements that either pointed to script sources or contained script directly.
@@ -150,7 +150,7 @@ To play HTML5 videos in the Internet Zone, use the default settings or make sure
This key is read by the **URLACTION\_ALLOW\_AUDIO\_VIDEO 0x00002701** URL action flag that determines whether media elements (audio and video) are allowed in pages in a URL security zone.
-For more information, see [Unable to play HTML5 Videos in IE](https://blogs.msdn.microsoft.com/askie/2014/12/31/unable-to-play-html5-videos-in-ie/).
+For more information, see [Unable to play HTML5 Videos in IE](/archive/blogs/askie/unable-to-play-html5-videos-in-ie).
For Windows 10 N and Windows KN editions, you must also download the feature pack that is discussed in [Media feature pack for Windows 10 N and Windows 10 KN editions](https://support.microsoft.com/help/3010081/media-feature-pack-for-windows-10-n-and-windows-10-kn-editions).
@@ -162,11 +162,11 @@ This is a new feature to add sites to your enterprise mode site list XML. For mo
### What is Enterprise Mode Feature?
-For more information about this topic, see [Enterprise Mode and the Enterprise Mode Site List](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode).
+For more information about this topic, see [Enterprise Mode and the Enterprise Mode Site List](../ie11-deploy-guide/what-is-enterprise-mode.md).
### Where can I obtain a list of HTTP Status codes?
-For information about this list, see [HTTP Status Codes](https://docs.microsoft.com/windows/win32/winhttp/http-status-codes).
+For information about this list, see [HTTP Status Codes](/windows/win32/winhttp/http-status-codes).
### What is end of support for Internet Explorer 11?
@@ -207,14 +207,14 @@ This policy setting is available for both Computer Configuration and User Config
- User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
**References**
-[How to configure Internet Explorer security zone sites using group polices](https://blogs.msdn.microsoft.com/askie/2012/06/05/how-to-configure-internet-explorer-security-zone-sites-using-group-polices/)
+[How to configure Internet Explorer security zone sites using group polices](/archive/blogs/askie/how-to-configure-internet-explorer-security-zone-sites-using-group-polices)
### What are the limits for MaxConnectionsPerServer, MaxConnectionsPer1_0Server for the current versions of Internet Explorer?
-For more information about these settings and limits, see [Connectivity Enhancements in Windows Internet Explorer 8](https://docs.microsoft.com/previous-versions/cc304129(v=vs.85)).
+For more information about these settings and limits, see [Connectivity Enhancements in Windows Internet Explorer 8](/previous-versions/cc304129(v=vs.85)).
### What is the MaxConnectionsPerProxy setting, and what are the maximum allowed values for this setting?
The **MaxConnectionsPerProxy** setting controls the number of connections that a single-user client can maintain to a given host by using a proxy server.
-For more information, see [Understanding Connection Limits and New Proxy Connection Limits in WinInet and Internet Explorer](https://blogs.msdn.microsoft.com/jpsanders/2009/06/29/understanding-connection-limits-and-new-proxy-connection-limits-in-wininet-and-internet-explorer/).
+For more information, see [Understanding Connection Limits and New Proxy Connection Limits in WinInet and Internet Explorer](/archive/blogs/jpsanders/understanding-connection-limits-and-new-proxy-connection-limits-in-wininet-and-internet-explorer).
\ No newline at end of file
diff --git a/devices/hololens/docfx.json b/devices/hololens/docfx.json
index 6d55b1a859..9b7317309d 100644
--- a/devices/hololens/docfx.json
+++ b/devices/hololens/docfx.json
@@ -54,7 +54,7 @@
"jborsecnik",
"tiburd",
"garycentric"
- ],
+ ]
},
"fileMetadata": {},
"template": [],
diff --git a/education/developers.yml b/education/developers.yml
index 6533d8c51c..5b67147739 100644
--- a/education/developers.yml
+++ b/education/developers.yml
@@ -18,11 +18,11 @@ additionalContent:
# Card
- title: UWP apps for education
summary: Learn how to write universal apps for education.
- url: https://docs.microsoft.com/windows/uwp/apps-for-education/
+ url: /windows/uwp/apps-for-education/
# Card
- title: Take a test API
summary: Learn how web applications can use the API to provide a locked down experience for taking tests.
- url: https://docs.microsoft.com/windows/uwp/apps-for-education/take-a-test-api
+ url: /windows/uwp/apps-for-education/take-a-test-api
# Card
- title: Office Education Dev center
summary: Integrate with Office 365 across devices and services to extend Microsoft enterprise-scale compliance and security to students, teachers, and staff in your education app
@@ -30,4 +30,4 @@ additionalContent:
# Card
- title: Data Streamer
summary: Bring new STEM experiences into the classroom with real-time data in Excel using Data Streamer. Data Streamer can send data to Excel from a sensor or application.
- url: https://docs.microsoft.com/microsoft-365/education/data-streamer
+ url: /microsoft-365/education/data-streamer
\ No newline at end of file
diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md
index 156feee1de..fd0f0a83fb 100644
--- a/education/includes/education-content-updates.md
+++ b/education/includes/education-content-updates.md
@@ -7,5 +7,5 @@
| Published On |Topic title | Change |
|------|------------|--------|
-| 1/14/2021 | [Chromebook migration guide (Windows 10)](/education/windows/chromebook-migration-guide) | modified |
-| 1/14/2021 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified |
+| 1/14/2021 | [Chromebook migration guide (Windows 10)](../windows/chromebook-migration-guide.md) | modified |
+| 1/14/2021 | [Deploy Windows 10 in a school district (Windows 10)](../windows/deploy-windows-10-in-a-school-district.md) | modified |
\ No newline at end of file
diff --git a/education/itadmins.yml b/education/itadmins.yml
index 4aa321c59c..849c8bb478 100644
--- a/education/itadmins.yml
+++ b/education/itadmins.yml
@@ -19,70 +19,70 @@ productDirectory:
- title: Phase 1 - Cloud deployment
imageSrc: ./images/EDU-Deploy.svg
links:
- - url: https://docs.microsoft.com/microsoft-365/education/deploy/create-your-office-365-tenant
+ - url: /microsoft-365/education/deploy/create-your-office-365-tenant
text: 1. Create your Office 365 tenant
- - url: https://docs.microsoft.com/microsoft-365/education/deploy/secure-and-configure-your-network
+ - url: /microsoft-365/education/deploy/secure-and-configure-your-network
text: 2. Secure and configure your network
- - url: https://docs.microsoft.com/microsoft-365/education/deploy/aad-connect-and-adfs
+ - url: /microsoft-365/education/deploy/aad-connect-and-adfs
text: 3. Sync your active directory
- - url: https://docs.microsoft.com/microsoft-365/education/deploy/school-data-sync
+ - url: /microsoft-365/education/deploy/school-data-sync
text: 4. Sync you SIS using School Data Sync
- - url: https://docs.microsoft.com/microsoft-365/education/deploy/license-users
+ - url: /microsoft-365/education/deploy/license-users
text: 5. License users
# Card
- title: Phase 2 - Device management
imageSrc: ./images/EDU-Device-Mgmt.svg
links:
- - url: https://docs.microsoft.com/en-us/education/windows/
+ - url: ./windows/index.md
text: 1. Get started with Windows 10 for Education
- - url: https://docs.microsoft.com/microsoft-365/education/deploy/set-up-windows-10-education-devices
+ - url: /microsoft-365/education/deploy/set-up-windows-10-education-devices
text: 2. Set up Windows 10 devices
- - url: https://docs.microsoft.com/microsoft-365/education/deploy/intune-for-education
+ - url: /microsoft-365/education/deploy/intune-for-education
text: 3. Get started with Intune for Education
- - url: https://docs.microsoft.com/microsoft-365/education/deploy/use-intune-for-education
+ - url: /microsoft-365/education/deploy/use-intune-for-education
text: 4. Use Intune to manage groups, apps, and settings
- - url: https://docs.microsoft.com/en-us/intune/enrollment/enrollment-autopilot
+ - url: /intune/enrollment/enrollment-autopilot
text: 5. Enroll devices using Windows Autopilot
# Card
- title: Phase 3 - Apps management
imageSrc: ./images/EDU-Apps-Mgmt.svg
links:
- - url: https://docs.microsoft.com/microsoft-365/education/deploy/configure-admin-settings
+ - url: /microsoft-365/education/deploy/configure-admin-settings
text: 1. Configure admin settings
- - url: https://docs.microsoft.com/microsoft-365/education/deploy/set-up-teams-for-education
+ - url: /microsoft-365/education/deploy/set-up-teams-for-education
text: 2. Set up Teams for Education
- - url: https://docs.microsoft.com/microsoft-365/education/deploy/deploy-office-365
+ - url: /microsoft-365/education/deploy/deploy-office-365
text: 3. Set up Office 365
- - url: https://docs.microsoft.com/microsoft-365/education/deploy/microsoft-store-for-education
+ - url: /microsoft-365/education/deploy/microsoft-store-for-education
text: 4. Install apps from Microsoft Store for Education
- - url: https://docs.microsoft.com/microsoft-365/education/deploy/minecraft-for-education
+ - url: /microsoft-365/education/deploy/minecraft-for-education
text: 5. Install Minecraft - Education Edition
# Card
- title: Complete your deployment
# imageSrc should be square in ratio with no whitespace
imageSrc: ./images/EDU-Tasks.svg
links:
- - url: https://docs.microsoft.com/microsoft-365/education/deploy/deploy-exchange-online
+ - url: /microsoft-365/education/deploy/deploy-exchange-online
text: Deploy Exchange Online
- - url: https://docs.microsoft.com/microsoft-365/education/deploy/deploy-sharepoint-online-and-onedrive
+ - url: /microsoft-365/education/deploy/deploy-sharepoint-online-and-onedrive
text: Deploy SharePoint Online and OneDrive
- - url: https://docs.microsoft.com/microsoft-365/education/deploy/deploy-exchange-server-hybrid
+ - url: /microsoft-365/education/deploy/deploy-exchange-server-hybrid
text: Deploy Exchange Server hybrid
- - url: https://docs.microsoft.com/microsoft-365/education/deploy/deploy-sharepoint-server-hybrid
+ - url: /microsoft-365/education/deploy/deploy-sharepoint-server-hybrid
text: Deploy SharePoint Server Hybrid
# Card
- title: Security & compliance
imageSrc: ./images/EDU-Lockbox.svg
links:
- - url: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-deployment-checklist-p2
+ - url: /azure/active-directory/fundamentals/active-directory-deployment-checklist-p2
text: AAD feature deployment guide
- url: https://techcommunity.microsoft.com/t5/Azure-Information-Protection/Azure-Information-Protection-Deployment-Acceleration-Guide/ba-p/334423
text: Azure information protection deployment acceleration guide
- - url: https://docs.microsoft.com/en-us/cloud-app-security/getting-started-with-cloud-app-security
+ - url: /cloud-app-security/getting-started-with-cloud-app-security
text: Microsoft Cloud app security
- - url: https://docs.microsoft.com/microsoft-365/compliance/create-test-tune-dlp-policy
+ - url: /microsoft-365/compliance/create-test-tune-dlp-policy
text: Office 365 data loss prevention
- - url: https://docs.microsoft.com/microsoft-365/compliance/
+ - url: /microsoft-365/compliance/
text: Office 365 advanced compliance
- url: https://social.technet.microsoft.com/wiki/contents/articles/35748.office-365-what-is-customer-lockbox-and-how-to-enable-it.aspx
text: Deploying Lockbox
@@ -90,15 +90,15 @@ productDirectory:
- title: Analytics & insights
imageSrc: ./images/EDU-Education.svg
links:
- - url: https://docs.microsoft.com/en-us/power-bi/service-admin-administering-power-bi-in-your-organization
+ - url: /power-bi/service-admin-administering-power-bi-in-your-organization
text: Power BI for IT admins
- - url: https://docs.microsoft.com/en-us/dynamics365/#pivot=get-started
+ - url: /dynamics365/#pivot=get-started
text: Dynamics 365
# Card
- title: Find deployment help
imageSrc: ./images/EDU-FindHelp.svg
links:
- - url: https://docs.microsoft.com/microsoft-365/education/deploy/find-deployment-help
+ - url: /microsoft-365/education/deploy/find-deployment-help
text: IT admin help
- url: https://social.technet.microsoft.com/forums/en-us/home
text: TechNet
diff --git a/education/trial-in-a-box/TOC.md b/education/trial-in-a-box/TOC.md
deleted file mode 100644
index 71ed4cbd0c..0000000000
--- a/education/trial-in-a-box/TOC.md
+++ /dev/null
@@ -1,4 +0,0 @@
-# [Microsoft Education Trial in a Box](index.md)
-## [Educator Trial in a Box Guide](educator-tib-get-started.md)
-## [IT Admin Trial in a Box Guide](itadmin-tib-get-started.md)
-## [Microsoft Education Trial in a Box Support](support-options.md)
\ No newline at end of file
diff --git a/education/trial-in-a-box/TOC.yml b/education/trial-in-a-box/TOC.yml
new file mode 100644
index 0000000000..6050d91b67
--- /dev/null
+++ b/education/trial-in-a-box/TOC.yml
@@ -0,0 +1,9 @@
+- name: Microsoft Education Trial in a Box
+ href: index.md
+ items:
+ - name: Educator Trial in a Box Guide
+ href: educator-tib-get-started.md
+ - name: IT Admin Trial in a Box Guide
+ href: itadmin-tib-get-started.md
+ - name: Microsoft Education Trial in a Box Support
+ href: support-options.md
diff --git a/education/trial-in-a-box/itadmin-tib-get-started.md b/education/trial-in-a-box/itadmin-tib-get-started.md
index 1965c6abf7..51e0cf23d8 100644
--- a/education/trial-in-a-box/itadmin-tib-get-started.md
+++ b/education/trial-in-a-box/itadmin-tib-get-started.md
@@ -60,7 +60,7 @@ To try out the IT admin tasks, start by logging in as an IT admin.
## 2. Configure Device B with Set up School PCs
Now you're ready to learn how to configure a brand new device. You will start on **Device A** by downloading and running the Set up School PCs app. Then, you will configure **Device B**.
-If you've previously used Set up School PCs to provision student devices, you can follow the instructions in this section to quickly configure **Device B**. Otherwise, we recommend you follow the instructions in [Use the Set up School PCs app](https://docs.microsoft.com/education/windows/use-set-up-school-pcs-app) for more detailed information, including tips for successfully running Set up School PCs.
+If you've previously used Set up School PCs to provision student devices, you can follow the instructions in this section to quickly configure **Device B**. Otherwise, we recommend you follow the instructions in [Use the Set up School PCs app](../windows/use-set-up-school-pcs-app.md) for more detailed information, including tips for successfully running Set up School PCs.
### Download, install, and get ready
@@ -103,7 +103,7 @@ If you've previously used Set up School PCs to provision student devices, you ca
- Set up School PCs will change some account management logic so that it sets the expiration time for an account to 180 days (without requiring sign-in).
- This setting also increases the maximum storage to 100% of the available disk space. This prevents the student's account from being erased if the student stores a lot of files or data or if the student doesn't use the PC over a prolonged period.
- **Let guests sign-in to these PCs** allows guests to use student PCs without a school account. If you select this option, a **Guest** account button will be added in the PC's sign-in screen to allow anyone to use the PC.
- - **Enable Windows 10 Autopilot Reset** enables IT admins to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen any time and apply original settings and management enrollment the student PC is returned to a fully configured or known approved state. For more info, see [Autopilot Reset](https://docs.microsoft.com/education/windows/autopilot-reset).
+ - **Enable Windows 10 Autopilot Reset** enables IT admins to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen any time and apply original settings and management enrollment the student PC is returned to a fully configured or known approved state. For more info, see [Autopilot Reset](../windows/autopilot-reset.md).
- **Lock screen background** shows the default background used for student PCs provisioned by Set up School PCs. Select **Browse** to change the default.
7. **Set up the Take a Test app** configures the device for taking quizzes and high-stakes assessments by some providers like Smarter Balanced. Windows will lock down the student PC so that students can't access anything else while taking the test.
@@ -224,7 +224,7 @@ The Microsoft Store for Education is where you can shop for more apps for your s
- In the **Private store** column of the **Products & services** page, the status for some apps will indicate that it's "In private store" while others will say "Adding to private store" or "Not applicable". Learn more about this in Distribute apps using your private store.
+ In the **Private store** column of the **Products & services** page, the status for some apps will indicate that it's "In private store" while others will say "Adding to private store" or "Not applicable". Learn more about this in Distribute apps using your private store.
> [!NOTE]
> Sync happens automatically, but it may take up to 36 hours for your organization's private store and 12 hours for Intune for Education to sync all your purchased apps.
@@ -246,7 +246,7 @@ Update settings for all devices in your tenant by adding the **Documents** and *
## Verify correct device setup and other IT admin tasks
Follow these instructions to confirm if you configured your tenant correctly and the right apps and settings were applied to all users or devices on your tenant:
-* [Verify correct device setup](https://docs.microsoft.com/education/get-started/finish-setup-and-other-tasks#verify-correct-device-setup)
+* [Verify correct device setup](/microsoft-365/education/deploy/#verify-correct-device-setup)
1. Confirm that the apps you bought from the Microsoft Store for Education appear in the Windows Start screen's **Recently added** section.
@@ -256,13 +256,13 @@ Follow these instructions to confirm if you configured your tenant correctly and
2. Confirm that the folders you added, if you chose to customize the Windows interface from Intune for Education, appear in the Start menu.
3. If you added **Office 365 for Windows 10 S (Education Preview)** to the package and provisioned **Device B** with it, you need to click on one of the Office apps in the **Start** menu to complete app registration.
-* [Verify the device is Azure AD joined](https://docs.microsoft.com/education/get-started/finish-setup-and-other-tasks#verify-the-device-is-azure-ad-joined) - Confirm that your devices are being managed in Intune for Education.
-* [Add more users](https://docs.microsoft.com/education/get-started/finish-setup-and-other-tasks#add-more-users) - Go to the Microsoft 365 admin center to add more users.
+* [Verify the device is Azure AD joined](/microsoft-365/education/deploy/#verify-the-device-is-azure-ad-joined) - Confirm that your devices are being managed in Intune for Education.
+* [Add more users](/microsoft-365/education/deploy/#add-more-users) - Go to the Microsoft 365 admin center to add more users.
* Get app updates (including updates for Office 365 for Windows 10 S)
1. Open the **Start** menu and go to the **Microsoft Store**.
2. From the **Microsoft Store**, click **...** (See more) and select **Downloads and updates**.
3. In the **Downloads and updates** page, click **Get updates**.
-* [Try the BYOD scenario](https://docs.microsoft.com/education/get-started/finish-setup-and-other-tasks#connect-other-devices-to-your-cloud-infrastructure)
+* [Try the BYOD scenario](/microsoft-365/education/deploy/#connect-other-devices-to-your-cloud-infrastructure)
## Update your apps
@@ -278,4 +278,4 @@ For more information about checking for updates, and how to optionally turn on a
## Get more info
* Learn more at microsoft.com/education
* Find out if your school is eligible for a device trial at aka.ms/EDUTrialInABox
-* Buy Windows 10 devices
+* Buy Windows 10 devices
\ No newline at end of file
diff --git a/education/windows/TOC.md b/education/windows/TOC.md
deleted file mode 100644
index b55cbbfe02..0000000000
--- a/education/windows/TOC.md
+++ /dev/null
@@ -1,31 +0,0 @@
-# [Windows 10 for Education](index.md)
-## [Windows 10 editions for education customers](windows-editions-for-education-customers.md)
-## [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md)
-## [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)
-## [Set up Windows devices for education](set-up-windows-10.md)
-### [What's new in Set up School PCs](set-up-school-pcs-whats-new.md)
-### [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md)
-#### [Azure AD Join for school PCs](set-up-school-pcs-azure-ad-join.md)
-#### [Shared PC mode for school devices](set-up-school-pcs-shared-pc-mode.md)
-#### [Provisioning package settings](set-up-school-pcs-provisioning-package.md)
-### [Use the Set up School PCs app](use-set-up-school-pcs-app.md)
-### [Set up student PCs to join domain](set-up-students-pcs-to-join-domain.md)
-### [Provision student PCs with apps](set-up-students-pcs-with-apps.md)
-## [Take tests in Windows 10](take-tests-in-windows-10.md)
-### [Set up Take a Test on a single PC](take-a-test-single-pc.md)
-### [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md)
-### [Take a Test app technical reference](take-a-test-app-technical.md)
-## [Reset devices with Autopilot Reset](autopilot-reset.md)
-## [Working with Microsoft Store for Education](education-scenarios-store-for-business.md)
-## [Get Minecraft: Education Edition](get-minecraft-for-education.md)
-### [For teachers: get Minecraft Education Edition](teacher-get-minecraft.md)
-### [For IT administrators: get Minecraft Education Edition](school-get-minecraft.md)
-### [Get Minecraft: Education Edition with Windows 10 device promotion](get-minecraft-device-promotion.md)
-## [Test Windows 10 in S mode on existing Windows 10 education devices](test-windows10s-for-edu.md)
-## [Enable Windows 10 in S mode on Surface Go devices](enable-s-mode-on-surface-go-devices.md)
-## [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
-## [Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
-## [Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode](s-mode-switch-to-edu.md)
-## [Change to Windows 10 Pro Education from Windows 10 Pro](change-to-pro-education.md)
-## [Chromebook migration guide](chromebook-migration-guide.md)
-## [Change history for Windows 10 for Education](change-history-edu.md)
diff --git a/education/windows/TOC.yml b/education/windows/TOC.yml
new file mode 100644
index 0000000000..6571e40f23
--- /dev/null
+++ b/education/windows/TOC.yml
@@ -0,0 +1,67 @@
+- name: Windows 10 for Education
+ href: index.md
+ items:
+ - name: Windows 10 editions for education customers
+ href: windows-editions-for-education-customers.md
+ - name: Windows 10 configuration recommendations for education customers
+ href: configure-windows-for-education.md
+ - name: Deployment recommendations for school IT administrators
+ href: edu-deployment-recommendations.md
+ - name: Set up Windows devices for education
+ href: set-up-windows-10.md
+ items:
+ - name: What's new in Set up School PCs
+ href: set-up-school-pcs-whats-new.md
+ - name: Technical reference for the Set up School PCs app
+ href: set-up-school-pcs-technical.md
+ items:
+ - name: Azure AD Join for school PCs
+ href: set-up-school-pcs-azure-ad-join.md
+ - name: Shared PC mode for school devices
+ href: set-up-school-pcs-shared-pc-mode.md
+ - name: Provisioning package settings
+ href: set-up-school-pcs-provisioning-package.md
+ - name: Use the Set up School PCs app
+ href: use-set-up-school-pcs-app.md
+ - name: Set up student PCs to join domain
+ href: set-up-students-pcs-to-join-domain.md
+ - name: Provision student PCs with apps
+ href: set-up-students-pcs-with-apps.md
+ - name: Take tests in Windows 10
+ href: take-tests-in-windows-10.md
+ items:
+ - name: Set up Take a Test on a single PC
+ href: take-a-test-single-pc.md
+ - name: Set up Take a Test on multiple PCs
+ href: take-a-test-multiple-pcs.md
+ - name: Take a Test app technical reference
+ href: take-a-test-app-technical.md
+ - name: Reset devices with Autopilot Reset
+ href: autopilot-reset.md
+ - name: Working with Microsoft Store for Education
+ href: education-scenarios-store-for-business.md
+ - name: "Get Minecraft: Education Edition"
+ href: get-minecraft-for-education.md
+ items:
+ - name: "For teachers: get Minecraft Education Edition"
+ href: teacher-get-minecraft.md
+ - name: "For IT administrators: get Minecraft Education Edition"
+ href: school-get-minecraft.md
+ - name: "Get Minecraft: Education Edition with Windows 10 device promotion"
+ href: get-minecraft-device-promotion.md
+ - name: Test Windows 10 in S mode on existing Windows 10 education devices
+ href: test-windows10s-for-edu.md
+ - name: Enable Windows 10 in S mode on Surface Go devices
+ href: enable-s-mode-on-surface-go-devices.md
+ - name: Deploy Windows 10 in a school
+ href: deploy-windows-10-in-a-school.md
+ - name: Deploy Windows 10 in a school district
+ href: deploy-windows-10-in-a-school-district.md
+ - name: Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode
+ href: s-mode-switch-to-edu.md
+ - name: Change to Windows 10 Pro Education from Windows 10 Pro
+ href: change-to-pro-education.md
+ - name: Chromebook migration guide
+ href: chromebook-migration-guide.md
+ - name: Change history for Windows 10 for Education
+ href: change-history-edu.md
diff --git a/education/windows/autopilot-reset.md b/education/windows/autopilot-reset.md
index 8ba6fec5bb..dba25c2b0f 100644
--- a/education/windows/autopilot-reset.md
+++ b/education/windows/autopilot-reset.md
@@ -30,7 +30,7 @@ To enable Autopilot Reset in Windows 10, version 1709 (Fall Creators Update), yo
To use Autopilot Reset, [Windows Recovery Environment (WinRE) must be enabled on the device](#winre).
-**DisableAutomaticReDeploymentCredentials** is a policy that enables or disables the visibility of the credentials for Autopilot Reset. It is a policy node in the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-credentialproviders), **CredentialProviders/DisableAutomaticReDeploymentCredentials**. By default, this policy is set to 1 (Disable). This ensures that Autopilot Reset isn't triggered by accident.
+**DisableAutomaticReDeploymentCredentials** is a policy that enables or disables the visibility of the credentials for Autopilot Reset. It is a policy node in the [Policy CSP](/windows/client-management/mdm/policy-csp-credentialproviders), **CredentialProviders/DisableAutomaticReDeploymentCredentials**. By default, this policy is set to 1 (Disable). This ensures that Autopilot Reset isn't triggered by accident.
You can set the policy using one of these methods:
@@ -45,7 +45,7 @@ You can set the policy using one of these methods:
- Windows Configuration Designer
- You can [use Windows Configuration Designer](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-create-package) to set the **Runtime settings > Policies > CredentialProviders > DisableAutomaticReDeploymentCredentials** setting and create a provisioning package.
+ You can [use Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package) to set the **Runtime settings > Policies > CredentialProviders > DisableAutomaticReDeploymentCredentials** setting and create a provisioning package.
- Set up School PCs app
@@ -95,9 +95,9 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo
## Troubleshoot Autopilot Reset
-Autopilot Reset will fail when the [Windows Recovery Environment (WinRE)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) is not enabled on the device. You will see `Error code: ERROR_NOT_SUPPORTED (0x80070032)`.
+Autopilot Reset will fail when the [Windows Recovery Environment (WinRE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) is not enabled on the device. You will see `Error code: ERROR_NOT_SUPPORTED (0x80070032)`.
-To make sure WinRE is enabled, use the [REAgentC.exe tool](https://docs.microsoft.com/windows-hardware/manufacture/desktop/reagentc-command-line-options) to run the following command:
+To make sure WinRE is enabled, use the [REAgentC.exe tool](/windows-hardware/manufacture/desktop/reagentc-command-line-options) to run the following command:
```
reagentc /enable
@@ -107,9 +107,4 @@ If Autopilot Reset fails after enabling WinRE, or if you are unable to enable Wi
## Related topics
-[Set up Windows devices for education](set-up-windows-10.md)
-
-
-
-
-
+[Set up Windows devices for education](set-up-windows-10.md)
\ No newline at end of file
diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md
index 9302c8fdb4..aafc6c622f 100644
--- a/education/windows/change-history-edu.md
+++ b/education/windows/change-history-edu.md
@@ -21,7 +21,7 @@ This topic lists new and updated topics in the [Windows 10 for Education](index.
|New or changed topic | Description|
|-----------|-------------|
-|[Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-subscription-activation)|Subscription activation support for Windows 10 Pro Education to Windows 10 Education|
+|[Windows 10 Subscription Activation](/windows/deployment/windows-10-subscription-activation)|Subscription activation support for Windows 10 Pro Education to Windows 10 Education|
## April 2018
New or changed topic | Description
@@ -92,8 +92,8 @@ New or changed topic | Description
| New or changed topic | Description|
| --- | --- |
-| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](https://docs.microsoft.com/education/get-started/get-started-with-microsoft-education) | New. Learn how you can you can quickly and easily use the new Microsoft Education system to implement a full IT cloud solution for your school. |
-| [Microsoft Education documentation and resources](https://docs.microsoft.com/education) | New. Find links to more content for IT admins, teachers, students, and education app developers. |
+| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](/microsoft-365/education/deploy/) | New. Learn how you can you can quickly and easily use the new Microsoft Education system to implement a full IT cloud solution for your school. |
+| [Microsoft Education documentation and resources](/education) | New. Find links to more content for IT admins, teachers, students, and education app developers. |
| [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md) | New. Provides guidance on ways to configure the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, so that Windows is ready for your school. |
| [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md) | Updated the screenshots and related instructions to reflect the current UI and experience. |
| [Set up Windows devices for education](set-up-windows-10.md) | Updated for Windows 10, version 1703. |
@@ -150,5 +150,5 @@ The topics in this library have been updated for Windows 10, version 1607 (also
| [Use the Set up School PCs app (Preview)](use-set-up-school-pcs-app.md) | New. Learn how the Set up School PCs app works and how to use it. |
| [Set up School PCs app technical reference (Preview)](set-up-school-pcs-technical.md) | New. Describes the changes that the Set up School PCs app makes to a PC. |
| [Take tests in Windows 10 (Preview)](take-tests-in-windows-10.md) [Set up Take a Test on a single PC (Preview)](take-a-test-single-pc.md) [Set up Take a Test on multiple PCs (Preview)](take-a-test-multiple-pcs.md) [Take a Test app technical reference (Preview)](take-a-test-app-technical.md) | New. Learn how to set up and use the Take a Test app. |
-| [Chromebook migration guide](chromebook-migration-guide.md) | Moved from [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/itpro/windows/plan/index) library, originally published in November 2015 |
-| [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | Moved from [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/itpro/windows/plan/index) library, originally published in May 2016 |
+| [Chromebook migration guide](chromebook-migration-guide.md) | Moved from [Windows 10 and Windows 10 Mobile](/windows/deployment/planning/) library, originally published in November 2015 |
+| [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | Moved from [Windows 10 and Windows 10 Mobile](/windows/deployment/planning/) library, originally published in May 2016 |
\ No newline at end of file
diff --git a/education/windows/change-to-pro-education.md b/education/windows/change-to-pro-education.md
index e40ce61ea7..b104042dbc 100644
--- a/education/windows/change-to-pro-education.md
+++ b/education/windows/change-to-pro-education.md
@@ -18,12 +18,12 @@ manager: dansimp
Windows 10 Pro Education is a new offering in Windows 10, version 1607. This edition builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools by providing education-specific default settings.
If you have an education tenant and use devices with Windows 10 Pro, global administrators can opt-in to a free change to Windows 10 Pro Education depending on your scenario.
-- [Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode](https://docs.microsoft.com/education/windows/s-mode-switch-to-edu)
+- [Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode](./s-mode-switch-to-edu.md)
To take advantage of this offering, make sure you meet the [requirements for changing](#requirements-for-changing). For academic customers who are eligible to change to Windows 10 Pro Education, but are unable to use the above methods, contact Microsoft Support for assistance.
>[!IMPORTANT]
->If you change a Windows 10 Pro device to Windows 10 Pro Education using Microsoft Store for Education, [subscription activation](https://docs.microsoft.com/windows/deployment/windows-10-subscription-activation) won't work.
+>If you change a Windows 10 Pro device to Windows 10 Pro Education using Microsoft Store for Education, [subscription activation](/windows/deployment/windows-10-subscription-activation) won't work.
## Requirements for changing
Before you change to Windows 10 Pro Education, make sure you meet these requirements:
@@ -82,7 +82,7 @@ You can use Windows Configuration Designer to create a provisioning package that
3. Complete the rest of the process for creating a provisioning package and then apply the package to the devices you want to change to Windows 10 Pro Education.
- For more information about using Windows Configuration Designer, see [Set up student PCs to join domain](https://technet.microsoft.com/edu/windows/set-up-students-pcs-to-join-domain).
+ For more information about using Windows Configuration Designer, see [Set up student PCs to join domain](./set-up-students-pcs-to-join-domain.md).
### Change using the Activation page
@@ -307,7 +307,7 @@ You need to synchronize these identities so that users will have a *single ident
For more information about integrating on-premises AD DS domains with Azure AD, see these resources:
-- [Integrating your on-premises identities with Azure Active Directory](https://azure.microsoft.com/documentation/articles/active-directory-aadconnect/)
+- [Integrating your on-premises identities with Azure Active Directory](/azure/active-directory/hybrid/whatis-hybrid-identity)
- [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/)
## Related topics
@@ -315,5 +315,4 @@ For more information about integrating on-premises AD DS domains with Azure AD,
[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)
-[Windows 10 subscription activation](https://docs.microsoft.com/windows/deployment/windows-10-subscription-activation)
-
+[Windows 10 subscription activation](/windows/deployment/windows-10-subscription-activation)
\ No newline at end of file
diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md
index 3cd18bebdd..59da859362 100644
--- a/education/windows/chromebook-migration-guide.md
+++ b/education/windows/chromebook-migration-guide.md
@@ -265,7 +265,7 @@ Assign the setting-migration priority based on how critical the setting is to th
Many of your users may be using Google Apps Gmail to manage their email, calendars, and contacts. You need to create the list of users you will migrate and the best time to perform the migration.
-Office 365 supports automated migration from Google Apps Gmail to Office 365. For more information, see [Migrate Google Apps mailboxes to Office 365](https://go.microsoft.com/fwlink/p/?LinkId=690252).
+Office 365 supports automated migration from Google Apps Gmail to Office 365. For more information, see [Migrate Google Apps mailboxes to Office 365](/Exchange/mailbox-migration/migrating-imap-mailboxes/migrate-g-suite-mailboxes).
**Identify the list of user mailboxes to migrate**
@@ -273,7 +273,7 @@ In regards to creating the list of users you will migrate, it might seem that th
Also, when you perform a migration it is a great time to verify that all user mailboxes are active. In many environments there are a significant number of mailboxes that were provisioned for users that are no longer a part of the institution (such as interns or student assistants). You can eliminate these users from your list of user mailboxes to migrate.
-Create your list of user mailboxes to migrate in Excel 2016 based on the format described in step 7 in [Create a list of Gmail mailboxes to migrate](https://go.microsoft.com/fwlink/p/?LinkId=690253). If you follow this format, you can use the Microsoft Excel spreadsheet to perform the actual migration later in the process.
+Create your list of user mailboxes to migrate in Excel 2016 based on the format described in step 7 in [Create a list of Gmail mailboxes to migrate](/Exchange/mailbox-migration/migrating-imap-mailboxes/migrate-g-suite-mailboxes). If you follow this format, you can use the Microsoft Excel spreadsheet to perform the actual migration later in the process.
**Identify companion devices that access Google Apps Gmail**
@@ -680,15 +680,15 @@ Table 7. Network infrastructure products and technologies and deployment resourc
@@ -460,9 +460,9 @@ After you have selected your user and group account bulk import method, you’re
| Method | Source file format |
|--------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Ldifde.exe | Ldifde.exe requires a specific format for the source file. Use Ldifde.exe to export existing user and group accounts so that you can see the format. For examples of the format that Ldifde.exe requires, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx). |
-| VBScript | VBScript can use any .csv file format to create a source file for the bulk-import process. To create the .csv file, use software such as Excel. For examples of how to format your source file in comma-separated values (CSV) format, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/library/bb727091.aspx). |
-| Windows PowerShell | Windows PowerShell can use any .csv file format you want to create as a source file for the bulk-import process. To create the .csv file, use software such as Excel. For examples of how to format your source file in CSV format, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx). |
+| Ldifde.exe | Ldifde.exe requires a specific format for the source file. Use Ldifde.exe to export existing user and group accounts so that you can see the format. For examples of the format that Ldifde.exe requires, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](/previous-versions/windows/it-pro/windows-2000-server/bb727091(v=technet.10)), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/kb/555636), [Import or Export Directory Objects Using Ldifde](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc816781(v=ws.10)), and [LDIFDE](/previous-versions/orphan-topics/ws.10/cc755456(v=ws.10)). |
+| VBScript | VBScript can use any .csv file format to create a source file for the bulk-import process. To create the .csv file, use software such as Excel. For examples of how to format your source file in comma-separated values (CSV) format, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](/previous-versions/windows/it-pro/windows-2000-server/bb727091(v=technet.10)). |
+| Windows PowerShell | Windows PowerShell can use any .csv file format you want to create as a source file for the bulk-import process. To create the .csv file, use software such as Excel. For examples of how to format your source file in CSV format, see [Import Bulk Users to Active Directory](/archive/blogs/technet/bettertogether/import-bulk-users-to-active-directory) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx). |
@@ -474,9 +474,9 @@ With the bulk-import source file finished, you’re ready to import the user and
For more information about how to import user accounts into AD DS by using:
-- Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).
-- VBScript, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/library/bb727091.aspx).
-- Windows PowerShell, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).
+- Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](/previous-versions/windows/it-pro/windows-2000-server/bb727091(v=technet.10)), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/kb/555636), [Import or Export Directory Objects Using Ldifde](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc816781(v=ws.10)), and [LDIFDE](/previous-versions/orphan-topics/ws.10/cc755456(v=ws.10)).
+- VBScript, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](/previous-versions/windows/it-pro/windows-2000-server/bb727091(v=technet.10)).
+- Windows PowerShell, see [Import Bulk Users to Active Directory](/archive/blogs/technet/bettertogether/import-bulk-users-to-active-directory) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).
### Summary
@@ -534,7 +534,7 @@ You can assign Azure AD Premium licenses to the users who need the features this
For more information about:
-- Azure AD editions, see [Azure Active Directory editions](https://azure.microsoft.com/documentation/articles/active-directory-editions/).
+- Azure AD editions, see [Azure Active Directory editions](/azure/active-directory/fundamentals/active-directory-whatis).
- How to assign user licenses for Azure AD Premium, see [How to assign EMS/Azure AD Premium licenses to user accounts](https://channel9.msdn.com/Series/Azure-Active-Directory-Videos-Demos/How-to-assign-Azure-AD-Premium-Licenses-to-user-accounts).
## Create and configure a Microsoft Store for Business portal
@@ -545,7 +545,7 @@ Microsoft Store for Business allows you to create your own private portal to man
- Manage apps, app licenses, and updates.
- Distribute apps to your users.
-For more information about Microsoft Store for Business, see [Microsoft Store for Business overview](https://technet.microsoft.com/itpro/windows/whats-new/windows-store-for-business-overview).
+For more information about Microsoft Store for Business, see [Microsoft Store for Business overview](/microsoft-store/microsoft-store-for-business-overview).
The following section shows you how to create a Microsoft Store for Business portal and configure it for your school.
@@ -568,13 +568,13 @@ After you create the Microsoft Store for Business portal, configure it by using
| Menu selection | What you can do in this menu |
|----------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Account information | Displays information about your Microsoft Store for Business account (no settings can be changed). You make changes to this information in Office 365 or the Azure Portal. For more information, see [Update Microsoft Store for Business account settings](https://technet.microsoft.com/itpro/windows/manage/update-windows-store-for-business-account-settings). |
-| Device Guard signing | Allows you to upload and sign Device Guard catalog and policy files. For more information about Device Guard, see [Device Guard deployment guide](https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide). |
-| LOB publishers | Allows you to add line-of-business (LOB) publishers that can then publish apps to your private store. LOB publishers are usually internal developers or software vendors that are working with your institution. For more information, see [Working with line-of-business apps](https://technet.microsoft.com/itpro/windows/manage/working-with-line-of-business-apps). |
-| Management tools | Allows you to add tools that you can use to distribute (deploy) apps in your private store. For more information, see [Distribute apps with a management tool](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-with-management-tool). |
-| Offline licensing | Allows you to show (or not show) offline licensed apps to people shopping in your private store. For more information, see [Licensing model: online and offline licenses](https://technet.microsoft.com/itpro/windows/manage/apps-in-windows-store-for-business#licensing-model). |
-| Permissions | Allows you to grant other users in your organization the ability to buy, manage, and administer your Microsoft Store for Business portal. You can also remove permissions you have previously granted. For more information, see [Roles and permissions in Microsoft Store for Business](https://technet.microsoft.com/itpro/windows/manage/roles-and-permissions-windows-store-for-business). |
-| Private store | Allows you to change the organization name used in your Microsoft Store for Business portal. When you create your portal, the private store uses the organization name that you used to create your Office 365 subscription. For more information, see [Distribute apps using your private store](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-from-your-private-store). |
+| Account information | Displays information about your Microsoft Store for Business account (no settings can be changed). You make changes to this information in Office 365 or the Azure Portal. For more information, see [Update Microsoft Store for Business account settings](/microsoft-store/update-microsoft-store-for-business-account-settings). |
+| Device Guard signing | Allows you to upload and sign Device Guard catalog and policy files. For more information about Device Guard, see [Device Guard deployment guide](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide). |
+| LOB publishers | Allows you to add line-of-business (LOB) publishers that can then publish apps to your private store. LOB publishers are usually internal developers or software vendors that are working with your institution. For more information, see [Working with line-of-business apps](/microsoft-store/working-with-line-of-business-apps). |
+| Management tools | Allows you to add tools that you can use to distribute (deploy) apps in your private store. For more information, see [Distribute apps with a management tool](/microsoft-store/distribute-apps-with-management-tool). |
+| Offline licensing | Allows you to show (or not show) offline licensed apps to people shopping in your private store. For more information, see [Licensing model: online and offline licenses](/microsoft-store/apps-in-microsoft-store-for-business#licensing-model). |
+| Permissions | Allows you to grant other users in your organization the ability to buy, manage, and administer your Microsoft Store for Business portal. You can also remove permissions you have previously granted. For more information, see [Roles and permissions in Microsoft Store for Business](/microsoft-store/roles-and-permissions-microsoft-store-for-business). |
+| Private store | Allows you to change the organization name used in your Microsoft Store for Business portal. When you create your portal, the private store uses the organization name that you used to create your Office 365 subscription. For more information, see [Distribute apps using your private store](/microsoft-store/distribute-apps-from-your-private-store). |
@@ -586,7 +586,7 @@ Now that you have created your Microsoft Store for Business portal, you’re rea
You can deploy apps to individual users or make apps available to users through your private store. Deploying apps to individual users restricts the app to those specified users. Making apps available through your private store allows all your users.
-For more information about how to find, acquire, and distribute apps in the portal, see [App inventory management for Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/app-inventory-management-microsoft-store-for-business).
+For more information about how to find, acquire, and distribute apps in the portal, see [App inventory management for Microsoft Store for Business](/microsoft-store/app-inventory-management-microsoft-store-for-business).
### Summary
@@ -612,7 +612,7 @@ Depending on your school’s requirements, you may need any combination of the f
- **Windows 10 Education**. Use this operating system to:
- Upgrade institution-owned devices to Windows 10 Education.
- Deploy new instances of Windows 10 Education so that new devices have a known configuration.
-- **Windows 10 Pro Education**. Use this operating system to upgrade existing eligible institution-owned devices running Windows 10 Pro Education, version 1903 or later, to Windows 10 Education using [subscription activation](https://docs.microsoft.com/windows/deployment/windows-10-subscription-activation).
+- **Windows 10 Pro Education**. Use this operating system to upgrade existing eligible institution-owned devices running Windows 10 Pro Education, version 1903 or later, to Windows 10 Education using [subscription activation](/windows/deployment/windows-10-subscription-activation).
**Note** Although you can use Windows 10 Home on institution-owned devices, Microsoft recommends that you use Windows 10 Pro or Windows 10 Education, instead. Windows 10 Pro and Windows 10 Education provide support for MDM, policy-based management, and Microsoft Store for Business. These features are not available in Windows 10 Home.
@@ -719,14 +719,14 @@ The first step in preparation for Windows 10 deployment is to configure—that i
Windows Deployment Services is a server role available in all Windows Server editions. You can enable the Windows Deployment Services server role on a new server or on any server running Windows Server in your institution. For more information about how to perform this step, see the following resources:
- - [Windows Deployment Services overview](https://technet.microsoft.com/library/hh831764.aspx)
+ - [Windows Deployment Services overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831764(v=ws.11))
- The Windows Deployment Services Help file, included in Windows Deployment Services
- - [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/library/jj648426.aspx)
+ - [Windows Deployment Services Getting Started Guide for Windows Server 2012](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj648426(v=ws.11))
-2. Add LTI boot images (Windows PE images) to Windows Deployment Services. The LTI boot images (.wim files) that you will add to Windows Deployment Services are in the MDT deployment share. Locate the .wim files in the Boot subfolder in the deployment share. For more information about how to perform this step, see [Add LTI Boot Images to Windows Deployment Services](https://technet.microsoft.com/library/dn759415.aspx#AddLTIBootImagestoWindowsDeploymentServices).
+2. Add LTI boot images (Windows PE images) to Windows Deployment Services. The LTI boot images (.wim files) that you will add to Windows Deployment Services are in the MDT deployment share. Locate the .wim files in the Boot subfolder in the deployment share. For more information about how to perform this step, see [Add LTI Boot Images to Windows Deployment Services](/mem/configmgr/mdt/use-the-mdt#AddLTIBootImagestoWindowsDeploymentServices).
### Summary
@@ -916,7 +916,7 @@ Microsoft has several recommended settings for educational institutions. Table 1
Windows 8.1 deployment planning Windows 8.1 deployment to PCs BYOD Deploying Windows RT 8.1 Virtual Desktop Infrastructure Microsoft Store apps Windows To Go Windows 8.1 deployment planning Windows 8.1 deployment to PCs BYOD Deploying Windows RT 8.1 Virtual Desktop Infrastructure Microsoft Store apps Windows To Go Try it out: Windows 10 deployment (for education) Dynamic policy examples: AppVPackageManagement - Primarily read-only App-V package inventory data for MDM servers to query current packages. A complete list of App-V policies can be found here: Complete list of App-V policies can be found here: Optional. Integer. Specifies the default roaming value. Valid values are: Added a new section: Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store. The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message: An integer value that is used to configure the HTTPS port for incoming connections to the Windows Device Portal service.
- The only supported operation is Replace.
+ The only supported operation is Replace.
\ No newline at end of file
diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md
index eb09896b90..00d784cb32 100644
--- a/windows/client-management/mdm/device-update-management.md
+++ b/windows/client-management/mdm/device-update-management.md
@@ -36,7 +36,7 @@ In Windows 10, the MDM protocol has been extended to better enable IT admins to
- Specify a per-device update approval list, to ensure devices don’t install unapproved updates that have not been tested.
- Approve EULAs on behalf of the end-user so update deployment can be automated even for updates with EULAs.
-The OMA DM APIs for specifying update approvals and getting compliance status refer to updates by using an Update ID, which is a GUID that identifies a particular update. The MDM, of course, will want to expose IT-friendly information about the update (instead of a raw GUID), including the update’s title, description, KB, update type (for example, a security update or service pack). For more information, see [\[MS-WSUSSS\]: Windows Update Services: Server-Server Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526707).
+The OMA DM APIs for specifying update approvals and getting compliance status refer to updates by using an Update ID, which is a GUID that identifies a particular update. The MDM, of course, will want to expose IT-friendly information about the update (instead of a raw GUID), including the update’s title, description, KB, update type (for example, a security update or service pack). For more information, see [\[MS-WSUSSS\]: Windows Update Services: Server-Server Protocol](/openspecs/windows_protocols/ms-wsusss/f49f0c3e-a426-4b4b-b401-9aeb2892815c).
For more information about the CSPs, see [Update CSP](update-csp.md) and the update policy area of the [Policy CSP](policy-configuration-service-provider.md).
@@ -60,13 +60,13 @@ This section describes how this is done. The following diagram shows the server-
MSDN provides much information about the Server-Server sync protocol. In particular:
-- It is a SOAP-based protocol, and you can get the WSDL in [Server Sync Web Service](https://go.microsoft.com/fwlink/p/?LinkId=526727). The WSDL can be used to generate calling proxies for many programming environments, which will simplify your development.
-- You can find code samples in [Protocol Examples](https://go.microsoft.com/fwlink/p/?LinkId=526720). The sample code shows raw SOAP commands, which can be used. Although it’s even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to https://fe2.update.microsoft.com/v6/ServerSyncWebService/serversyncwebservice.asmx.
+- It is a SOAP-based protocol, and you can get the WSDL in [Server Sync Web Service](/openspecs/windows_protocols/ms-wsusss/8a3b2470-928a-4bd1-bdcc-8c2bf6b8e863). The WSDL can be used to generate calling proxies for many programming environments, which will simplify your development.
+- You can find code samples in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). The sample code shows raw SOAP commands, which can be used. Although it’s even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to https://fe2.update.microsoft.com/v6/ServerSyncWebService/serversyncwebservice.asmx.
Some important highlights:
-- The protocol has an authorization phase (calling GetAuthConfig, GetAuthorizationCookie, and GetCookie). In [Protocol Examples](https://go.microsoft.com/fwlink/p/?LinkId=526720), the **Sample 1: Authorization** code shows how this is done. Even though this is called the authorization phase, the protocol is completely open (no credentials are needed to run this phase of the protocol). This sequence of calls needs to be done to obtain a cookie for the main part of the sync protocol. As an optimization, you can cache the cookie and only call this sequence again if your cookie has expired.
-- The protocol allows the MDM to sync update metadata for a particular update by calling GetUpdateData. For more information, see [GetUpdateData](https://msdn.microsoft.com/library/dd304816.aspx) in MSDN. The LocURI to get the applicable updates with their revision Numbers is ` Used to perform App-V synchronization. Used to execute the App-V synchronization using the Publishing protocol. For more information about the protocol see [MS-VAPR]: Virtual Application Publishing and Reporting (App-V) Protocol. Used to execute the App-V synchronization using the Publishing protocol. For more information about the protocol see [MS-VAPR]: Virtual Application Publishing and Reporting (App-V) Protocol. Supported operations are Get, Delete, and Execute. XML for App-V Policy Configuration documents for publishing packages. Value type is xml. Supported operations are Add, Get, Delete, and Replace. Value type is xml. Supported operations are Add, Get, Delete, and Replace. Value type in integer. Supported operation is Get. Integer value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law. Integer value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law. Value type in integer. Supported operation is Get. Value type is integer. Supported operations are Add, Get, Replace, and Delete. Specifies the preshared key encoding that is used. The value is integer and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. Specifies the preshared key encoding that is used. The value is integer and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. Default value is 1. Value type is integer. Supported operations are Add, Get, Replace, and Delete. This value configures IPsec exceptions. The value is integer and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. This value configures IPsec exceptions. The value is integer and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. Default value is 0. Value type is integer. Supported operations are Add, Get, Replace, and Delete. Boolean value. Supported operations are Get and Replace. Specifies the profiles to which the rule belongs: Domain, Private, Public. . See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. Specifies the profiles to which the rule belongs: Domain, Private, Public. . See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. If not specified, the default is All. Value type is integer. Supported operations are Get and Replace. Visio Pro for Office 365 Microsoft 365 Apps for business (the version of Office that comes with some Microsoft 365 plans, such as Business Premium.) The root node for the NetworkQoSPolicy configuration service provider. Added the following setting: Defines the root node for the Personalization configuration service provider. Supported operation is Get.
-**Policy/Config/***AreaName*
+**Policy/Config/_AreaName_**
The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value.
Supported operations are Add, Get, and Delete.
-**Policy/Config/***AreaName/PolicyName*
+**Policy/Config/_AreaName/PolicyName_**
Specifies the name/value pair used in the policy.
The following list shows some tips to help you when configuring policies:
@@ -81,12 +81,12 @@ The following diagram shows the Policy configuration service provider in tree fo
Supported operation is Get.
-**Policy/Result/***AreaName*
+**Policy/Result/_AreaName_**
The area group that can be configured by a single technology independent of the providers.
Supported operation is Get.
-**Policy/Result/***AreaName/PolicyName*
+**Policy/Result/_AreaName/PolicyName_**
Specifies the name/value pair used in the policy.
Supported operation is Get.
@@ -100,33 +100,33 @@ The following diagram shows the Policy configuration service provider in tree fo
Added in Windows 10, version 1703. Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed policies for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: ADMX files that have been installed by using ConfigOperations/ADMXInstall can later be deleted by using the URI delete operation. Deleting an ADMX file will delete the ADMX file from disk, remove the metadata from the ADMXdefault registry hive, and delete all the policies that were set from the file. The MDM server can also delete all ADMX policies that are tied to a particular app by calling delete on the URI, ADMX files that have been installed by using **ConfigOperations/ADMXInstall** can later be deleted by using the URI delete operation. Deleting an ADMX file will delete the ADMX file from disk, remove the metadata from the ADMXdefault registry hive, and delete all the policies that were set from the file. The MDM server can also delete all ADMX policies that are tied to a particular app by calling delete on the URI, Supported operations are Add, Get, and Delete.
-**Policy/ConfigOperations/ADMXInstall/***AppName*
+**Policy/ConfigOperations/ADMXInstall/_AppName_**
Added in Windows 10, version 1703. Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX file.
Supported operations are Add, Get, and Delete.
-**Policy/ConfigOperations/ADMXInstall/***AppName*/Policy
+**Policy/ConfigOperations/ADMXInstall/_AppName_/Policy**
Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app policy is to be imported.
Supported operations are Add, Get, and Delete.
-**Policy/ConfigOperations/ADMXInstall/***AppName*/Policy/*UniqueID*
+**Policy/ConfigOperations/ADMXInstall/_AppName_/Policy/_UniqueID_**
Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the policy to import.
Supported operations are Add and Get. Does not support Delete.
-**Policy/ConfigOperations/ADMXInstall/***AppName*/Preference
+**Policy/ConfigOperations/ADMXInstall/_AppName_/Preference**
Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app preference is to be imported.
Supported operations are Add, Get, and Delete.
-**Policy/ConfigOperations/ADMXInstall/***AppName*/Preference/*UniqueID*
+**Policy/ConfigOperations/ADMXInstall/_AppName_/Preference/_UniqueID_**
Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the preference to import.
Supported operations are Add and Get. Does not support Delete.
@@ -697,6 +697,14 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_DistributedLinkTracking policies
+
+ If you enabled this policy and now want to disable it, disabling removes all previously configured search engines.
-- 1 – Allowed. Add up to five additional search engines and set any one of them as the default. For each search engine added you must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://docs.microsoft.com/microsoft-edge/dev-guide/browser/search-provider-discovery).
+- 1 – Allowed. Add up to five additional search engines and set any one of them as the default. For each search engine added you must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](/microsoft-edge/dev-guide/browser/search-provider-discovery).
Most restricted value: 0
@@ -2343,7 +2343,7 @@ Supported values:
[!INCLUDE [configure-kiosk-mode-shortdesc](../../../browsers/edge/shortdesc/configure-kiosk-mode-shortdesc.md)]
-For this policy to work, you must configure Microsoft Edge in assigned access; otherwise, Microsoft Edge ignores the settings in this policy. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](https://docs.microsoft.com/windows/configuration/kiosk-shared-pc).
+For this policy to work, you must configure Microsoft Edge in assigned access; otherwise, Microsoft Edge ignores the settings in this policy. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](/windows/configuration/kiosk-shared-pc).
@@ -2428,7 +2428,7 @@ Supported values:
[!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](../../../browsers/edge/shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)]
-You must set ConfigureKioskMode to enabled (1 - InPrivate public browsing) and configure Microsoft Edge as a single-app in assigned access for this policy to take effect; otherwise, Microsoft Edge ignores this setting. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](https://docs.microsoft.com/windows/configuration/kiosk-shared-pc).
+You must set ConfigureKioskMode to enabled (1 - InPrivate public browsing) and configure Microsoft Edge as a single-app in assigned access for this policy to take effect; otherwise, Microsoft Edge ignores this setting. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](/windows/configuration/kiosk-shared-pc).
@@ -2678,7 +2678,7 @@ Most restricted value: 0
> This policy has no effect when the Browser/HomePages policy is not configured.
> [!IMPORTANT]
-> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the [Microsoft browser extension policy](https://docs.microsoft.com/legal/windows/agreements/microsoft-browser-extension-policy).
+> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the [Microsoft browser extension policy](/legal/windows/agreements/microsoft-browser-extension-policy).
@@ -2837,7 +2837,7 @@ ADMX Info:
Supported values:
- 0 (default) - Turned off. Microsoft Edge does not check the Enterprise Mode Site List, and in this case, users might experience problems while using legacy apps.
-- 1 - Turned on. Microsoft Edge checks the Enterprise Mode Site List if configured. If an XML file exists in the cache container, IE11 waits 65 seconds and then checks the local cache for a new version from the server. If the server has a different version, Microsoft Edge uses the server file and stores it in the cache container. If you already use a site list, Enterprise Mode continues to work during the 65 second, but uses the existing file. To add the location to your site list, enter it in the {URI} box. For details on how to configure the Enterprise Mode Site List, see [Interoperability and enterprise guidance](https://docs.microsoft.com/microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp).
+- 1 - Turned on. Microsoft Edge checks the Enterprise Mode Site List if configured. If an XML file exists in the cache container, IE11 waits 65 seconds and then checks the local cache for a new version from the server. If the server has a different version, Microsoft Edge uses the server file and stores it in the cache container. If you already use a site list, Enterprise Mode continues to work during the 65 second, but uses the existing file. To add the location to your site list, enter it in the {URI} box. For details on how to configure the Enterprise Mode Site List, see [Interoperability and enterprise guidance](/microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp).
@@ -3823,7 +3823,7 @@ Most restricted value: 0
[!INCLUDE [set-default-search-engine-shortdesc](../../../browsers/edge/shortdesc/set-default-search-engine-shortdesc.md)]
> [!IMPORTANT]
-> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the [Microsoft browser extension policy](https://docs.microsoft.com/legal/windows/agreements/microsoft-browser-extension-policy).
+> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the [Microsoft browser extension policy](/legal/windows/agreements/microsoft-browser-extension-policy).
Most restricted value: 0
@@ -3843,7 +3843,7 @@ Supported values:
- Blank (default) - Microsoft Edge uses the default search engine specified in App settings. If you don't configure this policy and disable the [AllowSearchEngineCustomization](#browser-allowsearchenginecustomization) policy, users cannot make changes.
- 0 - Microsoft Edge removes the policy-set search engine and uses the Microsoft Edge specified engine for the market.
-- 1 - Microsoft Edge uses the policy-set search engine specified in the OpenSearch XML file. Users cannot change the default search engine. Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://docs.microsoft.com/microsoft-edge/dev-guide/browser/search-provider-discovery). Use this format to specify the link you want to add. If you want users to use the default Microsoft Edge settings for each market, set the string to **EDGEDEFAULT**. If you want users to use Microsoft Bing as the default search engine, then set the string to **EDGEBING**.
+- 1 - Microsoft Edge uses the policy-set search engine specified in the OpenSearch XML file. Users cannot change the default search engine. Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](/microsoft-edge/dev-guide/browser/search-provider-discovery). Use this format to specify the link you want to add. If you want users to use the default Microsoft Edge settings for each market, set the string to **EDGEDEFAULT**. If you want users to use Microsoft Bing as the default search engine, then set the string to **EDGEBING**.
Most restricted value: 1
@@ -4378,4 +4378,4 @@ Footnotes:
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
-
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
index 2cde160250..b1e5575610 100644
--- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
+++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
@@ -5,9 +5,8 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
-author: manikadhiman
+author: dansimp
ms.localizationpriority: medium
-ms.date: 09/27/2019
ms.reviewer:
manager: dansimp
---
@@ -77,10 +76,12 @@ manager: dansimp
Added in Windows 10, version 1803. This policy allows the IT admin to control which policy will be used whenever both the MDM policy and its equivalent Group Policy (GP) are set on the device.
> [!NOTE]
-> MDMWinsOverGP only applies to policies in Policy CSP. It does not apply to other MDM settings with equivalent GP settings that are defined on other configuration service providers.
+> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs.
This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1.
-Note: This policy doesn’t support the Delete command and doesn’t support setting the value to 0 again after it was previously set to 1. Windows 10 version 1809 will support using the Delete command to set the value to 0 again, if it was previously set to 1.
+
+> [!NOTE]
+> This policy doesn't support the Delete command and doesn’t support setting the value to 0 again after it was previously set to 1. Windows 10 version 1809 will support using the Delete command to set the value to 0 again, if it was previously set to 1.
The following list shows the supported values:
@@ -101,7 +102,7 @@ The [Policy DDF](policy-ddf-file.md) contains the following tags to identify the
- \ The root node for the Reboot configuration service provider. Defines the root node for the RemoteLock configuration service provider. The root node for the Surface Hub configuration service provider.
**DeviceAccount**
@@ -258,6 +309,24 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
The data type is integer. Supported operation is Get and Replace.
+**InBoxApps/Whiteboard**
+ Node for the Whiteboard app settings.
+
+**InBoxApps/Whiteboard/SharingDisabled**
+ Invitations to collaborate from the Whiteboard app are not allowed.
+
+ The data type is boolean. Supported operation is Get and Replace.
+
+**InBoxApps/Whiteboard/SigninDisabled**
+ Sign-ins from the Whiteboard app are not allowed.
+
+ The data type is boolean. Supported operation is Get and Replace.
+
+**InBoxApps/Whiteboard/TelemeteryDisabled**
+ Telemetry collection from the Whiteboard app is not allowed.
+
+ The data type is boolean. Supported operation is Get and Replace.
+
**InBoxApps/WirelessProjection**
Node for the wireless projector app settings.
diff --git a/windows/client-management/mdm/understanding-admx-backed-policies.md b/windows/client-management/mdm/understanding-admx-backed-policies.md
index 14cd5810b2..5b211a0f55 100644
--- a/windows/client-management/mdm/understanding-admx-backed-policies.md
+++ b/windows/client-management/mdm/understanding-admx-backed-policies.md
@@ -19,7 +19,7 @@ Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy confi
## Background
-In addition to standard policies, the Policy CSP can now also handle ADMX-backed policies. In an ADMX-backed policy, an administrative template contains the metadata of a Window Group Policy and can be edited in the Local Group Policy Editor on a PC. Each administrative template specifies the registry keys (and their values) that are associated with a Group Policy and defines the policy settings that can be managed. Administrative templates organize Group Policies in a hierarchy in which each segment in the hierarchical path is defined as a category. Each setting in a Group Policy administrative template corresponds to a specific registry value. These Group Policy settings are defined in a standards-based, XML file format known as an ADMX file. For more information, see [Group Policy ADMX Syntax Reference Guide](https://technet.microsoft.com/library/cc753471(v=ws.10).aspx).
+In addition to standard policies, the Policy CSP can now also handle ADMX-backed policies. In an ADMX-backed policy, an administrative template contains the metadata of a Window Group Policy and can be edited in the Local Group Policy Editor on a PC. Each administrative template specifies the registry keys (and their values) that are associated with a Group Policy and defines the policy settings that can be managed. Administrative templates organize Group Policies in a hierarchy in which each segment in the hierarchical path is defined as a category. Each setting in a Group Policy administrative template corresponds to a specific registry value. These Group Policy settings are defined in a standards-based, XML file format known as an ADMX file. For more information, see [Group Policy ADMX Syntax Reference Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753471(v=ws.10)).
ADMX files can either describe operating system (OS) Group Policies that are shipped with Windows or they can describe settings of applications, which are separate from the OS and can usually be downloaded and installed on a PC.
Depending on the specific category of the settings that they control (OS or application), the administrative template settings are found in the following two locations in the Local Group Policy Editor:
@@ -30,10 +30,10 @@ In a domain controller/Group Policy ecosystem, Group Policies are automatically
An ADMX file can either be shipped with Windows (located at `%SystemRoot%\policydefinitions`) or it can be ingested to a device through the Policy CSP URI (`./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`). Inbox ADMX files are processed into MDM policies at OS-build time. ADMX files that are ingested are processed into MDM policies post-OS shipment through the Policy CSP. Because the Policy CSP does not rely upon any aspect of the Group Policy client stack, including the PC's Group Policy Service (GPSvc), the policy handlers that are ingested to the device are able to react to policies that are set by the MDM.
-Windows maps the name and category path of a Group Policy to a MDM policy area and policy name by parsing the associated ADMX file, finding the specified Group Policy, and storing the definition (metadata) in the MDM Policy CSP client store. When the MDM policy is referenced by a SyncML command and the Policy CSP URI, `.\[device|user]\vendor\msft\policy\[config|result]\\ Specifies the update GUID.
- To auto-approve a class of updates, you can specify the Update Classifications GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. There are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly.
+ To auto-approve a class of updates, you can specify the Update Classifications GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. There are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly.
Supported operations are Get and Add.
@@ -220,10 +220,3 @@ Added in Windows 10, version 1803. Returns the result of last RollBack FeatureUp
-
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider.md b/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider.md
index 5bdd2eaf0f..37ff112671 100644
--- a/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider.md
+++ b/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider.md
@@ -14,16 +14,16 @@ ms.date: 06/26/2017
# Using PowerShell scripting with the WMI Bridge Provider
-This topic covers using PowerShell Cmdlet scripts to configure per-user and per-device policy settings, as well as how to invoke methods through the [WMI Bridge Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx).
+This topic covers using PowerShell Cmdlet scripts to configure per-user and per-device policy settings, as well as how to invoke methods through the [WMI Bridge Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal).
## Configuring per-device policy settings
-This section provides a PowerShell Cmdlet sample script to configure per-device settings through the [WMI Bridge Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx). If a class supports device settings, there must be a class level qualifier defined for InPartition("local-system").
+This section provides a PowerShell Cmdlet sample script to configure per-device settings through the [WMI Bridge Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal). If a class supports device settings, there must be a class level qualifier defined for InPartition("local-system").
For all device settings, the WMI Bridge client must be executed under local system user. To do that, download the psexec tool from Currently testing. Currently testing. Currently testing. Currently testing. Currently testing. Test not started. Test not started. Test not started. Currently testing. Currently testing. Accessibility Assigned access does not change Ease of Access settings. We recommend that you use Keyboard Filter to block the following key combinations that bring up accessibility features: We recommend that you use Keyboard Filter to block the following key combinations that bring up accessibility features: Assigned access Windows PowerShell cmdlets In addition to using the Windows UI, you can use the Windows PowerShell cmdlets to set or clear assigned access. For more information, see Assigned access Windows PowerShell reference. In addition to using the Windows UI, you can use the Windows PowerShell cmdlets to set or clear assigned access. For more information, see Assigned access Windows PowerShell reference. Key sequences blocked by assigned access When in assigned access, some key combinations are blocked for assigned access users. Alt+F4, Alt+Shift+Tab, Alt+Tab are not blocked by Assigned Access, it is recommended you use Keyboard Filter to block these key combinations. Ctrl+Alt+Delete is the key to break out of Assigned Access. If needed, you can use Keyboard Filter to configure a different key combination to break out of assigned access by setting BreakoutKeyScanCode as described in WEKF_Settings. Alt+F4, Alt+Shift+Tab, Alt+Tab are not blocked by Assigned Access, it is recommended you use Keyboard Filter to block these key combinations. Ctrl+Alt+Delete is the key to break out of Assigned Access. If needed, you can use Keyboard Filter to configure a different key combination to break out of assigned access by setting BreakoutKeyScanCode as described in WEKF_Settings. Keyboard Filter settings apply to other standard accounts. Key sequences blocked by Keyboard Filter If Keyboard Filter is turned ON then some key combinations are blocked automatically without you having to explicitly block them. For more information, see the Keyboard Filter reference topic. Keyboard Filter is only available on Windows 10 Enterprise or Windows 10 Education. Key sequences blocked by Keyboard Filter If Keyboard Filter is turned ON then some key combinations are blocked automatically without you having to explicitly block them. For more information, see the Keyboard Filter reference topic. Keyboard Filter is only available on Windows 10 Enterprise or Windows 10 Education. Power button Customizations for the Power button complement assigned access, letting you implement features such as removing the power button from the Welcome screen. Removing the power button ensures the user cannot turn off the device when it is in assigned access. For more information on removing the power button or disabling the physical power button, see Custom Logon. For more information on removing the power button or disabling the physical power button, see Custom Logon. Unified Write Filter (UWF) UWFsettings apply to all users, including those with assigned access. For more information, see Unified Write Filter. For more information, see Unified Write Filter. WEDL_AssignedAccess class Although you can use this class to configure and manage basic lockdown features for assigned access, we recommend that you use the Windows PowerShell cmdlets instead. If you need to use assigned access API, see WEDL_AssignedAccess. If you need to use assigned access API, see WEDL_AssignedAccess. Welcome Screen Customizations for the Welcome screen let you personalize not only how the Welcome screen looks, but for how it functions. You can disable the power or language button, or remove all user interface elements. There are many options to make the Welcome screen your own. For more information, see Custom Logon. For more information, see Custom Logon. Hibernate Once/Resume Many (HORM): Quick boot to device Hibernate Once/Resume Many (HORM): Quick boot to device HORM is supported in Windows 10, version 1607 and later. Unified Write Filter: protect a device's physical storage media Unified Write Filter: protect a device's physical storage media The Unified Write Filter is continued in Windows 10. Keyboard Filter: block hotkeys and other key combinations Keyboard Filter: block hotkeys and other key combinations Keyboard filter is added in Windows 10, version 1511. As in Windows Embedded Industry 8.1, Keyboard Filter is an optional component that can be turned on via Turn Windows Features On/Off. Keyboard Filter (in addition to the WMI configuration previously available) will be configurable through Windows Imaging and Configuration Designer (ICD) in the SMISettings path. Shell Launcher: launch a Windows desktop application on sign-on Shell Launcher: launch a Windows desktop application on sign-on Shell Launcher continues in Windows 10. It is now configurable in Windows ICD under the SMISettings category. Learn how to use Shell Launcher to create a kiosk device that runs a Windows desktop application. Learn how to use Shell Launcher to create a kiosk device that runs a Windows desktop application. Application Launcher: launch a Universal Windows Platform (UWP) app on sign-on Application Launcher: launch a Universal Windows Platform (UWP) app on sign-on The Windows 8 Application Launcher has been consolidated into Assigned Access. Application Launcher enabled launching a Windows 8 app and holding focus on that app. Assigned Access offers a more robust solution for ensuring that apps retain focus. Dialog Filter: suppress system dialogs and control which processes can run Dialog Filter: suppress system dialogs and control which processes can run Dialog Filter has been deprecated for Windows 10. Dialog Filter provided two capabilities; the ability to control which processes were able to run, and the ability to prevent dialogs (in practice, system dialogs) from appearing. Toast Notification Filter: suppress toast notifications Toast Notification Filter: suppress toast notifications Toast Notification Filter has been replaced by MDM and Group Policy settings for blocking the individual components of non-critical system toasts that may appear. For example, to prevent a toast from appearing when a USB drive is connected, ensure that USB connections have been blocked using the USB-related policies, and turn off notifications from apps. Group Policy: User Configuration > Administrative Templates > Start Menu and Taskbar > Notifications MDM policy name may vary depending on your MDM service. In Microsoft Intune, use Allow action center notifications and a custom OMA-URI setting for AboveLock/AllowActionCenterNotifications. Embedded Lockdown Manager: configure lockdown features Embedded Lockdown Manager: configure lockdown features The Embedded Lockdown Manager has been deprecated for Windows 10 and replaced by the Windows ICD. Windows ICD is the consolidated tool for Windows imaging and provisioning scenarios and enables configuration of all Windows settings, including the lockdown features previously configurable through Embedded Lockdown Manager. USB Filter: restrict USB devices and peripherals on system USB Filter: restrict USB devices and peripherals on system The USB Filter driver has been replaced by MDM and Group Policy settings for blocking the connection of USB devices. Group Policy: Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions MDM policy name may vary depending on your MDM service. In Microsoft Intune, use Allow removable storage or Allow USB connection (Windows 10 Mobile only). Assigned Access: launch a UWP app on sign-in and lock access to system Assigned Access: launch a UWP app on sign-in and lock access to system Assigned Access has undergone significant improvement for Windows 10. In Windows 8.1, Assigned Access blocked system hotkeys and edge gestures, and non-critical system notifications, but it also applied some of these limitations to other accounts on the device. In Windows 10, Assigned Access no longer affects accounts other than the one being locked down. Assigned Access now restricts access to other apps or system components by locking the device when the selected user account logs in and launching the designated app above the lock screen, ensuring that no unintended functionality can be accessed. Learn how to use Assigned Access to create a kiosk device that runs a Universal Windows app. Learn how to use Assigned Access to create a kiosk device that runs a Universal Windows app. Gesture Filter: block swipes from top, left, and right edges of screen Gesture Filter: block swipes from top, left, and right edges of screen In Windows 8.1, gestures provided the ability to close an app, to switch apps, and to reach the Charms. In Windows 10, Charms have been removed. In Windows 10, version 1607, you can block swipes using the Allow edge swipe policy. In Windows 8.1, gestures provided the ability to close an app, to switch apps, and to reach the Charms. In Windows 10, Charms have been removed. In Windows 10, version 1607, you can block swipes using the Allow edge swipe policy. Custom Logon: suppress Windows UI elements during Windows sign-on, sign-off, and shutdown Custom Logon: suppress Windows UI elements during Windows sign-on, sign-off, and shutdown No changes. Applies only to Windows 10 Enterprise and Windows 10 Education. Unbranded Boot: custom brand a device by removing or replacing Windows boot UI elements Unbranded Boot: custom brand a device by removing or replacing Windows boot UI elements No changes. Applies only to Windows 10 Enterprise and Windows 10 Education. Setting this value to 0 turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but can't be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see How to configure Wi-Fi Sense on Windows 10 in an enterprise.
+ Setting this value to 0 turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but can't be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see How to configure Wi-Fi Sense on Windows 10 in an enterprise.
@@ -68,7 +68,7 @@ You can manage your Wi-Fi Sense settings by changing the Windows provisioning se
**To set up Wi-Fi Sense using WiFISenseAllowed**
- Change the Windows Provisioning setting, **WiFISenseAllowed**, to **0**.
- Setting this value to 0 turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but can't be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see the Windows Provisioning settings reference topic, WiFiSenseAllowed.
+ Setting this value to 0 turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but can't be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see the Windows Provisioning settings reference topic, WiFiSenseAllowed.
### Using Unattended Windows Setup settings
If your company still uses Unattend, you can manage your Wi-Fi Sense settings by changing the Unattended Windows Setup setting, **WiFiSenseAllowed**.
@@ -76,7 +76,7 @@ If your company still uses Unattend, you can manage your Wi-Fi Sense settings by
**To set up Wi-Fi Sense using WiFISenseAllowed**
- Change the Unattended Windows Setup setting, **WiFISenseAllowed**, to **0**.
- Setting this value to 0 turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but can't be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see the Unattended Windows Setup Reference topic, WiFiSenseAllowed.
+ Setting this value to 0 turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but can't be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see the Unattended Windows Setup Reference topic, WiFiSenseAllowed.
### How employees can change their own Wi-Fi Sense settings
If you don’t turn off the ability for your employees to use Wi-Fi Sense, they can turn it on locally by selecting **Settings > Network & Internet > Wi-Fi > Manage Wi-Fi settings**, and then turning on **Connect to suggested open hotspots**.
@@ -93,13 +93,7 @@ If you select the **Share network with my contacts** check box the first time yo
## Related topics
- [Wi-Fi Sense and Privacy](https://go.microsoft.com/fwlink/p/?LinkId=620911)
-- [How to configure Wi-Fi Sense on Windows 10 in an enterprise](https://go.microsoft.com/fwlink/p/?LinkId=620959)
+- [How to configure Wi-Fi Sense on Windows 10 in an enterprise](/troubleshoot/windows-client/networking/configure-wifi-sense-and-paid-wifi-service)
-
-
-
-
-
-
diff --git a/windows/configuration/mobile-devices/lockdown-xml.md b/windows/configuration/mobile-devices/lockdown-xml.md
index 28bf0b87e3..5f6122363c 100644
--- a/windows/configuration/mobile-devices/lockdown-xml.md
+++ b/windows/configuration/mobile-devices/lockdown-xml.md
@@ -26,10 +26,10 @@ Windows 10 Mobile allows enterprises to lock down a device, define multiple user
This is accomplished using Lockdown XML, an XML file that contains settings for Windows 10 Mobile. When you deploy the lockdown XML file to a device, it is saved on the device as **wehlockdown.xml**. When the device boots, it looks for wehlockdown.xml and applies any settings configured in the file.
-In this topic, you'll learn how to create an XML file that contains all lockdown entries available in the AssignedAccessXml area of the [EnterpriseAssignedAccess configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseassignedaccess-csp). This topic provides example XML that you can use in your own lockdown XML file that can be included in a provisioning package or when using a mobile device management (MDM) solution to push lockdown settings to enrolled devices. You can also use the [Lockdown Designer app](mobile-lockdown-designer.md) to configure and export your lockdown XML file.
+In this topic, you'll learn how to create an XML file that contains all lockdown entries available in the AssignedAccessXml area of the [EnterpriseAssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/enterpriseassignedaccess-csp). This topic provides example XML that you can use in your own lockdown XML file that can be included in a provisioning package or when using a mobile device management (MDM) solution to push lockdown settings to enrolled devices. You can also use the [Lockdown Designer app](mobile-lockdown-designer.md) to configure and export your lockdown XML file.
> [!NOTE]
-> On Windows 10 desktop editions, *assigned access* is a feature that lets you configure the device to run a single app above the lockscreen ([kiosk mode](../set-up-a-device-for-anyone-to-use.md)). On a Windows 10 Mobile device, assigned access refers to the lockdown settings in AssignedAccessXml in the [EnterpriseAssignedAccess configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkID=618601).
+> On Windows 10 desktop editions, *assigned access* is a feature that lets you configure the device to run a single app above the lockscreen ([kiosk mode](../kiosk-methods.md)). On a Windows 10 Mobile device, assigned access refers to the lockdown settings in AssignedAccessXml in the [EnterpriseAssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/enterpriseassignedaccess-csp).
If you're not familiar with CSPs, read [Introduction to configuration service providers (CSPs)](../provisioning-packages/how-it-pros-can-use-configuration-service-providers.md) first.
@@ -272,14 +272,14 @@ In the following example, when a user presses the Search button, the phone diale
-You can use CSPRunner to include settings that are not defined in AssignedAccessXML. For example, you can include settings from other sections of EnterpriseAssignedAccess CSP, such as lockscreen, theme, and time zone. You can also include settings from other CSPs, such as [Wi-Fi CSP](https://go.microsoft.com/fwlink/p/?LinkID=717460) or [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962%28v=vs.85%29.aspx).
+You can use CSPRunner to include settings that are not defined in AssignedAccessXML. For example, you can include settings from other sections of EnterpriseAssignedAccess CSP, such as lockscreen, theme, and time zone. You can also include settings from other CSPs, such as [Wi-Fi CSP](/windows/client-management/mdm/wifi-csp) or [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider).
CSPRunner is helpful when you are configuring a device to support multiple roles. It lets you apply different policies according to the role that is signed on. For example, Wi-Fi could be enabled for a supervisor role and disabled for a stocking clerk role.
In CSPRunner, you specify the CSP and settings using SyncML, a standardized markup language for device management. A SyncML section can include multiple settings, or you can use multiple SyncML sections -- it's up to you how you want to organize settings in this section.
> [!NOTE]
-> This description of SyncML is just the information that you need to use SyncML in a lockdown XML file. To learn more about SyncML, see [Structure of OMA DM provisioning files](https://msdn.microsoft.com/windows/hardware/dn914774.aspx).
+> This description of SyncML is just the information that you need to use SyncML in a lockdown XML file. To learn more about SyncML, see [Structure of OMA DM provisioning files](/windows/client-management/mdm/structure-of-oma-dm-provisioning-files).
Let's start with the structure of SyncML in the following example:
@@ -385,14 +385,14 @@ For a list of the settings and quick actions that you can allow or block, see [S
If you have existing lockdown xml, you must update start screen size if your device has >=400epx on its short axis so that tiles on Start can fill all 8 columns if you want to use all 8 columns instead of 6, or use 6 columns instead of 4.
- [Learn about effective pixel width (epx) for different device size classes.](https://go.microsoft.com/fwlink/p/?LinkId=733340)
+ [Learn about effective pixel width (epx) for different device size classes.](/windows/uwp/design/layout/screen-sizes-and-breakpoints-for-responsive-design)
## Configure additional roles
You can add custom configurations by role. In addition to the role configuration, you must also install a login application on the device. The app displays a list of available roles on the device; the user taps a role, such as "Manager"; the configuration defined for the "Manager" role is applied.
-[Learn how to create a login application that will work with your Lockdown XML file.](https://github.com/Microsoft/Windows-universal-samples/tree/master/Samples/DeviceLockdownAzureLogin) For reference, see the [Windows.Embedded.DeviceLockdown API](https://msdn.microsoft.com/library/windows/apps/windows.embedded.devicelockdown).
+[Learn how to create a login application that will work with your Lockdown XML file.](https://github.com/Microsoft/Windows-universal-samples/tree/master/Samples/DeviceLockdownAzureLogin) For reference, see the [Windows.Embedded.DeviceLockdown API](/uwp/api/Windows.Embedded.DeviceLockdown).
In the XML file, you define each role with a GUID and name, as shown in the following example:
@@ -433,14 +433,14 @@ You can configure the same settings for each role as you did for the default rol
## Validate your XML
-You can validate your lockdown XML file against the [EnterpriseAssignedAccess XSD](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseassignedaccess-xsd).
+You can validate your lockdown XML file against the [EnterpriseAssignedAccess XSD](/windows/client-management/mdm/enterpriseassignedaccess-xsd).
## Add lockdown XML to a provisioning package
Use the Windows ICD tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK.](https://go.microsoft.com/fwlink/p/?LinkId=526740)
-1. Follow the instructions at [Build and apply a provisioning package](https://go.microsoft.com/fwlink/p/?LinkID=629651) to create a project, selecting **Common to all Windows mobile editions** for your project.
+1. Follow the instructions at [Build and apply a provisioning package](../provisioning-packages/provisioning-create-package.md) to create a project, selecting **Common to all Windows mobile editions** for your project.
2. In **Available customizations**, go to **Runtime settings** > **EmbeddedLockdownProfiles** > **AssignedAccessXml**.
@@ -477,12 +477,12 @@ Use the Windows ICD tool included in the Windows Assessment and Deployment Kit (
- If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
- If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
-After you build the provisioning package, follow the instructions for [applying a provisioning package at runtime to Windows 10 Mobile](https://go.microsoft.com/fwlink/p/?LinkID=619164).
+After you build the provisioning package, follow the instructions for [applying a provisioning package at runtime to Windows 10 Mobile](../provisioning-packages/provisioning-create-package.md).
## Push lockdown XML using MDM
-After you deploy your devices, you can still configure lockdown settings through your MDM solution if it supports the [EnterpriseAssignedAccess CSP](https://go.microsoft.com/fwlink/p/?LinkID=618601).
+After you deploy your devices, you can still configure lockdown settings through your MDM solution if it supports the [EnterpriseAssignedAccess CSP](/windows/client-management/mdm/enterpriseassignedaccess-csp).
To push lockdown settings to enrolled devices, use the AssignedAccessXML setting and use the lockdown XML as the value. The lockdown XML will be in a HandheldLockdown section that becomes XML embedded in XML, so the XML that you enter must use escaped characters (such as `<` in place of <). After the MDM provider pushes your lockdown settings to the device, the CSP processes the file and updates the device.
@@ -865,4 +865,4 @@ To push lockdown settings to enrolled devices, use the AssignedAccessXML setting
[Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md)
-[Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md)
+[Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md)
\ No newline at end of file
diff --git a/windows/configuration/mobile-devices/mobile-lockdown-designer.md b/windows/configuration/mobile-devices/mobile-lockdown-designer.md
index bb398d4a09..ce16eeccca 100644
--- a/windows/configuration/mobile-devices/mobile-lockdown-designer.md
+++ b/windows/configuration/mobile-devices/mobile-lockdown-designer.md
@@ -136,7 +136,7 @@ The apps and settings available in the pages of Lockdown Designer should now be
| --- | --- |
|  | Each app from the test mobile device is listed. Select the apps that you want visible to users.You can select an app to run automatically when a user signs in to the device. The **Select Auto-Run** menu is populated by the apps that you select to allow on the device. |
|  | CSPRunner enables you to include settings and policies that are not defined in other sections of the app. To make use of CSPRunner, you must create the SyncML block that contains the settings, and then import the SyncML in Lockdown Designer. [Learn how to use CSPRunner and author SyncML.](lockdown-xml.md#csprunner) |
-|  | On this page, you select the settings that you want visible to users. See the [ms settings: URI scheme reference](https://docs.microsoft.com/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference) to see which Settings page maps to a URI. |
+|  | On this page, you select the settings that you want visible to users. See the [ms settings: URI scheme reference](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference) to see which Settings page maps to a URI. |
|  | On this page, you select the settings that you want visible to users. |
|  | Each hardware button on a mobile device has different actions that can be disabled. In addition, the behavior for **Search** button can be changed to open an app other than **Search**.Some devices may have additional hardware buttons provided by the OEM. These are listed as Custom1, Custom2, and Custom3. If your device has custom hardware buttons, contact your equipment provider to identify how their custom buttons are defined. |
|  | This page contains several settings that you can configure:- The context menu is displayed when a user presses and holds an application in the All Apps list. You can enable or disable the context menu.- Tile manipulation allows users to pin, unpin, move, and resize tiles on the Start screen. You can enable or disable tile manipulation.- The Action Center setting controls whether the user can open the Action Center on the device. When the Action Center is disabled, notifications on the lockscreen and toasts are also disabled. You can use optional attributes with the Action Center element to change that behavior for either notifications, toasts, or both. |
@@ -169,7 +169,4 @@ You can create additional roles for the device and have unique configurations fo
4. Configure the settings for the role as above, but make sure on each page that you select the correct role.
- 
-
-
-
+ 
\ No newline at end of file
diff --git a/windows/configuration/mobile-devices/provisioning-configure-mobile.md b/windows/configuration/mobile-devices/provisioning-configure-mobile.md
index 340219baab..8da62d608f 100644
--- a/windows/configuration/mobile-devices/provisioning-configure-mobile.md
+++ b/windows/configuration/mobile-devices/provisioning-configure-mobile.md
@@ -46,7 +46,7 @@ The **Provision Windows mobile devices** wizard lets you configure common settin
This problem occurs when InstallShield creates installers and uninstallers that fail to complete and that generate error messages or warnings. The fix blocks InstallShield from setting the value of RunAs registry keys to InteractiveUser Because InteractiveUser no longer has Administrator rights. For more detailed information about this application fix, see Using the BlockRunAsInteractiveUser Fix. For more detailed information about this application fix, see Using the BlockRunAsInteractiveUser Fix. The fix scans the existing user profiles and tries to copy the specified keys into the HKEY_CURRENT_USER registry area. You can control this fix further by entering the relevant registry keys as parameters that are separated by the ^ Symbol; for example: For more detailed information about this application fix, see Using the CopyHKCUSettingsFromOtherUsers Fix. For more detailed information about this application fix, see Using the CopyHKCUSettingsFromOtherUsers Fix. The problem is indicated when an application tries to write files to the hard disk and is denied access or receives a file not found or path not found error message. The fix modifies the file path names to point to a new location on the hard disk. For more detailed information about the CorrectFilePaths application fix, see Using the CorrectFilePaths Fix. We recommend that you use this fix together with the CorrectFilePathsUninstall fix if you are applying it to a setup installation file. For more detailed information about the CorrectFilePaths application fix, see Using the CorrectFilePaths Fix. We recommend that you use this fix together with the CorrectFilePathsUninstall fix if you are applying it to a setup installation file. This problem occurs when an uninstalled application leaves behind files, directories, and links. The fix corrects the file paths that are used by the uninstallation process of an application. For more detailed information about this fix, see Using the CorrectFilePathsUninstall Fix. We recommend that you use this fix together with the CorrectFilePaths fix if you are applying it to a setup installation file. For more detailed information about this fix, see Using the CorrectFilePathsUninstall Fix. We recommend that you use this fix together with the CorrectFilePaths fix if you are applying it to a setup installation file. This problem occurs when you start an executable (.exe) and a taskbar item blinks instead of an elevation prompt being opened, or when the application does not provide a valid HWND value when it calls the ShellExecute(Ex) function. The fix intercepts the ShellExecute(Ex) calls, and then inspects the HWND value. If the value is invalid, this fix enables the call to use the currently active HWND value. For more detailed information about the CorrectShellExecuteHWND application fix, see Using the CorrectShellExecuteHWND Fix. For more detailed information about the CorrectShellExecuteHWND application fix, see Using the CorrectShellExecuteHWND Fix. The problem occurs when some objects are not drawn or object artifacts remain on the screen in an application. The fix temporarily disables the Windows Aero menu theme functionality for unsupported applications. For more detailed information about this application fix, see Using the DisableDWM Fix. For more detailed information about this application fix, see Using the DisableDWM Fix. The problem is indicated when installations, de-installations, or updates fail because the host process calls the CreateProcess function and it returns an ERROR_ELEVATION_REQUIRED error message. The fix handles the error code and attempts to recall the CreateProcess function together with requested elevation. If the fixed application already has a UAC manifest, the error code will be returned unchanged. For more detailed information about this application fix, see Using the ElevateCreateProcess Fix. For more detailed information about this application fix, see Using the ElevateCreateProcess Fix. The problem is indicated when an application fails to install or to run, and it generates an error message that there is not enough free disk space to install or use the application, even though there is enough free disk space to meet the application requirements. The fix determines the amount of free space, so that if the amount of free space is larger than 2 GB, the compatibility fix returns a value of 2 GB, but if the amount of free space is smaller than 2 GB, the compatibility fix returns the actual free space amount. For more detailed information about this application fix, see Using the EmulateGetDiskFreeSpace Fix. For more detailed information about this application fix, see Using the EmulateGetDiskFreeSpace Fix. The problem occurs when an application experiences search functionality issues. The fix forces applications that use the CompareStringW/LCMapString sorting table to use an older version of the table. For more detailed information about this e application fix, see Using the EmulateSorting Fix. For more detailed information about this e application fix, see Using the EmulateSorting Fix. The problem is indicated when an application and computer appear to hang because processes cannot end to allow the computer to complete its restart processes. The fix enables the computer to restart and finish the installation process by verifying and enabling that the SeShutdownPrivilege service privilege exists. For more detailed information about this application fix, see Using the EnableRestarts Fix. For more detailed information about this application fix, see Using the EnableRestarts Fix. The problem occurs when a theme application does not properly display: the colors are washed out or the user interface is not detailed. The fix intercepts the GetCurrentThemeName API and returns the value for the Windows XP default theme, (Luna). For more detailed information about the FakeLunaTheme application fix, see Using the FakeLunaTheme Fix. For more detailed information about the FakeLunaTheme application fix, see Using the FakeLunaTheme Fix. The problem occurs when an application fails to function during an explicit administrator check. The fix allows the user to temporarily imitate being a part of the Administrators group by returning a value of True during the administrator check. For more detailed information about this application fix, see Using the ForceAdminAccess Fix. For more detailed information about this application fix, see Using the ForceAdminAccess Fix. The problem occurs when an application fails to function when special key combinations are used. The fix intercepts the RegisterRawInputDevices API and prevents the delivery of the WM_INPUT messages. This delivery failure forces the included hooks to be ignored and forces DInput to use Windows-specific hooks. For more detailed information about this application fix, see Using the IgnoreAltTab Fix. For more detailed information about this application fix, see Using the IgnoreAltTab Fix. For more detailed information about this application fix, see Using the IgnoreException Fix. For more detailed information about this application fix, see Using the IgnoreException Fix. The problem is indicated by a message box that displays with debugging or extraneous content when the application runs on an unexpected operating system. The fix intercepts the MessageBox* APIs and inspects them for specific message text. If matching text is found, the application continues without showing the message box. For more detailed information about this application fix, see Using the IgnoreMessageBox Fix. For more detailed information about this application fix, see Using the IgnoreMessageBox Fix. The problem occurs when an application unsuccessfully tries to create an object in the Global namespace. The fix intercepts the function call to create the object and replaces the word Global with Local. For more detailed information about this application fix, see Using the LocalMappedObject Fix. For more detailed information about this application fix, see Using the LocalMappedObject Fix. The problem is indicated when an application fails to uninstall because of access-related errors. The fix locates any RunDLL.exe-based uninstallers and forces them to run with different credentials during the application installation. After it applies this fix, the installer will create a shortcut that specifies a matching string to run during the application installation, thereby enabling the uninstallation to occur later. For more detailed information about this application fix, see Using the MakeShortcutRunas Fix For more detailed information about this application fix, see Using the MakeShortcutRunas Fix The problem is indicated by an error message that states that you do not have the appropriate permissions to access the application. The fix reduces the security privilege levels on a specified set of files and folders. For more detailed information about this application fix, see Using the OpenDirectoryACL Fix. For more detailed information about this application fix, see Using the OpenDirectoryACL Fix. The problem occurs when installers, uninstallers, or updaters fail when they are started from a host application. The fix enables a child .exe file to run with elevated privileges when it is difficult to determine the parent process with either the ElevateCreateProcess fix or by marking the .exe files to RunAsAdmin. For more detailed information about this application fix, see Using the RelaunchElevated Fix. For more detailed information about this application fix, see Using the RelaunchElevated Fix. SC_MANAGER_QUERY_LOCK_STATUS STANDARD_READ_RIGHTS For more detailed information about this application fix, see Using the RetryOpenSCManagerwithReadAccess Fix. For more detailed information about this application fix, see Using the RetryOpenSCManagerwithReadAccess Fix. The problem occurs when an Unable to open service due to your application using the OpenService() API to test for the existence of a particular service error message displays. The fix retries the OpenService() API call and verifies that the user has Administrator rights, is not a Protected Administrator, and by using read-only access. Applications can test for the existence of a service by calling the OpenService() API but some applications ask for all access when making this check. This fix retries the call but only asking for read-only access. The user needs to be an administrator for this to work For more detailed information about this application fix, see Using the RetryOpenServiceWithReadAccess Fix. For more detailed information about this application fix, see Using the RetryOpenServiceWithReadAccess Fix. The problem occurs when an application fails to function by using the Standard User or Protected Administrator account. The fix enables the application to run by using elevated privileges. The fix is the equivalent of specifying requireAdministrator in an application manifest. For more detailed information about this application fix, see Using the RunAsAdmin Fix. For more detailed information about this application fix, see Using the RunAsAdmin Fix. The problem occurs when administrators cannot view the read/write version of an application that presents a read-only view to standard users. The fix enables the application to run by using the highest available permissions. This is the equivalent of specifying highestAvailable in an application manifest. For more detailed information about this application fix, see Using the RunAsHighest Fix. For more detailed information about this application fix, see Using the RunAsHighest Fix. The problem occurs when an application is not detected as requiring elevation. The fix enables the application to run by using the privileges that are associated with the creation process, without requiring elevation. This is the equivalent of specifying asInvoker in an application manifest. For more detailed information about this application fix, see Using the RunAsInvoker Fix. For more detailed information about this application fix, see Using the RunAsInvoker Fix. For more detailed information about this application fix, see Using the SessionShim Fix. For more detailed information about this application fix, see Using the SessionShim Fix. The problem occurs when an application fails, even after applying acompatibility fix that is known to fix an issue. Applications that use unicows.dll or copy protection often present this issue. The fix applies the specified compatibility fixes by modifying the export table and by nullifying the use of module inclusion and exclusion. For more information about this application fix, see Using the ShimViaEAT Fix. For more information about this application fix, see Using the ShimViaEAT Fix. The problem occurs when an application installation file fails to be picked up by the GenericInstaller function. The fix flags the application as being an installer file (for example, setup.exe), and then prompts for elevation. For more detailed information about this application fix, see Using the SpecificInstaller Fix. For more detailed information about this application fix, see Using the SpecificInstaller Fix. The problem occurs when an application that is not an installer (and has sufficient privileges) generates a false positive from the GenericInstaller function. The fix flags the application to exclude it from detection by the GenericInstaller function. For more detailed information about this application fix, see Using the SpecificNonInstaller Fix. For more detailed information about this application fix, see Using the SpecificNonInstaller Fix. MessageString1 MessageString2 Where MessageString1 and MessageString2 reflect the message strings that can pass. Multiple message strings must be separated by spaces. For more detailed information about this application fix, see Using the UIPIEnableCustomMsgs Fix. Multiple message strings must be separated by spaces. For more detailed information about this application fix, see Using the UIPIEnableCustomMsgs Fix. 1055 1056 1069 Where 1055 reflects the first message ID, 1056 reflects the second message ID, and 1069 reflects the third message ID that can pass. Multiple messages can be separated by spaces. For more detailed information about this application fix, see Using the UIPIEnableStandardMsgs Fix [act]. Multiple messages can be separated by spaces. For more detailed information about this application fix, see Using the UIPIEnableStandardMsgs Fix [act]. VirtualRegistry The problem is indicated when a Component failed to be located error message displays when an application is started. The fix enables the registry functions to allow for virtualization, redirection, expansion values, version spoofing, the simulation of performance data counters, and so on. For more detailed information about this application fix, see Using the VirtualRegistry Fix. For more detailed information about this application fix, see Using the VirtualRegistry Fix. VirtualizeDeleteFile The problem occurs when several error messages display and the application cannot delete files. The fix makes the application's DeleteFile function call a virtual call in an effort to remedy the UAC and file virtualization issues that were introduced with Windows Vista. This fix also links other file APIs (for example, GetFileAttributes) to ensure that the virtualization of the file is deleted. For more detailed information about this application fix, see Using the VirtualizeDeleteFile Fix. For more detailed information about this application fix, see Using the VirtualizeDeleteFile Fix. The fix redirects the HKCR write calls (HKLM) to the HKCU hive for a per-user COM registration. This operates much like the VirtualRegistry fix when you use the VirtualizeHKCR parameter; however, VirtualizeHKCRLite provides better performance. HKCR is a virtual merge of the HKCU\Software\Classes and HKLM\Software\Classes directories. The use of HKCU is preferred if an application is not elevated and is ignored if the application is elevated. You typically will use this compatibility fix in conjunction with the VirtualizeRegisterTypeLib fix. For more detailed information about this application fix, see Using the VirtualizeHKCRLite Fix. For more detailed information about this application fix, see Using the VirtualizeHKCRLite Fix. VirtualizeRegisterTypeLib The fix, when it is used with the VirtualizeHKCRLite fix, ensures that the type library and the COM class registration happen simultaneously. This functions much like the RegistryTypeLib fix when the RegisterTypeLibForUser parameter is used. For more detailed information about this application fix, see Using the VirtualizeRegisterTypelib Fix. For more detailed information about this application fix, see Using the VirtualizeRegisterTypelib Fix. Type vbrun60.dll into the Module Name box, click Include, and then click Add. Save the custom database. For more information about the WinXPSP2VersionLie application fix, see Using the WinXPSP2VersionLie Fix. For more information about the WinXPSP2VersionLie application fix, see Using the WinXPSP2VersionLie Fix. Component1.dll;Component2.dll Where Component1.dll and Component2.dll reflect the components to be skipped. For more detailed information about this application fix, see Using the WRPDllRegister Fix. For more detailed information about this application fix, see Using the WRPDllRegister Fix. The problem is indicated when an access denied error message displays when the application tries to access a protected operating system resource by using more than read-only access. The fix emulates the successful authentication and modification of file and registry APIs, so that the application can continue. For more detailed information about WRPMitigation, see Using the WRPMitigation Fix. For more detailed information about WRPMitigation, see Using the WRPMitigation Fix. urlid Yes UrlID is a string identifier that uniquely identifies this .xml file. This parameter must be a no-colon-name as defined by the XML Namespaces specification. Each migration .xml file must have a unique urlid. If two migration .xml files have the same urlid, the second .xml file that is specified on the command line will not be processed. For more information about XML Namespaces, see Use XML Namespaces. UrlID is a string identifier that uniquely identifies this .xml file. This parameter must be a no-colon-name as defined by the XML Namespaces specification. Each migration .xml file must have a unique urlid. If two migration .xml files have the same urlid, the second .xml file that is specified on the command line will not be processed. For more information about XML Namespaces, see Use XML Namespaces. Name Improved protection against persistent threats. Credential Guard works with other technologies (e.g., Device Guard) to help provide further protection against attacks, no matter how persistent. Improved manageability. Credential Guard can be managed through Group Policy, Windows Management Instrumentation (WMI), or Windows PowerShell. For more information, see Protect derived domain credentials with Credential Guard. For more information, see Protect derived domain credentials with Credential Guard. Credential Guard requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present) Helps protect the Windows system core from vulnerability and zero-day exploits Allows only trusted apps to run For more information, see Introduction to Device Guard. For more information, see Introduction to Device Guard. AppLocker management This feature helps IT pros determine which applications and files users can run on a device. The applications and files that can be managed include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. For more information, see AppLocker. For more information, see AppLocker. Application Virtualization (App-V) This feature makes applications available to end users without installing the applications directly on users’ devices. App-V transforms applications into centrally managed services that are never installed and don't conflict with other applications. This feature also helps ensure that applications are kept current with the latest security updates. For more information, see Getting Started with App-V for Windows 10. For more information, see Getting Started with App-V for Windows 10. User Experience Virtualization (UE-V) Create custom templates for your third-party or line-of-business applications Recover settings after hardware replacement or upgrade, or after re-imaging a virtual machine to its initial state For more information, see User Experience Virtualization (UE-V) for Windows 10 overview. For more information, see User Experience Virtualization (UE-V) for Windows 10 overview. Managed User Experience Microsoft uses diagnostic data to keep Windows secure, up to date, troubleshoot problems, and make product improvements. Regardless of what choices you make for diagnostic data collection, the device will be just as secure and will operate normally. This data is collected by Microsoft and stored with one or more unique identifiers that can help us recognize an individual user on an individual device and understand the device's service issues and use patterns. Diagnostic data is categorized into the following: Microsoft uses diagnostic data to keep Windows secure, up to date, troubleshoot problems, and make product improvements. Regardless of what choices you make for diagnostic data collection, the device will be just as secure and will operate normally. This data is collected by Microsoft and stored with one or more unique identifiers that can help us recognize an individual user on an individual device and understand the device's service issues and use patterns. Diagnostic data is categorized into the following: Cortana is Microsoft’s personal digital assistant, which helps busy people get things done, even while they’re at work. Cortana on Windows is available in [certain regions and languages](https://support.microsoft.com/help/4026948/cortanas-regions-and-languages). Cortana learns from certain data about the user, such as location, searches, calendar, contacts, voice input, speech patterns, email, content and communication history from text messages. In Microsoft Edge, Cortana uses browsing history. The user is in control of how much data is shared. Cortana is Microsoft’s personal digital assistant, which helps busy people get things done, even while they’re at work. Cortana on Windows is available in [certain regions and languages](https://support.microsoft.com/help/4026948/cortanas-regions-and-languages). Cortana learns from certain data about the user, such as location, searches, calendar, contacts, voice input, speech patterns, email, content and communication history from text messages. In Microsoft Edge, Cortana uses browsing history. The user is in control of how much data is shared. Use DES encryption types for this account Provides support for the Data Encryption Standard (DES). DES supports multiple levels of encryption, including Microsoft Point-to-Point Encryption (MPPE) Standard (40-bit and 56-bit), MPPE standard (56-bit), MPPE Strong (128-bit), Internet Protocol security (IPSec) DES (40-bit), IPSec 56-bit DES, and IPSec Triple DES (3DES). DES is not enabled by default in Windows Server operating systems starting with Windows Server 2008 R2, nor in Windows client operating systems starting with Windows 7. For these operating systems, computers will not use DES-CBC-MD5 or DES-CBC-CRC cipher suites by default. If your environment requires DES, then this setting might affect compatibility with client computers or services and applications in your environment. For more information, see Hunting down DES in order to securely deploy Kerberos. DES is not enabled by default in Windows Server operating systems starting with Windows Server 2008 R2, nor in Windows client operating systems starting with Windows 7. For these operating systems, computers will not use DES-CBC-MD5 or DES-CBC-CRC cipher suites by default. If your environment requires DES, then this setting might affect compatibility with client computers or services and applications in your environment. For more information, see Hunting down DES in order to securely deploy Kerberos. Important: Notes: [1703 (RS2)](https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/) [1607 (RS1)](https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016/) [1511 (TH2)](https://blogs.technet.microsoft.com/secguide/2016/01/22/security-baseline-for-windows-10-v1511-threshold-2-final/) [1507 (TH1)](https://blogs.technet.microsoft.com/secguide/2016/01/22/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update/)| October 2017 August 2017 October 2016 January 2016 January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-Windows 8.1 |[9600 (April Update)](https://blogs.technet.microsoft.com/secguide/2014/08/13/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final/)| October 2013| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
-Windows 8 |[9200](https://technet.microsoft.com/library/jj916413.aspx) |October 2012| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
-Windows 7 |[7601 (SP1)](https://technet.microsoft.com/library/ee712767.aspx)| October 2009| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
-| Vista |[6002 (SP2)](https://technet.microsoft.com/library/dd450978.aspx)| January 2007| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
-| Windows XP |[2600 (SP3)](https://technet.microsoft.com/library/cc163061.aspx)| October 2001| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
+|Windows 10 | [1709 (RS3)](/archive/blogs/secguide/security-baseline-for-windows-10-fall-creators-update-v1709-draft) [1703 (RS2)](/archive/blogs/secguide/security-baseline-for-windows-10-creators-update-v1703-final) [1607 (RS1)](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) [1511 (TH2)](/archive/blogs/secguide/security-baseline-for-windows-10-v1511-threshold-2-final) [1507 (TH1)](/archive/blogs/secguide/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update)| October 2017 August 2017 October 2016 January 2016 January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+Windows 8.1 |[9600 (April Update)](/archive/blogs/secguide/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final)| October 2013| [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
+Windows 8 |[9200](/previous-versions/tn-archive/jj916413(v=technet.10)) |October 2012| [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10))|
+Windows 7 |[7601 (SP1)](/previous-versions/tn-archive/ee712767(v=technet.10))| October 2009| [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
+| Vista |[6002 (SP2)](/previous-versions/tn-archive/dd450978(v=technet.10))| January 2007| [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
+| Windows XP |[2600 (SP3)](/previous-versions/tn-archive/cc163061(v=technet.10))| October 2001| [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10))|
-> Starting Monday, October 21, 2019, security intelligence updates will be SHA-2 signed exclusively. Devices must be updated to support SHA-2 in order to get the latest security intelligence updates. To learn more, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus).
-
-Each source has typical scenarios that depend on how your network is configured, in addition to how often they publish updates, as described in the following table:
-
-|Location | Sample scenario |
-|---|---|
-|Windows Server Update Service | You are using Windows Server Update Service to manage updates for your network.|
-|Microsoft Update | You want your endpoints to connect directly to Microsoft Update. This can be useful for endpoints that irregularly connect to your enterprise network, or if you do not use Windows Server Update Service to manage your updates.|
-|File share | You have non-Internet-connected devices (such as VMs). You can use your Internet-connected VM host to download the updates to a network share, from which the VMs can obtain the updates. See the [VDI deployment guide](deployment-vdi-microsoft-defender-antivirus.md) for how file shares can be used in virtual desktop infrastructure (VDI) environments.|
-|Microsoft Endpoint Manager | You are using Microsoft Endpoint Manager to update your endpoints.|
-|Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware (formerly referred to as MMPC) |[Make sure your devices are updated to support SHA-2](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus). Microsoft Defender Antivirus Security intelligence updates are delivered through Windows Update, and starting Monday October 21, 2019 security intelligence updates will be SHA-2 signed exclusively. Manage tamper protection across your tenant | [Manage tamper protection for your organization using the Microsoft Defender Security Center](#manage-tamper-protection-for-your-organization-using-the-microsoft-defender-security-center) |
-| Turn tamper protection on (or off) for all or part of your organization using Intune Fine-tune tamper protection settings in your organization | [Manage tamper protection for your organization using Intune](#manage-tamper-protection-for-your-organization-using-intune) |
-| Turn tamper protection on (or off) for your organization with Configuration Manager | [Manage tamper protection for your organization using tenant attach with Configuration Manager, version 2006](#manage-tamper-protection-for-your-organization-with-configuration-manager-version-2006) |
-| Turn tamper protection on (or off) for an individual device | [Manage tamper protection on an individual device](#manage-tamper-protection-on-an-individual-device) |
-| View details about tampering attempts on devices | [View information about tampering attempts](#view-information-about-tampering-attempts) |
-| Review your security recommendations | [Review security recommendations](#review-your-security-recommendations) |
-| Review the list of frequently asked questions (FAQs) | [Browse the FAQs](#view-information-about-tampering-attempts) |
-
-## Manage tamper protection for your organization using the Microsoft Defender Security Center
-
-Tamper protection can be turned on or off for your tenant using the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)). Here are a few points to keep in mind:
-
-- Currently, the option to manage tamper protection in the Microsoft Defender Security Center is on by default for new deployments. For existing deployments, tamper protection is available on an opt-in basis, with plans to make this the default method in the near future. (To opt in, in the Microsoft Defender Security Center, choose **Settings** > **Advanced features** > **Tamper protection**.)
-
-- When you use the Microsoft Defender Security Center to manage tamper protection, you do not have to use Intune or the tenant attach method.
-
-- When you manage tamper protection in the Microsoft Defender Security Center, the setting is applied tenant wide, affecting all of your devices that are running Windows 10, Windows Server 2016, or Windows Server 2019. To fine-tune tamper protection (such as having tamper protection on for some devices but off for others), use either [Intune](#manage-tamper-protection-for-your-organization-using-intune) or [Configuration Manager with tenant attach](#manage-tamper-protection-for-your-organization-with-configuration-manager-version-2006).
-
-- If you have a hybrid environment, tamper protection settings configured in Intune take precedence over settings configured in the Microsoft Defender Security Center.
-
-### Requirements for managing tamper protection in the Microsoft Defender Security Center
-
-- You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-access.md), such as global admin, security admin, or security operations.
-
-- Your Windows devices must be running one of the following versions of Windows:
- - Windows 10
- - [Windows Server 2019](/windows-server/get-started-19/whats-new-19)
- - Windows Server, version [1803](https://docs.microsoft.com/windows/release-health/status-windows-10-1803) or later
- - [Windows Server 2016](/windows-server/get-started/whats-new-in-windows-server-2016)
- - For more information about releases, see [Windows 10 release information](https://docs.microsoft.com/windows/release-health/release-information).
-
-- Your devices must be [onboarded to Microsoft Defender for Endpoint](../microsoft-defender-atp/onboarding.md).
-
-- Your devices must be using anti-malware platform version 4.18.2010.7 (or above) and anti-malware engine version 1.1.17600.5 (or above). ([Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).)
-
-- [Cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) must be turned on.
-
-### Turn tamper protection on (or off) in the Microsoft Defender Security Center
-
-
-
-1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
-
-2. Choose **Settings**.
-
-3. Go to **General** > **Advanced features**, and then turn tamper protection on.
-
-## Manage tamper protection for your organization using Intune
-
-If you are part of your organization's security team, and your subscription includes [Intune](https://docs.microsoft.com/intune/fundamentals/what-is-intune), you can turn tamper protection on (or off) for your organization in the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com) portal. Use Intune when you want to fine-tune tamper protection settings. For example, if you want to enable tamper protection on some devices, but not all, use Intune.
-
-### Requirements for managing tamper protection in Intune
-
-- You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-access.md), such as global admin, security admin, or security operations.
-
-- Your organization uses [Intune to manage devices](https://docs.microsoft.com/intune/fundamentals/what-is-device-management). ([Intune licenses](https://docs.microsoft.com/intune/fundamentals/licenses) are required; Intune is included in Microsoft 365 E5.)
-
-- Your Windows devices must be running Windows 10 OS [1709](https://docs.microsoft.com/windows/release-health/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-health/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019) or later. (For more information about releases, see [Windows 10 release information](https://docs.microsoft.com/windows/release-health/release-information).)
-
-- You must be using Windows security with [security intelligence](https://www.microsoft.com/wdsi/definitions) updated to version 1.287.60.0 (or above).
-
-- Your devices must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or above). ([Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).)
-
-### Turn tamper protection on (or off) in Intune
-
-
-
-1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com) and sign in with your work or school account.
-
-2. Select **Devices** > **Configuration Profiles**.
-
-3. Create a profile that includes the following settings:
- - **Platform: Windows 10 and later**
- - **Profile type: Endpoint protection**
- - **Category: Microsoft Defender Security Center**
- - **Tamper Protection: Enabled**
-
-4. Assign the profile to one or more groups.
-
-### Are you using Windows OS 1709, 1803, or 1809?
-
-If you are using Windows 10 OS [1709](https://docs.microsoft.com/windows/release-health/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-health/status-windows-10-1803), or [1809](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019), you won't see **Tamper Protection** in the Windows Security app. Instead, you can use PowerShell to determine whether tamper protection is enabled.
-
-#### Use PowerShell to determine whether tamper protection is turned on
-
-1. Open the Windows PowerShell app.
-
-2. Use the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) PowerShell cmdlet.
-
-3. In the list of results, look for `IsTamperProtected`. (A value of *true* means tamper protection is enabled.)
-
-## Manage tamper protection for your organization with Configuration Manager, version 2006
-
-If you're using [version 2006 of Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/plan-design/changes/whats-new-in-version-2006), you can manage tamper protection settings on Windows 10, Windows Server 2016, and Windows Server 2019 by using a method called *tenant attach*. Tenant attach enables you to sync your on-premises-only Configuration Manager devices into the Microsoft Endpoint Manager admin center, and then deliver endpoint security configuration policies to on-premises collections & devices.
-
-
-
-> [!NOTE]
-> The procedure can be used to extend tamper protection to devices running Windows 10 and Windows Server 2019. Make sure to review the prerequisites and other information in the resources mentioned in this procedure.
-
-1. Set up tenant attach. To get help with this, see [Microsoft Endpoint Manager tenant attach: Device sync and device actions](https://docs.microsoft.com/mem/configmgr/tenant-attach/device-sync-actions).
-
-2. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Endpoint security** > **Antivirus**, and then choose **+ Create Policy**.
\
|
+ | **[SetHomeButtonURL](/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl)**
Interactive signage** | **Public browsing
single-app** | **Public browsing
multi-app** | **Normal
mode** |
|------------------|:---------:|:---------:|:---------:|:---------:|
-| [AllowAddressBarDropdown](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowaddressbardropdown) |  |  |  |  |
-| [AllowAutofill](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowautofill) |  |  |  |  |
-| [AllowBrowser](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowbrowser) |  |  |  |  |
-| [AllowConfigurationUpdateForBooksLibrary](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) |  |  |  |  |
-| [AllowCookies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowcookies) |  |  |  |  |
-| [AllowDeveloperTools](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowdevelopertools) |  |  |  |  |
-| [AllowDoNotTrack](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowdonottrack) |  |  |  |  |
-| [AllowExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowextensions) |  |  |  |  |
-| [AllowFlash](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowflash) |  |  |  |  |
-| [AllowFlashClickToRun](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun) | 2 |  |  |  |
-| [AllowFullscreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowfullscreenmode)\* |  |  |  |  |
-| [AllowInPrivate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowinprivate) |  |  |  |  |
-| [AllowMicrosoftCompatibilityList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowmicrosoftcompatibilitylist) |  |  | 1 |  |
-| [AllowPasswordManager](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowpasswordmanager) |  |  |  |  |
-| [AllowPopups](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowpopups) |  |  |  |  |
-| [AllowPrelaunch](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowprelaunch)\* |  |  |  |  |
-| [AllowPrinting](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowprinting)\* |  |  |  |  |
-| [AllowSavingHistory](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsavinghistory)\* |  |  |  |  |
-| [AllowSearchEngineCustomization](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsearchenginecustomization) |  |  |  |  |
-| [AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsearchenginecustomization) |  |  |  |  |
-| [AllowSideloadingExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsideloadingofextensions)\* |  |  |  |  |
-| [AllowSmartScreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) |  |  |  |  |
-| [AllowSyncMySettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings) |  |  |  |  |
-| [AllowTabPreloading](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowtabpreloading)\* |  |  |  |  |
-| [AllowWebContentOnNewTabPage](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowwebcontentonnewtabpage)\* |  |  |  |  |
-| [AlwaysEnabledBooksLibrary](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) |  |  |  |  |
-| [ClearBrowsingDataOnExit](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-clearbrowsingdataonexit) |  |  |  |  |
-| [ConfigureAdditionalSearchEngines](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configureadditionalsearchengines) |  |  |  |  |
-| [ConfigureFavoritesBar](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurefavoritesbar)\* |  |  |  |  |
-| [ConfigureHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton)\* |  |  |  |  |
-| [ConfigureKioskMode](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode)\* |  |  |  |  |
-| [ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout)\* |  |  |  |  |
-| [ConfigureOpenEdgeWith](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith)\* |  |  |  |  |
-| [ConfigureTelemetryForMicrosoft365Analytics](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configuretelemetryformicrosoft365analytics)\* |  |  |  |  |
-| [DisableLockdownOfStartPages](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-disablelockdownofstartpages) |  |  |  |  |
-| [Experience/DoNotSyncBrowserSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-donotsyncbrowsersetting)\* and [Experience/PreventTurningOffRequiredExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventturningoffrequiredextensions)\* |  |  |  |  |
-| [EnableExtendedBooksTelemetry](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) |  |  |  |  |
-| [EnterpriseModeSiteList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) |  |  | 1 |  |
-| [FirstRunURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-firstrunurl) |  |  |  |  |
-| [HomePages](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-homepages) |  |  |  |  |
-| [LockdownFavorites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) |  |  |  |  |
-| [PreventAccessToAboutFlagsInMicrosoftEdge](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventaccesstoaboutflagsinmicrosoftedge) |  |  |  |  |
-| [PreventCertErrorOverrides](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventcerterroroverrides)\* |  |  |  |  |
-| [PreventFirstRunPage](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventfirstrunpage) |  | |  |  |
-| [PreventLiveTileDataCollection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventlivetiledatacollection) |  |  |  |  |
-| [PreventSmartScreenPromptOverride](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverride) |  |  |  |  |
-| [PreventSmartScreenPromptOverrideForFiles](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverrideforfiles) |  |  |  |  |
-| [PreventTurningOffRequiredExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventturningoffrequiredextensions)\* |  |  |  |  |
-| [PreventUsingLocalHostIPAddressForWebRTC](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventusinglocalhostipaddressforwebrtc) |  |  |  |  |
-| [ProvisionFavorites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) |  |  |  |  |
-| [SendIntranetTraffictoInternetExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sendintranettraffictointernetexplorer) |  |  | 1 |  |
-| [SetDefaultSearchEngine](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setdefaultsearchengine) |  |  |  |  |
-| [SetHomeButtonURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl)\* |  |  |  |  |
-| [SetNewTabPageURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl)\* |  |  |  |  |
-| [ShowMessageWhenOpeningInteretExplorerSites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-showmessagewhenopeningsitesininternetexplorer) |  |  | 1 |  |
-| [SyncFavoritesBetweenIEAndMicrosoftEdge](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-syncfavoritesbetweenieandmicrosoftedge) |  |  | 1 |  |
-| [UnlockHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton)\* |  |  |  |  |
-| [UseSharedFolderForBooks](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) |  |  |  |  |
+| [AllowAddressBarDropdown](/windows/client-management/mdm/policy-csp-browser#browser-allowaddressbardropdown) |  |  |  |  |
+| [AllowAutofill](/windows/client-management/mdm/policy-csp-browser#browser-allowautofill) |  |  |  |  |
+| [AllowBrowser](/windows/client-management/mdm/policy-csp-browser#browser-allowbrowser) |  |  |  |  |
+| [AllowConfigurationUpdateForBooksLibrary](/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) |  |  |  |  |
+| [AllowCookies](/windows/client-management/mdm/policy-csp-browser#browser-allowcookies) |  |  |  |  |
+| [AllowDeveloperTools](/windows/client-management/mdm/policy-csp-browser#browser-allowdevelopertools) |  |  |  |  |
+| [AllowDoNotTrack](/windows/client-management/mdm/policy-csp-browser#browser-allowdonottrack) |  |  |  |  |
+| [AllowExtensions](/windows/client-management/mdm/policy-csp-browser#browser-allowextensions) |  |  |  |  |
+| [AllowFlash](/windows/client-management/mdm/policy-csp-browser#browser-allowflash) |  |  |  |  |
+| [AllowFlashClickToRun](/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun) | 2 |  |  |  |
+| [AllowFullscreen](/windows/client-management/mdm/policy-csp-browser#browser-allowfullscreenmode)\* |  |  |  |  |
+| [AllowInPrivate](/windows/client-management/mdm/policy-csp-browser#browser-allowinprivate) |  |  |  |  |
+| [AllowMicrosoftCompatibilityList](/windows/client-management/mdm/policy-csp-browser#browser-allowmicrosoftcompatibilitylist) |  |  | 1 |  |
+| [AllowPasswordManager](/windows/client-management/mdm/policy-csp-browser#browser-allowpasswordmanager) |  |  |  |  |
+| [AllowPopups](/windows/client-management/mdm/policy-csp-browser#browser-allowpopups) |  |  |  |  |
+| [AllowPrelaunch](/windows/client-management/mdm/policy-csp-browser#browser-allowprelaunch)\* |  |  |  |  |
+| [AllowPrinting](/windows/client-management/mdm/policy-csp-browser#browser-allowprinting)\* |  |  |  |  |
+| [AllowSavingHistory](/windows/client-management/mdm/policy-csp-browser#browser-allowsavinghistory)\* |  |  |  |  |
+| [AllowSearchEngineCustomization](/windows/client-management/mdm/policy-csp-browser#browser-allowsearchenginecustomization) |  |  |  |  |
+| [AllowSearchSuggestionsinAddressBar](/windows/client-management/mdm/policy-csp-browser#browser-allowsearchenginecustomization) |  |  |  |  |
+| [AllowSideloadingExtensions](/windows/client-management/mdm/policy-csp-browser#browser-allowsideloadingofextensions)\* |  |  |  |  |
+| [AllowSmartScreen](/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) |  |  |  |  |
+| [AllowSyncMySettings](/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings) |  |  |  |  |
+| [AllowTabPreloading](/windows/client-management/mdm/policy-csp-browser#browser-allowtabpreloading)\* |  |  |  |  |
+| [AllowWebContentOnNewTabPage](/windows/client-management/mdm/policy-csp-browser#browser-allowwebcontentonnewtabpage)\* |  |  |  |  |
+| [AlwaysEnabledBooksLibrary](/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) |  |  |  |  |
+| [ClearBrowsingDataOnExit](/windows/client-management/mdm/policy-csp-browser#browser-clearbrowsingdataonexit) |  |  |  |  |
+| [ConfigureAdditionalSearchEngines](/windows/client-management/mdm/policy-csp-browser#browser-configureadditionalsearchengines) |  |  |  |  |
+| [ConfigureFavoritesBar](/windows/client-management/mdm/policy-csp-browser#browser-configurefavoritesbar)\* |  |  |  |  |
+| [ConfigureHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton)\* |  |  |  |  |
+| [ConfigureKioskMode](/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode)\* |  |  |  |  |
+| [ConfigureKioskResetAfterIdleTimeout](/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout)\* |  |  |  |  |
+| [ConfigureOpenEdgeWith](/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith)\* |  |  |  |  |
+| [ConfigureTelemetryForMicrosoft365Analytics](/windows/client-management/mdm/policy-csp-browser#browser-configuretelemetryformicrosoft365analytics)\* |  |  |  |  |
+| [DisableLockdownOfStartPages](/windows/client-management/mdm/policy-csp-browser#browser-disablelockdownofstartpages) |  |  |  |  |
+| [Experience/DoNotSyncBrowserSettings](/windows/client-management/mdm/policy-csp-experience#experience-donotsyncbrowsersetting)\* and [Experience/PreventTurningOffRequiredExtensions](/windows/client-management/mdm/policy-csp-browser#browser-preventturningoffrequiredextensions)\* |  |  |  |  |
+| [EnableExtendedBooksTelemetry](/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) |  |  |  |  |
+| [EnterpriseModeSiteList](/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) |  |  | 1 |  |
+| [FirstRunURL](/windows/client-management/mdm/policy-csp-browser#browser-firstrunurl) |  |  |  |  |
+| [HomePages](/windows/client-management/mdm/policy-csp-browser#browser-homepages) |  |  |  |  |
+| [LockdownFavorites](/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) |  |  |  |  |
+| [PreventAccessToAboutFlagsInMicrosoftEdge](/windows/client-management/mdm/policy-csp-browser#browser-preventaccesstoaboutflagsinmicrosoftedge) |  |  |  |  |
+| [PreventCertErrorOverrides](/windows/client-management/mdm/policy-csp-browser#browser-preventcerterroroverrides)\* |  |  |  |  |
+| [PreventFirstRunPage](/windows/client-management/mdm/policy-csp-browser#browser-preventfirstrunpage) |  | |  |  |
+| [PreventLiveTileDataCollection](/windows/client-management/mdm/policy-csp-browser#browser-preventlivetiledatacollection) |  |  |  |  |
+| [PreventSmartScreenPromptOverride](/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverride) |  |  |  |  |
+| [PreventSmartScreenPromptOverrideForFiles](/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverrideforfiles) |  |  |  |  |
+| [PreventTurningOffRequiredExtensions](/windows/client-management/mdm/policy-csp-browser#browser-preventturningoffrequiredextensions)\* |  |  |  |  |
+| [PreventUsingLocalHostIPAddressForWebRTC](/windows/client-management/mdm/policy-csp-browser#browser-preventusinglocalhostipaddressforwebrtc) |  |  |  |  |
+| [ProvisionFavorites](/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) |  |  |  |  |
+| [SendIntranetTraffictoInternetExplorer](/windows/client-management/mdm/policy-csp-browser#browser-sendintranettraffictointernetexplorer) |  |  | 1 |  |
+| [SetDefaultSearchEngine](/windows/client-management/mdm/policy-csp-browser#browser-setdefaultsearchengine) |  |  |  |  |
+| [SetHomeButtonURL](/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl)\* |  |  |  |  |
+| [SetNewTabPageURL](/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl)\* |  |  |  |  |
+| [ShowMessageWhenOpeningInteretExplorerSites](/windows/client-management/mdm/policy-csp-browser#browser-showmessagewhenopeningsitesininternetexplorer) |  |  | 1 |  |
+| [SyncFavoritesBetweenIEAndMicrosoftEdge](/windows/client-management/mdm/policy-csp-browser#browser-syncfavoritesbetweenieandmicrosoftedge) |  |  | 1 |  |
+| [UnlockHomeButton](/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton)\* |  |  |  |  |
+| [UseSharedFolderForBooks](/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) |  |  |  |  |
*\* New policy as of Windows 10, version 1809.*
-*2) For digital/interactive signage to enable Flash, set [AllowFlashClickToRun](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun) to 0.*
+*2) For digital/interactive signage to enable Flash, set [AllowFlashClickToRun](/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun) to 0.*
**Legend:**
@@ -276,7 +276,7 @@ In the following table, we show you the features available in both Microsoft Edg
| SKU availability | Windows 10 October 2018 Update
Professional, Enterprise, and Education | Windows 10 April 2018 Update
Professional, Enterprise, and Education |
**\*Windows Defender Firewall**
Your Group Policy tools use the ADMX files in your store, ignoring any local copies. For more information about creating a central store, see Scenario 1: Editing the Local GPO Using ADMX Files.
+
Your Group Policy tools use the ADMX files in your store, ignoring any local copies. For more information about creating a central store, see Scenario 1: Editing the Local GPO Using ADMX Files.
## Administrative Templates-related Group Policy settings
When you install Internet Explorer 11, it updates the local administrative files, Inetres.admx and Inetres.adml, both located in the **PolicyDefinitions** folder.
@@ -76,11 +76,11 @@ IE11 provides these new policy settings, which are editable in the Local Group P
## Editing Group Policy settings
Regardless which tool you're using to edit your Group Policy settings, you'll need to follow one of these guides for step-by-step editing instructions:
-- **If you're using the Group Policy Management Console (GPMC) or the Local Group Policy Editor.** See [Edit Administrative Template Policy Settings](https://go.microsoft.com/fwlink/p/?LinkId=214521) for step-by-step instructions about editing your Administrative Templates.
+- **If you're using the Group Policy Management Console (GPMC) or the Local Group Policy Editor.** See [Edit Administrative Template Policy Settings](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771479(v=ws.11)) for step-by-step instructions about editing your Administrative Templates.
-- **If you're using GPMC with Advanced Group Policy Management (AGPM).** See [Checklist: Create, Edit, and Deploy a GPO](https://go.microsoft.com/fwlink/p/?LinkId=214522) for step-by-step instructions about how to check out a GPO from the AGPM archive, edit it, and request deployment.
+- **If you're using GPMC with Advanced Group Policy Management (AGPM).** See [Checklist: Create, Edit, and Deploy a GPO](/microsoft-desktop-optimization-pack/agpm/checklist-create-edit-and-deploy-a-gpo-agpm40) for step-by-step instructions about how to check out a GPO from the AGPM archive, edit it, and request deployment.
## Related topics
- [Administrative templates (.admx) for Windows 10 April 2018 Update](https://www.microsoft.com/download/details.aspx?id=56880)
- [Administrative templates (.admx) for Windows 10 October 2018 Update](https://www.microsoft.com/download/details.aspx?id=57576)
-- [Administrative Templates (.admx) for Windows 8.1 and Windows Server 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=746580)
+- [Administrative Templates (.admx) for Windows 8.1 and Windows Server 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=746580)
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md
index 7dbfc19776..f87e4e9cc9 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md
@@ -40,7 +40,7 @@ If you experience issues while setting up your proxy server, you can try these t
2. Click **Settings** or **LAN Settings**, and then look at your proxy server address.
-3. If you have multiple proxy servers, click **Advanced** to look at all of the additional addresses.
If IE11 uses a proxy server for local IP addresses, regardless whether you turned on the **Bypass Proxy Server for Local Addresses** option, see [Internet Explorer Uses Proxy Server for Local IP Address Even if the "Bypass Proxy Server for Local Addresses" Option Is Turned On](https://go.microsoft.com/fwlink/p/?LinkId=85652).
+3. If you have multiple proxy servers, click **Advanced** to look at all of the additional addresses.
If IE11 uses a proxy server for local IP addresses, regardless whether you turned on the **Bypass Proxy Server for Local Addresses** option, see [Internet Explorer Uses Proxy Server for Local IP Address Even if the "Bypass Proxy Server for Local Addresses" Option Is Turned On](/troubleshoot/browsers/internet-explorer-uses-proxy-server-local-ip-address).
**To check that you've turned on the correct settings**
@@ -60,7 +60,3 @@ If you experience issues while setting up your proxy server, you can try these t
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md
index 82857ac50e..10ff22508d 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md
@@ -45,7 +45,7 @@ For custom graphics and branding, add the `FEATURE\AUTOCONFIG\BRANDING` registry
## Updating your automatic configuration settings
After adding the `FEATURE\AUTOCONFIG\BRANDING` registry key, you can change your automatic configuration settings to pick up the updated branding.
-
Your branding changes won't be added or updated if you've previously chosen the Disable external branding of IE setting in the User Configuration\Administrative Templates\Windows Components\Internet Explorer Group Policy object. This setting is intended to prevent branding by a third-party, like an Internet service or content provider. For more information about Group Policy, including videos and the latest technical documentation, see the Group Policy TechCenter.
+
Your branding changes won't be added or updated if you've previously chosen the Disable external branding of IE setting in the User Configuration\Administrative Templates\Windows Components\Internet Explorer Group Policy object. This setting is intended to prevent branding by a third-party, like an Internet service or content provider. For more information about Group Policy, including videos and the latest technical documentation, see the Group Policy TechCenter.
**To update your settings**
@@ -72,7 +72,3 @@ You have two options to restrict your users' ability to override the automatic c
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md
index 3e2c898988..bf9f448755 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md
@@ -37,7 +37,7 @@ To use automatic detection, you have to set up your DHCP and DNS servers.
For more information about creating a **WPAD** entry, see [Creating a WPAD entry in DNS](https://go.microsoft.com/fwlink/p/?LinkId=294651).
+6. In your DNS database file, create a host record named, **WPAD**. This record has the IP address of the web server storing your automatic configuration (.js, .jvs, .pac, or .ins) file.
For more information about creating a **WPAD** entry, see [Creating a WPAD entry in DNS](/previous-versions/tn-archive/cc995062(v=technet.10)).
7. After the database file propagates to the server, the DNS name, `wpad.
Internet Explorer 11 creates a default URL template based on the host name, **wpad**. For example, `https://wpad.
Cookies in a roaming profile can only be set by Internet Explorer for the desktop, with Enhanced Protected Mode turned off. Cookies set by the immersive version of IE or by Microsoft Store apps, can’t be part of a roaming profile. For more information about persistent cookies and roaming, see [Persistent cookies are not roamed in Internet Explorer](https://go.microsoft.com/fwlink/p/?LinkId=401545).
+You won’t notice any changes to the management of your roaming profile data if you use our new database implementation in conjunction with the [roaming user profile guidelines](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj649079(v=ws.11)). This means that IE data that’s stored in the `AppData\Roaming` user profile folder is still be uploaded to your normal profile storage location after a user successfully logs off.
Cookies in a roaming profile can only be set by Internet Explorer for the desktop, with Enhanced Protected Mode turned off. Cookies set by the immersive version of IE or by Microsoft Store apps, can’t be part of a roaming profile. For more information about persistent cookies and roaming, see [Persistent cookies are not roamed in Internet Explorer](https://go.microsoft.com/fwlink/p/?LinkId=401545).
To get the best results while using roaming profiles, we strongly recommend the following:
@@ -36,7 +36,4 @@ To get the best results while using roaming profiles, we strongly recommend the
-
-
-
-
+
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md
index 72a5766494..187e1eade3 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md
@@ -29,13 +29,10 @@ Before you install Internet Explorer 11, you should:
- **Choose how you'll deploy your installation package.** Your deployment method should be based on whether you're installing to computers already running Windows, or if you're deploying IE11 as part of a Windows installation.
- - **Existing computers running Windows.** Use System Center R2 2012 System Center 2012 R2 Configuration Manager, System Center Essentials 2010, Windows Server Updates Services (WSUS), or Microsoft Intune to deploy IE11. For more information about how to use these systems, see [System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkID=276664), [System Center Essentials 2010](https://go.microsoft.com/fwlink/p/?LinkId=395200), [Windows Server Update Services](https://go.microsoft.com/fwlink/p/?LinkID=276790), and [Microsoft Intune Overview](https://www.microsoft.com/cloud-platform/microsoft-intune).
+ - **Existing computers running Windows.** Use System Center R2 2012 System Center 2012 R2 Configuration Manager, System Center Essentials 2010, Windows Server Updates Services (WSUS), or Microsoft Intune to deploy IE11. For more information about how to use these systems, see [System Center 2012 R2 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682129(v=technet.10)), [System Center Essentials 2010](https://go.microsoft.com/fwlink/p/?LinkId=395200), [Windows Server Update Services](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh852345(v=ws.11)), and [Microsoft Intune Overview](https://www.microsoft.com/cloud-platform/microsoft-intune).
- - **As part of a Windows deployment.** Update your Windows images to include IE11, and then add the update to your MDT deployment share or to your Windows image. For instructions about how to create and use Windows images, see [Create and Manage a Windows Image Using DISM](https://go.microsoft.com/fwlink/p/?LinkId=299408). For general information about deploying IE, see [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkId=331148), [Windows ADK Overview](https://go.microsoft.com/fwlink/p/?LinkId=276669).
+ - **As part of a Windows deployment.** Update your Windows images to include IE11, and then add the update to your MDT deployment share or to your Windows image. For instructions about how to create and use Windows images, see [Create and Manage a Windows Image Using DISM](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825251(v=win.10)). For general information about deploying IE, see [Microsoft Deployment Toolkit (MDT)](/mem/configmgr/mdt/), [Windows ADK Overview](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825486(v=win.10)).
-
-
-
-
+
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
index 0ffe059374..1acd936993 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
@@ -28,7 +28,7 @@ ms.date: 07/27/2017
Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7. This inventory information helps you build a list of websites used by your company so you can make more informed decisions about your IE deployments, including figuring out which sites might be at risk or require overhauls during future upgrades.
>**Upgrade Readiness and Windows upgrades**
->You can use Upgrade Readiness to help manage your Windows 10 upgrades on devices running Windows 8.1 and Windows 7 (SP1). You can also use Upgrade Readiness to review several site discovery reports. For more information, see [Manage Windows upgrades with Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness).
+>You can use Upgrade Readiness to help manage your Windows 10 upgrades on devices running Windows 8.1 and Windows 7 (SP1). You can also use Upgrade Readiness to review several site discovery reports. For more information, see [Manage Windows upgrades with Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness).
## Before you begin
@@ -36,7 +36,7 @@ Before you start, you need to make sure you have the following:
- Latest cumulative security update (for all supported versions of Internet Explorer):
- 1. Go to the [Microsoft Security Bulletin](https://go.microsoft.com/fwlink/p/?LinkID=718223) page, and change the filter to **Windows Internet Explorer 11**.
+ 1. Go to the [Microsoft Security Bulletin](/security-updates/) page, and change the filter to **Windows Internet Explorer 11**.
@@ -151,7 +151,7 @@ You need to set up your computers for data collection by running the provided Po
**To set up Enterprise Site Discovery**
-- Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1 by by-passing the PowerShell execution policy, using this command: `powershell -ExecutionPolicy Bypass .\IETelemetrySetUp.ps1`. For more info, see [about Execution Policies](https://go.microsoft.com/fwlink/p/?linkid=517460).
+- Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1 by by-passing the PowerShell execution policy, using this command: `powershell -ExecutionPolicy Bypass .\IETelemetrySetUp.ps1`. For more info, see [about Execution Policies](/powershell/module/microsoft.powershell.core/about/about_execution_policies).
### WMI only: Set up your firewall for WMI data
If you choose to use WMI as your data output, you need to make sure that your WMI data can travel through your firewall for the domain. If you’re sure, you can skip this section; otherwise, follow these steps:
@@ -480,7 +480,3 @@ You can completely remove the data stored on your employee’s computers.
## Related topics
* [Enterprise Mode Site List Manager (schema v.2) download](https://go.microsoft.com/fwlink/?LinkId=746562)
* [Enterprise Mode for Internet Explorer 11 (IE11)](enterprise-mode-overview-for-ie11.md)
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md
index ad4441c9e3..2c525dd36c 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md
@@ -61,7 +61,7 @@ Employees assigned to the Requester role can create a change request. A change r
- **App best viewed in.** Select the best browser experience for the app. This can be Internet Explorer 5 through Internet Explorer 11 or one of the IE7Enterprise or IE8Enterprise modes.
- - **Is an x-ua tag used?** Select **Yes** or **No** whether an x-ua-compatible tag is used by the app. For more info about x-ua-compatible tags, see the topics in [Defining document compatibility](https://msdn.microsoft.com/library/cc288325(v=vs.85).aspx).
+ - **Is an x-ua tag used?** Select **Yes** or **No** whether an x-ua-compatible tag is used by the app. For more info about x-ua-compatible tags, see the topics in [Defining document compatibility](/previous-versions/windows/internet-explorer/ie-developer/compatibility/cc288325(v=vs.85)).
4. Click **Save and continue** to save the request and get the app info sent to the pre-production environment site list for testing.
@@ -75,4 +75,4 @@ Employees assigned to the Requester role can create a change request. A change r
## Next steps
-After the change request is created, the Requester must make sure the suggested changes work in the pre-production environment. For these steps, see [Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md).
+After the change request is created, the Requester must make sure the suggested changes work in the pre-production environment. For these steps, see [Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md).
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md
index 342b139714..18ac122bc2 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/customize-ie11-install-packages.md
@@ -36,13 +36,10 @@ In addition, you can configure IE before, during, or after deployment, using the
- **Group Policy**. Configures and enforces IE11 settings. For more information about settings and configuration options, see [Group policy objects and Internet Explorer 11 (IE11)](group-policy-objects-and-ie11.md).
- **Unattend.xml**. Customizes some of the IE settings during your Windows installation. This option only applies if you're updating a Windows image with IE11.
-You'll only see the new IE11 Unattend.xml settings if your Unattend.xml file's associated with a Windows image that includes the IE11 update. For more information about editing and using the Unattend.xml file, see [Unattended Windows Setup Reference](https://go.microsoft.com/fwlink/p/?LinkId=276788). For more information about using the Windows System Image Manager, see [Windows System Image Manager Technical Reference](https://go.microsoft.com/fwlink/p/?LinkId=276789).
+You'll only see the new IE11 Unattend.xml settings if your Unattend.xml file's associated with a Windows image that includes the IE11 update. For more information about editing and using the Unattend.xml file, see [Unattended Windows Setup Reference](/previous-versions/windows/it-pro/windows-8.1-and-8/ff699026(v=win.10)). For more information about using the Windows System Image Manager, see [Windows System Image Manager Technical Reference](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824929(v=win.10)).
-
-
-
-
+
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md
index c3940fbefd..9e65453694 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md
@@ -21,17 +21,14 @@ ms.date: 07/27/2017
If you already manage software distribution and updates on your network through software distribution tools, you can also use these tools for ongoing deployments of Internet Explorer. Software distribution tools include:
-- **System Center R2 2012 System Center 2012 R2 Configuration Manager.** Deploy and install Internet Explorer 11 on your user's computers through a software distribution package. For more information about using this tool, see [System Center R2 2012 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkID=276664).
+- **System Center R2 2012 System Center 2012 R2 Configuration Manager.** Deploy and install Internet Explorer 11 on your user's computers through a software distribution package. For more information about using this tool, see [System Center R2 2012 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682129(v=technet.10)).
-- **Windows Server Update Services (WSUS).** Download a single copy of the IE11 updates, caching them to local servers so your users' computers can receive the updates directly from the WSUS servers, instead of through Windows Update. For more information about using this tool, see [Windows Server Update Services](https://go.microsoft.com/fwlink/p/?LinkID=276790).
+- **Windows Server Update Services (WSUS).** Download a single copy of the IE11 updates, caching them to local servers so your users' computers can receive the updates directly from the WSUS servers, instead of through Windows Update. For more information about using this tool, see [Windows Server Update Services](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh852345(v=ws.11)).
-- **Group Policy Software Installation.** Deploy and install IE11 on your user's computers through a combination of Group Policy and Microsoft Active Directory. For more information about using this tool, see [Group Policy Software Installation overview](https://go.microsoft.com/fwlink/p/?LinkId=296365).
+- **Group Policy Software Installation.** Deploy and install IE11 on your user's computers through a combination of Group Policy and Microsoft Active Directory. For more information about using this tool, see [Group Policy Software Installation overview](/previous-versions/windows/it-pro/windows-server-2003/cc738858(v=ws.10)).
-- **Microsoft Deployment Toolkit (MDT).** Add the IE11 update to your deployment share, using MDT to update your previously-deployed Windows image. For more information about using this tool, see [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkID=331148).
+- **Microsoft Deployment Toolkit (MDT).** Add the IE11 update to your deployment share, using MDT to update your previously-deployed Windows image. For more information about using this tool, see [Microsoft Deployment Toolkit (MDT)](/mem/configmgr/mdt/).
-
-
-
-
+
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md b/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md
index 0177418299..c6d0cce921 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md
@@ -30,10 +30,10 @@ ms.date: 07/27/2017
You can pin websites to the Windows 8.1 taskbar for quick access. You pin a website simply by dragging its tab to the taskbar. Some websites can also extend the icon’s Jump List.
-The ability to pin websites to the Windows 8.1 taskbar can help make end users in businesses more productive. As an IT professional, for example, you can pin intranet and SharePoint websites to the taskbar to make them immediately available to users. In this article, you learn how to deploy pinned websites by using Lite Touch Installation in the [Microsoft Deployment Toolkit (MDT) 2013](https://go.microsoft.com/fwlink/p/?LinkId=398474).
+The ability to pin websites to the Windows 8.1 taskbar can help make end users in businesses more productive. As an IT professional, for example, you can pin intranet and SharePoint websites to the taskbar to make them immediately available to users. In this article, you learn how to deploy pinned websites by using Lite Touch Installation in the [Microsoft Deployment Toolkit (MDT) 2013](/mem/configmgr/mdt/).
## Deploying pinned websites in MDT 2013
-This topic requires that you have a complete MDT 2013 deployment share that contains Windows 8.1 which comes with Internet Explorer 11. If you’re deploying to Windows 7 clients and need to learn how to add IE11 to an MDT 2013 deployment share as an update, see [Installing Internet Explorer 11 using Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkId=398475) in the TechNet library.
+This topic requires that you have a complete MDT 2013 deployment share that contains Windows 8.1 which comes with Internet Explorer 11. If you’re deploying to Windows 7 clients and need to learn how to add IE11 to an MDT 2013 deployment share as an update, see [Installing Internet Explorer 11 using Microsoft Deployment Toolkit (MDT)](./install-ie11-using-operating-system-deployment-systems.md) in the TechNet library.
Deploying pinned websites in MDT 2013 is a 4-step process:
@@ -109,17 +109,14 @@ With the .website files ready to copy to the **Public Links** folder on target c
## Updating intranet websites for pinning
The MDT 2013 deployment share and task sequences are now ready to pin websites to the taskbar during deployment. This pinning feature can include intranet sites important in your organization.
-You can make your intranet websites act more like applications by extending them to fully support the Windows 8.1 taskbar. This includes creating custom Jump Lists, thumbnail previews, and notifications. For info about extending your intranet websites, see [Pinned Sites Developer Documentation](https://go.microsoft.com/fwlink/p/?LinkId=398484) on MSDN. For more ideas about what to pin, see [Add-ons](https://go.microsoft.com/fwlink/p/?LinkId=398483) in the Internet Explorer Gallery.
+You can make your intranet websites act more like applications by extending them to fully support the Windows 8.1 taskbar. This includes creating custom Jump Lists, thumbnail previews, and notifications. For info about extending your intranet websites, see [Pinned Sites Developer Documentation](/previous-versions/windows/internet-explorer/ie-developer/samples/gg491731(v=vs.85)) on MSDN. For more ideas about what to pin, see [Add-ons](https://go.microsoft.com/fwlink/p/?LinkId=398483) in the Internet Explorer Gallery.
## Related topics
-- [Unattended Windows Setup Reference](https://go.microsoft.com/fwlink/p/?LinkId=276788)
-- [Windows System Image Manager Technical Reference](https://go.microsoft.com/fwlink/p/?LinkId=276789)
-- [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkId=331148)
-- [Windows ADK Overview](https://go.microsoft.com/fwlink/p/?LinkId=276669)
+- [Unattended Windows Setup Reference](/previous-versions/windows/it-pro/windows-8.1-and-8/ff699026(v=win.10))
+- [Windows System Image Manager Technical Reference](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824929(v=win.10))
+- [Microsoft Deployment Toolkit (MDT)](/mem/configmgr/mdt/)
+- [Windows ADK Overview](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825486(v=win.10))
-
-
-
-
+
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md
index 7f00307378..0335e7c1dc 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md
@@ -24,11 +24,8 @@ Enhanced Protected Mode further restricts Protected Mode to deny potential attac
You can use your company’s Group Policy to turn Enhanced Protected Mode on or off for all users. For more information, see the [Group policy objects and Internet Explorer 11 (IE11)](group-policy-objects-and-ie11.md) information in this guide.
-For more information about Enhanced Protected Mode, see the [Enhanced Protected Mode](https://go.microsoft.com/fwlink/p/?LinkId=267512) post on IEBlog, and both the [Understanding Enhanced Protected Mode](https://go.microsoft.com/fwlink/p/?LinkId=282662) and the [Enhanced Protected Mode and Local Files](https://go.microsoft.com/fwlink/p/?LinkId=282663) blog posts on IEInternals.
+For more information about Enhanced Protected Mode, see the [Enhanced Protected Mode](https://go.microsoft.com/fwlink/p/?LinkId=267512) post on IEBlog, and both the [Understanding Enhanced Protected Mode](/archive/blogs/ieinternals/understanding-enhanced-protected-mode) and the [Enhanced Protected Mode and Local Files](https://go.microsoft.com/fwlink/p/?LinkId=282663) blog posts on IEInternals.
-
-
-
-
+
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md
index a5abdb8400..333686dc07 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md
@@ -26,7 +26,7 @@ The Internet Explorer 11 Enterprise Mode site list lets you specify document mo
Enterprises can have critical apps that are coded explicitly for a specific browser version and that might not be in their direct control, making it very difficult and expensive to update to modern standards or newer browser versions. Because you can decide which URLs should open using specific document modes, this update helps ensure better compatibility, faster upgrades, and reduced testing and fixing costs.
## How does this fix work?
-You can continue to use your legacy and orphaned web apps, by specifying a document mode in the centralized Enterprise Mode site list. Then, when IE11 goes to a site on your list, the browser loads the page in the specified document mode just as it would if it were specified through an X-UA-Compatible meta tag on the site. For more information about document modes and X-UA-compatible headers, see [Defining document compatibility](https://go.microsoft.com/fwlink/p/?LinkId=518412).
+You can continue to use your legacy and orphaned web apps, by specifying a document mode in the centralized Enterprise Mode site list. Then, when IE11 goes to a site on your list, the browser loads the page in the specified document mode just as it would if it were specified through an X-UA-Compatible meta tag on the site. For more information about document modes and X-UA-compatible headers, see [Defining document compatibility](/previous-versions/windows/internet-explorer/ie-developer/compatibility/cc288325(v=vs.85)).
**Important**
Enterprise Mode takes precedence over document modes, so sites that are already included in the Enterprise Mode site list won’t be affected by this update and will continue to load in Enterprise Mode, as usual.
@@ -48,7 +48,7 @@ To see if this fix might help you, run through this process one step at a time,
2. Starting with the **11 (Default)** option, test your broken scenario.
-If that doesn’t work, continue down to the next lowest document mode, stopping as soon as you find a document mode that fixes your problems. For more information about the Emulation tool, see [Emulate browsers, screen sizes, and GPS locations](https://go.microsoft.com/fwlink/p/?LinkId=518417).
+If that doesn’t work, continue down to the next lowest document mode, stopping as soon as you find a document mode that fixes your problems. For more information about the Emulation tool, see [Emulate browsers, screen sizes, and GPS locations](/previous-versions/windows/internet-explorer/ie-developer/samples/dn255001(v=vs.85)).
3. If none of the document modes fix your issue, change the **Browser Profile** to **Enterprise**, pick the mode you want to test with starting with **8** (IE8 Enterprise Mode), and then test your broken scenario.
@@ -107,7 +107,4 @@ To help you move forward, you can now use the Enterprise Mode site list to speci
- [Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)
-
-
-
-
+
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md
index e1e763af4c..14284fdfe7 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md
@@ -39,14 +39,11 @@ The GPMC lets you:
- Create scriptable interfaces to support all of the operations available within the GPMC. You can't use scripts to edit individual policy settings in a GPO.
-For more information about the GPMC, see [Group Policy Management Console](https://go.microsoft.com/fwlink/p/?LinkId=214515) on TechNet.
+For more information about the GPMC, see [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11)) on TechNet.
## Searching for Group Policy settings
To search for Group Policy settings in the Group Policy Management Console (GPMC), use the [Group Policy Search tool](https://go.microsoft.com/fwlink/p/?LinkId=279857). To find the Group Policy settings, click **Windows Components**, and then click **Internet Explorer**.
-
-
-
-
+
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md
index dce572d812..c3a615888f 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md
@@ -22,7 +22,7 @@ ms.date: 07/27/2017
A Microsoft Management Console (MMC)-based tool that manages both computer and user-related configurations for an individual computer policy. This tool is included with Windows® 7 Service Pack 1 (SP1) and Windows 8.1.
-Here's a list of the policy settings you can use, based on the configuration type. For more info, see [Local Group Policy Editor](https://go.microsoft.com/fwlink/p/?LinkId=294912).
+Here's a list of the policy settings you can use, based on the configuration type. For more info, see [Local Group Policy Editor](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725970(v=ws.11)).
|Computer configuration |User configuration |
|-----------------------|-------------------|
@@ -34,7 +34,4 @@ Here's a list of the policy settings you can use, based on the configuration typ
-
-
-
-
+
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md
index 3eafec01ac..6420ff7796 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-objects-and-ie11.md
@@ -25,7 +25,7 @@ Group Policy, based on Microsoft Active Directory Domain Services (AD DS), lets
By using Group Policy, you can set up a policy setting once, and then copy that setting onto many computers. For example, you can set up multiple Internet Explorer 11 security settings in a GPO that's linked to a domain, and then apply all of those settings to every computer in the domain.
**Note**
-For more information about Group Policy, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514). This site provides links to the latest technical documentation, videos, and downloads for Group Policy.
+For more information about Group Policy, see the [Group Policy TechCenter](/windows/deployment/deploy-whats-new). This site provides links to the latest technical documentation, videos, and downloads for Group Policy.
## Managing settings with GPOs
After deploying IE11 to your organization, you can continue to manage the browser settings by using Active Directory Domain Services (AD DS) together with the following Group Policy-related setting management groups:
@@ -53,7 +53,3 @@ You can use any of these tools to create, manage, view, and troubleshoot Group P
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md
index 26cf3ae659..8cec1052e4 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-problems-ie11.md
@@ -20,14 +20,11 @@ ms.date: 07/27/2017
[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-If you're having problems with Group Policy and Internet Explorer 11, or if you're looking for high-level information about the concepts and techniques used to troubleshoot Group Policy, as well as links to detailed reference topics, procedures, and troubleshooting scenario guides, see [Group Policy Analysis and Troubleshooting Overview](https://go.microsoft.com/fwlink/p/?LinkId=279872).
+If you're having problems with Group Policy and Internet Explorer 11, or if you're looking for high-level information about the concepts and techniques used to troubleshoot Group Policy, as well as links to detailed reference topics, procedures, and troubleshooting scenario guides, see [Group Policy Analysis and Troubleshooting Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj134223(v=ws.11)).
## Group Policy Object-related Log Files
You can use the Event Viewer to review Group Policy-related messages in the **Windows Logs**, **System** file. All of the Group Policy-related events are shown with a source of **GroupPolicy**
-
-
-
-
+
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md
index cd9e8a1740..8a23dbf697 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md
@@ -43,11 +43,8 @@ You can create and configure shortcuts for any domain-based Group Policy Object
5. Type the required shortcut settings and your comments into the **Description** box, and click **OK**.
-For more information about shortcut extensions, including step-by-step guidance, see [Shortcuts Extension](https://go.microsoft.com/fwlink/p/?LinkId=214525) and [Configure a Shortcut Item](https://go.microsoft.com/fwlink/p/?LinkId=301837).
+For more information about shortcut extensions, including step-by-step guidance, see [Shortcuts Extension](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc730592(v=ws.11)) and [Configure a Shortcut Item](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753580(v=ws.11)).
-
-
-
-
+
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md
index 6f57e982ec..9b5677e069 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/group-policy-windows-powershell-ie11.md
@@ -32,11 +32,8 @@ Each cmdlet is a single-function command-line tool that can:
- Configure registry-based policy settings and registry settings for Group Policy preferences.
-For more info about PowerShell and Group Policy management, see [Use Windows PowerShell to Manage Group Policy](https://go.microsoft.com/fwlink/p/?LinkId=276828).
+For more info about PowerShell and Group Policy management, see [Use Windows PowerShell to Manage Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759177(v=ws.11)).
-
-
-
-
+
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md
index bd0befaee9..ba0ca09c45 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md
@@ -22,15 +22,13 @@ ms.date: 05/22/2018
Internet Explorer 11 makes browsing the web faster, easier, safer, and more reliable than ever. To help customers become more secure and up-to-date, Microsoft will distribute Internet Explorer 11 through Automatic Updates and the Windows Update and Microsoft Update sites. Internet Explorer 11 will be available for users of the 32-bit and 64-bit versions of Windows 7 Service Pack 1 (SP1), and 64-bit version of Windows Server 2008 R2 SP1. This article provides an overview of the delivery process and options available for IT administrators to control how and when Internet Explorer 11 is deployed to their organization through Automatic Updates.
-- [Automatic updates delivery process](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#automatic-updates-delivery-process)
+- [Automatic updates delivery process](#automatic-updates-delivery-process)
-- [Internet Explorer 11 automatic upgrades](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#internet-explorer-11-automatic-upgrades)
+- [Internet Explorer 11 automatic upgrades](#internet-explorer-11-automatic-upgrades)
-- [Options for blocking automatic delivery](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#options-for-blocking-automatic-delivery)
+- [Options for blocking automatic delivery](#options-for-blocking-automatic-delivery)
-- [Availability of Internet Explorer 11](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#availability-of-internet-explorer-11)
-
-- [Prevent automatic installation of Internet Explorer 11 with WSUS](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#prevent-automatic-installation-of-internet-explorer-11-with-wsus)
+- [Prevent automatic installation of Internet Explorer 11 with WSUS](#prevent-automatic-installation-of-internet-explorer-11-with-wsus)
## Automatic updates delivery process
@@ -59,7 +57,7 @@ If you use Automatic Updates in your company, but want to stop your users from a
> The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](../ie11-faq/faq-ie11-blocker-toolkit.md).
- **Use an update management solution to control update deployment.**
- If you already use an update management solution, like [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [Microsoft Endpoint Configuration Manager](https://go.microsoft.com/fwlink/?LinkID=276664), you should use that instead of the Internet Explorer Blocker Toolkit.
+ If you already use an update management solution, like [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [Microsoft Endpoint Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682129(v=technet.10)), you should use that instead of the Internet Explorer Blocker Toolkit.
> [!NOTE]
> If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company. This scenario is discussed in detail in the Knowledge Base article [here](https://support.microsoft.com/kb/946202).
@@ -139,8 +137,8 @@ If you need to reset your Update Rollups packages to auto-approve, do this:
- [Internet Explorer 11 Blocker Toolkit download](https://www.microsoft.com/download/details.aspx?id=40722)
-- [Internet Explorer 11 FAQ for IT pros](https://docs.microsoft.com/internet-explorer/ie11-faq/faq-for-it-pros-ie11)
+- [Internet Explorer 11 FAQ for IT pros](../ie11-faq/faq-for-it-pros-ie11.md)
-- [Internet Explorer 11 delivery through automatic updates](https://technet.microsoft.com/microsoft-edge/dn449235)
+- [Internet Explorer 11 delivery through automatic updates]()
-- [Internet Explorer 11 deployment guide](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/index)
+- [Internet Explorer 11 deployment guide](./index.md)
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/index.md b/browsers/internet-explorer/ie11-deploy-guide/index.md
index c40ba230ff..07567e994a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/index.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/index.md
@@ -47,7 +47,7 @@ Because this content isn't intended to be a step-by-step guide, not all of the s
|[What is the Internet Explorer 11 Blocker Toolkit?](what-is-the-internet-explorer-11-blocker-toolkit.md) |The IE11 Blocker Toolkit lets you turn off the automatic delivery of IE11 through the Automatic Updates feature of Windows Update. |
|[Missing Internet Explorer Maintenance (IEM) settings for Internet Explorer 11](missing-internet-explorer-maintenance-settings-for-ie11.md) |The Internet Explorer Maintenance (IEM) settings have been deprecated in favor of Group Policy preferences, Administrative Templates (.admx), and the Internet Explorer Administration Kit 11 (IEAK 11).
Enhanced Protected Mode isn’t supported on Internet Explorer 9 or earlier versions of IE. Therefore, if you’re using Internet Explorer 8 or Internet Explorer 9, all ActiveX controls will always be marked as not EPM-compatible.
+- **Enhanced Protected Mode (EPM)-compatible.** Whether the loaded ActiveX control is compatible with [Enhanced Protected Mode](/troubleshoot/browsers/enhanced-protected-mode-add-on-compatibility).
Enhanced Protected Mode isn’t supported on Internet Explorer 9 or earlier versions of IE. Therefore, if you’re using Internet Explorer 8 or Internet Explorer 9, all ActiveX controls will always be marked as not EPM-compatible.
- **Reason.** The ActiveX control can be blocked or allowed for any of these reasons:
@@ -204,9 +204,8 @@ Before running the PowerShell script, you must copy both the .ps1 and .mof file
```
powershell –ExecutionPolicy Bypass .\ConfigureWMILogging.ps1
```
- For more info, see [about_Execution_Policies](https://go.microsoft.com/fwlink/p/?linkid=517460).
+ For more info, see [about_Execution_Policies](/powershell/module/microsoft.powershell.core/about/about_execution_policies).
3. **Optional:** Set up your domain firewall for WMI data. For more info, see [Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md).
-The inventory info appears in the WMI class, `IEAXControlBlockingAuditInfo`, located in the WMI namespace, *root\\cimv2\\IETelemetry*. To collect the inventory info from your client computers, we recommend using System Center 2012 R2 Configuration Manager or any agent that can access the WMI data. For more info, see [Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md).
-
+The inventory info appears in the WMI class, `IEAXControlBlockingAuditInfo`, located in the WMI namespace, *root\\cimv2\\IETelemetry*. To collect the inventory info from your client computers, we recommend using System Center 2012 R2 Configuration Manager or any agent that can access the WMI data. For more info, see [Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md).
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md b/browsers/internet-explorer/ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md
index acfe82d2a5..bc7c2ddc2a 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/review-neutral-sites-with-site-list-manager.md
@@ -32,7 +32,7 @@ ms.date: 04/02/2020
## Overview
-While converting your site from v.1 schema to v.2 schema using the latest version of the Enterprise Mode Site List Manager, sites with the *doNotTransition=true* in v.1 convert to *open-in=None* in the v.2 schema, which is characterized as a "neutral site". This is the expected behavior for conversion unless you are using Internet Explorer mode (IE mode). When IE mode is enabled, only authentication servers that are used for modern and legacy sites should be set as neutral sites. For more information, see [Configure neutral sites](https://docs.microsoft.com/deployedge/edge-ie-mode-sitelist#configure-neutral-sites). Otherwise, a site meant to open in Edge might potentially be tagged as neutral, which results in inconsistent experiences for users.
+While converting your site from v.1 schema to v.2 schema using the latest version of the Enterprise Mode Site List Manager, sites with the *doNotTransition=true* in v.1 convert to *open-in=None* in the v.2 schema, which is characterized as a "neutral site". This is the expected behavior for conversion unless you are using Internet Explorer mode (IE mode). When IE mode is enabled, only authentication servers that are used for modern and legacy sites should be set as neutral sites. For more information, see [Configure neutral sites](/deployedge/edge-ie-mode-sitelist#configure-neutral-sites). Otherwise, a site meant to open in Edge might potentially be tagged as neutral, which results in inconsistent experiences for users.
The Enterprise Mode Site List Manager provides the ability to flag sites that are listed as neutral sites, but might have been added in error. This check is automatically performed when you are converting from v.1 to v.2 through the tool. This check might flag sites even if there was no prior schema conversion.
@@ -46,5 +46,5 @@ To identify neutral sites to review:
## Related topics
-- [About IE Mode](https://docs.microsoft.com/deployedge/edge-ie-mode)
-- [Configure neutral sites](https://docs.microsoft.com/deployedge/edge-ie-mode-sitelist#configure-neutral-sites)
+- [About IE Mode](/deployedge/edge-ie-mode)
+- [Configure neutral sites](/deployedge/edge-ie-mode-sitelist#configure-neutral-sites)
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md
index 94f9336c89..dd26f8e369 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md
@@ -44,7 +44,7 @@ When you turn logging on, you need a valid URL that points to a server that can
**To set up an endpoint server**
-1. Configure an IIS server to work with your Enterprise Mode data collection process. If you’re unsure how to set up IIS, see the [IIS installation webpage](https://go.microsoft.com/fwlink/p/?LinkId=507609).
+1. Configure an IIS server to work with your Enterprise Mode data collection process. If you’re unsure how to set up IIS, see the [IIS installation webpage](/iis/install/installing-iis-7/installing-necessary-iis-components-on-windows-vista).
2. Open Internet Information Services (IIS) and turn on the ASP components from the **Add Roles and Features Wizard**, **Server Roles** page.
IE11 isn't supported on Windows 8 or Windows Server 2012.
@@ -59,7 +59,3 @@ Computers running localized versions of Windows should run the same version of I
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md
index 750bca0e82..ea71c2a358 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/updated-features-and-tools-with-ie11.md
@@ -44,11 +44,8 @@ Internet Explorer 11 includes several new features and tools. This topic includ
- **IE Administration Kit (IEAK).** Lets you create custom, branded versions of IE11. For more info and to download the tool, see [Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](../ie11-ieak/index.md).
-- **Unattend Settings.** Lets you update the Unattend.xml file, to customize the home page, favorites, search providers, feeds, Accelerators, Web Slices, and settings for top result searches. For more info, see the [Unattend Settings: Microsoft-Windows-IE-InternetExplorer](https://go.microsoft.com/fwlink/p/?LinkId=263709).
+- **Unattend Settings.** Lets you update the Unattend.xml file, to customize the home page, favorites, search providers, feeds, Accelerators, Web Slices, and settings for top result searches. For more info, see the [Unattend Settings: Microsoft-Windows-IE-InternetExplorer](/previous-versions/windows/it-pro/windows-8.1-and-8/ff715726(v=win.10)).
-
-
-
-
+
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md b/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md
index afc27104af..0f65a6f4ac 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/using-inf-files-to-create-install-packages.md
@@ -19,7 +19,7 @@ ms.date: 07/27/2017
[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
-IEAK 11 uses Setup information (.inf) files to provide uninstallation instructions. Uninstallation instructions let your employees remove components, like files, registry entries, or shortcuts, through the **Uninstall or change a program** box. For details about .inf files, see [INF File Sections and Directives](https://go.microsoft.com/fwlink/p/?LinkId=327959).
+IEAK 11 uses Setup information (.inf) files to provide uninstallation instructions. Uninstallation instructions let your employees remove components, like files, registry entries, or shortcuts, through the **Uninstall or change a program** box. For details about .inf files, see [INF File Sections and Directives](/windows-hardware/drivers/install/).
**To add uninstallation instructions to the .inf files**
@@ -37,13 +37,9 @@ IEAK 11 uses Setup information (.inf) files to provide uninstallation instructi
- You can't delete directories.
-- You can't use **RenFiles** to move a file to a different location, it only lets you rename a file in its existing location. For detailed information, see [INF RenFiles Directive](https://go.microsoft.com/fwlink/p/?LinkId=298508).
+- You can't use **RenFiles** to move a file to a different location, it only lets you rename a file in its existing location. For detailed information, see [INF RenFiles Directive](/windows-hardware/drivers/install/inf-renfiles-directive).
-- You can't use **CopyFiles** to copy a file to another place on your hard drive, it can only copy files from the source disk to the destination directory. For information, see [INF CopyFiles Directive](https://go.microsoft.com/fwlink/p/?LinkId=298510).
+- You can't use **CopyFiles** to copy a file to another place on your hard drive, it can only copy files from the source disk to the destination directory. For information, see [INF CopyFiles Directive](/windows-hardware/drivers/install/inf-copyfiles-directive).
-
-
-
-
diff --git a/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md
index 771f7b3439..a216f90395 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md
@@ -23,18 +23,15 @@ ms.date: 07/27/2017
If your company is considering upgrading to the latest version of Internet Explorer, but is hesitant because of a large number of web apps that need to be tested and moved, we recommend that you consider virtualization. Virtualization lets you set up a virtual environment where you can run earlier versions of IE.
**Important**
-We strongly suggest that while you're using virtualization, you also update your web apps so they run natively in the newer version of IE. For more information about how to update your code, see the [Internet Explorer 11 Compatibility Cookbook (Windows)](https://go.microsoft.com/fwlink/p/?LinkId=279707) to learn about the developer features that have been changed or deprecated since Internet Explorer 10.
+We strongly suggest that while you're using virtualization, you also update your web apps so they run natively in the newer version of IE. For more information about how to update your code, see the [Internet Explorer 11 Compatibility Cookbook (Windows)](/previous-versions//dn384049(v=vs.85)) to learn about the developer features that have been changed or deprecated since Internet Explorer 10.
The Microsoft-supported options for virtualizing web apps are:
- **Microsoft Enterprise Desktop Virtualization (MED-V).** Uses Microsoft Virtual PC to provide an enterprise solution for desktop virtualization. With MED-V, you can easily create, deliver, and manage corporate Virtual PC images on any Windows®-based desktop. For more information, see [MED-V](https://go.microsoft.com/fwlink/p/?LinkId=271653).
-- **Client Hyper-V.** Uses the same virtualization technology previously available in Windows Server, but now installed for Windows 8.1. For more information, see [Client Hyper-V](https://go.microsoft.com/fwlink/p/?LinkId=271654).
-The Compat Inspector tool supports Windows Internet Explorer 9 through IE11. For more information, see [Compat Inspector User Guide](https://go.microsoft.com/fwlink/p/?LinkId=313189). In addition, you can use the new [F12 Developer Tools](https://go.microsoft.com/fwlink/p/?LinkId=313190) that are included with IE11, or the [modern.ie](https://go.microsoft.com/fwlink/p/?linkid=308902) website for Microsoft Edge.
+The Compat Inspector tool supports Windows Internet Explorer 9 through IE11. For more information, see [Compat Inspector User Guide](https://go.microsoft.com/fwlink/p/?LinkId=313189). In addition, you can use the new [F12 Developer Tools](/previous-versions/windows/internet-explorer/ie-developer/dev-guides/bg182632(v=vs.85)) that are included with IE11, or the [modern.ie](https://go.microsoft.com/fwlink/p/?linkid=308902) website for Microsoft Edge.
**Q: Why am I having problems launching my legacy apps with Internet Explorer 11**?
It’s most likely because IE no longer starts apps that use managed browser hosting controls, like in the .NET Framework 1.1 and 2.0. You can get IE11 to use managed browser hosting controls again, by:
@@ -78,7 +78,7 @@ It’s most likely because IE no longer starts apps that use managed browser hos
- **For x64 systems or for 64-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\Wow6432Node\.NETFramework` registry key and change the **EnableIEHosting** value to **1**.
-For more information, see the [Web Applications](https://go.microsoft.com/fwlink/p/?LinkId=308903) section of the Application Compatibility in the .NET Framework 4.5 page.
+For more information, see the [Web Applications](/dotnet/framework/migration-guide/application-compatibility) section of the Application Compatibility in the .NET Framework 4.5 page.
**Q: Is there a compatibility list for IE?**
Yes. You can review the XML-based [compatibility version list](https://go.microsoft.com/fwlink/p/?LinkId=403864).
@@ -202,6 +202,6 @@ The following table displays which pages are available in IEAK 11, based on the
## Related topics
-- [Microsoft Edge - Deployment Guide for IT Pros](https://go.microsoft.com/fwlink/p/?LinkId=760643)
+- [Microsoft Edge - Deployment Guide for IT Pros](/microsoft-edge/deploy/)
- [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](../ie11-deploy-guide/index.md)
-- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](../ie11-ieak/index.md)
+- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](../ie11-ieak/index.md)
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md b/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md
index cf59b670d6..551959c31f 100644
--- a/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md
+++ b/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.md
@@ -40,7 +40,7 @@ A. Users running either Windows 7 with Service Pack 1 (SP1) or the 64-bit versi
A. The Blocker Toolkit is currently available from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=40722).
**Q. What tools can I use to manage Windows Updates and Microsoft Updates in my company?**
-A. We encourage anyone who wants full control over their company’s deployment of Windows Updates and Microsoft Updates, to use [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), a free tool for users of Windows Server. You can also use the more advanced configuration management tool, [System Center 2012 Configuration Manager](https://technet.microsoft.com/library/gg682041.aspx).
+A. We encourage anyone who wants full control over their company’s deployment of Windows Updates and Microsoft Updates, to use [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), a free tool for users of Windows Server. You can also use the more advanced configuration management tool, [System Center 2012 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682041(v=technet.10)).
**Q. How long does the blocker mechanism work?**
A. The Internet Explorer 11 Blocker Toolkit uses a registry key value to permanently turn off the automatic delivery of Internet Explorer 11. This behavior lasts as long as the registry key value isn’t removed or changed.
@@ -117,8 +117,8 @@ If these scenarios apply to your company, see [Internet Explorer 11 delivery thr
- [Internet Explorer 11 Blocker Toolkit download](https://www.microsoft.com/download/details.aspx?id=40722)
-- [Internet Explorer 11 FAQ for IT pros](https://docs.microsoft.com/internet-explorer/ie11-faq/faq-for-it-pros-ie11)
+- [Internet Explorer 11 FAQ for IT pros](./faq-for-it-pros-ie11.md)
- [Internet Explorer 11 delivery through automatic updates](../ie11-deploy-guide/ie11-delivery-through-automatic-updates.md)
-- [Internet Explorer 11 deployment guide](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/index)
+- [Internet Explorer 11 deployment guide](../ie11-deploy-guide/index.md)
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-faq/faq-ieak11.md b/browsers/internet-explorer/ie11-faq/faq-ieak11.md
index 929acbed39..674c2a1600 100644
--- a/browsers/internet-explorer/ie11-faq/faq-ieak11.md
+++ b/browsers/internet-explorer/ie11-faq/faq-ieak11.md
@@ -59,7 +59,7 @@ Yes. You can use IEAK 11 to build custom Internet Explorer 11 packages in any of
**Q: Is there a version of the Internet Explorer Administration Kit (IEAK) supporting IE11?**
Yes. The Internet Explorer Administration Kit 11 (IEAK 11) is available for download. IEAK 11 lets you create custom versions of IE11 for use in your organization. For more information, see the following resources:
-- [Internet Explorer Administration Kit Information and Downloads](https://go.microsoft.com/fwlink/p/?LinkId=214250) on the Internet Explorer TechCenter.
+- [Internet Explorer Administration Kit Information and Downloads](../ie11-ieak/ieak-information-and-downloads.md) on the Internet Explorer TechCenter.
- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](../ie11-ieak/index.md)
@@ -118,7 +118,7 @@ IEAK 11 is available in 24 languages but can build customized Internet Explorer
## Additional resources
-[Download IEAK 11](https://technet.microsoft.com/microsoft-edge/bb219517)
-[IEAK 11 overview](https://technet.microsoft.com/microsoft-edge/dn532244)
-[IEAK 11 product documentation](https://docs.microsoft.com/internet-explorer/ie11-ieak/index)
-[IEAK 11 licensing guidelines](../ie11-ieak/licensing-version-and-features-ieak11.md)
+[Download IEAK 11](../ie11-ieak/ieak-information-and-downloads.md)
+[IEAK 11 overview](../ie11-ieak/index.md)
+[IEAK 11 product documentation](../ie11-ieak/index.md)
+[IEAK 11 licensing guidelines](../ie11-ieak/licensing-version-and-features-ieak11.md)
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md b/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md
index 7d4f9344c9..fadc8246a0 100644
--- a/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md
@@ -40,7 +40,7 @@ Automatic detection works even if the browser wasn't originally set up or instal
**To set up automatic detection for DHCP servers**
-- Open the [DHCP Administrative Tool](https://go.microsoft.com/fwlink/p/?LinkId=302212), create a new option type, using the code number 252, and then associate it with the URL to your configuration file. For detailed instructions about how to do this, see [Create an option 252 entry in DHCP](https://go.microsoft.com/fwlink/p/?LinkId=294649).
+- Open the [DHCP Administrative Tool](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd145324(v=ws.10)), create a new option type, using the code number 252, and then associate it with the URL to your configuration file. For detailed instructions about how to do this, see [Create an option 252 entry in DHCP](/previous-versions/tn-archive/bb794881(v=technet.10)).
**Examples:**
`https://www.microsoft.com/webproxy.pac`
@@ -57,10 +57,9 @@ Automatic detection works even if the browser wasn't originally set up or instal
`mailserver1 IN A 192.55.200.51`
For more info about creating a WPAD entry, see Creating a WPAD entry in DNS.
+ Note
For more info about creating a WPAD entry, see Creating a WPAD entry in DNS.
2. After the database file propagates to the server, the DNS name, `wpad.
-IE11 creates a default URL template based on the host name,**wpad**. For example, `https://wpad.
DHCP
@@ -722,16 +722,16 @@ Table 8. AD DS, Azure AD and deployment resources
DNS
AD DS
@@ -765,23 +765,23 @@ Table 9. Management systems and deployment resources
Azure AD
Windows provisioning packages
Group Policy
Configuration Manager
@@ -789,14 +789,14 @@ Table 9. Management systems and deployment resources
@@ -830,23 +830,23 @@ Table 10. Management systems and app deployment resources
MDT
Group Policy
Configuration Manager
@@ -878,7 +878,7 @@ If you do no want to migrate any user or device settings from the Chromebook dev
In the [Plan for email migration](#plan-email-migrate) section, you identified the user mailboxes to migrate, identified the companion devices that access Google Apps Gmail, and identified the optimal timing for migration. You can perform this migration before or after you deploy the Windows devices.
-Office 365 supports automated migration from Google Apps Gmail to Office 365. For more information on how to automate the migration from Google Apps Gmail to Office 365, see [Migrate Google Apps mailboxes to Office 365](https://go.microsoft.com/fwlink/p/?LinkId=690252).
+Office 365 supports automated migration from Google Apps Gmail to Office 365. For more information on how to automate the migration from Google Apps Gmail to Office 365, see [Migrate Google Apps mailboxes to Office 365](/Exchange/mailbox-migration/migrating-imap-mailboxes/migrate-g-suite-mailboxes).
Alternatively, if you want to migrate to Office 365 from:
@@ -886,9 +886,9 @@ Alternatively, if you want to migrate to Office 365 from:
- [Cutover Exchange Migration and Single Sign-On](https://go.microsoft.com/fwlink/p/?LinkId=690266)
- - [Step-By-Step: Migration of Exchange 2003 Server to Office 365](https://go.microsoft.com/fwlink/p/?LinkId=690267)
+ - [Step-By-Step: Migration of Exchange 2003 Server to Office 365](/archive/blogs/canitpro/step-by-step-migration-of-exchange-2003-server-to-office-365)
- - [Step-By-Step: Migrating from Exchange 2007 to Office 365](https://go.microsoft.com/fwlink/p/?LinkId=690268)
+ - [Step-By-Step: Migrating from Exchange 2007 to Office 365](/archive/blogs/canitpro/step-by-step-migrating-from-exchange-2007-to-office-365)
- **Another on-premises or cloud-based email service.** Follow the guidance from that vendor.
@@ -929,15 +929,15 @@ For example, if you selected to deploy Windows devices by each classroom, start
In some instances, you may receive the devices with Windows 10 already deployed, and want to use provisioning packages. In other cases, you may have a custom Windows 10 image that you want to deploy to the devices by using Configuration Manager and/or MDT. For information on how to deploy Windows 10 images to the devices, see the following resources:
-- [Windows Imaging and Configuration Designer](https://go.microsoft.com/fwlink/p/?LinkId=733911)
+- [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd)
-- [Build and apply a provisioning package](https://go.microsoft.com/fwlink/p/?LinkId=733918)
+- [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package)
- [MDT documentation in the Microsoft Deployment Toolkit (MDT) 2013](https://go.microsoft.com/fwlink/p/?LinkId=690324)
-- [Step-By-Step: Installing Windows 8.1 From A USB Key](https://go.microsoft.com/fwlink/p/?LinkId=690265)
+- [Step-By-Step: Installing Windows 8.1 From A USB Key](/archive/blogs/canitpro/step-by-step-installing-windows-8-1-from-a-usb-key)
-- [Operating System Deployment in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=733916)
+- [Operating System Deployment in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682018(v=technet.10))
In addition to the Windows 10 image deployment, you may need to perform the following tasks as a part of device deployment:
@@ -954,15 +954,9 @@ After you complete these steps, your management system should take over the day-
## Related topics
-[Try it out: Windows 10 deployment (for education)](https://go.microsoft.com/fwlink/p/?LinkId=623254)
+[Try it out: Windows 10 deployment (for education)](../index.yml)
-[Try it out: Windows 10 in the classroom](https://go.microsoft.com/fwlink/p/?LinkId=623255)
+[Try it out: Windows 10 in the classroom](../index.yml)
-
-
-
-
-
-
diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md
index 71f603bec9..f662b8ac78 100644
--- a/education/windows/configure-windows-for-education.md
+++ b/education/windows/configure-windows-for-education.md
@@ -20,7 +20,7 @@ manager: dansimp
- Windows 10
-Privacy is important to us, we want to provide you with ways to customize the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, for usage with [education editions of Windows 10](windows-editions-for-education-customers.md) in education environments. These features work on all Windows 10 editions, but education editions of Windows 10 have the settings preconfigured. We recommend that all Windows 10 devices in an education setting be configured with **[SetEduPolicies](https://docs.microsoft.com/education/windows/configure-windows-for-education#setedupolicies)** enabled. See the following table for more information. To learn more about Microsoft's commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305).
+Privacy is important to us, we want to provide you with ways to customize the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, for usage with [education editions of Windows 10](windows-editions-for-education-customers.md) in education environments. These features work on all Windows 10 editions, but education editions of Windows 10 have the settings preconfigured. We recommend that all Windows 10 devices in an education setting be configured with **[SetEduPolicies](#setedupolicies)** enabled. See the following table for more information. To learn more about Microsoft's commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305).
We want all students to have the chance to use the apps they need for success in the classroom and all school personnel to have apps they need for their job. Students and school personnel who use assistive technology apps not available in the Microsoft Store for Education, and use devices running Windows 10 S, will be able to configure the device at no additional charge to Windows 10 Pro Education. To learn more about the steps to configure this, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md).
@@ -28,12 +28,12 @@ In Windows 10, version 1703 (Creators Update), it is straightforward to configur
| Area | How to configure | What this does | Windows 10 Education | Windows 10 Pro Education | Windows 10 S |
| --- | --- | --- | --- | --- | --- |
-| **Diagnostic Data** | **AllowTelemetry** | Sets Diagnostic Data to [Basic](https://docs.microsoft.com/windows/configuration/configure-windows-telemetry-in-your-organization) | This is already set | This is already set | The policy must be set |
+| **Diagnostic Data** | **AllowTelemetry** | Sets Diagnostic Data to [Basic](/windows/configuration/configure-windows-telemetry-in-your-organization) | This is already set | This is already set | The policy must be set |
| **Microsoft consumer experiences** | **SetEduPolicies** | Disables suggested content from Windows such as app recommendations | This is already set | This is already set | The policy must be set |
| **Cortana** | **AllowCortana** | Disables Cortana * Cortana is enabled by default on all editions in Windows 10, version 1703 | If using Windows 10 Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana. See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | If using Windows 10 Pro Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana. See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. |
| **Safe search** | **SetEduPolicies** | Locks Bing safe search to Strict in Microsoft Edge | This is already set | This is already set | The policy must be set |
| **Bing search advertising** | Ad free search with Bing | Disables ads when searching the internet with Bing in Microsoft Edge. See [Ad-free search with Bing](#ad-free-search-with-bing | View configuration instructions as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | View configuration instructions as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | View configuration instructions as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) |
-| **Apps** | **SetEduPolicies** | Preinstalled apps like Microsoft Edge, Movies & TV, Groove, and Skype become education ready * Any app can detect Windows is running in an education ready configuration through [IsEducationEnvironment](https://docs.microsoft.com/uwp/api/windows.system.profile.educationsettings) | This is already set | This is already set | The policy must be set |
+| **Apps** | **SetEduPolicies** | Preinstalled apps like Microsoft Edge, Movies & TV, Groove, and Skype become education ready * Any app can detect Windows is running in an education ready configuration through [IsEducationEnvironment](/uwp/api/windows.system.profile.educationsettings) | This is already set | This is already set | The policy must be set |
## Recommended configuration
@@ -50,7 +50,7 @@ It is easy to be education ready when using Microsoft products. We recommend the
3. On PCs running Windows 10, version 1703:
1. Provision the PC using one of these methods:
* [Provision PCs with the Set up School PCs app](use-set-up-school-pcs-app.md) - This will automatically set both **SetEduPolicies** to True and **AllowCortana** to False.
- * [Provision PCs with a custom package created with Windows Configuration Designer](https://technet.microsoft.com/itpro/windows/configure/provisioning-create-package) - Make sure to set both **SetEduPolicies** to True and **AllowCortana** to False.
+ * [Provision PCs with a custom package created with Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package) - Make sure to set both **SetEduPolicies** to True and **AllowCortana** to False.
2. Join the PC to Azure Active Directory.
* Use Set up School PCs or Windows Configuration Designer to bulk enroll to Azure AD.
* Manually Azure AD join the PC during the Windows device setup experience.
@@ -74,10 +74,10 @@ You can configure Windows through provisioning or management tools including ind
You can set all the education compliance areas through both provisioning and management tools. Additionally, these Microsoft education tools will ensure PCs that you set up are education ready:
- [Set up School PCs](use-set-up-school-pcs-app.md)
-- [Intune for Education](https://docs.microsoft.com/intune-education/available-settings)
+- [Intune for Education](/intune-education/available-settings)
## AllowCortana
-**AllowCortana** is a policy that enables or disables Cortana. It is a policy node in the Policy configuration service provider, [AllowCortana](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowcortana).
+**AllowCortana** is a policy that enables or disables Cortana. It is a policy node in the Policy configuration service provider, [AllowCortana](/windows/client-management/mdm/policy-configuration-service-provider#experience-allowcortana).
> [!NOTE]
> See the [Recommended configuration](#recommended-configuration) section for recommended Cortana settings.
@@ -103,13 +103,13 @@ Set **Computer Configuration > Administrative Templates > Windows Components > S
### Provisioning tools
- [Set up School PCs](use-set-up-school-pcs-app.md) always sets this policy in provisioning packages it creates.
-- [Windows Configuration Designer](https://technet.microsoft.com/itpro/windows/configure/provisioning-create-package)
+- [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package)
- Under **Runtime settings**, click the **Policies** settings group, set **Experience > Cortana** to **No**.
## SetEduPolicies
-**SetEduPolicies** is a policy that applies a set of configuration behaviors to Windows. It is a policy node in the [SharedPC configuration service provider](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/sharedpc-csp).
+**SetEduPolicies** is a policy that applies a set of configuration behaviors to Windows. It is a policy node in the [SharedPC configuration service provider](/windows/client-management/mdm/sharedpc-csp).
Use one of these methods to set this policy.
@@ -126,7 +126,7 @@ Use one of these methods to set this policy.
### Group Policy
-**SetEduPolicies** is not natively supported in Group Policy. Instead, use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224(v=vs.85).aspx) to set the policy in [MDM SharedPC](https://msdn.microsoft.com/library/windows/desktop/mt779129(v=vs.85).aspx).
+**SetEduPolicies** is not natively supported in Group Policy. Instead, use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to set the policy in [MDM SharedPC](/windows/win32/dmwmibridgeprov/mdm-sharedpc).
For example:
@@ -144,7 +144,7 @@ For example:
### Provisioning tools
- [Set up School PCs](use-set-up-school-pcs-app.md) always sets this policy in provisioning packages it creates.
-- [Windows Configuration Designer](https://technet.microsoft.com/itpro/windows/configure/provisioning-create-package)
+- [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package)
- Under **Runtime settings**, click the **SharedPC** settings group, set **PolicyCustomization > SetEduPolicies** to **True**.
@@ -172,4 +172,4 @@ To suppress ads only when the student signs into Bing with their Office 365 acco
## Related topics
-[Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)
+[Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)
\ No newline at end of file
diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md
index d2a18c7393..79c0a643ed 100644
--- a/education/windows/deploy-windows-10-in-a-school-district.md
+++ b/education/windows/deploy-windows-10-in-a-school-district.md
@@ -81,9 +81,9 @@ This district configuration has the following characteristics:
* The devices use Azure AD in Office 365 Education for identity management.
-* If you have on-premises AD DS, you can [integrate Azure AD with on-premises AD DS](https://azure.microsoft.com/documentation/articles/active-directory-aadconnect/).
+* If you have on-premises AD DS, you can [integrate Azure AD with on-premises AD DS](/azure/active-directory/hybrid/whatis-hybrid-identity).
-* Use [Intune](https://docs.microsoft.com/intune/), [Mobile Device Management for Office 365](https://support.office.com/en-us/article/Set-up-Mobile-Device-Management-MDM-in-Office-365-dd892318-bc44-4eb1-af00-9db5430be3cd?ui=en-US&rs=en-US&ad=US), or [Group Policy in AD DS](https://technet.microsoft.com/library/cc725828.aspx) to manage devices.
+* Use [Intune](/intune/), [Mobile Device Management for Office 365](https://support.office.com/en-us/article/Set-up-Mobile-Device-Management-MDM-in-Office-365-dd892318-bc44-4eb1-af00-9db5430be3cd?ui=en-US&rs=en-US&ad=US), or [Group Policy in AD DS](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725828(v=ws.10)) to manage devices.
* Each device supports a one-student-per-device or multiple-students-per-device scenario.
@@ -93,7 +93,7 @@ This district configuration has the following characteristics:
* The devices can be a mixture of different Windows 10 editions, such as Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education.
-Use these characteristics at a minimum as you deploy your schools. If your district deployment is less complex, you may want to review the guidance in [Deploy Windows 10 in a school](https://technet.microsoft.com/edu/windows/deploy-windows-10-in-a-school).
+Use these characteristics at a minimum as you deploy your schools. If your district deployment is less complex, you may want to review the guidance in [Deploy Windows 10 in a school](./deploy-windows-10-in-a-school.md).
> [!NOTE]
> This guide focuses on Intune as the mobile device management (MDM) solution. If you want to use an MDM solution other than Intune, ignore the Intune-specific content in this guide. For each section, contact your MDM provider to determine the features and management capabilities for your institution.
@@ -138,7 +138,7 @@ The primary tool you will use to deploy Windows 10 in your school is MDT, which
You can use MDT as a stand-alone tool or integrate it with Microsoft Endpoint Configuration Manager. As a stand-alone tool, MDT performs Lite Touch Installation (LTI) deployments—deployments that require minimal infrastructure and allow you to control the level of automation. When integrated with Configuration Manager, MDT performs Zero Touch Installation (ZTI) deployments, which require more infrastructure (such as Configuration Manager) but result in fully automated deployments.
-This guide focuses on LTI deployments to deploy the reference device. You can use ZTI deployments with Configuration Manager or LTI deployments to deploy the reference images to your faculty and student devices. If you want to only use MDT, see [Deploy Windows 10 in a school](https://technet.microsoft.com/edu/windows/deploy-windows-10-in-a-school).
+This guide focuses on LTI deployments to deploy the reference device. You can use ZTI deployments with Configuration Manager or LTI deployments to deploy the reference images to your faculty and student devices. If you want to only use MDT, see [Deploy Windows 10 in a school](./deploy-windows-10-in-a-school.md).
MDT includes the Deployment Workbench, a console from which you can manage the deployment of Windows 10 and your apps. You configure the deployment process in the Deployment Workbench, including the management of operating systems, device drivers, apps, and migration of user settings on existing devices.
@@ -406,7 +406,7 @@ Record the configuration setting management methods you selected in Table 5. Alt
#### Select the app and update management products
-For a district, there are many ways to manage apps and software updates. Table 6 lists the products that this guide describes and recommends. Although you could manage updates by using [Windows Updates or Windows Server Update Services (WSUS)](https://technet.microsoft.com/windowsserver/bb332157.aspx), you still need to Configuration Manager or Intune to manage apps. Therefore, it only makes sense to use one or both of these tools for update management.
+For a district, there are many ways to manage apps and software updates. Table 6 lists the products that this guide describes and recommends. Although you could manage updates by using [Windows Updates or Windows Server Update Services (WSUS)](/windows/deployment/deploy-whats-new), you still need to Configuration Manager or Intune to manage apps. Therefore, it only makes sense to use one or both of these tools for update management.
Use the information in Table 6 to determine which combination of app and update management products is right for your district.
@@ -547,7 +547,7 @@ When you install the Windows ADK on the admin device, select the following featu
* Windows PE
* USMT
-For more information about installing the Windows ADK, see [Step 2-2: Install Windows ADK](https://technet.microsoft.com/library/dn781086.aspx#InstallWindowsADK).
+For more information about installing the Windows ADK, see [Step 2-2: Install Windows ADK](/mem/configmgr/mdt/lite-touch-installation-guide#InstallWindowsADK).
### Install MDT
@@ -557,7 +557,7 @@ You can use MDT to deploy 32-bit or 64-bit versions of Windows 10. Install the 6
> [!NOTE]
> If you install the 32-bit version of MDT, you can install only 32-bit versions of Windows 10. Ensure that you download and install the 64-bit version of MDT so that you can install 64-bit and 32-bit versions of the operating system.
-For more information about installing MDT on the admin device, see [Installing a New Instance of MDT](https://technet.microsoft.com/library/dn759415.aspx#InstallingaNewInstanceofMDT).
+For more information about installing MDT on the admin device, see [Installing a New Instance of MDT](/mem/configmgr/mdt/use-the-mdt#InstallingaNewInstanceofMDT).
Now, you’re ready to create the MDT deployment share and populate it with the operating system, apps, and device drivers you want to deploy to your devices.
@@ -565,7 +565,7 @@ Now, you’re ready to create the MDT deployment share and populate it with the
MDT includes the Deployment Workbench, a graphical UI that you can use to manage MDT deployment shares. A *deployment share* is a shared folder that contains all the MDT deployment content. The LTI Deployment Wizard accesses the deployment content over the network or from a local copy of the deployment share (known as MDT *deployment media*).
-For more information about how to create a deployment share, see [Step 3-1: Create an MDT Deployment Share](https://technet.microsoft.com/library/dn781086.aspx#CreateMDTDeployShare).
+For more information about how to create a deployment share, see [Step 3-1: Create an MDT Deployment Share](/mem/configmgr/mdt/lite-touch-installation-guide#CreateMDTDeployShare).
### Install the Configuration Manager console
@@ -574,7 +574,7 @@ For more information about how to create a deployment share, see [Step 3-1: Crea
You can use Configuration Manager to manage Windows 10 deployments, Windows desktop apps, Microsoft Store apps, and software updates. To manage Configuration Manager, you use the Configuration Manager console. You must install the Configuration Manager console on every device you use to manage Configuration Manager (specifically, the admin device). The Configuration Manager console is automatically installed when you install Configuration Manager primary site servers.
-For more information about how to install the Configuration Manager console, see [Install Microsoft Endpoint Manager consoles](https://technet.microsoft.com/library/mt590197.aspx#bkmk_InstallConsole).
+For more information about how to install the Configuration Manager console, see [Install Microsoft Endpoint Manager consoles](/mem/configmgr/core/servers/deploy/install/installing-sites#bkmk_InstallConsole).
### Configure MDT integration with the Configuration Manager console
@@ -585,7 +585,7 @@ You can use MDT with Configuration Manager to make ZTI operating system deployme
In addition to the admin device, run the Configure ConfigMgr Integration Wizard on each device that runs the Configuration Manager console to ensure that all Configuration Manager console installation can use the power of MDT–Configuration Manager integration.
-For more information, see [Enable Configuration Manager Console Integration for Configuration Manager](https://technet.microsoft.com/library/dn759415.aspx#EnableConfigurationManagerConsoleIntegrationforConfigurationManager).
+For more information, see [Enable Configuration Manager Console Integration for Configuration Manager](/mem/configmgr/mdt/use-the-mdt#EnableConfigurationManagerConsoleIntegrationforConfigurationManager).
#### Summary
@@ -616,7 +616,7 @@ Complete the following steps to select the appropriate Office 365 Education lice
3. Determine whether students or faculty need Azure Rights Management.
- You can use Azure Rights Management to protect classroom information against unauthorized access. Azure Rights Management protects your information inside or outside the classroom through encryption, identity, and authorization policies, securing your files and email. You can retain control of the information, even when it’s shared with people outside the classroom or your educational institution. Azure Rights Management is free to use with all Office 365 Education license plans. For more information, see [Azure Rights Management Documentation](https://docs.microsoft.com/rights-management/).
+ You can use Azure Rights Management to protect classroom information against unauthorized access. Azure Rights Management protects your information inside or outside the classroom through encryption, identity, and authorization policies, securing your files and email. You can retain control of the information, even when it’s shared with people outside the classroom or your educational institution. Azure Rights Management is free to use with all Office 365 Education license plans. For more information, see [Azure Rights Management Documentation](/rights-management/).
4. Record the Office 365 Education license plans needed for the classroom in Table 9.
@@ -727,13 +727,13 @@ Although all new Office 365 Education subscriptions have automatic licensing ena
When you create your Office 365 subscription, you create an Office 365 tenant that includes an Azure AD directory, the centralized repository for all your student and faculty accounts in Office 365, Intune, and other Azure AD-integrated apps. Azure AD is available in Free, Basic, and Premium editions. Azure AD Free, which is included in Office 365 Education, has fewer features than Azure AD Basic, which in turn has fewer features than Azure AD Premium.
-Educational institutions can obtain Azure AD Basic edition licenses at no cost if they have a volume license agreement. After your institution obtains its licenses, activate your Azure AD access by completing the steps in [Step 3: Activate your Azure Active Directory access](https://azure.microsoft.com/documentation/articles/active-directory-get-started-premium/#step-3-activate-your-azure-active-directory-access).
+Educational institutions can obtain Azure AD Basic edition licenses at no cost if they have a volume license agreement. After your institution obtains its licenses, activate your Azure AD access by completing the steps in [Step 3: Activate your Azure Active Directory access](/azure/active-directory/fundamentals/active-directory-get-started-premium#step-3-activate-your-azure-active-directory-access).
The following Azure AD Premium features are not in Azure AD Basic:
* Allow designated users to manage group membership
* Dynamic group membership based on user metadata
-* Azure AD Multi-Factor Authentication (MFA; see [What is Azure AD Multi-Factor Authentication](https://azure.microsoft.com/documentation/articles/multi-factor-authentication/))
+* Azure AD Multi-Factor Authentication (MFA; see [What is Azure AD Multi-Factor Authentication](/azure/active-directory/authentication/concept-mfa-howitworks))
* Identify cloud apps that your users run
* Self-service recovery of BitLocker
* Add local administrator accounts to Windows 10 devices
@@ -746,8 +746,8 @@ You can sign up for Azure AD Premium, and then assign licenses to users. In this
For more information about:
-* Azure AD editions and the features in each, see [Azure Active Directory editions](https://azure.microsoft.com/documentation/articles/active-directory-editions/).
-* How to enable Azure AD premium, see [Associate an Azure AD directory with a new Azure subscription](https://msdn.microsoft.com/library/azure/jj573650.aspx#create_tenant3).
+* Azure AD editions and the features in each, see [Azure Active Directory editions](/azure/active-directory/fundamentals/active-directory-whatis).
+* How to enable Azure AD premium, see [Associate an Azure AD directory with a new Azure subscription](/previous-versions/azure/azure-services/jj573650(v=azure.100)#create_tenant3).
#### Summary
@@ -765,7 +765,7 @@ Now that you have an Office 365 subscription, you must determine how you’ll cr
In this method, you have an on-premises AD DS domain. As shown in Figure 5, the Azure AD Connector tool automatically synchronizes AD DS with Azure AD. When you add or change any user accounts in AD DS, the Azure AD Connector tool automatically updates Azure AD.
> [!NOTE]
-> Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](https://technet.microsoft.com/library/dn510997.aspx).
+> Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](/previous-versions/mim/dn510997(v=ws.10)).
> [!div class="mx-imgBorder"]
> 
@@ -823,7 +823,7 @@ You can deploy the Azure AD Connect tool:
*Figure 8. Azure AD Connect in Azure*
-This guide describes how to run Azure AD Connect on premises. For information about running Azure AD Connect in Azure, see [Deploy Office 365 Directory Synchronization (DirSync) in Microsoft Azure](https://technet.microsoft.com/library/dn635310.aspx).
+This guide describes how to run Azure AD Connect on premises. For information about running Azure AD Connect in Azure, see [Deploy Office 365 Directory Synchronization (DirSync) in Microsoft Azure](/microsoft-365/enterprise/deploy-microsoft-365-directory-synchronization-dirsync-in-microsoft-azure).
### Deploy Azure AD Connect on premises
@@ -835,9 +835,9 @@ In this synchronization model (illustrated in Figure 7), you run Azure AD Connec
2. In the VM or on the physical device that will run Azure AD Connect, sign in with a domain administrator account.
-3. Install Azure AD Connect by performing the steps in [Install Azure AD Connect](https://azure.microsoft.com/documentation/articles/active-directory-aadconnect/#install-azure-ad-connect).
+3. Install Azure AD Connect by performing the steps in [Install Azure AD Connect](/azure/active-directory/hybrid/whatis-hybrid-identity#install-azure-ad-connect).
-4. Configure Azure AD Connect features based on your institution’s requirements by performing the steps in [Configure sync features](https://azure.microsoft.com/documentation/articles/active-directory-aadconnect/#configure-sync-features).
+4. Configure Azure AD Connect features based on your institution’s requirements by performing the steps in [Configure sync features](/azure/active-directory/hybrid/whatis-hybrid-identity#configure-sync-features).
Now that you have used on premises Azure AD Connect to deploy AD DS and Azure AD synchronization, you’re ready to verify that Azure AD Connect is synchronizing AD DS user and group accounts with Azure AD.
@@ -885,9 +885,9 @@ Several methods are available to bulk-import user accounts into AD DS domains. T
|Method |Description and reason to select this method |
|-------|---------------------------------------------|
-|Ldifde.exe|This command-line tool allows you to import and export objects (such as user accounts) from AD DS. Select this method if you aren't comfortable with Microsoft Visual Basic Scripting Edition (VBScript), Windows PowerShell, or other scripting languages. For more information about using Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).|
-|VBScript|This scripting language uses the Active Directory Services Interfaces (ADSI) Component Object Model interface to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with VBScript. For more information about using VBScript and ADSI, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/library/bb727091.aspx) and [ADSI Scriptomatic](https://technet.microsoft.com/scriptcenter/dd939958.aspx).|
-|Windows PowerShell|This scripting language natively supports cmdlets to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with Window PowerShell scripting. For more information about using Windows PowerShell, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).|
+|Ldifde.exe|This command-line tool allows you to import and export objects (such as user accounts) from AD DS. Select this method if you aren't comfortable with Microsoft Visual Basic Scripting Edition (VBScript), Windows PowerShell, or other scripting languages. For more information about using Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](/previous-versions/windows/it-pro/windows-2000-server/bb727091(v=technet.10)), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/kb/555636), [Import or Export Directory Objects Using Ldifde](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc816781(v=ws.10)), and [LDIFDE](/previous-versions/orphan-topics/ws.10/cc755456(v=ws.10)).|
+|VBScript|This scripting language uses the Active Directory Services Interfaces (ADSI) Component Object Model interface to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with VBScript. For more information about using VBScript and ADSI, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](/previous-versions/windows/it-pro/windows-2000-server/bb727091(v=technet.10)) and [ADSI Scriptomatic](https://technet.microsoft.com/scriptcenter/dd939958.aspx).|
+|Windows PowerShell|This scripting language natively supports cmdlets to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with Window PowerShell scripting. For more information about using Windows PowerShell, see [Import Bulk Users to Active Directory](/archive/blogs/technet/bettertogether/import-bulk-users-to-active-directory) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).|
*Table 12. AD DS bulk-import account methods*
@@ -897,9 +897,9 @@ After you have selected your user and group account bulk import method, you’re
|Method |Source file format |
|-------|-------------------|
-|Ldifde.exe |Ldifde.exe requires a specific format for the source file. Use Ldifde.exe to export existing user and group accounts so that you can see the format. For examples of the format that Ldifde.exe requires, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).|
-|VBScript |VBScript can use any .csv file format to create a source file for the bulk-import process. To create the .csv file, use software such as Excel. For examples of how to format your source file in comma-separated values (CSV) format, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/library/bb727091.aspx).|
-|Windows PowerShell |Windows PowerShell can use any .csv file format you want to create as a source file for the bulk-import process. To create the .csv file, use software such as Excel. For examples of how to format your source file in CSV format, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx). |
+|Ldifde.exe |Ldifde.exe requires a specific format for the source file. Use Ldifde.exe to export existing user and group accounts so that you can see the format. For examples of the format that Ldifde.exe requires, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](/previous-versions/windows/it-pro/windows-2000-server/bb727091(v=technet.10)), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/kb/555636), [Import or Export Directory Objects Using Ldifde](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc816781(v=ws.10)), and [LDIFDE](/previous-versions/orphan-topics/ws.10/cc755456(v=ws.10)).|
+|VBScript |VBScript can use any .csv file format to create a source file for the bulk-import process. To create the .csv file, use software such as Excel. For examples of how to format your source file in comma-separated values (CSV) format, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](/previous-versions/windows/it-pro/windows-2000-server/bb727091(v=technet.10)).|
+|Windows PowerShell |Windows PowerShell can use any .csv file format you want to create as a source file for the bulk-import process. To create the .csv file, use software such as Excel. For examples of how to format your source file in CSV format, see [Import Bulk Users to Active Directory](/archive/blogs/technet/bettertogether/import-bulk-users-to-active-directory) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx). |
*Table 13. Source file format for each bulk import method*
@@ -912,9 +912,9 @@ With the bulk-import source file finished, you’re ready to import the user and
For more information about how to import user accounts into AD DS by using:
-* Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).
-* VBScript, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/library/bb727091.aspx).
-* Windows PowerShell, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).
+* Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](/previous-versions/windows/it-pro/windows-2000-server/bb727091(v=technet.10)), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/kb/555636), [Import or Export Directory Objects Using Ldifde](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc816781(v=ws.10)), and [LDIFDE](/previous-versions/orphan-topics/ws.10/cc755456(v=ws.10)).
+* VBScript, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](/previous-versions/windows/it-pro/windows-2000-server/bb727091(v=technet.10)).
+* Windows PowerShell, see [Import Bulk Users to Active Directory](/archive/blogs/technet/bettertogether/import-bulk-users-to-active-directory) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).
#### Summary
@@ -987,7 +987,7 @@ Microsoft Store for Business allows you to create your own private portal to man
* Distribute apps to your users.
-For more information about Microsoft Store for Business, see [Microsoft Store for Business overview](https://technet.microsoft.com/itpro/windows/whats-new/windows-store-for-business-overview).
+For more information about Microsoft Store for Business, see [Microsoft Store for Business overview](/microsoft-store/microsoft-store-for-business-overview).
This section shows you how to create a Microsoft Store for Business portal and configure it for your school.
@@ -1011,13 +1011,13 @@ After you create the Microsoft Store for Business portal, configure it by using
|Menu selection|What can you do in this menu|
|--------------|----------------------------|
-|Account information |Displays information about your Microsoft Store for Business account (no settings can be changed). You make changes to this information in Office 365 or the Azure Management Portal. For more information, see [Update Microsoft Store for Business account settings](https://technet.microsoft.com/itpro/windows/manage/update-windows-store-for-business-account-settings).|
-|Device Guard signing |Allows you to upload and sign Device Guard catalog and policy files. For more information about Device Guard, see [Device Guard deployment guide](https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide).|
-|LOB publishers |Allows you to add line-of-business (LOB) publishers that can then publish apps to your private store. LOB publishers are usually internal developers or software vendors that are working with your institution. For more information, see [Working with line-of-business apps](https://technet.microsoft.com/itpro/windows/manage/working-with-line-of-business-apps).|
-|Management tools |Allows you to add tools that you can use to distribute (deploy) apps in your private store. For more information, see [Distribute apps with a management tool](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-with-management-tool).|
-|Offline licensing|Allows you to show (or not show) offline licensed apps to people shopping in your private store. For more information, see the “Licensing model: online and offline licenses” section in [Apps in Microsoft Store for Business](https://technet.microsoft.com/itpro/windows/manage/apps-in-windows-store-for-business#licensing-model).|
-|Permissions |Allows you to grant other users in your organization the ability to buy, manage, and administer your Microsoft Store for Business portal. You can also remove permissions you have previously granted. For more information, see [Roles and permissions in Microsoft Store for Business](https://technet.microsoft.com/itpro/windows/manage/roles-and-permissions-windows-store-for-business).|
-|Private store |Allows you to change the organization name used in your Microsoft Store for Business portal. When you create your portal, the private store uses the organization name that you used to create your Office 365 subscription. For more information, see [Distribute apps using your private store](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-from-your-private-store).|
+|Account information |Displays information about your Microsoft Store for Business account (no settings can be changed). You make changes to this information in Office 365 or the Azure Management Portal. For more information, see [Update Microsoft Store for Business account settings](/microsoft-store/update-microsoft-store-for-business-account-settings).|
+|Device Guard signing |Allows you to upload and sign Device Guard catalog and policy files. For more information about Device Guard, see [Device Guard deployment guide](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide).|
+|LOB publishers |Allows you to add line-of-business (LOB) publishers that can then publish apps to your private store. LOB publishers are usually internal developers or software vendors that are working with your institution. For more information, see [Working with line-of-business apps](/microsoft-store/working-with-line-of-business-apps).|
+|Management tools |Allows you to add tools that you can use to distribute (deploy) apps in your private store. For more information, see [Distribute apps with a management tool](/microsoft-store/distribute-apps-with-management-tool).|
+|Offline licensing|Allows you to show (or not show) offline licensed apps to people shopping in your private store. For more information, see the “Licensing model: online and offline licenses” section in [Apps in Microsoft Store for Business](/microsoft-store/apps-in-microsoft-store-for-business#licensing-model).|
+|Permissions |Allows you to grant other users in your organization the ability to buy, manage, and administer your Microsoft Store for Business portal. You can also remove permissions you have previously granted. For more information, see [Roles and permissions in Microsoft Store for Business](/microsoft-store/roles-and-permissions-microsoft-store-for-business).|
+|Private store |Allows you to change the organization name used in your Microsoft Store for Business portal. When you create your portal, the private store uses the organization name that you used to create your Office 365 subscription. For more information, see [Distribute apps using your private store](/microsoft-store/distribute-apps-from-your-private-store).|
*Table 14. Menu selections to configure Microsoft Store for Business settings*
@@ -1030,7 +1030,7 @@ Now that you have created your Microsoft Store for Business portal, you’re rea
You can deploy apps to individual users or make apps available to users through your private store. Deploying apps to individual users restricts the app to those specified users. Making apps available through your private store allows all your users to install the apps.
-For more information about how to find, acquire, and distribute apps in the portal, see [App inventory management for Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/app-inventory-management-microsoft-store-for-business).
+For more information about how to find, acquire, and distribute apps in the portal, see [App inventory management for Microsoft Store for Business](/microsoft-store/app-inventory-management-microsoft-store-for-business).
#### Summary
@@ -1059,7 +1059,7 @@ Depending on your school’s requirements, you may need any combination of the f
* Deploy new instances of Windows 10 Education so that new devices have a known configuration.
> [!NOTE]
-> Although you can use Windows 10 Home on institution-owned devices, Microsoft recommends that you use Windows 10 Pro or Windows 10 Education, instead. Windows 10 Pro and Windows 10 Education provide support for MDM, policy-based management, and Microsoft Store for Business—features not available in Windows 10 Home. For more information about how to upgrade Windows 10 Home to Windows 10 Pro or Windows 10 Education, see [Windows 10 edition upgrade](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades).
+> Although you can use Windows 10 Home on institution-owned devices, Microsoft recommends that you use Windows 10 Pro or Windows 10 Education, instead. Windows 10 Pro and Windows 10 Education provide support for MDM, policy-based management, and Microsoft Store for Business—features not available in Windows 10 Home. For more information about how to upgrade Windows 10 Home to Windows 10 Pro or Windows 10 Education, see [Windows 10 edition upgrade](/windows/deployment/upgrade/windows-10-edition-upgrades).
For more information about the Windows 10 editions, see [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare).
@@ -1078,7 +1078,7 @@ The advantage to a thin image is that the final deployment configuration is dyna
The advantage of a thick image is that the deployment takes less time than it would for a thin image. The disadvantage of a thick image is that you need to capture a new image each time you want to make a change to the operating system, apps, or other software in the image.
-This guide discusses thick image deployment. For information about thin image deployments, see [Deploy Windows 10 in a school](https://technet.microsoft.com/edu/windows/deploy-windows-10-in-a-school).
+This guide discusses thick image deployment. For information about thin image deployments, see [Deploy Windows 10 in a school](./deploy-windows-10-in-a-school.md).
### Select a method to initiate deployment
The LTI deployment process is highly automated: it requires minimal information to deploy or upgrade Windows 10. The ZTI deployment process is fully automated, but you must manually initiate it. To do so, use the method listed in Table 15 that best meets the needs of your institution.
@@ -1172,13 +1172,13 @@ The first step in preparing for Windows 10 deployment is to configure—that is,
Intune
1. Import operating systems
-Import the operating systems that you selected in the Select the operating systems section into the deployment share. For more information about how to import operating systems, see Import an Operating System into the Deployment Workbench.
+Import the operating systems that you selected in the Select the operating systems section into the deployment share. For more information about how to import operating systems, see Import an Operating System into the Deployment Workbench.
@@ -1194,8 +1194,8 @@ Import device drivers for each device in your institution. For more information
If you have Intune or Microsoft Endpoint Configuration Manager, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the Deploy and manage apps by using Intune and Deploy and manage apps by using Microsoft Endpoint Configuration Manager sections. This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps.2. Import device drivers
Device drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device cannot play sounds; without the proper camera driver, the device cannot take photos or use video chat.
-Import device drivers for each device in your institution. For more information about how to import device drivers, see Import Device Drivers into the Deployment Workbench.
+Import device drivers for each device in your institution. For more information about how to import device drivers, see Import Device Drivers into the Deployment Workbench.
In addition, you must prepare your environment for sideloading Microsoft Store apps. For more information about how to:
-
@@ -1204,12 +1204,12 @@ In addition, you must prepare your environment for sideloading Microsoft Store a
@@ -1223,7 +1223,7 @@ For more information about how to create an MDT application for Window desktop a
4. Create MDT applications for Windows desktop apps
You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them.
-To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool.
+To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool.
If you have Intune, you can deploy Windows desktop apps after you deploy Windows 10, as described in the Deploy and manage apps by using Intune section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps. This is the preferred method for deploying and managing Windows desktop apps.
Note You can also deploy Windows desktop apps after you deploy Windows 10, as described in the Deploy and manage apps by using Intune section.
-For more information about how to create an MDT application for Window desktop apps, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com/library/dn759415.aspx).
+For more information about how to create an MDT application for Window desktop apps, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt).
Again, you will create the task sequences based on the operating systems that you imported in step 1. For more information about how to create a task sequence, see Create a New Task Sequence in the Deployment Workbench.
+
Again, you will create the task sequences based on the operating systems that you imported in step 1. For more information about how to create a task sequence, see Create a New Task Sequence in the Deployment Workbench.
@@ -1231,7 +1231,7 @@ For more information about how to create an MDT application for Window desktop a
@@ -1251,30 +1251,30 @@ Before you can use Configuration Manager to deploy Windows 10 and manage your ap
Deploying a new Configuration Manager infrastructure is beyond the scope of this guide, but the following resources can help you deploy a new Configuration Manager infrastructure:
-* [Get ready for Configuration Manager](https://technet.microsoft.com/library/mt608540.aspx)
-* [Start using Configuration Manager](https://technet.microsoft.com/library/mt608544.aspx)
+* [Get ready for Configuration Manager](/mem/configmgr/core/plan-design/get-ready)
+* [Start using Configuration Manager](/mem/configmgr/core/servers/deploy/start-using)
#### To configure an existing Microsoft Endpoint Manager infrastructure for operating system deployment
1. Perform any necessary infrastructure remediation.
- Ensure that your existing infrastructure can support the operating system deployment feature. For more information, see [Infrastructure requirements for operating system deployment in Microsoft Endpoint Configuration Manager](https://technet.microsoft.com/library/mt627936.aspx).
+ Ensure that your existing infrastructure can support the operating system deployment feature. For more information, see [Infrastructure requirements for operating system deployment in Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/plan-design/infrastructure-requirements-for-operating-system-deployment).
2. Add the Windows PE boot images, Windows 10 operating systems, and other content.
You need to add the Windows PE boot images, Windows 10 operating system images, and other deployment content that you will use to deploy Windows 10 with ZTI. To add this content, use the Create MDT Task Sequence Wizard.
- You can add this content by using Microsoft Endpoint Manager only (without MDT), but the Create MDT Task Sequence Wizard is the preferred method because the wizard prompts you for all the deployment content you need for a task sequence and provides a much more intuitive user experience. For more information, see [Create ZTI Task Sequences Using the Create MDT Task Sequence Wizard in Configuration Manager](https://technet.microsoft.com/library/dn759415.aspx#CreateZTITaskSequencesUsingtheCreateMDTTaskSequenceWizardinConfigurationManager).
+ You can add this content by using Microsoft Endpoint Manager only (without MDT), but the Create MDT Task Sequence Wizard is the preferred method because the wizard prompts you for all the deployment content you need for a task sequence and provides a much more intuitive user experience. For more information, see [Create ZTI Task Sequences Using the Create MDT Task Sequence Wizard in Configuration Manager](/mem/configmgr/mdt/use-the-mdt#CreateZTITaskSequencesUsingtheCreateMDTTaskSequenceWizardinConfigurationManager).
3. Add device drivers.
You must add device drivers for the different device types in your district. For example, if you have a mixture of Surface, HP Stream, Dell Inspiron, and Lenovo Yoga devices, then you must have the device drivers for each device.
- Create a Microsoft Endpoint Manager driver package for each device type in your district. For more information, see [Manage drivers in Configuration Manager](https://technet.microsoft.com/library/mt627934.aspx).
+ Create a Microsoft Endpoint Manager driver package for each device type in your district. For more information, see [Manage drivers in Configuration Manager](/mem/configmgr/osd/get-started/manage-drivers).
4. Add Windows apps.
Install the Windows apps (Windows desktop and Microsoft Store apps) that you want to deploy after the task sequence deploys your customized image (a thick, reference image that include Windows 10 and your core Windows desktop apps). These apps are in addition to the apps included in your reference image. You can only deploy Microsoft Store apps after you deploy Windows 10 because you cannot capture Microsoft Store apps in a reference image. Microsoft Store apps target users, not devices.
- Create a Configuration Manager application for each Windows desktop or Microsoft Store app that you want to deploy after you apply the reference image to a device. For more information, see [Deploy and manage applications with Configuration Manager](https://technet.microsoft.com/library/mt627959.aspx).
+ Create a Configuration Manager application for each Windows desktop or Microsoft Store app that you want to deploy after you apply the reference image to a device. For more information, see [Deploy and manage applications with Configuration Manager](/mem/configmgr/apps/deploy-use/deploy-applications).
### Configure Window Deployment Services for MDT
@@ -1288,15 +1288,15 @@ You can use Windows Deployment Services in conjunction with MDT to automatically
For more information about how to perform this step, see the following resources:
- * [Windows Deployment Services Overview](https://technet.microsoft.com/library/hh831764.aspx)
+ * [Windows Deployment Services Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831764(v=ws.11))
* The Windows Deployment Services Help file, included in Windows Deployment Services
- * [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/library/jj648426.aspx)
+ * [Windows Deployment Services Getting Started Guide for Windows Server 2012](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj648426(v=ws.11))
2. Add LTI boot images (Windows PE images) to Windows Deployment Services.
The LTI boot images (.wim files) that you will add to Windows Deployment Services are in the MDT deployment share. Locate the .wim files in the deployment share’s Boot subfolder.
- For more information about how to perform this step, see [Add LTI Boot Images to Windows Deployment Services](https://technet.microsoft.com/library/dn759415.aspx#AddLTIBootImagestoWindowsDeploymentServices).
+ For more information about how to perform this step, see [Add LTI Boot Images to Windows Deployment Services](/mem/configmgr/mdt/use-the-mdt#AddLTIBootImagestoWindowsDeploymentServices).
### Configure Window Deployment Services for Microsoft Endpoint Configuration Manager
@@ -1312,19 +1312,19 @@ You can use Windows Deployment Services in conjunction with Configuration Manage
Windows Deployment Services is a server role available in all Windows Server editions. You can enable the Windows Deployment Services server role on a new server or on any server running Windows Server in your institution.
For more information about how to perform this step, see the following resources:
- * [Windows Deployment Services Overview](https://technet.microsoft.com/library/hh831764.aspx)
+ * [Windows Deployment Services Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831764(v=ws.11))
* The Windows Deployment Services Help file, included in Windows Deployment Services
- * [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/library/jj648426.aspx)
+ * [Windows Deployment Services Getting Started Guide for Windows Server 2012](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj648426(v=ws.11))
2. Configure a distribution point to accept PXE requests in Configuration Manager.
To support PXE boot requests, you install the PXE service point site system role. Then, you must configure one or more distribution points to respond to PXE boot request.
- For more information about how to perform this step, see [Install site system roles for Configuration Manager](https://technet.microsoft.com/library/mt704036.aspx), [Use PXE to deploy Windows over the network with Configuration Manager](https://technet.microsoft.com/library/mt627940.aspx), and [Configuring distribution points to accept PXE requests](https://technet.microsoft.com/library/mt627944.aspx#BKMK_PXEDistributionPoint).
+ For more information about how to perform this step, see [Install site system roles for Configuration Manager](/mem/configmgr/core/servers/deploy/configure/install-site-system-roles), [Use PXE to deploy Windows over the network with Configuration Manager](/mem/configmgr/osd/deploy-use/use-pxe-to-deploy-windows-over-the-network), and [Configuring distribution points to accept PXE requests](/mem/configmgr/osd/get-started/prepare-site-system-roles-for-operating-system-deployments#BKMK_PXEDistributionPoint).
3. Configure the appropriate boot images (Windows PE images) to deploy from the PXE-enabled distribution point.
Before a device can start a boot image from a PXE-enabled distribution point, you must change the properties of the boot image to enable PXE booting. Typically, you create this boot image when you created your MDT task sequence in the Configuration Manager console.
- For more information about how to perform this step, see [Configure a boot image to deploy from a PXE-enabled distribution point](https://technet.microsoft.com/library/mt627946.aspx#BKMK_BootImagePXE) and [Manage boot images with Configuration Manager](https://technet.microsoft.com/library/mt627946.aspx).
+ For more information about how to perform this step, see [Configure a boot image to deploy from a PXE-enabled distribution point](/mem/configmgr/osd/get-started/manage-boot-images#BKMK_BootImagePXE) and [Manage boot images with Configuration Manager](/mem/configmgr/osd/get-started/manage-boot-images).
#### Summary
@@ -1351,27 +1351,27 @@ You initially configured the MDT deployment share in the [Configure the MDT depl
A task sequence can deploy only one Windows 10 edition or version, which means that you must create a task sequence for each Windows 10 edition and version you selected in the [Select the operating systems](#select-the-operating-systems) section earlier in this guide. To create task sequences, use the New Task Sequence Wizard.
- For more information, see [Create a New Task Sequence in the Deployment Workbench](https://technet.microsoft.com/library/dn759415.aspx#CreateaNewTaskSequenceintheDeploymentWorkbench).
+ For more information, see [Create a New Task Sequence in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewTaskSequenceintheDeploymentWorkbench).
2. Create an MDT application for each desktop app you want to include in your reference image.
- You create MDT applications by using the New Application Wizard in the Deployment Workbench. As part of creating the MDT application, specify the command-line parameters used to install the app without user intervention (unattended installation). For more information, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com/library/dn759415.aspx#CreateaNewApplicationintheDeploymentWorkbench).
+ You create MDT applications by using the New Application Wizard in the Deployment Workbench. As part of creating the MDT application, specify the command-line parameters used to install the app without user intervention (unattended installation). For more information, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench).
3. Customize the task sequence to install the MDT applications that you created in step 2.
You can add an **Install Application** task sequence step to your task sequence. Then, you can customize the **Install Application** task sequence step to install a specific app, which automatically installs the app with no user interaction required when your run the task sequence.
- You need to add an **Install Application** task sequence step for each app you want to include in your reference image. For more information, see [Customize Application Installation in Task Sequences](https://technet.microsoft.com/library/dn759415.aspx#CustomizeApplicationInstallationinTaskSequences).
+ You need to add an **Install Application** task sequence step for each app you want to include in your reference image. For more information, see [Customize Application Installation in Task Sequences](/mem/configmgr/mdt/use-the-mdt#CustomizeApplicationInstallationinTaskSequences).
4. Create a selection profile that contains the drivers for the device.
A *selection profile* lets you select specific device drivers. For example, if you want to deploy the device drivers for a Surface Pro 4 device, you can create a selection profile that contains only the Surface Pro 4 device drivers.
First, in the Out-of-Box Drivers node in the Deployment Workbench, create a folder that will contain your device drivers. Next, import the device drivers into the folder you just created. Finally, create the selection profile and specify the folder that contains the device drivers. For more information, see the following resources:
- * [Create Folders to Organize Device Drivers for LTI Deployments](https://technet.microsoft.com/library/dn759415.aspx#CreateFolderstoOrganizeDeviceDriversforLTIDeployments)
- * [Create Selection Profiles to Select the Device Drivers for LTI Deployments](https://technet.microsoft.com/library/dn759415.aspx#CreateSelectionProfilestoSelecttheDeviceDriversforLTIDeployments)
+ * [Create Folders to Organize Device Drivers for LTI Deployments](/mem/configmgr/mdt/use-the-mdt#CreateFolderstoOrganizeDeviceDriversforLTIDeployments)
+ * [Create Selection Profiles to Select the Device Drivers for LTI Deployments](/mem/configmgr/mdt/use-the-mdt#CreateSelectionProfilestoSelecttheDeviceDriversforLTIDeployments)
5. Customize the task sequence to use the selection profile that you created in step 4.
- You can customize the **Inject Driver** task sequence step in the **Preinstall** task sequence group in your task sequence to deploy only the device drivers in the selection profile. For more information, see [Configure Task Sequences to Deploy Device Drivers in Selection Profiles for LTI Deployments](https://technet.microsoft.com/library/dn759415.aspx#ConfigureTaskSequencestoDeployDeviceDriversinSelectionProfilesforLTIDeployments).
+ You can customize the **Inject Driver** task sequence step in the **Preinstall** task sequence group in your task sequence to deploy only the device drivers in the selection profile. For more information, see [Configure Task Sequences to Deploy Device Drivers in Selection Profiles for LTI Deployments](/mem/configmgr/mdt/use-the-mdt#ConfigureTaskSequencestoDeployDeviceDriversinSelectionProfilesforLTIDeployments).
### Capture reference image
@@ -1380,7 +1380,7 @@ To capture the reference image, run the LTI task sequence that you created in th
Use the Deployment Wizard to deploy Windows 10, your apps, and device drivers to the device, and then capture the .wim file. The LTI deployment process is almost fully automated: you provide only minimal information to the Deployment Wizard at the beginning of the process. After the wizard collects the necessary information, the remainder of the process is fully automated.
> [!NOTE]
-> To fully automate the LTI deployment process, complete the steps in the “Fully Automated LTI Deployment Scenario” section of [Microsoft Deployment Toolkit Samples Guide](https://technet.microsoft.com/library/dn781089.aspx#Anchor_6).
+> To fully automate the LTI deployment process, complete the steps in the “Fully Automated LTI Deployment Scenario” section of [Microsoft Deployment Toolkit Samples Guide](/mem/configmgr/mdt/samples-guide#Anchor_6).
In most instances, deployments occur without incident. Only in rare occasions do deployments experience problems.
@@ -1388,7 +1388,7 @@ In most instances, deployments occur without incident. Only in rare occasions do
1. **Initiate the LTI deployment process.** Initiate the LTI deployment process booting over the network (PXE boot) or from local media. You selected the method for initiating the LTI deployment process in the [Select method to initiate deployment](#select-a-method-to-initiate-deployment) section earlier in this guide.
-2. **Complete the Deployment Wizard.** For more information about how to complete the Deployment Wizard, see the “Running the Deployment Wizard” section in [Using the Microsoft Deployment Toolkit](https://technet.microsoft.com/library/dn759415.aspx#Anchor_5).
+2. **Complete the Deployment Wizard.** For more information about how to complete the Deployment Wizard, see the “Running the Deployment Wizard” section in [Using the Microsoft Deployment Toolkit](/mem/configmgr/mdt/use-the-mdt#Anchor_5).
### Import reference image
@@ -1398,8 +1398,8 @@ Both the Deployment Workbench and the Configuration Manager console have wizards
For more information about how to import the reference image into:
-* An MDT deployment share, see [Import a Previously Captured Image of a Reference Computer](https://technet.microsoft.com/library/dn759415.aspx#ImportaPreviouslyCapturedImageofaReferenceComputer).
-* Microsoft Endpoint Configuration Manager, see [Manage operating system images with Microsoft Endpoint Configuration Manager](https://technet.microsoft.com/library/mt627939.aspx) and [Customize operating system images with Microsoft Endpoint Configuration Manager](https://technet.microsoft.com/library/mt627938.aspx).
+* An MDT deployment share, see [Import a Previously Captured Image of a Reference Computer](/mem/configmgr/mdt/use-the-mdt#ImportaPreviouslyCapturedImageofaReferenceComputer).
+* Microsoft Endpoint Configuration Manager, see [Manage operating system images with Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/get-started/manage-operating-system-images) and [Customize operating system images with Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/get-started/customize-operating-system-images).
### Create a task sequence to deploy the reference image
@@ -1409,8 +1409,8 @@ As you might expect, both the Deployment Workbench and the Configuration Manager
For more information about how to create a task sequence in the:
-* Deployment Workbench for a deployment share, see [Create a New Task Sequence in the Deployment Workbench](https://technet.microsoft.com/library/dn759415.aspx#CreateaNewTaskSequenceintheDeploymentWorkbench).
-* Configuration Manager console, see [Create a task sequence to install an operating system in Microsoft Endpoint Configuration Manager](https://technet.microsoft.com/library/mt627927.aspx).
+* Deployment Workbench for a deployment share, see [Create a New Task Sequence in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewTaskSequenceintheDeploymentWorkbench).
+* Configuration Manager console, see [Create a task sequence to install an operating system in Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/create-a-task-sequence-to-install-an-operating-system).
#### Summary
In this section, you customized the MDT deployment share to deploy Windows 10 and desktop apps to one or more reference devices by creating and customizing MDT applications, device drivers, and applications. Next, you ran the task sequence, which deploys Windows 10, deploys your apps, deploys the appropriate device drivers, and captures an image of the reference device. Then, you imported the captured reference image into a deployment share or Microsoft Endpoint Configuration Manager. Finally, you created a task sequence to deploy your captured reference image to faculty and student devices. At this point in the process, you’re ready to deploy Windows 10 and your apps to your devices.
@@ -1450,7 +1450,7 @@ Use the information in Table 17 to help you determine whether you need to config
6. Update the deployment share
Updating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32-bit and 64-bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services.
-For more information about how to update a deployment share, see Update a Deployment Share in the Deployment Workbench.
+For more information about how to update a deployment share, see Update a Deployment Share in the Deployment Workbench.
You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, do not use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.
@@ -1468,7 +1468,7 @@ Use the information in Table 17 to help you determine whether you need to config
**Note** Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.
-**Group Policy.** Configure the [Accounts: Block Microsoft accounts](https://technet.microsoft.com/library/jj966262.aspx) Group Policy setting to use the **Users can’t add Microsoft accounts** setting option.
+**Group Policy.** Configure the [Accounts: Block Microsoft accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj966262(v=ws.11)) Group Policy setting to use the **Users can’t add Microsoft accounts** setting option.
**Intune.** To enable or disable the use of Microsoft accounts, use the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy.
Manage the built-in administrator account created during device deployment
When you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and (optionally) disable it.
@@ -1477,7 +1477,7 @@ Use the information in Table 17 to help you determine whether you need to config
-Group Policy. To rename the built-in Administrator account, use the Accounts: Rename administrator account Group Policy setting. For more information about how to rename the built-in Administrator account, see To rename the Administrator account using the Group Policy Management Console. You specify the new name for the Administrator account. To disable the built-in Administrator account, use the Accounts: Administrator account status Group Policy setting. For more information about how to disable the built-in Administrator account, see Accounts: Administrator account status.
+Group Policy. To rename the built-in Administrator account, use the Accounts: Rename administrator account Group Policy setting. For more information about how to rename the built-in Administrator account, see To rename the Administrator account using the Group Policy Management Console. You specify the new name for the Administrator account. To disable the built-in Administrator account, use the Accounts: Administrator account status Group Policy setting. For more information about how to disable the built-in Administrator account, see Accounts: Administrator account status.
Intune. Not available.
Control Microsoft Store access
You can control access to Microsoft Store and whether existing Microsoft Store apps receive updates. You can only disable the Microsoft Store app in Windows 10 Education and Windows 10 Enterprise.
@@ -1505,7 +1505,7 @@ Use the information in Table 17 to help you determine whether you need to config
-Group Policy. To disable the Microsoft Store app, use the Turn off the Store Application group policy setting. To prevent Microsoft Store apps from receiving updates, use the Turn off Automatic Download and Install of updates Group Policy setting. For more information about configuring these settings, see Can I use Group Policy to control the Microsoft Store in my enterprise environment?.
+Group Policy. To disable the Microsoft Store app, use the Turn off the Store Application group policy setting. To prevent Microsoft Store apps from receiving updates, use the Turn off Automatic Download and Install of updates Group Policy setting. For more information about configuring these settings, see Can I use Group Policy to control the Microsoft Store in my enterprise environment?.
Intune. To enable or disable Microsoft Store access, use the Allow application store policy setting in the Apps section of a Windows 10 General Configuration policy.
Use of audio recording
Audio recording (by using the Sound Recorder app) can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the Sound Recorder app on your devices.
@@ -1547,31 +1547,31 @@ Use the information in Table 17 to help you determine whether you need to config
Now, you’re ready to use Group Policy to configure settings. The steps in this section assume that you have an AD DS infrastructure. Here, you configure the Group Policy settings you selected in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section.
-For more information about Group Policy, see [Group Policy Planning and Deployment Guide](https://technet.microsoft.com/library/cc754948.aspx).
+For more information about Group Policy, see [Group Policy Planning and Deployment Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754948(v=ws.10)).
#### To configure Group Policy settings
-1. Create a Group Policy object (GPO) to contain your Group Policy settings by completing the steps in [Create a new Group Policy object](https://technet.microsoft.com/library/cc738830.aspx).
+1. Create a Group Policy object (GPO) to contain your Group Policy settings by completing the steps in [Create a new Group Policy object](/previous-versions/windows/it-pro/windows-server-2003/cc738830(v=ws.10)).
-2. Configure the settings in the GPO by completing the steps in [Edit a Group Policy object](https://technet.microsoft.com/library/cc739902.aspx).
+2. Configure the settings in the GPO by completing the steps in [Edit a Group Policy object](/previous-versions/windows/it-pro/windows-server-2003/cc739902(v=ws.10)).
-3. Link the GPO to the appropriate AD DS site, domain, or organizational unit by completing the steps in [Link a Group Policy object to a site, domain, or organizational unit](https://technet.microsoft.com/library/cc738954.aspx).
+3. Link the GPO to the appropriate AD DS site, domain, or organizational unit by completing the steps in [Link a Group Policy object to a site, domain, or organizational unit](/previous-versions/windows/it-pro/windows-server-2003/cc738954(v=ws.10)).
### Configure settings by using Intune
Now, you’re ready to use Intune to configure settings. The steps in this section assume that you have an Office 365 subscription. Here, you configure the Intune settings that you selected in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section.
-For more information about Intune, see [Microsoft Intune Documentation](https://docs.microsoft.com/intune/).
+For more information about Intune, see [Microsoft Intune Documentation](/intune/).
#### To configure Intune settings
-1. Add Intune to your Office 365 subscription by completing the steps in [Manage Intune licenses](https://docs.microsoft.com/intune/get-started/start-with-a-paid-subscription-to-microsoft-intune-step-4).
+1. Add Intune to your Office 365 subscription by completing the steps in [Manage Intune licenses](/intune/get-started/start-with-a-paid-subscription-to-microsoft-intune-step-4).
-2. Enroll devices with Intune by completing the steps in [Get ready to enroll devices in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/get-ready-to-enroll-devices-in-microsoft-intune).
+2. Enroll devices with Intune by completing the steps in [Get ready to enroll devices in Microsoft Intune](/intune/deploy-use/get-ready-to-enroll-devices-in-microsoft-intune).
-3. Configure the settings in Intune Windows 10 policies by completing the steps in [Manage settings and features on your devices with Microsoft Intune policies](https://docs.microsoft.com/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies).
+3. Configure the settings in Intune Windows 10 policies by completing the steps in [Manage settings and features on your devices with Microsoft Intune policies](/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies).
-4. Manage Windows 10 devices by completing the steps in [Manage Windows PCs with Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/manage-windows-pcs-with-microsoft-intune).
+4. Manage Windows 10 devices by completing the steps in [Manage Windows PCs with Microsoft Intune](/intune/deploy-use/manage-windows-pcs-with-microsoft-intune).
### Deploy and manage apps by using Intune
@@ -1581,11 +1581,11 @@ You can use Intune to deploy Microsoft Store and Windows desktop apps. Intune pr
For more information about how to configure Intune to manage your apps, see the following resources:
-- [Add apps with Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/add-apps)
-- [Deploy apps with Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/deploy-apps)
-- [Update apps using Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/update-apps-using-microsoft-intune)
-- [Protect apps and data with Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/protect-apps-and-data-with-microsoft-intune)
-- [Help protect your data with full or selective wipe using Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/use-remote-wipe-to-help-protect-data-using-microsoft-intune)
+- [Add apps with Microsoft Intune](/intune/deploy-use/add-apps)
+- [Deploy apps with Microsoft Intune](/intune/deploy-use/deploy-apps)
+- [Update apps using Microsoft Intune](/intune/deploy-use/update-apps-using-microsoft-intune)
+- [Protect apps and data with Microsoft Intune](/intune/deploy-use/protect-apps-and-data-with-microsoft-intune)
+- [Help protect your data with full or selective wipe using Microsoft Intune](/intune/deploy-use/use-remote-wipe-to-help-protect-data-using-microsoft-intune)
### Deploy and manage apps by using Microsoft Endpoint Configuration Manager
@@ -1598,7 +1598,7 @@ For example, you could create a Skype application that contains a deployment typ
Configuration Manager helps you manage apps by monitoring app installation. You can determine how many of your devices have a specific app installed. Finally, you can allow users to install apps at their discretion or make apps mandatory.
-For more information about how to configure Configuration Manager to deploy and manage your apps, see [Deploy and manage applications with Configuration Manager](https://technet.microsoft.com/library/mt627959.aspx).
+For more information about how to configure Configuration Manager to deploy and manage your apps, see [Deploy and manage applications with Configuration Manager](/mem/configmgr/apps/deploy-use/deploy-applications).
### Manage updates by using Intune
@@ -1611,8 +1611,8 @@ To help ensure that your users have the most current features and security prote
For more information about how to configure Intune to manage updates and malware protection, see the following resources:
-- [Keep Windows PCs up to date with software updates in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/keep-windows-pcs-up-to-date-with-software-updates-in-microsoft-intune)
-- [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)
+- [Keep Windows PCs up to date with software updates in Microsoft Intune](/intune/deploy-use/keep-windows-pcs-up-to-date-with-software-updates-in-microsoft-intune)
+- [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)
### Manage updates by using Microsoft Endpoint Configuration Manager
@@ -1623,7 +1623,7 @@ You configure the software updates feature to manage updates for specific versio
> [!NOTE]
> When you configure Configuration Manager and Intune in a hybrid model, you use Configuration manager to manage updates as described in this section.
-For more information about how to configure Configuration Manager to manage Windows 10 and app updates, see [Deploy and manage software updates in Configuration Manager](https://technet.microsoft.com/library/mt634340.aspx).
+For more information about how to configure Configuration Manager to manage Windows 10 and app updates, see [Deploy and manage software updates in Configuration Manager](/mem/configmgr/sum/understand/software-updates-introduction).
#### Summary
@@ -1651,7 +1651,7 @@ Prior to deployment of Windows 10, complete the tasks in Table 18. Most of these
Use the Deployment Wizard to deploy Windows 10. With the LTI deployment process, you provide only minimal information to the Deployment Wizard at the beginning of the process. After the wizard collects the necessary information, the remainder of the process is fully automated.
> [!NOTE]
-> To fully automate the LTI deployment process, complete the steps in the “Fully Automated LTI Deployment Scenario” section in the [Microsoft Deployment Toolkit Samples Guide](https://technet.microsoft.com/library/dn781089.aspx#Anchor_6).
+> To fully automate the LTI deployment process, complete the steps in the “Fully Automated LTI Deployment Scenario” section in the [Microsoft Deployment Toolkit Samples Guide](/mem/configmgr/mdt/samples-guide#Anchor_6).
In most instances, deployments occur without incident. Only in rare occasions do deployments experience problems.
@@ -1660,7 +1660,7 @@ In most instances, deployments occur without incident. Only in rare occasions do
1. **Initiate the LTI deployment process.** Initiate the LTI deployment process by booting over the network (PXE boot) or from local media. You selected the method for initiating the LTI deployment process in the [Select a method to initiate deployment](#select-a-method-to-initiate-deployment) section earlier in this guide.
-2. **Complete the Deployment Wizard.** For more information about how to complete the Deployment Wizard, see the “Running the Deployment Wizard” section of [Using the Microsoft Deployment Toolkit](https://technet.microsoft.com/library/dn759415.aspx#Anchor_5).
+2. **Complete the Deployment Wizard.** For more information about how to complete the Deployment Wizard, see the “Running the Deployment Wizard” section of [Using the Microsoft Deployment Toolkit](/mem/configmgr/mdt/use-the-mdt#Anchor_5).
#### To use ZTI to deploy Windows 10
@@ -1739,9 +1739,9 @@ Table 19 lists the school and individual classroom maintenance tasks, the resour
-Group Policy. To disable the Sound Recorder app, use the Do not allow Sound Recorder to run Group Policy setting. You can disable other audio recording apps by using AppLocker policies. To create AppLocker policies, use the information in Editing an AppLocker Policy and Create Your AppLocker Policies.
+Group Policy. To disable the Sound Recorder app, use the Do not allow Sound Recorder to run Group Policy setting. You can disable other audio recording apps by using AppLocker policies. To create AppLocker policies, use the information in Editing an AppLocker Policy and Create Your AppLocker Policies.
Intune. To enable or disable audio recording, use the Allow voice recording policy setting in the Features section of a Windows 10 General Configuration policy.
Verify that Windows Update is active and current with operating system and software updates.
@@ -1783,7 +1783,7 @@ For more information, see:
For more information about completing this task when you have:
-
Verify that you’re using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business).
-For more information about Windows 10 servicing options for updates and upgrades, see Windows 10 servicing options.
+For more information about Windows 10 servicing options for updates and upgrades, see Windows 10 servicing options.
x
@@ -1835,7 +1835,7 @@ You can also deploy Microsoft Store apps directly to devices by using Intune, Mi
Remove unnecessary user accounts (and corresponding licenses) from AD DS and Office 365 (if you have an on-premises AD DS infrastructure).
@@ -1899,7 +1899,7 @@ For more information about how to:
For more information about how to:
-
@@ -924,7 +924,7 @@ Microsoft has several recommended settings for educational institutions. Table 1
Create or modify Exchange Online or Microsoft Exchange Server distribution lists in Office 365.
-For more information about how to create or modify Exchange Online or Exchange Server distribution lists in Office 365, see Create and manage distribution groups and Create, edit, or delete a security group.
+For more information about how to create or modify Exchange Online or Exchange Server distribution lists in Office 365, see Create and manage distribution groups and Create, edit, or delete a security group.
x
@@ -1927,13 +1927,13 @@ You have now identified the tasks you need to perform monthly, at the end of an
## Related topics
-* [Try it out: Windows 10 deployment (for educational institutions)](https://technet.microsoft.com/windows/mt574244.aspx)
-* [Try it out: Windows 10 in the classroom](https://technet.microsoft.com/windows/mt574243.aspx)
-* [Chromebook migration guide](https://technet.microsoft.com/edu/windows/chromebook-migration-guide)
-* [Deploy Windows 10 in a school](https://technet.microsoft.com/edu/windows/deploy-windows-10-in-a-school)
-* [Automate common Windows 10 deployment and configuration tasks for a school environment (video)](https://technet.microsoft.com/windows/mt723345)
-* [Deploy a custom Windows 10 Start menu layout for a school (video)](https://technet.microsoft.com/windows/mt723346)
-* [Manage Windows 10 updates and upgrades in a school environment (video)](https://technet.microsoft.com/windows/mt723347)
-* [Reprovision devices at the end of the school year (video)](https://technet.microsoft.com/windows/mt723344)
-* [Use MDT to deploy Windows 10 in a school (video)](https://technet.microsoft.com/windows/mt723343)
-* [Use Microsoft Store for Business in a school environment (video)](https://technet.microsoft.com/windows/mt723348)
+* [Try it out: Windows 10 deployment (for educational institutions)](../index.yml)
+* [Try it out: Windows 10 in the classroom](../index.yml)
+* [Chromebook migration guide](./chromebook-migration-guide.md)
+* [Deploy Windows 10 in a school](./deploy-windows-10-in-a-school.md)
+* [Automate common Windows 10 deployment and configuration tasks for a school environment (video)](./index.md)
+* [Deploy a custom Windows 10 Start menu layout for a school (video)](./index.md)
+* [Manage Windows 10 updates and upgrades in a school environment (video)](./index.md)
+* [Reprovision devices at the end of the school year (video)](./index.md)
+* [Use MDT to deploy Windows 10 in a school (video)](./index.md)
+* [Use Microsoft Store for Business in a school environment (video)](./index.md)
\ No newline at end of file
diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md
index 5631f3e6ab..7608e698f0 100644
--- a/education/windows/deploy-windows-10-in-a-school.md
+++ b/education/windows/deploy-windows-10-in-a-school.md
@@ -56,8 +56,8 @@ This school configuration has the following characteristics:
**Note** In this guide, all references to MDT refer to the 64-bit version of MDT 2013 Update 2.
- The devices use Azure AD in Office 365 Education for identity management.
-- If you have on-premises AD DS, you can [integrate Azure AD with on-premises AD DS](https://azure.microsoft.com/documentation/articles/active-directory-aadconnect/).
-- Use [Intune](https://technet.microsoft.com/library/jj676587.aspx), [compliance settings in Office 365](https://support.office.com/en-us/article/Manage-mobile-devices-in-Office-365-dd892318-bc44-4eb1-af00-9db5430be3cd?ui=en-US&rs=en-US&ad=US), or [Group Policy](https://technet.microsoft.com/library/cc725828%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396) in AD DS to manage devices.
+- If you have on-premises AD DS, you can [integrate Azure AD with on-premises AD DS](/azure/active-directory/hybrid/whatis-hybrid-identity).
+- Use [Intune](/mem/intune/), [compliance settings in Office 365](https://support.office.com/en-us/article/Manage-mobile-devices-in-Office-365-dd892318-bc44-4eb1-af00-9db5430be3cd?ui=en-US&rs=en-US&ad=US), or [Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725828(v=ws.10)?f=255&MSPPError=-2147217396) in AD DS to manage devices.
- Each device supports a one-student-per-device or multiple-students-per-device scenario.
- The devices can be a mixture of different make, model, and processor architecture (32 bit or 64 bit) or be identical.
- To initiate Windows 10 deployment, use a USB flash drive, DVD-ROM or CD-ROM, or Pre-Boot Execution Environment Boot (PXE Boot).
@@ -136,7 +136,7 @@ When you install the Windows ADK on the admin device, select the following featu
- Windows Preinstallation Environment (Windows PE)
- User State Migration Tool (USMT)
-For more information about installing the Windows ADK, see [Step 2-2: Install the Windows ADK](https://technet.microsoft.com/library/dn781086.aspx?f=255&MSPPError=-2147217396#InstallWindowsADK).
+For more information about installing the Windows ADK, see [Step 2-2: Install the Windows ADK](/mem/configmgr/mdt/lite-touch-installation-guide?f=255&MSPPError=-2147217396#InstallWindowsADK).
### Install MDT
@@ -146,7 +146,7 @@ You can use MDT to deploy 32-bit or 64-bit versions of Windows 10. Install the 6
**Note** If you install the 32-bit version of MDT, you can install only 32-bit versions of Windows 10. Ensure that you download and install the 64-bit version of MDT so that you can install 64-bit and 32 bit versions of the operating system.
-For more information about installing MDT on the admin device, see [Installing a New Instance of MDT](https://technet.microsoft.com/library/dn759415.aspx#InstallingaNewInstanceofMDT).
+For more information about installing MDT on the admin device, see [Installing a New Instance of MDT](/mem/configmgr/mdt/use-the-mdt#InstallingaNewInstanceofMDT).
Now, you’re ready to create the MDT deployment share and populate it with the operating system, apps, and device drivers you want to deploy to your devices.
@@ -154,7 +154,7 @@ Now, you’re ready to create the MDT deployment share and populate it with the
MDT includes the Deployment Workbench, a graphical user interface that you can use to manage MDT deployment shares. A deployment share is a shared folder that contains all the MDT deployment content. The LTI Deployment Wizard accesses the deployment content over the network or from a local copy of the deployment share (known as MDT deployment media).
-For more information about how to create a deployment share, see [Step 3-1: Create an MDT Deployment Share](https://technet.microsoft.com/library/dn781086.aspx?f=255&MSPPError=-2147217396#CreateMDTDeployShare).
+For more information about how to create a deployment share, see [Step 3-1: Create an MDT Deployment Share](/mem/configmgr/mdt/lite-touch-installation-guide?f=255&MSPPError=-2147217396#CreateMDTDeployShare).
### Summary
@@ -199,7 +199,7 @@ Complete the following steps to select the appropriate Office 365 Education lice
The best user experience is to run Microsoft 365 Apps for enterprise or use native Office apps on mobile devices. If neither of these options is available, use Office applications online. In addition, all Office 365 plans provide a better user experience by storing documents in OneDrive for Business, which is included in all Office 365 plans. OneDrive for Business keeps content in sync among devices and helps ensure that users always have access to their documents on any device.
-
You can use Azure Rights Management to protect classroom information against unauthorized access. Azure Rights Management protects your information inside or outside the classroom through encryption, identity, and authorization policies, securing your files and email. You can retain control of the information, even when it’s shared with people outside the classroom or your educational institution. Azure Rights Management is free to use with all Office 365 Education license plans. For more information, see Azure Rights Management.
You can use Azure Rights Management to protect classroom information against unauthorized access. Azure Rights Management protects your information inside or outside the classroom through encryption, identity, and authorization policies, securing your files and email. You can retain control of the information, even when it’s shared with people outside the classroom or your educational institution. Azure Rights Management is free to use with all Office 365 Education license plans. For more information, see Azure Rights Management.
*Table 2. Office 365 Education license plans needed for the classroom*
@@ -306,7 +306,7 @@ Although all new Office 365 Education subscriptions have automatic licensing ena
When you create your Office 365 subscription, you create an Office 365 tenant that includes an Azure AD directory. Azure AD is the centralized repository for all your student and faculty accounts in Office 365, Intune, and other Azure AD–integrated apps. Azure AD is available in Free, Basic, and Premium editions. Azure AD Free, which is included in Office 365 Education, has fewer features than Azure AD Basic, which in turn has fewer features than Azure AD Premium.
-Educational institutions can obtain Azure AD Basic edition licenses at no cost. After you obtain your licenses, activate your Azure AD access by completing the steps in [Step 3: Activate your Azure Active Directory access](https://azure.microsoft.com/documentation/articles/active-directory-get-started-premium/#step-3-activate-your-azure-active-directory-access).
+Educational institutions can obtain Azure AD Basic edition licenses at no cost. After you obtain your licenses, activate your Azure AD access by completing the steps in [Step 3: Activate your Azure Active Directory access](/azure/active-directory/fundamentals/active-directory-get-started-premium#step-3-activate-your-azure-active-directory-access).
The Azure AD Premium features that are not in Azure AD Basic include:
@@ -326,8 +326,8 @@ You can sign up for Azure AD Premium, and then assign licenses to users. In this
For more information about:
-- Azure AD editions and the features in each, see [Azure Active Directory editions](https://azure.microsoft.com/documentation/articles/active-directory-editions/).
-- How to enable Azure AD premium, see [Associate an Azure AD directory with a new Azure subscription](https://msdn.microsoft.com/library/azure/jj573650.aspx#create_tenant3).
+- Azure AD editions and the features in each, see [Azure Active Directory editions](/azure/active-directory/fundamentals/active-directory-whatis).
+- How to enable Azure AD premium, see [Associate an Azure AD directory with a new Azure subscription](/previous-versions/azure/azure-services/jj573650(v=azure.100)#create_tenant3).
### Summary
You provision and initially configure Office 365 Education as part of the initial configuration. With the subscription in place, automatic tenant join configured, automatic licensing established, and Azure AD Premium enabled (if required), you’re ready to select the method you will use to create user accounts in Office 365.
@@ -344,7 +344,7 @@ Now that you have an Office 365 subscription, you need to determine how you will
In this method, you have an on-premises AD DS domain. As shown in Figure 4, the Azure AD Connector tool automatically synchronizes AD DS with Azure AD. When you add or change any user accounts in AD DS, the Azure AD Connector tool automatically updates Azure AD.
-**Note** Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](https://technet.microsoft.com/library/dn510997.aspx?f=255&MSPPError=-2147217396).
+**Note** Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](/previous-versions/mim/dn510997(v=ws.10)?f=255&MSPPError=-2147217396).
@@ -393,7 +393,7 @@ You can deploy the Azure AD Connect tool by using one of the following methods:
*Figure 7. Azure AD Connect in Azure*
-This guide describes how to run Azure AD Connect on premises. For information about running Azure AD Connect in Azure, see [Deploy Office 365 Directory Synchronization (DirSync) in Microsoft Azure](https://technet.microsoft.com/library/dn635310.aspx).
+This guide describes how to run Azure AD Connect on premises. For information about running Azure AD Connect in Azure, see [Deploy Office 365 Directory Synchronization (DirSync) in Microsoft Azure](/microsoft-365/enterprise/deploy-microsoft-365-directory-synchronization-dirsync-in-microsoft-azure).
### Deploy Azure AD Connect on premises
@@ -403,8 +403,8 @@ In this synchronization model (illustrated in Figure 6), you run Azure AD Connec
1. Configure your environment to meet the prerequisites for installing Azure AD Connect by performing the steps in [Prerequisites for Azure AD Connect](https://azure.microsoft.com/documentation/articles/active-directory-aadconnect-prerequisites/).
2. On the VM or physical device that will run Azure AD Connect, sign in with a domain administrator account.
-3. Install Azure AD Connect by performing the steps in [Install Azure AD Connect](https://azure.microsoft.com/documentation/articles/active-directory-aadconnect/#install-azure-ad-connect).
-4. Configure Azure AD Connect features based on your institution’s requirements by performing the steps in [Configure features](https://azure.microsoft.com/documentation/articles/active-directory-aadconnect/#configure-sync-features).
+3. Install Azure AD Connect by performing the steps in [Install Azure AD Connect](/azure/active-directory/hybrid/whatis-hybrid-identity#install-azure-ad-connect).
+4. Configure Azure AD Connect features based on your institution’s requirements by performing the steps in [Configure features](/azure/active-directory/hybrid/whatis-hybrid-identity#configure-sync-features).
Now that you have used on premises Azure AD Connect to deploy AD DS and Azure AD synchronization, you’re ready to verify that Azure AD Connect is synchronizing AD DS user and group accounts with Azure AD.
@@ -445,9 +445,9 @@ Several methods are available to bulk-import user accounts into AD DS domains. T
| Method | Description and reason to select this method |
|--------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Ldifde.exe | This command-line tool allows you to import and export objects (such as user accounts) from AD DS. Select this method if you aren’t comfortable with Microsoft Visual Basic Scripting Edition (VBScript), Windows PowerShell, or other scripting languages. For more information about using Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx). |
-| VBScript | This scripting language uses the Active Directory Services Interfaces (ADSI) Component Object Model interface to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with VBScript. For more information about using VBScript and ADSI, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/library/bb727091.aspx) and [ADSI Scriptomatic](https://technet.microsoft.com/scriptcenter/dd939958.aspx). |
-| Windows PowerShell | This scripting language natively supports cmdlets to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with Window PowerShell scripting. For more information about using Windows PowerShell, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx). |
+| Ldifde.exe | This command-line tool allows you to import and export objects (such as user accounts) from AD DS. Select this method if you aren’t comfortable with Microsoft Visual Basic Scripting Edition (VBScript), Windows PowerShell, or other scripting languages. For more information about using Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](/previous-versions/windows/it-pro/windows-2000-server/bb727091(v=technet.10)), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/kb/555636), [Import or Export Directory Objects Using Ldifde](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc816781(v=ws.10)), and [LDIFDE](/previous-versions/orphan-topics/ws.10/cc755456(v=ws.10)). |
+| VBScript | This scripting language uses the Active Directory Services Interfaces (ADSI) Component Object Model interface to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with VBScript. For more information about using VBScript and ADSI, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](/previous-versions/windows/it-pro/windows-2000-server/bb727091(v=technet.10)) and [ADSI Scriptomatic](https://technet.microsoft.com/scriptcenter/dd939958.aspx). |
+| Windows PowerShell | This scripting language natively supports cmdlets to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with Window PowerShell scripting. For more information about using Windows PowerShell, see [Import Bulk Users to Active Directory](/archive/blogs/technet/bettertogether/import-bulk-users-to-active-directory) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx). |
1. Import operating systems
-Import the operating systems that you selected in the Select operating systems section into the deployment share. For more information about how to import operating systems, see Import an Operating System into the Deployment Workbench.
+Import the operating systems that you selected in the Select operating systems section into the deployment share. For more information about how to import operating systems, see Import an Operating System into the Deployment Workbench.
@@ -741,8 +741,8 @@ If you have Intune, you can deploy Microsoft Store apps after you deploy Windows
In addition, you must prepare your environment for sideloading (deploying) Microsoft Store apps. For more information about how to:2. Import device drives
Device drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device cannot play sounds; without the proper camera driver, the device cannot take photos or use video chat.
-Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](https://technet.microsoft.com/library/dn759415.aspx#ImportDeviceDriversintotheDeploymentWorkbench).
+Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#ImportDeviceDriversintotheDeploymentWorkbench).
-
@@ -754,13 +754,13 @@ In addition, you must prepare your environment for sideloading (deploying) Micro
You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them.
@@ -776,7 +776,7 @@ For more information about how to create an MDT application for Window desktop a
-To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in [Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](https://technet.microsoft.com/library/jj219423.aspx?f=255&MSPPError=-2147217396).
+To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in [Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](/deployoffice/deploy-microsoft-365-apps-local-source?f=255&MSPPError=-2147217396).
If you have Intune, you can deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps. This is the preferred method for deploying and managing Windows desktop apps.
**Note** You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section.
-For more information about how to create an MDT application for Window desktop apps, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com/library/dn759415.aspx#CreateaNewApplicationintheDeploymentWorkbench).
+For more information about how to create an MDT application for Window desktop apps, see [Create a New Application in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#CreateaNewApplicationintheDeploymentWorkbench).
Updating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32 bit and 64 bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services.
+For more information about how to update a deployment share, see [Update a Deployment Share in the Deployment Workbench](/mem/configmgr/mdt/use-the-mdt#UpdateaDeploymentShareintheDeploymentWorkbench).
@@ -799,11 +799,11 @@ You can use Windows Deployment Services in conjunction with MDT to automatically
1. Set up and configure Windows Deployment Services.
-For more information about how to update a deployment share, see [Update a Deployment Share in the Deployment Workbench](https://technet.microsoft.com/library/dn759415.aspx#UpdateaDeploymentShareintheDeploymentWorkbench).Use of Microsoft accounts
You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, do not use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.
Note Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.
-Group Policy. Configure the Accounts: Block Microsoft accounts Group Policy setting to use the Users can’t add Microsoft accounts setting option.
+Group Policy. Configure the Accounts: Block Microsoft accounts Group Policy setting to use the Users can’t add Microsoft accounts setting option.
Intune. Enable or disable the camera by using the Allow Microsoft account, Allow adding non-Microsoft accounts manually, and Allow settings synchronization for Microsoft accounts policy settings under the Accounts and Synchronization section of a Windows 10 General Configuration policy.
@@ -932,7 +932,7 @@ Microsoft has several recommended settings for educational institutions. Table 1
Restrict local administrator accounts on the devices
Ensure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.
-Group Policy. Create a Local Group Group Policy preference to limit the local administrators group membership. Select the Delete all member users and Delete all member groups check boxes to remove any existing members. For more information about how to configure Local Group preferences, see Configure a Local Group Item.
+Group Policy. Create a Local Group Group Policy preference to limit the local administrators group membership. Select the Delete all member users and Delete all member groups check boxes to remove any existing members. For more information about how to configure Local Group preferences, see Configure a Local Group Item.
Intune. Not available.
@@ -940,7 +940,7 @@ Microsoft has several recommended settings for educational institutions. Table 1
Restrict the local administrator accounts on the devices
Ensure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.
-Group Policy. Create a Local Group Group Policy preference to limit the local administrators group membership. Select the Delete all member users and Delete all member groups check boxes to remove any existing members. For more information about how to configure Local Group preferences, see Configure a Local Group Item.
+Group Policy. Create a Local Group Group Policy preference to limit the local administrators group membership. Select the Delete all member users and Delete all member groups check boxes to remove any existing members. For more information about how to configure Local Group preferences, see Configure a Local Group Item.
Intune. Not available.
@@ -948,7 +948,7 @@ Microsoft has several recommended settings for educational institutions. Table 1
Manage the built-in administrator account created during device deployment
When you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and optionally disable it.
-Group Policy. Rename the built-in Administrator account by using the Accounts: Rename administrator account Group Policy setting. For more information about how to rename the built-in Administrator account, see To rename the Administrator account using the Group Policy Management Console. You will specify the new name for the Administrator account. You can disable the built-in Administrator account by using the Accounts: Administrator account status Group Policy setting. For more information about how to disable the built-in Administrator account, see Accounts: Administrator account status.
+Group Policy. Rename the built-in Administrator account by using the Accounts: Rename administrator account Group Policy setting. For more information about how to rename the built-in Administrator account, see To rename the Administrator account using the Group Policy Management Console. You will specify the new name for the Administrator account. You can disable the built-in Administrator account by using the Accounts: Administrator account status Group Policy setting. For more information about how to disable the built-in Administrator account, see Accounts: Administrator account status.
Intune. Not available.
@@ -972,7 +972,7 @@ Microsoft has several recommended settings for educational institutions. Table 1
Control Microsoft Store access
You can control access to Microsoft Store and whether existing Microsoft Store apps receive updates. You can only disable the Microsoft Store app in Windows 10 Education and Windows 10 Enterprise.
-Group Policy. You can disable the Microsoft Store app by using the Turn off the Store Application Group Policy setting. You can prevent Microsoft Store apps from receiving updates by using the Turn off Automatic Download and Install of updates Group Policy setting. For more information about configuring these settings, see Can I use Group Policy to control the Microsoft Store in my enterprise environment?.
+Group Policy. You can disable the Microsoft Store app by using the Turn off the Store Application Group Policy setting. You can prevent Microsoft Store apps from receiving updates by using the Turn off Automatic Download and Install of updates Group Policy setting. For more information about configuring these settings, see Can I use Group Policy to control the Microsoft Store in my enterprise environment?.
Intune. You can enable or disable the camera by using the Allow application store policy setting in the Apps section of a Windows 10 General Configuration policy.
@@ -1008,23 +1008,23 @@ Microsoft has several recommended settings for educational institutions. Table 1
Now, you’re ready to configure settings by using Group Policy. The steps in this section assume that you have an AD DS infrastructure. You will configure the Group Policy settings you select in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section.
-For more information about Group Policy, see [Group Policy Planning and Deployment Guide](https://technet.microsoft.com/library/cc754948.aspx).
+For more information about Group Policy, see [Group Policy Planning and Deployment Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754948(v=ws.10)).
#### To configure Group Policy settings
-1. Create a Group Policy object (GPO) that will contain the Group Policy settings by completing the steps in [Create a new Group Policy object](https://technet.microsoft.com/library/cc738830.aspx).
-2. Configure the settings in the GPO by completing the steps in [Edit a Group Policy object](https://technet.microsoft.com/library/cc739902.aspx).
-3. Link the GPO to the appropriate AD DS site, domain, or organizational unit by completing the steps in [Link a Group Policy object to a site, domain, or organizational unit](https://technet.microsoft.com/library/cc738954(v=ws.10).aspx).
+1. Create a Group Policy object (GPO) that will contain the Group Policy settings by completing the steps in [Create a new Group Policy object](/previous-versions/windows/it-pro/windows-server-2003/cc738830(v=ws.10)).
+2. Configure the settings in the GPO by completing the steps in [Edit a Group Policy object](/previous-versions/windows/it-pro/windows-server-2003/cc739902(v=ws.10)).
+3. Link the GPO to the appropriate AD DS site, domain, or organizational unit by completing the steps in [Link a Group Policy object to a site, domain, or organizational unit](/previous-versions/windows/it-pro/windows-server-2003/cc738954(v=ws.10)).
### Configure settings by using Intune
Now, you’re ready to configure settings by using Intune. The steps in this section assume that you have an Office 365 subscription. You will configure the Intune settings that you selected in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section.
-For more information about Intune, see [Documentation for Microsoft Intune](https://docs.microsoft.com/intune/).
+For more information about Intune, see [Documentation for Microsoft Intune](/intune/).
#### To configure Intune settings
-1. Add Intune to your Office 365 subscription by completing the steps in [Get started with a paid subscription to Microsoft Intune](https://docs.microsoft.com/intune/get-started/start-with-a-paid-subscription-to-microsoft-intune).
+1. Add Intune to your Office 365 subscription by completing the steps in [Get started with a paid subscription to Microsoft Intune](/intune/get-started/start-with-a-paid-subscription-to-microsoft-intune).
2. Enroll devices with Intune by completing the steps in [Get ready to enroll devices in Microsoft Intune](https://technet.microsoft.com/library/dn646962.aspx).
3. Configure the settings in Intune Windows 10 policies by completing the steps in [Manage settings and features on your devices with Microsoft Intune policies](https://technet.microsoft.com/library/dn646984.aspx).
4. Manage Windows 10 devices by completing the steps in [Manage Windows PCs with Microsoft Intune](https://technet.microsoft.com/library/dn646959.aspx).
@@ -1033,7 +1033,7 @@ For more information about Intune, see [Documentation for Microsoft Intune](http
You can use Intune to deploy Microsoft Store and Windows desktop apps. Intune provides improved control over which users receive specific apps. In addition, Intune allows you deploy apps to companion devices (such as Windows 10 Mobile, iOS, or Android devices) Finally, Intune helps you manage app security and features, such as mobile application management policies that let you manage apps on devices that are not enrolled in Intune or are managed by another solution.
-For more information about how to configure Intune to manage your apps, see [Deploy and configure apps with Microsoft Intune](https://docs.microsoft.com/intune/).
+For more information about how to configure Intune to manage your apps, see [Deploy and configure apps with Microsoft Intune](/intune/).
### Summary
@@ -1063,14 +1063,14 @@ Prior to deployment of Windows 10, ensure that you complete the tasks listed in
Use the Deployment Wizard to deploy Windows 10. The LTI deployment process is almost fully automated: You provide only minimal information to the Deployment Wizard at the beginning of the process. After the wizard collects the necessary information, the remainder of the process is fully automated.
-**Note** To fully automate the LTI deployment process, complete the steps in the “Fully Automated LTI Deployment Scenario” section in the [Microsoft Deployment Toolkit Samples Guide](https://technet.microsoft.com/library/dn781089.aspx).
+**Note** To fully automate the LTI deployment process, complete the steps in the “Fully Automated LTI Deployment Scenario” section in the [Microsoft Deployment Toolkit Samples Guide](/mem/configmgr/mdt/samples-guide).
In most instances, deployments occur without incident. Only in rare occasions do deployments experience problems.
#### To deploy Windows 10
1. **Initiate the LTI deployment process**. Initiate the LTI deployment process booting over the network (PXE boot) or from local media. You selected the method for initiating the LTI deployment process in the [Select a method to initiate deployment](#select-a-method-to-initiate-deployment) section earlier in this guide.
-2. **Complete the Deployment Wizard**. For more information about how to complete the Deployment Wizard, see the “Running the Deployment Wizard” topic in [Using the Microsoft Deployment Toolkit](https://technet.microsoft.com/library/dn759415.aspx#Running%20the%20Deployment%20Wizard).
+2. **Complete the Deployment Wizard**. For more information about how to complete the Deployment Wizard, see the “Running the Deployment Wizard” topic in [Using the Microsoft Deployment Toolkit](/mem/configmgr/mdt/use-the-mdt#Running%20the%20Deployment%20Wizard).
### Set up printers
@@ -1141,9 +1141,9 @@ Table 13 lists the school and individual classroom maintenance tasks, the resour
Use of audio recording
Audio recording (by using the Sound Recorder app) can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the Sound Recorder app on your devices.
-Group Policy. You can disable the Sound Recorder app by using the Do not allow Sound Recorder to run Group Policy setting. You can disable other audio recording apps by using AppLocker policies. Create AppLocker policies by using the information in Editing an AppLocker Policy and Create Your AppLocker Policies.
+Group Policy. You can disable the Sound Recorder app by using the Do not allow Sound Recorder to run Group Policy setting. You can disable other audio recording apps by using AppLocker policies. Create AppLocker policies by using the information in Editing an AppLocker Policy and Create Your AppLocker Policies.
Intune. You can enable or disable the camera by using the Allow voice recording policy setting in the Features section of a Windows 10 General Configuration policy.
Verify that Windows Update is active and current with operating system and software updates.
@@ -1171,7 +1171,7 @@ For more information about completing this task, see Windows 10 servicing options for updates and upgrades.
+For more information about Windows 10 servicing options for updates and upgrades, see Windows 10 servicing options for updates and upgrades.
For more information about completing this task when you have:
-
X
X
@@ -1251,7 +1251,7 @@ For more information about how to:
Create or modify Exchange Online or Microsoft Exchange Server distribution lists in Office 365.
-For more information about how to create or modify Exchange Online or Exchange Server distribution lists in Office 365, see Manage Distribution Groups and Groups in Exchange Online and SharePoint Online.
+For more information about how to create or modify Exchange Online or Exchange Server distribution lists in Office 365, see Manage Distribution Groups and Groups in Exchange Online and SharePoint Online.
@@ -1279,7 +1279,7 @@ Now, you have identified the tasks you need to perform monthly, at the end of an
## Related resources
-
+
\ No newline at end of file
diff --git a/education/windows/edu-deployment-recommendations.md b/education/windows/edu-deployment-recommendations.md
index 1f3bcffff3..268f6d2d8b 100644
--- a/education/windows/edu-deployment-recommendations.md
+++ b/education/windows/edu-deployment-recommendations.md
@@ -34,8 +34,8 @@ Keep these best practices in mind when deploying any edition of Windows 10 in sc
## Windows 10 Contacts privacy settings
If you’re an IT administrator who deploys Windows 10 in a school or district, we recommend that you review these deployment resources to make informed decisions about how you can configure telemetry for your school or district:
-* [Configure Windows telemetry in your organization](https://go.microsoft.com/fwlink/?LinkId=817241) - Describes the types of telemetry we gather and the ways you can manage this data.
-* [Manage connections from Windows operating system components to Microsoft services](https://go.microsoft.com/fwlink/?LinkId=817240) - Learn about network connections that Windows components make to Microsoft and also the privacy settings (such as location, camera, messaging, and more) that affect data that is shared with either Microsoft or apps and how you can manage this data.
+* [Configure Windows telemetry in your organization](/windows/privacy/configure-windows-diagnostic-data-in-your-organization) - Describes the types of telemetry we gather and the ways you can manage this data.
+* [Manage connections from Windows operating system components to Microsoft services](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services) - Learn about network connections that Windows components make to Microsoft and also the privacy settings (such as location, camera, messaging, and more) that affect data that is shared with either Microsoft or apps and how you can manage this data.
In particular, the **Contacts** area in the **Settings** > **Privacy** section lets you choose which apps can access a student’s contacts list. By default, this setting is turned on.
@@ -133,4 +133,4 @@ If you need help deleting the account, you can contact Skype customer service by
To delete an Xbox account, you can follow the instructions here: [How to delete your Microsoft account and personal information associated with it](https://go.microsoft.com/fwlink/?LinkId=816521).
## Related topics
-[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
+[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
\ No newline at end of file
diff --git a/education/windows/education-scenarios-store-for-business.md b/education/windows/education-scenarios-store-for-business.md
index de941be3c6..586d6ea6b8 100644
--- a/education/windows/education-scenarios-store-for-business.md
+++ b/education/windows/education-scenarios-store-for-business.md
@@ -19,7 +19,7 @@ manager: dansimp
Learn about education scenarios for Microsoft Store for Education. IT admins and teachers can use Microsoft Store to find, acquire, distribute, and manage apps.
-Many of the [settings in Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/settings-reference-microsoft-store-for-business) also apply in Microsoft Store for Education. Several of the items in this topic are unique to Microsoft Store for Education.
+Many of the [settings in Microsoft Store for Business](/microsoft-store/settings-reference-microsoft-store-for-business) also apply in Microsoft Store for Education. Several of the items in this topic are unique to Microsoft Store for Education.
## Basic Purchaser role
Applies to: IT admins
@@ -91,22 +91,22 @@ Applies to: IT admins and teachers
Find apps for your school using Microsoft Store for Business. Admins in an education setting can use the same processes as Admins in an enterprise setting to find and acquire apps.
**To acquire apps**
-- For info on how to acquire apps, see [Acquire apps in Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/acquire-apps-windows-store-for-business#acquire-apps)
+- For info on how to acquire apps, see [Acquire apps in Microsoft Store for Business](/microsoft-store/acquire-apps-windows-store-for-business#acquire-apps)
**To add a payment method - debit or credit card**
If the app you purchase has a price, you’ll need to provide a payment method.
- During your purchase, click **Get started! Add a way to pay.** Provide the info needed for your debit or credit card.
-For more information on payment options, see [payment options](https://docs.microsoft.com/microsoft-store/acquire-apps-windows-store-for-business#payment-options).
+For more information on payment options, see [payment options](/microsoft-store/acquire-apps-windows-store-for-business#payment-options).
-For more information on tax rates, see [tax information](https://docs.microsoft.com/microsoft-store/update-windows-store-for-business-account-settings#organization-tax-information).
+For more information on tax rates, see [tax information](/microsoft-store/update-windows-store-for-business-account-settings#organization-tax-information).
### Get started with Minecraft: Education Edition
Teachers and IT administrators can now get trials or subscriptions to Minecraft: Education Edition and add it to Microsoft Store for Business for distribution.
-- [Get started with Minecraft: Education Edition](https://docs.microsoft.com/education/windows/get-minecraft-for-education)
-- [For IT admins – Minecraft: Education Edition](https://docs.microsoft.com/education/windows/school-get-minecraft)
-- [For teachers – Minecraft: Education Edition](https://docs.microsoft.com/education/windows/teacher-get-minecraft)
+- [Get started with Minecraft: Education Edition](./get-minecraft-for-education.md)
+- [For IT admins – Minecraft: Education Edition](./school-get-minecraft.md)
+- [For teachers – Minecraft: Education Edition](./teacher-get-minecraft.md)
## Manage apps and software
Applies to: IT admins and teachers
@@ -135,12 +135,12 @@ Manage and distribute apps to students and others in your organization. Differen
Applies to: IT admins
**To manage and distribute apps**
-- For info on how to distribute **Minecraft: Education Edition**, see [For IT admins – Minecraft: Education Edition](https://docs.microsoft.com/education/windows/school-get-minecraft#distribute-minecraft)
-- For info on how to manage and distribute other apps, see [App inventory management - Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/app-inventory-management-windows-store-for-business)
+- For info on how to distribute **Minecraft: Education Edition**, see [For IT admins – Minecraft: Education Edition](./school-get-minecraft.md#distribute-minecraft)
+- For info on how to manage and distribute other apps, see [App inventory management - Microsoft Store for Business](/microsoft-store/app-inventory-management-windows-store-for-business)
Applies to: Teachers
-For info on how to distribute **Minecraft: Education Edition**, see [For teachers – Minecraft: Education Edition](https://docs.microsoft.com/education/windows/teacher-get-minecraft#distribute-minecraft).
+For info on how to distribute **Minecraft: Education Edition**, see [For teachers – Minecraft: Education Edition](./teacher-get-minecraft.md#distribute-minecraft).
**To assign an app to a student**
@@ -169,9 +169,9 @@ Similarly, you can purchase additional subscriptions of **Minecraft: Education E
## Manage order history
Applies to: IT admins and teachers
-You can manage your orders through Microsoft Store for Business. For info on order history and how to refund an order, see [Manage app orders in Microsoft Store for Business](https://technet.microsoft.com/itpro/windows/manage/manage-orders-windows-store-for-business).
+You can manage your orders through Microsoft Store for Business. For info on order history and how to refund an order, see [Manage app orders in Microsoft Store for Business](/microsoft-store/manage-orders-microsoft-store-for-business).
It can take up to 24 hours after a purchase, before a receipt is available on your **Order history page**.
> [!NOTE]
-> For **Minecraft: Education Edition**, you can request a refund through Microsoft Store for Business for two months from the purchase date. After two months, refunds require a support call.
+> For **Minecraft: Education Edition**, you can request a refund through Microsoft Store for Business for two months from the purchase date. After two months, refunds require a support call.
\ No newline at end of file
diff --git a/education/windows/enable-s-mode-on-surface-go-devices.md b/education/windows/enable-s-mode-on-surface-go-devices.md
index 0b7fc8c617..e7dce928ea 100644
--- a/education/windows/enable-s-mode-on-surface-go-devices.md
+++ b/education/windows/enable-s-mode-on-surface-go-devices.md
@@ -25,16 +25,16 @@ Here are some things you’ll need before attempting any of these procedures:
- A Surface Go device or Surface Go device image based on Windows 10 Pro
(1803)
- General understanding of [Windows deployment scenarios and related
- tools](https://docs.microsoft.com/windows/deployment/windows-deployment-scenarios-and-tools)
+ tools](/windows/deployment/windows-deployment-scenarios-and-tools)
- [Windows ADK for Windows 10
- 1803](https://docs.microsoft.com/windows/deployment/windows-adk-scenarios-for-it-pros)
+ 1803](/windows/deployment/windows-adk-scenarios-for-it-pros)
- [Bootable Windows Preinstall Environment
- (WinPE)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive)
+ (WinPE)](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive)
## Enabling S Mode – Windows Image (WIM)
Like enterprise administrators performing large-scale deployment of customized Windows images, education customers can create their own customized Windows images for deployment to multiple classroom devices. An education customer who plans to follow [a traditional image-based deployment
-process](https://docs.microsoft.com/windows/deployment/windows-10-deployment-scenarios#traditional-deployment) using a Windows 10 Pro (1803) image for Surface Go devices can enable S mode as follows:
+process](/windows/deployment/windows-10-deployment-scenarios#traditional-deployment) using a Windows 10 Pro (1803) image for Surface Go devices can enable S mode as follows:
1. Use DISM to mount your offline Windows 10 Pro (1803) image.
@@ -87,7 +87,7 @@ Your Windows 10 Pro (1803) image now has S mode enabled and is ready to deploy t
Education customers who wish to avoid the additional overhead associated with Windows image creation, customization, and deployment can enable S mode on a per-device basis. Performing the following steps on a Surface Go device will enable S mode on an existing installation of Windows 10 Pro (1803).
1. Create a bootable WinPE media. See [Create a bootable Windows PE USB
- drive](https://msdn.microsoft.com/library/windows/hardware/dn938386.aspx) for details.
+ drive](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive) for details.
2. Create an unattend.xml answer file, adding the
amd64_Microsoft_Windows_CodeIntegrity component to Pass 2 offline Servicing
@@ -130,17 +130,16 @@ Upon reboot, you should find your Surface Go device now is now in S mode.
## Additional Info
-[Windows 10 deployment scenarios](https://docs.microsoft.com/windows/deployment/windows-10-deployment-scenarios)
+[Windows 10 deployment scenarios](/windows/deployment/windows-10-deployment-scenarios)
-[Windows 10 deployment scenarios and tools](https://docs.microsoft.com/windows/deployment/windows-deployment-scenarios-and-tools)
+[Windows 10 deployment scenarios and tools](/windows/deployment/windows-deployment-scenarios-and-tools)
-[Download and install the Windows ADK](https://docs.microsoft.com/windows-hardware/get-started/adk-install)
+[Download and install the Windows ADK](/windows-hardware/get-started/adk-install)
-[Windows ADK for Windows 10 scenarios for IT Pros](https://docs.microsoft.com/windows/deployment/windows-adk-scenarios-for-it-pros)
+[Windows ADK for Windows 10 scenarios for IT Pros](/windows/deployment/windows-adk-scenarios-for-it-pros)
-[Modify a Windows Image Using DISM](https://docs.microsoft.com/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism)
+[Modify a Windows Image Using DISM](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism)
-[Service a Windows Image Using DISM](https://docs.microsoft.com/windows-hardware/manufacture/desktop/service-a-windows-image-using-dism)
-
-[DISM Image Management Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/dism-image-management-command-line-options-s14)
+[Service a Windows Image Using DISM](/windows-hardware/manufacture/desktop/service-a-windows-image-using-dism)
+[DISM Image Management Command-Line Options](/windows-hardware/manufacture/desktop/dism-image-management-command-line-options-s14)
\ No newline at end of file
diff --git a/education/windows/get-minecraft-device-promotion.md b/education/windows/get-minecraft-device-promotion.md
index bafc4ed6ae..258525651d 100644
--- a/education/windows/get-minecraft-device-promotion.md
+++ b/education/windows/get-minecraft-device-promotion.md
@@ -24,7 +24,7 @@ manager: dansimp
The **Minecraft: Education Edition** with Windows 10 device promotion ended January 31, 2018.
Qualifying customers that received one-year subscriptions for Minecraft: Education Edition as part of this program and wish to continue using the game in their schools can purchase new subscriptions in Microsoft Store for Education.
-For more information on purchasing Minecraft: Education Edition, see [Add Minecraft to your Store for Education](https://docs.microsoft.com/education/windows/school-get-minecraft?toc=/microsoft-store/education/toc.json).
+For more information on purchasing Minecraft: Education Edition, see [Add Minecraft to your Store for Education](./school-get-minecraft.md?toc=%2fmicrosoft-store%2feducation%2ftoc.json).
>[!Note]
>**Minecraft: Education Edition** with Windows 10 device promotion subscriptions are valid for 1 year from the time
@@ -87,4 +87,4 @@ After that, we’ll add the appropriate number of Minecraft: Education Edition l
Teachers or admins can distribute the licenses:
- [Learn how teachers can distribute **Minecraft: Education Edition**](teacher-get-minecraft.md#distribute-minecraft)
- [Learn how IT administrators can distribute **Minecraft: Education Edition**](school-get-minecraft.md#distribute-minecraft)
--->
+-->
\ No newline at end of file
diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md
index 7037b5ce14..78f1759c45 100644
--- a/education/windows/get-minecraft-for-education.md
+++ b/education/windows/get-minecraft-for-education.md
@@ -37,7 +37,7 @@ Teachers and IT administrators can now get early access to **Minecraft: Educatio
- Trials or subscriptions of **Minecraft: Education Edition** are offered to education tenants that are managed by Azure Active Directory (Azure AD).
- If your school doesn't have an Azure AD tenant, the [IT administrator can set one up](school-get-minecraft.md) as part of the process of getting **Minecraft: Education Edition**.
- Office 365 Education, which includes online versions of Office apps plus 1 TB online storage. [Sign up your school for Office 365 Education.](https://products.office.com/academic/office-365-education-plan)
- - If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. [Register your free Azure AD subscription.](https://msdn.microsoft.com/library/windows/hardware/mt703369%28v=vs.85%29.aspx)
+ - If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. [Register your free Azure AD subscription.](/windows/client-management/mdm/register-your-free-azure-active-directory-subscription)
@@ -46,5 +46,4 @@ Teachers and IT administrators can now get early access to **Minecraft: Educatio
-[Learn how IT administrators can get and distribute **Minecraft: Education Edition**](school-get-minecraft.md), and how to manage permissions for Minecraft.
-
+[Learn how IT administrators can get and distribute **Minecraft: Education Edition**](school-get-minecraft.md), and how to manage permissions for Minecraft.
\ No newline at end of file
diff --git a/education/windows/index.md b/education/windows/index.md
index b40b009575..81e3f97634 100644
--- a/education/windows/index.md
+++ b/education/windows/index.md
@@ -46,18 +46,18 @@ ms.date: 10/13/2017
Follow these links to find step-by-step guidance on how to deploy Windows 8.1 in an academic environment.
-
Explore key considerations and questions that should be answered when planning for Windows 8.1 deployment.
Get an overview of Windows 8.1 deployment to PCs in an educational environment.
Explore Bring Your Own Device (BYOD) considerations, including device types, infrastructure, and deployment models.
Get step-by-step instructions on how to configure and deploy Windows RT devices (like Surface and other tablets) in educational environments.
Learn how to address challenges related to BYOD scenarios using Virtual Desktop Infrastructure (VDI).
Explore Microsoft Store app deployment strategies and considerations for educational institutions running Windows 8.1.
Learn about the benefits, limitations, and processes involved in deploying Windows To Go.
Explore key considerations and questions that should be answered when planning for Windows 8.1 deployment.
Get an overview of Windows 8.1 deployment to PCs in an educational environment.
Explore Bring Your Own Device (BYOD) considerations, including device types, infrastructure, and deployment models.
Get step-by-step instructions on how to configure and deploy Windows RT devices (like Surface and other tablets) in educational environments.
Learn how to address challenges related to BYOD scenarios using Virtual Desktop Infrastructure (VDI).
Explore Microsoft Store app deployment strategies and considerations for educational institutions running Windows 8.1.
Learn about the benefits, limitations, and processes involved in deploying Windows To Go.
Learn how to upgrade devices running the Windows 7 operating system to Windows 10 Anniversary Update, and how to manage devices, apps, and users in Windows 10 Anniversary Update.
For the best experience, use this guide in tandem with the TechNet Virtual Lab: IT Pro Try-It-Out.
Tenant-wide Windows 10 Pro > Pro Education
> [!IMPORTANT]
-> While it’s free to switch to Windows 10 Pro, it’s not reversible. The only way to roll back this kind of switch is through a [bare metal recovery (BMR)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) reset. This restores a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset.
+> While it’s free to switch to Windows 10 Pro, it’s not reversible. The only way to roll back this kind of switch is through a [bare metal recovery (BMR)](/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) reset. This restores a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset.
### Devices running Windows 10, version 1709
@@ -71,4 +71,4 @@ Tenant-wide Windows 10 Pro > Pro Education
[FAQs](https://support.microsoft.com/help/4020089/windows-10-in-s-mode-faq)
[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
-[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)
+[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)
\ No newline at end of file
diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md
index 515bfff44f..e3900603b6 100644
--- a/education/windows/school-get-minecraft.md
+++ b/education/windows/school-get-minecraft.md
@@ -70,7 +70,7 @@ If you’ve been approved and are part of the Enrollment for Education Solutions
Now that the app is in your Microsoft Store for Education inventory, you can choose how to distribute Minecraft. For more information on distribution options, see [Distribute Minecraft](#distribute-minecraft).
-If you need additional licenses for **Minecraft: Education Edition**, see [Purchase additional licenses](https://technet.microsoft.com/edu/windows/education-scenarios-store-for-business#purchase-additional-licenses).
+If you need additional licenses for **Minecraft: Education Edition**, see [Purchase additional licenses](./education-scenarios-store-for-business.md#purchase-additional-licenses).
### Minecraft: Education Edition - volume licensing
Qualified education institutions can purchase Minecraft: Education Edition licenses through their Microsoft channel partner. Schools need to be part of the Enrollment for Education Solutions (EES) volume licensing program. Educational institutions should work with their channel partner to determine which Minecraft: Education Edition licensing offer is best for their institution. The process looks like this:
@@ -128,7 +128,7 @@ After Minecraft: Education Edition is added to your Microsoft Store for Educatio
- You can assign the app to others.
- You can download the app to distribute.
-Admins can also add Minecraft: Education Edition to the private store. This allows people in your organization to install the app from the private store. For more information, see [Distribute apps using your private store](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-from-your-private-store).
+Admins can also add Minecraft: Education Edition to the private store. This allows people in your organization to install the app from the private store. For more information, see [Distribute apps using your private store](/microsoft-store/distribute-apps-from-your-private-store).
+For more information, see [Distribute apps to your employees from Microsoft Store for Business](distribute-apps-with-management-tool.md). -->
\ No newline at end of file
diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md
index 8d06648a0d..40a8600f07 100644
--- a/store-for-business/whats-new-microsoft-store-business-education.md
+++ b/store-for-business/whats-new-microsoft-store-business-education.md
@@ -23,15 +23,15 @@ Microsoft Store for Business and Education regularly releases new and improved f
| | |
|-----------------------|---------------------------------|
-|  |**Use security groups with Private store apps**
On the details page for apps in your private store, you can set **Private store availability**. This allows you to choose which security groups can see an app in the private store.
[Get more info](https://docs.microsoft.com/microsoft-store/app-inventory-management-microsoft-store-for-business#private-store-availability)
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education |
+|  |**Use security groups with Private store apps**
On the details page for apps in your private store, you can set **Private store availability**. This allows you to choose which security groups can see an app in the private store.
[Get more info](./app-inventory-management-microsoft-store-for-business.md#private-store-availability)
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education |
@@ -88,4 +88,4 @@ We’ve been working on bug fixes and performance improvements to provide you a
- Manage prepaid Office 365 subscriptions
- Manage Office 365 subscriptions acquired by partners
- Edge extensions in Microsoft Store
-- Search results in Microsoft Store for Business
+- Search results in Microsoft Store for Business
\ No newline at end of file
diff --git a/store-for-business/working-with-line-of-business-apps.md b/store-for-business/working-with-line-of-business-apps.md
index 3085320530..eeb38598ee 100644
--- a/store-for-business/working-with-line-of-business-apps.md
+++ b/store-for-business/working-with-line-of-business-apps.md
@@ -26,7 +26,7 @@ Your company or school can make line-of-business (LOB) applications available th
Developers within your organization, or ISVs that you invite, can become LOB publishers and submit apps to Microsoft Store for your company or school. Once an LOB publisher submits an app for your company, the app is only available to your company. LOB publishers submit apps through the Windows Dev Center using the same process as all apps that are in Microsoft Store, and then can be managed or deployed using the same process as any other app that has been acquired through Microsoft Store.
-One advantage of making apps available through Microsoft Store for Business is that the app has been signed by Microsoft Store, and uses the standard Microsoft Store policies. For organizations that can’t submit their application through the Windows Dev Center (for example, those needing additional capabilities or due to compliance purposes), [Sideloading](https://go.microsoft.com/fwlink/p/?LinkId=623433) is also supported on Windows 10.
+One advantage of making apps available through Microsoft Store for Business is that the app has been signed by Microsoft Store, and uses the standard Microsoft Store policies. For organizations that can’t submit their application through the Windows Dev Center (for example, those needing additional capabilities or due to compliance purposes), [Sideloading](/windows/application-management/sideload-apps-in-windows-10) is also supported on Windows 10.
## Adding LOB apps to your private store
@@ -61,7 +61,7 @@ Admins need to invite developer or ISVs to become an LOB publisher.
The developer receives an email invite to become an LOB publisher for your company. Once they accept the invite, they can log in to the Windows Dev Center to create an app submission for your company. The info here assumes that devs or ISVs have an active developer account.
-After an app is published and available in the Store, ISVs publish an updated version by creating another submission in their dashboard. Creating a new submission allows the ISV to make the changes required to create a LOB app for your company. To learn more about updates to an app submission, see [App submissions](https://go.microsoft.com/fwlink/p/?LinkId=623463) and [Distributing LOB apps to enterprises](https://go.microsoft.com/fwlink/p/?LinkId=627543).
+After an app is published and available in the Store, ISVs publish an updated version by creating another submission in their dashboard. Creating a new submission allows the ISV to make the changes required to create a LOB app for your company. To learn more about updates to an app submission, see [App submissions](/windows/uwp/publish/app-submissions) and [Distributing LOB apps to enterprises](/windows/uwp/publish/distribute-lob-apps-to-enterprises).
**To create a new submission for an app**
@@ -70,7 +70,7 @@ After an app is published and available in the Store, ISVs publish an updated ve
-OR-
- Submit your app following the guidelines in [App submissions](https://go.microsoft.com/fwlink/p/?LinkId=623463). Be sure to completed steps 3 and 4 when you set app pricing and availability options.
+ Submit your app following the guidelines in [App submissions](/windows/uwp/publish/app-submissions). Be sure to completed steps 3 and 4 when you set app pricing and availability options.
3. On the **Pricing and availability** page, under **Distribution and visibility**, click **Line-of-business (LOB) distribution**, and then choose the enterprise(s) who will get the LOB app. No one else will have access to the app.
4. Under **Organizational licensing**, click **Show options**.
@@ -83,10 +83,10 @@ After an app is published and available in the Store, ISVs publish an updated ve
5. Click **Save** to save your changes and start the app submission process.
-For more information, see [Organizational licensing options]( https://go.microsoft.com/fwlink/p/?LinkId=708615) and [Distributing LOB apps to enterprises](https://go.microsoft.com/fwlink/p/?LinkId=627543).
+For more information, see [Organizational licensing options]( https://go.microsoft.com/fwlink/p/?LinkId=708615) and [Distributing LOB apps to enterprises](/windows/uwp/publish/distribute-lob-apps-to-enterprises).
>[!Note]
- > In order to get the LOB app, the organization must be located in a [supported market](https://docs.microsoft.com/microsoft-store/microsoft-store-for-business-overview#supported-markets), and you must not have excluded that market when submitting your app.
+ > In order to get the LOB app, the organization must be located in a [supported market](./microsoft-store-for-business-overview.md#supported-markets), and you must not have excluded that market when submitting your app.
## Add app to inventory (admin)
@@ -102,4 +102,4 @@ After you add the app to your inventory, you can choose how to distribute the ap
- [Distribute apps to your employees from the Microsoft Store for Business](distribute-apps-to-your-employees-microsoft-store-for-business.md)
- [Distribute apps from your private store](distribute-apps-from-your-private-store.md)
- [Assign apps to employees](assign-apps-to-employees.md)
-- [Distribute offline apps](distribute-offline-apps.md)
+- [Distribute offline apps](distribute-offline-apps.md)
\ No newline at end of file
diff --git a/windows/access-protection/docfx.json b/windows/access-protection/docfx.json
index 3f6ef46e23..2f90a93cf1 100644
--- a/windows/access-protection/docfx.json
+++ b/windows/access-protection/docfx.json
@@ -49,7 +49,7 @@
"jborsecnik",
"tiburd",
"garycentric"
- ],
+ ]
},
"fileMetadata": {},
"template": [],
diff --git a/windows/application-management/TOC.md b/windows/application-management/TOC.md
deleted file mode 100644
index 0bd3d8166a..0000000000
--- a/windows/application-management/TOC.md
+++ /dev/null
@@ -1,112 +0,0 @@
-# [Manage applications in Windows 10](index.md)
-## [Sideload apps](sideload-apps-in-windows-10.md)
-## [Remove background task resource restrictions](enterprise-background-activity-controls.md)
-## [Enable or block Windows Mixed Reality apps in the enterprise](manage-windows-mixed-reality.md)
-## [Understand apps in Windows 10](apps-in-windows-10.md)
-## [Add apps and features in Windows 10](add-apps-and-features.md)
-## [Repackage win32 apps in the MSIX format](msix-app-packaging-tool.md)
-## [Application Virtualization (App-V) for Windows](app-v/appv-for-windows.md)
-### [Getting Started with App-V](app-v/appv-getting-started.md)
-#### [What's new in App-V for Windows 10, version 1703 and earlier](app-v/appv-about-appv.md)
-##### [Release Notes for App-V for Windows 10, version 1607](app-v/appv-release-notes-for-appv-for-windows.md)
-##### [Release Notes for App-V for Windows 10, version 1703](app-v/appv-release-notes-for-appv-for-windows-1703.md)
-#### [Evaluating App-V](app-v/appv-evaluating-appv.md)
-#### [High Level Architecture for App-V](app-v/appv-high-level-architecture.md)
-### [Planning for App-V](app-v/appv-planning-for-appv.md)
-#### [Preparing Your Environment for App-V](app-v/appv-preparing-your-environment.md)
-##### [App-V Prerequisites](app-v/appv-prerequisites.md)
-##### [App-V Security Considerations](app-v/appv-security-considerations.md)
-#### [Planning to Deploy App-V](app-v/appv-planning-to-deploy-appv.md)
-##### [App-V Supported Configurations](app-v/appv-supported-configurations.md)
-##### [App-V Capacity Planning](app-v/appv-capacity-planning.md)
-##### [Planning for High Availability with App-V](app-v/appv-planning-for-high-availability-with-appv.md)
-##### [Planning to Deploy App-V with an Electronic Software Distribution System](app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md)
-##### [Planning for the App-V Server Deployment](app-v/appv-planning-for-appv-server-deployment.md)
-##### [Planning for the App-V Sequencer and Client Deployment](app-v/appv-planning-for-sequencer-and-client-deployment.md)
-##### [Planning for Using App-V with Office](app-v/appv-planning-for-using-appv-with-office.md)
-##### [Planning to Use Folder Redirection with App-V](app-v/appv-planning-folder-redirection-with-appv.md)
-#### [App-V Planning Checklist](app-v/appv-planning-checklist.md)
-### [Deploying App-V](app-v/appv-deploying-appv.md)
-#### [Deploying the App-V Sequencer and Configuring the Client](app-v/appv-deploying-the-appv-sequencer-and-client.md)
-##### [About Client Configuration Settings](app-v/appv-client-configuration-settings.md)
-##### [Enable the App-V desktop client](app-v/appv-enable-the-app-v-desktop-client.md)
-##### [How to Install the Sequencer](app-v/appv-install-the-sequencer.md)
-#### [Deploying the App-V Server](app-v/appv-deploying-the-appv-server.md)
-##### [How to Deploy the App-V Server](app-v/appv-deploy-the-appv-server.md)
-##### [How to Deploy the App-V Server Using a Script](app-v/appv-deploy-the-appv-server-with-a-script.md)
-##### [How to Deploy the App-V Databases by Using SQL Scripts](app-v/appv-deploy-appv-databases-with-sql-scripts.md)
-##### [How to Install the Publishing Server on a Remote Computer](app-v/appv-install-the-publishing-server-on-a-remote-computer.md)
-##### [How to Install the Management and Reporting Databases on Separate Computers from the Management and Reporting Services](app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md)
-##### [How to install the Management Server on a Standalone Computer and Connect it to the Database](app-v/appv-install-the-management-server-on-a-standalone-computer.md)
-##### [About App-V Reporting](app-v/appv-reporting.md)
-##### [How to install the Reporting Server on a Standalone Computer and Connect it to the Database](app-v/appv-install-the-reporting-server-on-a-standalone-computer.md)
-#### [App-V Deployment Checklist](app-v/appv-deployment-checklist.md)
-#### [Deploying Microsoft Office 2016 by Using App-V](app-v/appv-deploying-microsoft-office-2016-with-appv.md)
-#### [Deploying Microsoft Office 2013 by Using App-V](app-v/appv-deploying-microsoft-office-2013-with-appv.md)
-#### [Deploying Microsoft Office 2010 by Using App-V](app-v/appv-deploying-microsoft-office-2010-wth-appv.md)
-### [Operations for App-V](app-v/appv-operations.md)
-#### [Creating and Managing App-V Virtualized Applications](app-v/appv-creating-and-managing-virtualized-applications.md)
-##### [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](app-v/appv-auto-provision-a-vm.md)
-##### [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](app-v/appv-auto-batch-sequencing.md)
-##### [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](app-v/appv-auto-batch-updating.md)
-##### [Manually sequence a new app using Microsoft Application Virtualization Sequencer (App-V Sequencer)](app-v/appv-sequence-a-new-application.md)
-##### [How to Modify an Existing Virtual Application Package](app-v/appv-modify-an-existing-virtual-application-package.md)
-##### [How to Create and Use a Project Template](app-v/appv-create-and-use-a-project-template.md)
-##### [How to Create a Package Accelerator](app-v/appv-create-a-package-accelerator.md)
-##### [How to Create a Virtual Application Package Using an App-V Package Accelerator](app-v/appv-create-a-virtual-application-package-package-accelerator.md)
-#### [Administering App-V Virtual Applications by Using the Management Console](app-v/appv-administering-virtual-applications-with-the-management-console.md)
-##### [About App-V Dynamic Configuration](app-v/appv-dynamic-configuration.md)
-##### [How to Connect to the Management Console](app-v/appv-connect-to-the-management-console.md)
-##### [How to Add or Upgrade Packages by Using the Management Console](app-v/appv-add-or-upgrade-packages-with-the-management-console.md)
-##### [How to Configure Access to Packages by Using the Management Console](app-v/appv-configure-access-to-packages-with-the-management-console.md)
-##### [How to Publish a Package by Using the Management Console](app-v/appv-publish-a-packages-with-the-management-console.md)
-##### [How to Delete a Package in the Management Console](app-v/appv-delete-a-package-with-the-management-console.md)
-##### [How to Add or Remove an Administrator by Using the Management Console](app-v/appv-add-or-remove-an-administrator-with-the-management-console.md)
-##### [How to Register and Unregister a Publishing Server by Using the Management Console](app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md)
-##### [How to Create a Custom Configuration File by Using the App-V Management Console](app-v/appv-create-a-custom-configuration-file-with-the-management-console.md)
-##### [How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console](app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md)
-##### [How to Customize Virtual Applications Extensions for a Specific AD Group by Using the Management Console](app-v/appv-customize-virtual-application-extensions-with-the-management-console.md)
-##### [How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console](app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md)
-#### [Managing Connection Groups](app-v/appv-managing-connection-groups.md)
-##### [About the Connection Group Virtual Environment](app-v/appv-connection-group-virtual-environment.md)
-##### [About the Connection Group File](app-v/appv-connection-group-file.md)
-##### [How to Create a Connection Group](app-v/appv-create-a-connection-group.md)
-##### [How to Create a Connection Group with User-Published and Globally Published Packages](app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md)
-##### [How to Delete a Connection Group](app-v/appv-delete-a-connection-group.md)
-##### [How to Publish a Connection Group](app-v/appv-publish-a-connection-group.md)
-##### [How to Make a Connection Group Ignore the Package Version](app-v/appv-configure-connection-groups-to-ignore-the-package-version.md)
-##### [How to Allow Only Administrators to Enable Connection Groups](app-v/appv-allow-administrators-to-enable-connection-groups.md)
-#### [Deploying App-V Packages by Using Electronic Software Distribution (ESD)](app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md)
-##### [How to deploy App-V Packages Using Electronic Software Distribution](app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md)
-##### [How to Enable Only Administrators to Publish Packages by Using an ESD](app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md)
-#### [Using the App-V Client Management Console](app-v/appv-using-the-client-management-console.md)
-##### [Automatically clean-up unpublished packages on the App-V client](app-v/appv-auto-clean-unpublished-packages.md)
-#### [Migrating to App-V from a Previous Version](app-v/appv-migrating-to-appv-from-a-previous-version.md)
-##### [How to Convert a Package Created in a Previous Version of App-V](app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md)
-#### [Maintaining App-V](app-v/appv-maintaining-appv.md)
-##### [How to Move the App-V Server to Another Computer](app-v/appv-move-the-appv-server-to-another-computer.md)
-#### [Administering App-V by Using Windows PowerShell](app-v/appv-administering-appv-with-powershell.md)
-##### [How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help](app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md)
-##### [How to Manage App-V Packages Running on a Stand-Alone Computer by Using Windows PowerShell](app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md)
-##### [How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell](app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md)
-##### [How to Modify Client Configuration by Using Windows PowerShell](app-v/appv-modify-client-configuration-with-powershell.md)
-##### [How to Configure the Client to Receive Package and Connection Groups Updates From the Publishing Server](app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md)
-##### [How to Apply the User Configuration File by Using Windows PowerShell](app-v/appv-apply-the-user-configuration-file-with-powershell.md)
-##### [How to Apply the Deployment Configuration File by Using Windows PowerShell](app-v/appv-apply-the-deployment-configuration-file-with-powershell.md)
-##### [How to Sequence a Package by Using Windows PowerShell](app-v/appv-sequence-a-package-with-powershell.md)
-##### [How to Create a Package Accelerator by Using Windows PowerShell](app-v/appv-create-a-package-accelerator-with-powershell.md)
-##### [How to Enable Reporting on the App-V Client by Using Windows PowerShell](app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md)
-##### [How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell](app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md)
-### [Troubleshooting App-V](app-v/appv-troubleshooting.md)
-### [Technical Reference for App-V](app-v/appv-technical-reference.md)
-#### [Available Mobile Device Management (MDM) settings for App-V](app-v/appv-available-mdm-settings.md)
-#### [Performance Guidance for Application Virtualization](app-v/appv-performance-guidance.md)
-#### [Application Publishing and Client Interaction](app-v/appv-application-publishing-and-client-interaction.md)
-#### [Viewing App-V Server Publishing Metadata](app-v/appv-viewing-appv-server-publishing-metadata.md)
-#### [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md)
-## [Service Host process refactoring](svchost-service-refactoring.md)
-## [Per-user services in Windows](per-user-services-in-windows.md)
-## [Disabling System Services in Windows Server](https://docs.microsoft.com/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server)
-## [Deploy app upgrades on Windows 10 Mobile](deploy-app-upgrades-windows-10-mobile.md)
-## [Change history for Application management](change-history-for-application-management.md)
-## [How to keep apps removed from Windows 10 from returning during an update](remove-provisioned-apps-during-update.md)
\ No newline at end of file
diff --git a/windows/application-management/TOC.yml b/windows/application-management/TOC.yml
new file mode 100644
index 0000000000..0235d54cc0
--- /dev/null
+++ b/windows/application-management/TOC.yml
@@ -0,0 +1,244 @@
+- name: Manage applications in Windows 10
+ href: index.md
+ items:
+ - name: Sideload apps
+ href: sideload-apps-in-windows-10.md
+ - name: Remove background task resource restrictions
+ href: enterprise-background-activity-controls.md
+ - name: Enable or block Windows Mixed Reality apps in the enterprise
+ href: manage-windows-mixed-reality.md
+ - name: Understand apps in Windows 10
+ href: apps-in-windows-10.md
+ - name: Add apps and features in Windows 10
+ href: add-apps-and-features.md
+ - name: Repackage win32 apps in the MSIX format
+ href: msix-app-packaging-tool.md
+ - name: Application Virtualization (App-V) for Windows
+ href: app-v/appv-for-windows.md
+ items:
+ - name: Getting Started with App-V
+ href: app-v/appv-getting-started.md
+ items:
+ - name: What's new in App-V for Windows 10, version 1703 and earlier
+ href: app-v/appv-about-appv.md
+ items:
+ - name: Release Notes for App-V for Windows 10, version 1607
+ href: app-v/appv-release-notes-for-appv-for-windows.md
+ - name: Release Notes for App-V for Windows 10, version 1703
+ href: app-v/appv-release-notes-for-appv-for-windows-1703.md
+ - name: Evaluating App-V
+ href: app-v/appv-evaluating-appv.md
+ - name: High Level Architecture for App-V
+ href: app-v/appv-high-level-architecture.md
+ - name: Planning for App-V
+ href: app-v/appv-planning-for-appv.md
+ items:
+ - name: Preparing Your Environment for App-V
+ href: app-v/appv-preparing-your-environment.md
+ items:
+ - name: App-V Prerequisites
+ href: app-v/appv-prerequisites.md
+ - name: App-V Security Considerations
+ href: app-v/appv-security-considerations.md
+ - name: Planning to Deploy App-V
+ href: app-v/appv-planning-to-deploy-appv.md
+ items:
+ - name: App-V Supported Configurations
+ href: app-v/appv-supported-configurations.md
+ - name: App-V Capacity Planning
+ href: app-v/appv-capacity-planning.md
+ - name: Planning for High Availability with App-V
+ href: app-v/appv-planning-for-high-availability-with-appv.md
+ - name: Planning to Deploy App-V with an Electronic Software Distribution System
+ href: app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md
+ - name: Planning for the App-V Server Deployment
+ href: app-v/appv-planning-for-appv-server-deployment.md
+ - name: Planning for the App-V Sequencer and Client Deployment
+ href: app-v/appv-planning-for-sequencer-and-client-deployment.md
+ - name: Planning for Using App-V with Office
+ href: app-v/appv-planning-for-using-appv-with-office.md
+ - name: Planning to Use Folder Redirection with App-V
+ href: app-v/appv-planning-folder-redirection-with-appv.md
+ - name: App-V Planning Checklist
+ href: app-v/appv-planning-checklist.md
+ - name: Deploying App-V
+ href: app-v/appv-deploying-appv.md
+ items:
+ - name: Deploying the App-V Sequencer and Configuring the Client
+ href: app-v/appv-deploying-the-appv-sequencer-and-client.md
+ items:
+ - name: About Client Configuration Settings
+ href: app-v/appv-client-configuration-settings.md
+ - name: Enable the App-V desktop client
+ href: app-v/appv-enable-the-app-v-desktop-client.md
+ - name: How to Install the Sequencer
+ href: app-v/appv-install-the-sequencer.md
+ - name: Deploying the App-V Server
+ href: app-v/appv-deploying-the-appv-server.md
+ items:
+ - name: How to Deploy the App-V Server
+ href: app-v/appv-deploy-the-appv-server.md
+ - name: How to Deploy the App-V Server Using a Script
+ href: app-v/appv-deploy-the-appv-server-with-a-script.md
+ - name: How to Deploy the App-V Databases by Using SQL Scripts
+ href: app-v/appv-deploy-appv-databases-with-sql-scripts.md
+ - name: How to Install the Publishing Server on a Remote Computer
+ href: app-v/appv-install-the-publishing-server-on-a-remote-computer.md
+ - name: How to Install the Management and Reporting Databases on Separate Computers from the Management and Reporting Services
+ href: app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md
+ - name: How to install the Management Server on a Standalone Computer and Connect it to the Database
+ href: app-v/appv-install-the-management-server-on-a-standalone-computer.md
+ - name: About App-V Reporting
+ href: app-v/appv-reporting.md
+ - name: How to install the Reporting Server on a Standalone Computer and Connect it to the Database
+ href: app-v/appv-install-the-reporting-server-on-a-standalone-computer.md
+ - name: App-V Deployment Checklist
+ href: app-v/appv-deployment-checklist.md
+ - name: Deploying Microsoft Office 2016 by Using App-V
+ href: app-v/appv-deploying-microsoft-office-2016-with-appv.md
+ - name: Deploying Microsoft Office 2013 by Using App-V
+ href: app-v/appv-deploying-microsoft-office-2013-with-appv.md
+ - name: Deploying Microsoft Office 2010 by Using App-V
+ href: app-v/appv-deploying-microsoft-office-2010-wth-appv.md
+ - name: Operations for App-V
+ href: app-v/appv-operations.md
+ items:
+ - name: Creating and Managing App-V Virtualized Applications
+ href: app-v/appv-creating-and-managing-virtualized-applications.md
+ items:
+ - name: Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)
+ href: app-v/appv-auto-provision-a-vm.md
+ - name: Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)
+ href: app-v/appv-auto-batch-sequencing.md
+ - name: Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)
+ href: app-v/appv-auto-batch-updating.md
+ - name: Manually sequence a new app using Microsoft Application Virtualization Sequencer (App-V Sequencer)
+ href: app-v/appv-sequence-a-new-application.md
+ - name: How to Modify an Existing Virtual Application Package
+ href: app-v/appv-modify-an-existing-virtual-application-package.md
+ - name: How to Create and Use a Project Template
+ href: app-v/appv-create-and-use-a-project-template.md
+ - name: How to Create a Package Accelerator
+ href: app-v/appv-create-a-package-accelerator.md
+ - name: How to Create a Virtual Application Package Using an App-V Package Accelerator
+ href: app-v/appv-create-a-virtual-application-package-package-accelerator.md
+ - name: Administering App-V Virtual Applications by Using the Management Console
+ href: app-v/appv-administering-virtual-applications-with-the-management-console.md
+ items:
+ - name: About App-V Dynamic Configuration
+ href: app-v/appv-dynamic-configuration.md
+ - name: How to Connect to the Management Console
+ href: app-v/appv-connect-to-the-management-console.md
+ - name: How to Add or Upgrade Packages by Using the Management Console
+ href: app-v/appv-add-or-upgrade-packages-with-the-management-console.md
+ - name: How to Configure Access to Packages by Using the Management Console
+ href: app-v/appv-configure-access-to-packages-with-the-management-console.md
+ - name: How to Publish a Package by Using the Management Console
+ href: app-v/appv-publish-a-packages-with-the-management-console.md
+ - name: How to Delete a Package in the Management Console
+ href: app-v/appv-delete-a-package-with-the-management-console.md
+ - name: How to Add or Remove an Administrator by Using the Management Console
+ href: app-v/appv-add-or-remove-an-administrator-with-the-management-console.md
+ - name: How to Register and Unregister a Publishing Server by Using the Management Console
+ href: app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md
+ - name: How to Create a Custom Configuration File by Using the App-V Management Console
+ href: app-v/appv-create-a-custom-configuration-file-with-the-management-console.md
+ - name: How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console
+ href: app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md
+ - name: How to Customize Virtual Applications Extensions for a Specific AD Group by Using the Management Console
+ href: app-v/appv-customize-virtual-application-extensions-with-the-management-console.md
+ - name: How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console
+ href: app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md
+ - name: Managing Connection Groups
+ href: app-v/appv-managing-connection-groups.md
+ items:
+ - name: About the Connection Group Virtual Environment
+ href: app-v/appv-connection-group-virtual-environment.md
+ - name: About the Connection Group File
+ href: app-v/appv-connection-group-file.md
+ - name: How to Create a Connection Group
+ href: app-v/appv-create-a-connection-group.md
+ - name: How to Create a Connection Group with User-Published and Globally Published Packages
+ href: app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md
+ - name: How to Delete a Connection Group
+ href: app-v/appv-delete-a-connection-group.md
+ - name: How to Publish a Connection Group
+ href: app-v/appv-publish-a-connection-group.md
+ - name: How to Make a Connection Group Ignore the Package Version
+ href: app-v/appv-configure-connection-groups-to-ignore-the-package-version.md
+ - name: How to Allow Only Administrators to Enable Connection Groups
+ href: app-v/appv-allow-administrators-to-enable-connection-groups.md
+ - name: Deploying App-V Packages by Using Electronic Software Distribution (ESD)
+ href: app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md
+ items:
+ - name: How to deploy App-V Packages Using Electronic Software Distribution
+ href: app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md
+ - name: How to Enable Only Administrators to Publish Packages by Using an ESD
+ href: app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md
+ - name: Using the App-V Client Management Console
+ href: app-v/appv-using-the-client-management-console.md
+ items:
+ - name: Automatically clean-up unpublished packages on the App-V client
+ href: app-v/appv-auto-clean-unpublished-packages.md
+ - name: Migrating to App-V from a Previous Version
+ href: app-v/appv-migrating-to-appv-from-a-previous-version.md
+ items:
+ - name: How to Convert a Package Created in a Previous Version of App-V
+ href: app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md
+ - name: Maintaining App-V
+ href: app-v/appv-maintaining-appv.md
+ items:
+ - name: How to Move the App-V Server to Another Computer
+ href: app-v/appv-move-the-appv-server-to-another-computer.md
+ - name: Administering App-V by Using Windows PowerShell
+ href: app-v/appv-administering-appv-with-powershell.md
+ items:
+ - name: How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help
+ href: app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
+ - name: How to Manage App-V Packages Running on a Stand-Alone Computer by Using Windows PowerShell
+ href: app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md
+ - name: How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell
+ href: app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
+ - name: How to Modify Client Configuration by Using Windows PowerShell
+ href: app-v/appv-modify-client-configuration-with-powershell.md
+ - name: How to Configure the Client to Receive Package and Connection Groups Updates From the Publishing Server
+ href: app-v/appv-configure-the-client-to-receive-updates-from-the-publishing-server.md
+ - name: How to Apply the User Configuration File by Using Windows PowerShell
+ href: app-v/appv-apply-the-user-configuration-file-with-powershell.md
+ - name: How to Apply the Deployment Configuration File by Using Windows PowerShell
+ href: app-v/appv-apply-the-deployment-configuration-file-with-powershell.md
+ - name: How to Sequence a Package by Using Windows PowerShell
+ href: app-v/appv-sequence-a-package-with-powershell.md
+ - name: How to Create a Package Accelerator by Using Windows PowerShell
+ href: app-v/appv-create-a-package-accelerator-with-powershell.md
+ - name: How to Enable Reporting on the App-V Client by Using Windows PowerShell
+ href: app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md
+ - name: How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell
+ href: app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md
+ - name: Troubleshooting App-V
+ href: app-v/appv-troubleshooting.md
+ - name: Technical Reference for App-V
+ href: app-v/appv-technical-reference.md
+ items:
+ - name: Available Mobile Device Management (MDM) settings for App-V
+ href: app-v/appv-available-mdm-settings.md
+ - name: Performance Guidance for Application Virtualization
+ href: app-v/appv-performance-guidance.md
+ - name: Application Publishing and Client Interaction
+ href: app-v/appv-application-publishing-and-client-interaction.md
+ - name: Viewing App-V Server Publishing Metadata
+ href: app-v/appv-viewing-appv-server-publishing-metadata.md
+ - name: Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications
+ href: app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md
+ - name: Service Host process refactoring
+ href: svchost-service-refactoring.md
+ - name: Per-user services in Windows
+ href: per-user-services-in-windows.md
+ - name: Disabling System Services in Windows Server
+ href: /windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server
+ - name: Deploy app upgrades on Windows 10 Mobile
+ href: deploy-app-upgrades-windows-10-mobile.md
+ - name: Change history for Application management
+ href: change-history-for-application-management.md
+ - name: How to keep apps removed from Windows 10 from returning during an update
+ href: remove-provisioned-apps-during-update.md
diff --git a/windows/application-management/add-apps-and-features.md b/windows/application-management/add-apps-and-features.md
index 81f0da756e..89fdaaf04c 100644
--- a/windows/application-management/add-apps-and-features.md
+++ b/windows/application-management/add-apps-and-features.md
@@ -16,7 +16,7 @@ ms.topic: article
# How to add apps and features to Windows 10
> Applies to: Windows 10
-Windows 10 includes a range of [applications](apps-in-windows-10.md), from [system apps](apps-in-windows-10.md#system-apps) that support the operating system (like Settings) to ["provisioned" apps](apps-in-windows-10.md#provisioned-windows-apps) (like Feedback Hub) that are installed the first time you run Windows. We also provide additional apps and features, called Features on Demand (like language packs or handwriting recognition), that you can install at any time. If you're working in a managed environment (like at work, where you have an administrator who manages your systems and resources), your admin can use [Windows Update to install Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). If you're working on your own device, you can add apps and features from the Settings app.
+Windows 10 includes a range of [applications](apps-in-windows-10.md), from [system apps](apps-in-windows-10.md#system-apps) that support the operating system (like Settings) to ["provisioned" apps](apps-in-windows-10.md#provisioned-windows-apps) (like Feedback Hub) that are installed the first time you run Windows. We also provide additional apps and features, called Features on Demand (like language packs or handwriting recognition), that you can install at any time. If you're working in a managed environment (like at work, where you have an administrator who manages your systems and resources), your admin can use [Windows Update to install Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). If you're working on your own device, you can add apps and features from the Settings app.
Here's how you do that:
@@ -27,4 +27,4 @@ Here's how you do that:
And that's it. You can see the apps you have installed on the **Apps & features** page and the features on **Manage optional features**.
-You can manage and uninstall apps and features from the same Settings page. Just select the app or feature, and then select **Uninstall**.
+You can manage and uninstall apps and features from the same Settings page. Just select the app or feature, and then select **Uninstall**.
\ No newline at end of file
diff --git a/windows/application-management/app-v/appv-about-appv.md b/windows/application-management/app-v/appv-about-appv.md
index 910454c958..b1dcf3d7f6 100644
--- a/windows/application-management/app-v/appv-about-appv.md
+++ b/windows/application-management/app-v/appv-about-appv.md
@@ -44,7 +44,7 @@ Previous versions of App-V have required you to manually remove your unpublished
With Windows 10, version 1607 and later releases, App-V is now included with [Windows 10 for Enterprise and Windows 10 for Education](https://www.microsoft.com/WindowsForBusiness/windows-product-home) and is no longer part of the Microsoft Desktop Optimization Pack.
-To learn more about earlier versions of App-V, see [MDOP Information Experience](https://docs.microsoft.com/microsoft-desktop-optimization-pack/index).
+To learn more about earlier versions of App-V, see [MDOP Information Experience](/microsoft-desktop-optimization-pack/index).
The changes in App-V for Windows 10, version 1607 impact existing implementations of App-V in the following ways:
@@ -61,7 +61,7 @@ For more information about how to configure an existing App-V installation after
## Support for System Center
-App-V supports System Center 2016 and System Center 2012 R2 Configuration Manager SP1. See [Planning for App-V Integration with Configuration Manager](https://technet.microsoft.com/library/jj822982.aspx) to learn more about how to integrate your App-V environment with Configuration Manager.
+App-V supports System Center 2016 and System Center 2012 R2 Configuration Manager SP1. See [Planning for App-V Integration with Configuration Manager](/previous-versions/system-center/system-center-2012-R2/jj822982(v=technet.10)) to learn more about how to integrate your App-V environment with Configuration Manager.
@@ -70,4 +70,4 @@ App-V supports System Center 2016 and System Center 2012 R2 Configuration Manage
## Related topics
* [Release Notes for App-V for Windows 10, version 1607](../app-v/appv-release-notes-for-appv-for-windows.md)
-* [Release Notes for App-V for Windows 10, version 1703](../app-v/appv-release-notes-for-appv-for-windows-1703.md)
+* [Release Notes for App-V for Windows 10, version 1703](../app-v/appv-release-notes-for-appv-for-windows-1703.md)
\ No newline at end of file
diff --git a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
index 88430660e3..ace2fb67c1 100644
--- a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
+++ b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
@@ -85,7 +85,7 @@ To change the default location of the package store during setup, see [Enable th
### Shared Content Store
-If the App-V Client is configured in Shared Content Store mode, no data is written to disk when a stream fault occurs, which means that the packages require minimal local disk space (publishing data). In VDI environments where local storage can be limited, it's important to use as little disk space as possible. You can minimize disk space usage by streaming applications from a high-performance network location (such as a SAN). For more information, see [Shared Content Store in Microsoft App-V 5.0 - Behind the Scenes](https://blogs.technet.microsoft.com/appv/2013/07/22/shared-content-store-in-microsoft-app-v-5-0-behind-the-scenes/).
+If the App-V Client is configured in Shared Content Store mode, no data is written to disk when a stream fault occurs, which means that the packages require minimal local disk space (publishing data). In VDI environments where local storage can be limited, it's important to use as little disk space as possible. You can minimize disk space usage by streaming applications from a high-performance network location (such as a SAN). For more information, see [Shared Content Store in Microsoft App-V 5.0 - Behind the Scenes](/archive/blogs/appv/shared-content-store-in-microsoft-app-v-5-0-behind-the-scenes).
>[!NOTE]
>The machine and package store must be located on a local drive, even when you’re using Shared Content Store configurations for the App-V Client.
@@ -694,7 +694,7 @@ The App-V Client supports publishing applications with support for COM integrati
App-V supports registering COM objects from the package to the local operating system with two process types: Out-of-process and In-process. Registering COM objects is accomplished with one or a combination of multiple modes of operation for a specific App-V package that includes Off, Isolated, and Integrated. Integrated mode is configured for either the Out-of-process or In-process type. Configuration of COM modes and types is accomplished with dynamic configuration files (deploymentconfig.xml or userconfig.xml).
-For details on App-V integration, see [Microsoft Application Virtualization 5.0 Integration](https://blogs.technet.microsoft.com/appv/2013/01/03/microsoft-application-virtualization-5-0-integration).
+For details on App-V integration, see [Microsoft Application Virtualization 5.0 Integration](/archive/blogs/appv/microsoft-application-virtualization-5-0-integration).
### Software clients and application capabilities
@@ -758,7 +758,7 @@ For situations where there is more than one application that could register the
The AppPath extension point supports calling App-V applications directly from the operating system. Administrators can provide access to App-V applications from operating system commands or scripts without calling the specific path to the executable from either the Run or Start Screen, depending on the operating system. It therefore avoids modifying the system path environment variable on all systems, as it is accomplished during publishing.
-The AppPath extension point is configured either in the manifest or in the dynamic configuration files and is stored in the registry on the local machine during publishing for the user. For additional information on AppPath review: [App Paths - A Virtual Application Extension in App-V 5.0](https://blogs.technet.microsoft.com/virtualworld/2012/12/12/app-paths-a-virtual-application-extension-in-app-v-5-0/).
+The AppPath extension point is configured either in the manifest or in the dynamic configuration files and is stored in the registry on the local machine during publishing for the user. For additional information on AppPath review: [App Paths - A Virtual Application Extension in App-V 5.0](/archive/blogs/virtualworld/app-paths-a-virtual-application-extension-in-app-v-5-0).
### Virtual application
@@ -895,7 +895,4 @@ There are three specific categories of events recorded:
- **Admin** logs events for configurations applied to the App-V Client and also contains the primary warnings and errors.
- **Operational** logs the general App-V execution and usage of individual components, creating an audit log of the App-V Client's completed App-V operations.
-- **Virtual Application** logs virtual application launches and use of virtualization subsystems.
-
-
-
+- **Virtual Application** logs virtual application launches and use of virtualization subsystems.
\ No newline at end of file
diff --git a/windows/application-management/app-v/appv-auto-batch-sequencing.md b/windows/application-management/app-v/appv-auto-batch-sequencing.md
index 67f5ad1826..a1e082c4bb 100644
--- a/windows/application-management/app-v/appv-auto-batch-sequencing.md
+++ b/windows/application-management/app-v/appv-auto-batch-sequencing.md
@@ -97,12 +97,8 @@ There are 3 types of log files that occur when you sequence multiple apps at the
- [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
- [How to install the App-V Sequencer](appv-install-the-sequencer.md)
-- [Learn about Hyper-V on Windows Server 2016](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/hyper-v-on-windows-server)
+- [Learn about Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/Hyper-V-on-Windows-Server)
- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-provision-a-vm.md)
- [Manually sequence a single app using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-sequence-a-new-application.md)
- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md)
-- [Automatically clean up unpublished packages on the App-V client](appv-auto-clean-unpublished-packages.md)
-
-
-
-
+- [Automatically clean up unpublished packages on the App-V client](appv-auto-clean-unpublished-packages.md)
\ No newline at end of file
diff --git a/windows/application-management/app-v/appv-auto-batch-updating.md b/windows/application-management/app-v/appv-auto-batch-updating.md
index 4a8dd9f493..18506158bf 100644
--- a/windows/application-management/app-v/appv-auto-batch-updating.md
+++ b/windows/application-management/app-v/appv-auto-batch-updating.md
@@ -151,12 +151,8 @@ There are three types of log files that occur when you sequence multiple apps at
- [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
- [How to install the App-V Sequencer](appv-install-the-sequencer.md)
-- [Learn about Hyper-V on Windows Server 2016](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/hyper-v-on-windows-server)
+- [Learn about Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/Hyper-V-on-Windows-Server)
- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-provision-a-vm.md)
- [Manually sequence a single app using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-sequence-a-new-application.md)
- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md)
-- [Automatically cleanup unpublished packages on the App-V client](appv-auto-clean-unpublished-packages.md)
-
-
-
-
+- [Automatically cleanup unpublished packages on the App-V client](appv-auto-clean-unpublished-packages.md)
\ No newline at end of file
diff --git a/windows/application-management/app-v/appv-auto-provision-a-vm.md b/windows/application-management/app-v/appv-auto-provision-a-vm.md
index ddb1c30871..1cb284903c 100644
--- a/windows/application-management/app-v/appv-auto-provision-a-vm.md
+++ b/windows/application-management/app-v/appv-auto-provision-a-vm.md
@@ -55,7 +55,7 @@ For this process to work, you must have a base operating system available as a V
After you have a VHD file, you must provision your VM for auto-sequencing.
1. On the Host device, install Windows 10, version 1703 and the **Microsoft Application Virtualization (App-V) Auto Sequencer** component from the matching version of the Windows Assessment and Deployment Kit (ADK). For more info on how to install the App-V Sequencer, see [Install the App-V Sequencer](appv-install-the-sequencer.md).
-2. Make sure that Hyper-V is turned on. For more info about turning on and using Hyper-V, see [Hyper-V on Windows Server 2016](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/hyper-v-on-windows-server).
+2. Make sure that Hyper-V is turned on. For more info about turning on and using Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/Hyper-V-on-Windows-Server).
3. Open PowerShell as an admin and run the **New-AppVSequencerVM** cmdlet, using the following parameters:
```PowerShell
@@ -127,7 +127,4 @@ After you sequence your packages, you can automatically clean up any unpublished
- [Download the **Convert-WindowsImage** tool](https://www.powershellgallery.com/packages/Convert-WindowsImage/10.0)
- [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
- [How to install the App-V Sequencer](appv-install-the-sequencer.md)
-- [Learn about Hyper-V on Windows Server 2016](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/hyper-v-on-windows-server)
-
-
-
+- [Learn about Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/Hyper-V-on-Windows-Server)
\ No newline at end of file
diff --git a/windows/application-management/app-v/appv-available-mdm-settings.md b/windows/application-management/app-v/appv-available-mdm-settings.md
index 8c4f4b2b2d..e0089bc26a 100644
--- a/windows/application-management/app-v/appv-available-mdm-settings.md
+++ b/windows/application-management/app-v/appv-available-mdm-settings.md
@@ -14,7 +14,7 @@ ms.topic: article
---
# Available Mobile Device Management (MDM) settings for App-V
-With Windows 10, version 1703, you can configure, deploy, and manage your App-V apps with the following Mobile Device Management (MDM) settings. For the full list of available settings, see the [EnterpriseAppVManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) page.
+With Windows 10, version 1703, you can configure, deploy, and manage your App-V apps with the following Mobile Device Management (MDM) settings. For the full list of available settings, see the [EnterpriseAppVManagement CSP](/windows/client-management/mdm/enterpriseappvmanagement-csp) page.
|Policy name|Supported versions|URI full path|Data type|Values|
|---|---|---|---|---|
@@ -32,4 +32,4 @@ With Windows 10, version 1703, you can configure, deploy, and manage your App-V
|SyncStatusDescription|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPublishing/LastSync/SyncStatusDescription|String|- **0**: App-V publishing is idle.
- **1**: App-V connection groups publish in progress.
- **2**: App-V packages (non-connection group) publish in progress.
- **3**: App-V packages (connection group) publish in progress.
- **4**: App-V packages unpublish in progress.|
|SyncProgress|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/ AppVPublishing/LastSync/SyncProgress|String|- **0**: App-V Sync is idle.
- **1**: App-V Sync is initializing.
- **2**: App-V Sync is in progress.
- **3**: App-V Sync is complete.
- **4**: App-V Sync requires device reboot.|
|PublishXML|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/
AppVPublishing/Sync/PublishXML|String|Custom value, entered by admin.|
-|Policy|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/
AppVDynamicPolicy/configurationid/Policy|String|Custom value, entered by admin.|
+|Policy|Windows 10, version 1703|./Vendor/MSFT/EnterpriseAppVManagement/
AppVDynamicPolicy/configurationid/Policy|String|Custom value, entered by admin.|
\ No newline at end of file
diff --git a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md
index 52632f558e..ea6f204d50 100644
--- a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md
+++ b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md
@@ -50,13 +50,13 @@ For more about adding or upgrading packages, see [How to add or upgrade packages
Add-AppvClientConnectionGroup
```
- For more information about how to use the **Add-AppvClientConnectionGroup** cmdlet, see [**Add-AppvClientConnectionGroup**](https://docs.microsoft.com/powershell/module/appvclient/add-appvclientconnectiongroup?view=win10-ps).
+ For more information about how to use the **Add-AppvClientConnectionGroup** cmdlet, see [**Add-AppvClientConnectionGroup**](/powershell/module/appvclient/add-appvclientconnectiongroup?view=win10-ps).
4. When you upgrade a package, use the following cmdlets to remove the old package, add the upgraded package, and publish the upgraded package:
- - [**Remove-AppvClientPackage**](https://docs.microsoft.com/powershell/module/appvclient/remove-appvclientpackage?view=win10-ps)
- - [**Add-AppvClientPackage**](https://docs.microsoft.com/powershell/module/appvclient/add-appvclientpackage?view=win10-ps)
- - [**Publish-AppvClientPackage**](https://docs.microsoft.com/powershell/module/appvclient/publish-appvclientpackage?view=win10-ps)
+ - [**Remove-AppvClientPackage**](/powershell/module/appvclient/remove-appvclientpackage?view=win10-ps)
+ - [**Add-AppvClientPackage**](/powershell/module/appvclient/add-appvclientpackage?view=win10-ps)
+ - [**Publish-AppvClientPackage**](/powershell/module/appvclient/publish-appvclientpackage?view=win10-ps)
For more information, see [How to manage App-V packages running on a stand-alone computer by using Windows PowerShell](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md).
@@ -66,4 +66,4 @@ For more information, see [How to manage App-V packages running on a stand-alone
## Related topics
-- [Managing connection groups](appv-managing-connection-groups.md)
+- [Managing connection groups](appv-managing-connection-groups.md)
\ No newline at end of file
diff --git a/windows/application-management/app-v/appv-connect-to-the-management-console.md b/windows/application-management/app-v/appv-connect-to-the-management-console.md
index dd38c101dd..d585386b76 100644
--- a/windows/application-management/app-v/appv-connect-to-the-management-console.md
+++ b/windows/application-management/app-v/appv-connect-to-the-management-console.md
@@ -9,7 +9,7 @@ ms.prod: w10
ms.date: 06/25/2018
ms.reviewer:
manager: dansimp
-ms.author: lomayor
+ms.author: dansimp
ms.topic: article
---
# How to connect to the Management Console
diff --git a/windows/application-management/app-v/appv-create-and-use-a-project-template.md b/windows/application-management/app-v/appv-create-and-use-a-project-template.md
index 0af67b340d..21bfd31f68 100644
--- a/windows/application-management/app-v/appv-create-and-use-a-project-template.md
+++ b/windows/application-management/app-v/appv-create-and-use-a-project-template.md
@@ -53,11 +53,7 @@ After creating the template, you can apply it to all of your new virtual app pac
- [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
- [How to install the App-V Sequencer](appv-install-the-sequencer.md)
-- [Learn about Hyper-V on Windows Server 2016](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/hyper-v-on-windows-server)
+- [Learn about Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/Hyper-V-on-Windows-Server)
- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md)
- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md)
-- [Manually sequence a new app using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-sequence-a-new-application.md)
-
-
-
-
+- [Manually sequence a new app using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-sequence-a-new-application.md)
\ No newline at end of file
diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md
index d4567acef0..9a10805448 100644
--- a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md
+++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md
@@ -39,7 +39,7 @@ Before you deploy Office with App-V, review the following requirements.
|---|---|
|Packaging|All Office applications you wish to deploy to users must be in a single package.
In App-V and later, you must use the Office Deployment Tool to create packages. The Sequencer doesn't support package creation.
If you're deploying Microsoft Visio 2013 and Microsoft Project 2013 along with Office, you must include them in the same package with Office. For more information, see [Deploying Visio 2013 and Project 2013 with Office](#deploying-visio-2013-and-project-2013-with-office).|
|Publishing|You can only publish one Office package per client computer.
You must publish the Office package globally, not to the user.|
-|Deploying Microsoft 365 Apps for enterprise, Visio Pro for Office 365, or Project Pro for Office 365 to a shared computer using Remote Desktop Services.|You must enable [shared computer activation](https://docs.microsoft.com/DeployOffice/overview-of-shared-computer-activation-for-office-365-proplus).
You don’t need to use shared computer activation if you’re deploying a volume licensed product, such as Office Professional Plus 2013, Visio Professional 2013, or Project Professional 2013.|
+|Deploying Microsoft 365 Apps for enterprise, Visio Pro for Office 365, or Project Pro for Office 365 to a shared computer using Remote Desktop Services.|You must enable [shared computer activation](/DeployOffice/overview-of-shared-computer-activation-for-office-365-proplus).
You don’t need to use shared computer activation if you’re deploying a volume licensed product, such as Office Professional Plus 2013, Visio Professional 2013, or Project Professional 2013.|
### Excluding Office applications from a package
@@ -47,7 +47,7 @@ The following table describes the recommended methods for excluding specific Off
|Task|Details|
|---|---|
-|Use the **ExcludeApp** setting when you create the package by using the Office Deployment Tool.|Enables you to exclude specific Office applications from the package when the Office Deployment Tool creates the package. For example, you can use this setting to create a package that contains only Microsoft Word.
For more information, see [ExcludeApp element](https://docs.microsoft.com/DeployOffice/configuration-options-for-the-office-2016-deployment-tool?ui=en-US&rs=en-US&ad=US#excludeapp-element).|
+|Use the **ExcludeApp** setting when you create the package by using the Office Deployment Tool.|Enables you to exclude specific Office applications from the package when the Office Deployment Tool creates the package. For example, you can use this setting to create a package that contains only Microsoft Word.
For more information, see [ExcludeApp element](/DeployOffice/configuration-options-for-the-office-2016-deployment-tool?ad=US&rs=en-US&ui=en-US#excludeapp-element).|
|Modify the **DeploymentConfig.xml** file|Modify the **DeploymentConfig.xml** file after creating the package. This file contains the default package settings for all users on a computer running the App-V Client.
For more information, see [Disabling Office 2013 applications](#disabling-office-2013-applications).|
## Creating an Office 2013 package for App-V with the Office Deployment Tool
@@ -306,7 +306,7 @@ Use the steps in this section to enable Office plug-ins with your Office package
You may want to disable specific applications in your Office App-V package. For instance, you can disable Access, but leave all other Office application main available. When you disable an application, the end user will no longer see the shortcut for that application. You do not have to re-sequence the application. When you change the Deployment Configuration File after the Office 2013 App-V package has been published, you will save the changes, add the Office 2013 App-V package, then republish it with the new Deployment Configuration File to apply the new settings to Office 2013 App-V Package applications.
>[!NOTE]
->To exclude specific Office applications (for example, Access and InfoPath) when you create the App-V package with the Office Deployment Tool, use the **ExcludeApp** setting. For more information, see [Reference for Click-to-Run configuration.xml file](https://docs.microsoft.com/DeployOffice/configuration-options-for-the-office-2016-deployment-tool#excludeapp-element).
+>To exclude specific Office applications (for example, Access and InfoPath) when you create the App-V package with the Office Deployment Tool, use the **ExcludeApp** setting. For more information, see [Reference for Click-to-Run configuration.xml file](/DeployOffice/configuration-options-for-the-office-2016-deployment-tool#excludeapp-element).
#### To disable an Office 2013 application
@@ -412,7 +412,7 @@ This section describes the requirements and options for deploying Visio 2013 and
|Goal|Method|
|---|---|
|Create two different packages and deploy each one to a different group of users|Create and deploy the following packages:
A package that contains only Office—deploy to computers whose users need only Office.
A package that contains Office, Visio, and Project—deploy to computers whose users need all three applications.|
-|Create just one package for the whole organization, or for users who share computers|Follow these steps:
1. Create a package that contains Office, Visio, and Project.
2. Deploy the package to all users.
3. Use [AppLocker](https://docs.microsoft.com/windows/security/threat-protection/applocker/applocker-overview) to prevent specific users from using Visio and Project.|
+|Create just one package for the whole organization, or for users who share computers|Follow these steps:
1. Create a package that contains Office, Visio, and Project.
2. Deploy the package to all users.
3. Use [AppLocker](/windows/security/threat-protection/applocker/applocker-overview) to prevent specific users from using Visio and Project.|
## Additional resources
@@ -434,7 +434,4 @@ This section describes the requirements and options for deploying Visio 2013 and
### Additional resources for Dynamic Configuration
-* [About App-V Dynamic Configuration](appv-dynamic-configuration.md)
-
-
-
+* [About App-V Dynamic Configuration](appv-dynamic-configuration.md)
\ No newline at end of file
diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md
index 5a7bb4a95a..1cc721db34 100644
--- a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md
+++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md
@@ -39,7 +39,7 @@ Before you deploy Office with App-V, review the following requirements.
|-----------|-------------------|
| Packaging. | All Office applications that you deploy to users must be in a single package.
In App-V 5.0 and later, you must use the Office Deployment Tool to create packages. The Sequencer doesn't support package creation.
If you're deploying Microsoft Visio 2016 and Microsoft Project 2016 at the same time as Office, you must put them all in the same package. For more information, see [Deploying Visio 2016 and Project 2016 with Office](#deploying-visio-2016-and-project-2016-with-office). |
| Publishing. | You can only publish one Office package per client computer.
You must publish the Office package globally, not to the user. |
-| Deploying Microsoft 365 Apps for enterprise, Visio Pro for Office 365, or Project Pro for Office 365 to a shared computer with Remote Desktop Services. | You must enable [shared computer activation](https://docs.microsoft.com/DeployOffice/overview-of-shared-computer-activation-for-office-365-proplus). |
+| Deploying Microsoft 365 Apps for enterprise, Visio Pro for Office 365, or Project Pro for Office 365 to a shared computer with Remote Desktop Services. | You must enable [shared computer activation](/DeployOffice/overview-of-shared-computer-activation-for-office-365-proplus). |
### Excluding Office applications from a package
@@ -47,7 +47,7 @@ The following table describes the recommended methods for excluding specific Off
|Task|Details|
|-------------|---------------|
-| Use the **ExcludeApp** setting when you create the package by using the Office Deployment Tool. | With this setting, you can exclude specific Office applications from the package that the Office Deployment Tool creates. For example, you can use this setting to create a package that contains only Microsoft Word.
For more information, see [ExcludeApp element](https://docs.microsoft.com/DeployOffice/configuration-options-for-the-office-2016-deployment-tool?ui=en-US&rs=en-US&ad=US#excludeapp-element). |
+| Use the **ExcludeApp** setting when you create the package by using the Office Deployment Tool. | With this setting, you can exclude specific Office applications from the package that the Office Deployment Tool creates. For example, you can use this setting to create a package that contains only Microsoft Word.
For more information, see [ExcludeApp element](/DeployOffice/configuration-options-for-the-office-2016-deployment-tool?ad=US&rs=en-US&ui=en-US#excludeapp-element). |
| Modify the DeploymentConfig.xml file | Modify the DeploymentConfig.xml file after the package has been created. This file contains the default package settings for all users on a computer that is running the App-V Client.
For more information, see [Disabling Office 2016 applications](#disabling-office-2016-applications). |
## Creating an Office 2016 package for App-V with the Office Deployment Tool
@@ -124,7 +124,7 @@ The XML file included in the Office Deployment Tool specifies the product detail
| Language element | Specifies which language the applications support. | `Language ID="en-us"` |
| Version (attribute of **Add** element) | Optional. Specifies which build the package will use.
Defaults to latest advertised build (as defined in v32.CAB at the Office source). | `16.1.2.3` |
| SourcePath (attribute of **Add** element) | Specifies the location the applications will be saved to. | `Sourcepath = "\\Server\Office2016"` |
- | Channel (part of **Add** element) | Optional. Defines which channel will be used to update Office after installation.
The default is **Deferred** for Microsoft 365 Apps for enterprise and **Current** for Visio Pro for Office 365 and Project Desktop Client.
For more information about update channels, see [Overview of update channels for Microsoft 365 Apps for enterprise](https://docs.microsoft.com/DeployOffice/overview-of-update-channels-for-office-365-proplus). | `Channel="Current"`
`Channel="Deferred"`
`Channel="FirstReleaseDeferred"`
`Channel="FirstReleaseCurrent"` |
+ | Channel (part of **Add** element) | Optional. Defines which channel will be used to update Office after installation.
The default is **Deferred** for Microsoft 365 Apps for enterprise and **Current** for Visio Pro for Office 365 and Project Desktop Client.
For more information about update channels, see [Overview of update channels for Microsoft 365 Apps for enterprise](/DeployOffice/overview-of-update-channels-for-office-365-proplus). | `Channel="Current"`
`Channel="Deferred"`
`Channel="FirstReleaseDeferred"`
`Channel="FirstReleaseCurrent"` |
After editing the **configuration.xml** file to specify the desired product, languages, and the location where the Office 2016 applications will be saved to, you can save the configuration file under a name of your choice, such as "Customconfig.xml."
2. **Download the applications into the specified location:** Use an elevated command prompt and a 64-bit operating system to download the Office 2016 applications that will later be converted into an App-V package. The following is an example command:
@@ -373,14 +373,11 @@ The following table describes the requirements and options for deploying Visio 2
| Task | Details |
|---------------------|---------------|
| How do I package and publish Visio 2016 and Project 2016 with Office? | You must include Visio 2016 and Project 2016 in the same package with Office.
If you are not deploying Office, you can create a package that contains Visio and/or Project, as long as you follow the packaging, publishing, and deployment requirements described in this topic. |
-| How can I deploy Visio 2016 and Project 2016 to specific users? | Use one of the following methods:
**To create two different packages and deploy each one to a different group of users**:
Create and deploy the following packages:
- A package that contains only Office—deploy to computers whose users need only Office.
- A package that contains Office, Visio, and Project—deploy to computers whose users need all three applications.
**To create only one package for the whole organization, or to create a package intended for users who share computers**:
1. Create a package that contains Office, Visio, and Project.
2. Deploy the package to all users.
3. Use [AppLocker](https://docs.microsoft.com/windows/security/threat-protection/applocker/applocker-overview) to prevent specific users from using Visio and Project. |
+| How can I deploy Visio 2016 and Project 2016 to specific users? | Use one of the following methods:
**To create two different packages and deploy each one to a different group of users**:
Create and deploy the following packages:
- A package that contains only Office—deploy to computers whose users need only Office.
- A package that contains Office, Visio, and Project—deploy to computers whose users need all three applications.
**To create only one package for the whole organization, or to create a package intended for users who share computers**:
1. Create a package that contains Office, Visio, and Project.
2. Deploy the package to all users.
3. Use [AppLocker](/windows/security/threat-protection/applocker/applocker-overview) to prevent specific users from using Visio and Project. |
## Related topics
* [Deploying App-V for Windows 10](appv-deploying-appv.md)
* [Deploying Microsoft Office 2013 by using App-V](appv-deploying-microsoft-office-2013-with-appv.md)
* [Deploying Microsoft Office 2010 by using App-V](appv-deploying-microsoft-office-2010-wth-appv.md)
-* [Office 2016 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=49117)
-
-
-
+* [Office 2016 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=49117)
\ No newline at end of file
diff --git a/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md
index 5e3c484a69..6164ddf1fb 100644
--- a/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md
+++ b/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md
@@ -18,7 +18,7 @@ ms.topic: article
You can deploy App-V packages using an electronic software distribution (ESD) solution. For information about planning to deploy App-V packages with an ESD, see [Planning to deploy App-V with an electronic software distribution system](appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md).
-To learn how to deploy App-V packages with Microsoft System Center 2012 Configuration Manager, see [Introduction to application management in Configuration Manager](https://technet.microsoft.com/library/gg682125.aspx#BKMK_Appv)
+To learn how to deploy App-V packages with Microsoft System Center 2012 Configuration Manager, see [Introduction to application management in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682125(v=technet.10)#BKMK_Appv)
## How to deploy virtualized packages using an ESD
@@ -31,7 +31,4 @@ To learn how to configure the App-V client to enable only administrators to publ
## Related topics
- [App-V and Citrix integration](https://www.microsoft.com/download/details.aspx?id=40885)
-- [Operations for App-V](appv-operations.md)
-
-
-
+- [Operations for App-V](appv-operations.md)
\ No newline at end of file
diff --git a/windows/application-management/app-v/appv-getting-started.md b/windows/application-management/app-v/appv-getting-started.md
index 8fc9117868..d689d83a5b 100644
--- a/windows/application-management/app-v/appv-getting-started.md
+++ b/windows/application-management/app-v/appv-getting-started.md
@@ -25,7 +25,7 @@ If you’re already using App-V, performing an in-place upgrade to Windows 10 on
>[!IMPORTANT]
>You can upgrade your existing App-V installation to App-V for Windows from App-V versions 5.0 SP2 and higher only. If you are using an earlier version of App-V, you’ll need to upgrade your existing App-V installation to App-V 5.0 SP2 before upgrading to App-V for Windows.
-To learn more about previous versions of App-V, see [MDOP information experience](https://docs.microsoft.com/microsoft-desktop-optimization-pack/index).
+To learn more about previous versions of App-V, see [MDOP information experience](/microsoft-desktop-optimization-pack/index).
## Getting started with App-V for Windows 10 (new installations)
@@ -58,4 +58,4 @@ If you're new to App-V, it's a good idea to read the documentation thoroughly. B
* [Deploying App-V](appv-deploying-appv.md)
* [Operations for App-V](appv-operations.md)
* [Troubleshooting App-V](appv-troubleshooting.md)
-* [Technical reference for App-V](appv-technical-reference.md)
+* [Technical reference for App-V](appv-technical-reference.md)
\ No newline at end of file
diff --git a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
index 4c3530ae6b..febbd0b2da 100644
--- a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
+++ b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
@@ -82,7 +82,7 @@ Starting in App-V 5.0 SP3, cmdlet help is available in two formats:
|App-V Sequencer|**Update-Help -Module AppvSequencer**|
|App-V Client|**Update-Help -Module AppvClient**|
-* Online in the [Microsoft Desktop Optimization Pack](https://docs.microsoft.com/powershell/mdop/get-started?view=win-mdop2-ps).
+* Online in the [Microsoft Desktop Optimization Pack](/powershell/mdop/get-started?view=win-mdop2-ps).
## Displaying the help for a Windows PowerShell cmdlet
@@ -92,7 +92,4 @@ To display help for a specific Windows PowerShell cmdlet:
2. Enter **Get-Help** followed by the cmdlet you need help with. For example:
```PowerShell
Get-Help Publish-AppvClientPackage
- ```
-
-
-
+ ```
\ No newline at end of file
diff --git a/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md
index 78190c4689..964437cc18 100644
--- a/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md
+++ b/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md
@@ -128,7 +128,7 @@ Remove-AppvClientPackage "ContosoApplication"
```
> [!NOTE]
-> App-V cmdlets have been assigned to variables for the previous examples for clarity only; assignment is not a requirement. Most cmdlets can be combined as displayed in [Add and publish a package](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md#add-and-publish-a-package). For a detailed tutorial, see [App-V 5.0 Client PowerShell Deep Dive](https://blogs.technet.microsoft.com/appv/2012/12/03/app-v-5-0-client-powershell-deep-dive/).
+> App-V cmdlets have been assigned to variables for the previous examples for clarity only; assignment is not a requirement. Most cmdlets can be combined as displayed in [Add and publish a package](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md#add-and-publish-a-package). For a detailed tutorial, see [App-V 5.0 Client PowerShell Deep Dive](/archive/blogs/appv/app-v-5-0-client-powershell-deep-dive).
## Enable only administrators to publish or unpublish packages
@@ -172,4 +172,4 @@ For more information about pending tasks, see [Upgrading an in-use App-V package
## Related topics
- [Operations for App-V](appv-operations.md)
-- [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md)
+- [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md)
\ No newline at end of file
diff --git a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md
index 63e362cc4c..c852fb9f1a 100644
--- a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md
+++ b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md
@@ -259,4 +259,4 @@ There is no direct method to upgrade to a full App-V infrastructure. Use the inf
- [Operations for App-V](appv-operations.md)
-- [A simplified Microsoft App-V 5.1 Management Server upgrade procedure](https://blogs.technet.microsoft.com/appv/2015/09/23/a-simplified-microsoft-app-v-5-1-management-server-upgrade-procedure/)
+- [A simplified Microsoft App-V 5.1 Management Server upgrade procedure](/archive/blogs/appv/a-simplified-microsoft-app-v-5-1-management-server-upgrade-procedure)
\ No newline at end of file
diff --git a/windows/application-management/app-v/appv-performance-guidance.md b/windows/application-management/app-v/appv-performance-guidance.md
index d7c8078b33..bb51e1fee6 100644
--- a/windows/application-management/app-v/appv-performance-guidance.md
+++ b/windows/application-management/app-v/appv-performance-guidance.md
@@ -457,7 +457,7 @@ The following section contains lists with information about Microsoft documentat
Server Performance Tuning Guidelines for
-- [Microsoft Windows Server 2012 R2](https://msdn.microsoft.com/library/windows/hardware/dn529133.aspx)
+- [Microsoft Windows Server 2012 R2](/previous-versions//dn529133(v=vs.85))
- [Microsoft Windows Server 2012](https://download.microsoft.com/download/0/0/B/00BE76AF-D340-4759-8ECD-C80BC53B6231/performance-tuning-guidelines-windows-server-2012.docx)
@@ -465,23 +465,23 @@ Server Performance Tuning Guidelines for
**Server Roles**
-- [Remote Desktop Virtualization Host](https://msdn.microsoft.com/library/windows/hardware/dn567643.aspx)
+- [Remote Desktop Virtualization Host](/previous-versions//dn567643(v=vs.85))
-- [Remote Desktop Session Host](https://msdn.microsoft.com/library/windows/hardware/dn567648.aspx)
+- [Remote Desktop Session Host](/previous-versions//dn567648(v=vs.85))
-- [IIS Relevance: App-V Management, Publishing, Reporting Web Services](https://msdn.microsoft.com/library/windows/hardware/dn567678.aspx)
+- [IIS Relevance: App-V Management, Publishing, Reporting Web Services](/previous-versions//dn567678(v=vs.85))
-- [File Server (SMB) Relevance: If used for App-V Content Storage and Delivery in SCS Mode](https://technet.microsoft.com/library/jj134210.aspx)
+- [File Server (SMB) Relevance: If used for App-V Content Storage and Delivery in SCS Mode](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj134210(v=ws.11))
**Windows Client (Guest OS) Performance Tuning Guidance**
- [Microsoft Windows 7](https://download.microsoft.com/download/E/5/7/E5783D68-160B-4366-8387-114FC3E45EB4/Performance Tuning Guidelines for Windows 7 Desktop Virtualization v1.9.docx)
-- [Optimization Script: (Provided by Microsoft Support)](https://blogs.technet.com/b/jeff_stokes/archive/2012/10/15/the-microsoft-premier-field-engineer-pfe-view-on-virtual-desktop-vdi-density.aspx)
+- [Optimization Script: (Provided by Microsoft Support)](/archive/blogs/jeff_stokes/the-microsoft-premier-field-engineer-pfe-view-on-virtual-desktop-vdi-density)
- [Microsoft Windows 8](https://download.microsoft.com/download/6/0/1/601D7797-A063-4FA7-A2E5-74519B57C2B4/Windows_8_VDI_Image_Client_Tuning_Guide.pdf)
-- [Optimization Script: (Provided by Microsoft Support)](https://blogs.technet.com/b/jeff_stokes/archive/2013/04/09/hot-off-the-presses-get-it-now-the-windows-8-vdi-optimization-script-courtesy-of-pfe.aspx)
+- [Optimization Script: (Provided by Microsoft Support)](/archive/blogs/jeff_stokes/hot-off-the-presses-get-it-now-the-windows-8-vdi-optimization-script-courtesy-of-pfe)
## Sequencing Steps to Optimize Packages for Publishing Performance
@@ -742,4 +742,4 @@ The following terms are used when describing concepts and actions related to App
## Related topics
-[Application Virtualization (App-V) overview](appv-for-windows.md)
+[Application Virtualization (App-V) overview](appv-for-windows.md)
\ No newline at end of file
diff --git a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md
index 9f01735aab..daa0698829 100644
--- a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md
+++ b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md
@@ -34,12 +34,12 @@ Review the following articles to learn more about configuring IIS and NLB for co
* [Achieving High Availability and Scalability - ARR and NLB](https://www.iis.net/learn/extensions/configuring-application-request-routing-arr/achieving-high-availability-and-scalability-arr-and-nlb) describes how to configure IIS 7.0.
-* [Network load balancing overview](
Default: AppVManagement|
|Management server location|Machine account on which the Management server is deployed.
Format to use: **Domain\MachineAccount**|
|Management server installation administrator|Account used to install the Management server.
Format to use: **Domain\AdministratorLoginName**|
-|Microsoft SQL Server Service Agent|Configure the Management database computer so that the Microsoft SQL Server Agent service is restarted automatically. For instructions, see [Configure SQL Server Agent to restart services automatically](https://technet.microsoft.com/magazine/gg313742.aspx).|
+|Microsoft SQL Server Service Agent|Configure the Management database computer so that the Microsoft SQL Server Agent service is restarted automatically. For instructions, see [Configure SQL Server Agent to restart services automatically](/previous-versions/technet-magazine/gg313742(v=msdn.10)).|
### Publishing server prerequisite software
@@ -163,4 +163,4 @@ What to know before installing the prerequisites:
## Related topics
* [Planning for App-V](appv-planning-for-appv.md)
-* [App-V Supported Configurations](appv-supported-configurations.md)
+* [App-V Supported Configurations](appv-supported-configurations.md)
\ No newline at end of file
diff --git a/windows/application-management/app-v/appv-publish-a-connection-group.md b/windows/application-management/app-v/appv-publish-a-connection-group.md
index e48f4c43c6..e7fb9c1327 100644
--- a/windows/application-management/app-v/appv-publish-a-connection-group.md
+++ b/windows/application-management/app-v/appv-publish-a-connection-group.md
@@ -1,7 +1,7 @@
---
title: How to Publish a Connection Group (Windows 10)
description: Learn how to publish a connection group to computers that run the Application Virtualization (App-V) client.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md b/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md
index 565f150699..0bd0ff8e80 100644
--- a/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md
@@ -1,7 +1,7 @@
---
title: How to publish a package by using the Management console (Windows 10)
description: Learn how the Management console in App-V can help you enable admin controls as well as publish App-V packages.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md b/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md
index 2134edc7bb..74a2712705 100644
--- a/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md
@@ -1,7 +1,7 @@
---
title: How to Register and Unregister a Publishing Server by Using the Management Console (Windows 10)
description: How to Register and Unregister a Publishing Server by Using the Management Console
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md
index dc744d16c2..e8e1893c11 100644
--- a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md
+++ b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md
@@ -1,7 +1,7 @@
---
title: Release Notes for App-V for Windows 10, version 1703 (Windows 10)
description: A list of known issues and workarounds for App-V running on Windows 10, version 1703.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -109,9 +109,9 @@ The following are known issues and workarounds for Application Virtualization (A
For information that can help with troubleshooting App-V for Windows 10, see:
- [Application Virtualization (App-V): List of Microsoft Support Knowledge Base Articles](https://social.technet.microsoft.com/wiki/contents/articles/14272.app-v-v5-x-list-of-microsoft-support-knowledge-base-articles.aspx)
-- [The Official Microsoft App-V Team Blog](https://blogs.technet.microsoft.com/appv/)
+- [The Official Microsoft App-V Team Blog](/archive/blogs/appv/)
-- [Technical Reference for App-V](https://technet.microsoft.com/itpro/windows/manage/appv-technical-reference)
+- [Technical Reference for App-V](./appv-technical-reference.md)
- [App-V TechNet Forum](https://social.technet.microsoft.com/forums/en-us/home?forum=mdopappv)
@@ -121,4 +121,4 @@ For information that can help with troubleshooting App-V for Windows 10, see:
## Related topics
- [What's new in App-V for Windows 10](appv-about-appv.md)
-- [Release Notes for App-V for Windows 10, version 1607](appv-release-notes-for-appv-for-windows-1703.md)
+- [Release Notes for App-V for Windows 10, version 1607](appv-release-notes-for-appv-for-windows-1703.md)
\ No newline at end of file
diff --git a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md
index 704d0954f7..cfbb33c0ae 100644
--- a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md
+++ b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md
@@ -1,7 +1,7 @@
---
title: Release Notes for App-V for Windows 10, version 1607 (Windows 10)
description: A list of known issues and workarounds for App-V running on Windows 10, version 1607.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -155,12 +155,11 @@ The App-V Sequencer cannot sequence applications with filenames matching "CO_<
## Related resources list
For information that can help with troubleshooting App-V for Windows 10, see:
- [Application Virtualization (App-V): List of Microsoft Support Knowledge Base Articles](https://social.technet.microsoft.com/wiki/contents/articles/14272.app-v-v5-x-list-of-microsoft-support-knowledge-base-articles.aspx)
-- [The Official Microsoft App-V Team Blog](https://blogs.technet.microsoft.com/appv/)
-- [Technical Reference for App-V](https://technet.microsoft.com/itpro/windows/manage/appv-technical-reference)
+- [The Official Microsoft App-V Team Blog](/archive/blogs/appv/)
+- [Technical Reference for App-V](./appv-technical-reference.md)
- [App-V TechNet Forum](https://social.technet.microsoft.com/forums/en-us/home?forum=mdopappv)
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
-Help us to improve
-
+Help us to improve
\ No newline at end of file
diff --git a/windows/application-management/app-v/appv-reporting.md b/windows/application-management/app-v/appv-reporting.md
index 41c995543f..7597734e85 100644
--- a/windows/application-management/app-v/appv-reporting.md
+++ b/windows/application-management/app-v/appv-reporting.md
@@ -1,7 +1,7 @@
---
title: About App-V Reporting (Windows 10)
description: Learn how the App-V reporting feature collects information about computers running the App-V client and virtual application package usage.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -194,7 +194,7 @@ You can also use the **Send-AppVClientReport** cmdlet to manually collect data.
To retrieve report information and create reports using App-V you must use one of the following methods:
-* Microsoft SQL Server Reporting Services (SSRS)—Microsoft SSRS is available with Microsoft SQL Server. SSRS is not installed when you install the App-V reporting server. It must be deployed separately to generate the associated reports. For more information, see the [What is SQL Server Reporting Services (SSRS)?](https://docs.microsoft.com/sql/reporting-services/create-deploy-and-manage-mobile-and-paginated-reports) article.
+* Microsoft SQL Server Reporting Services (SSRS)—Microsoft SSRS is available with Microsoft SQL Server. SSRS is not installed when you install the App-V reporting server. It must be deployed separately to generate the associated reports. For more information, see the [What is SQL Server Reporting Services (SSRS)?](/sql/reporting-services/create-deploy-and-manage-mobile-and-paginated-reports) article.
* Scripting—You can generate reports by scripting directly against the App-V reporting database. For example:
@@ -202,7 +202,7 @@ To retrieve report information and create reports using App-V you must use one o
**spProcessClientReport** is scheduled to run at midnight or 12:00 AM.
- To run the Microsoft SQL Server Scheduled Stored procedure, the Microsoft SQL Server Agent must be running. Make sure the Microsoft SQL Server Agent is set to **AutoStart**. For more information, see [Autostart SQL Server Agent (SQL Server Management Studio)](https://docs.microsoft.com/sql/ssms/agent/autostart-sql-server-agent-sql-server-management-studio).
+ To run the Microsoft SQL Server Scheduled Stored procedure, the Microsoft SQL Server Agent must be running. Make sure the Microsoft SQL Server Agent is set to **AutoStart**. For more information, see [Autostart SQL Server Agent (SQL Server Management Studio)](/sql/ssms/agent/autostart-sql-server-agent-sql-server-management-studio).
The stored procedure is also created when you use the App-V database scripts.
@@ -215,4 +215,4 @@ You should also ensure that the reporting server web service’s **Maximum Concu
## Related topics
* [Deploying the App-V server](appv-deploying-the-appv-server.md)
-* [How to install the reporting server on a standalone computer and connect it to the database](appv-install-the-reporting-server-on-a-standalone-computer.md)
+* [How to install the reporting server on a standalone computer and connect it to the database](appv-install-the-reporting-server-on-a-standalone-computer.md)
\ No newline at end of file
diff --git a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md
index 3138fa3ab3..e3b0a072c7 100644
--- a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md
+++ b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md
@@ -1,7 +1,7 @@
---
title: Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications (Windows 10)
description: Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-security-considerations.md b/windows/application-management/app-v/appv-security-considerations.md
index d2dd484a97..32f77084f6 100644
--- a/windows/application-management/app-v/appv-security-considerations.md
+++ b/windows/application-management/app-v/appv-security-considerations.md
@@ -1,7 +1,7 @@
---
title: App-V Security Considerations (Windows 10)
description: Learn about accounts and groups, log files, and other security-related considerations for Microsoft Application Virtualization (App-V).
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -33,7 +33,7 @@ Effective as of June, 2014, the PackageStoreAccessControl (PSAC) feature introdu
**Apply the most recent security updates to all computers**. To stay informed about the latest updates for operating systems, Microsoft SQL Server, and App-V, see the [Microsoft Security TechCenter](https://technet.microsoft.com/security/bb291012). (THIS LINK NEEDS TO BE UPDATED)
-**Use strong passwords or pass phrases**. Always use strong passwords with 15 or more characters for all App-V and App-V administrator accounts. Never use blank passwords. For more information about password concepts, see [Password Policy](https://docs.microsoft.com/sql/relational-databases/security/password-policy) and [Strong Passwords](https://docs.microsoft.com/sql/relational-databases/security/strong-passwords). (THIS LINK NEEDS TO BE UPDATED)
+**Use strong passwords or pass phrases**. Always use strong passwords with 15 or more characters for all App-V and App-V administrator accounts. Never use blank passwords. For more information about password concepts, see [Password Policy](/sql/relational-databases/security/password-policy) and [Strong Passwords](/sql/relational-databases/security/strong-passwords). (THIS LINK NEEDS TO BE UPDATED)
## Accounts and groups in App-V
@@ -72,4 +72,4 @@ During App-V setup, setup log files are created in the **%temp%** folder of the
## Related topics
-[Preparing Your Environment for App-V](appv-preparing-your-environment.md)
+[Preparing Your Environment for App-V](appv-preparing-your-environment.md)
\ No newline at end of file
diff --git a/windows/application-management/app-v/appv-sequence-a-new-application.md b/windows/application-management/app-v/appv-sequence-a-new-application.md
index 2eb919d9b5..d0cf44c341 100644
--- a/windows/application-management/app-v/appv-sequence-a-new-application.md
+++ b/windows/application-management/app-v/appv-sequence-a-new-application.md
@@ -1,7 +1,7 @@
---
title: Manually sequence a new app using the Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10)
description: Learn how to manually sequence a new app by using the App-V Sequencer that's included with the Windows ADK.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md b/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md
index 2a353b9121..823392d02d 100644
--- a/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md
+++ b/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md
@@ -1,7 +1,7 @@
---
title: How to sequence a package by using Windows PowerShell (Windows 10)
description: Learn how to sequence a new Microsoft Application Virtualization (App-V) package by using Windows PowerShell.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-supported-configurations.md b/windows/application-management/app-v/appv-supported-configurations.md
index 340244864b..d834a9d19e 100644
--- a/windows/application-management/app-v/appv-supported-configurations.md
+++ b/windows/application-management/app-v/appv-supported-configurations.md
@@ -1,7 +1,7 @@
---
title: App-V Supported Configurations (Windows 10)
description: Learn the requirements to install and run App-V supported configurations in your Windows 10 environment.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -104,7 +104,7 @@ Similarly, the App-V Remote Desktop Services (RDS) client is included with Windo
## Sequencer system requirements
-Sequencer is now part of the Windows Assessment and Deployment Kit (Windows ADK). [Download the latest Windows ADK](https://docs.microsoft.com/windows-hardware/get-started/adk-install) that is recommended for your version of the Windows OS.
+Sequencer is now part of the Windows Assessment and Deployment Kit (Windows ADK). [Download the latest Windows ADK](/windows-hardware/get-started/adk-install) that is recommended for your version of the Windows OS.
### Sequencer hardware requirements
@@ -117,4 +117,4 @@ The App-V client works with Configuration Manager versions starting with Technic
## Related topics
* [Planning to deploy App-V](appv-planning-to-deploy-appv.md)
-* [App-V prerequisites](appv-prerequisites.md)
+* [App-V prerequisites](appv-prerequisites.md)
\ No newline at end of file
diff --git a/windows/application-management/app-v/appv-technical-reference.md b/windows/application-management/app-v/appv-technical-reference.md
index 8cd6653c77..19f2f4b499 100644
--- a/windows/application-management/app-v/appv-technical-reference.md
+++ b/windows/application-management/app-v/appv-technical-reference.md
@@ -1,7 +1,7 @@
---
title: Technical Reference for App-V (Windows 10)
-description: Learn strategy and context for a number of performance optimization practices in this techincal reference for Application Virtualization (App-V).
-author: lomayor
+description: Learn strategy and context for many performance optimization practices in this technical reference for Application Virtualization (App-V).
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -25,11 +25,21 @@ This section provides reference information related to managing App-V.
- [Performance Guidance for Application Virtualization](appv-performance-guidance.md)
- Provides strategy and context for a number of performance optimization practices. Not all practices will be applicable although they are supported and have been tested. Using all suggested practices that are applicable to your organization will provide the optimal end-user experience.
+ Provides strategy and context for many performance optimizations. Not all practices will be applicable. However, these are tested and supported. Using all suggested practices that are applicable to your organization will provide the optimal end-user experience.
- [Application Publishing and Client Interaction](appv-application-publishing-and-client-interaction.md)
- Describes how the following App-V client operations affect the local operating system: App-V files and data storage locations, package registry, package store behavior, roaming registry and data, client application lifecycle management, integration of App-V packages, dynamic configuration, side-by-side assemblies, and client logging.
+Describes how the following App-V client operations affect the local operating system:
+
+- App-V files and data storage locations
+- package registry
+- package store behavior
+- roaming registry and data
+- client application lifecycle management
+- integration of App-V packages
+- dynamic configuration
+- side-by-side assemblies
+- client logging
- [Viewing App-V Server Publishing Metadata](appv-viewing-appv-server-publishing-metadata.md)
@@ -44,10 +54,10 @@ This section provides reference information related to managing App-V.
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
-## Related topics
+## Related articles
[How to Deploy the App-V Databases by Using SQL Scripts](appv-deploy-appv-databases-with-sql-scripts.md)
[Administering App-V by Using Windows PowerShell](appv-administering-appv-with-powershell.md)
-[Windows PowerShell reference for App-V](https://technet.microsoft.com/library/dn903534.aspx)
+[Windows PowerShell reference for App-V](/previous-versions/)
\ No newline at end of file
diff --git a/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md b/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md
index a085b22759..7e1aad87e1 100644
--- a/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md
@@ -1,7 +1,7 @@
---
title: How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console (Windows 10)
description: How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-troubleshooting.md b/windows/application-management/app-v/appv-troubleshooting.md
index 29240949b5..1da98e9c7d 100644
--- a/windows/application-management/app-v/appv-troubleshooting.md
+++ b/windows/application-management/app-v/appv-troubleshooting.md
@@ -1,7 +1,7 @@
---
title: Troubleshooting App-V (Windows 10)
description: Learn how to find information about troubleshooting Application Virtualization (App-V) and information about other App-V topics.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -22,7 +22,7 @@ For information that can help with troubleshooting App-V for Windows 10, see:
- [Application Virtualization (App-V): List of Microsoft Support Knowledge Base Articles](https://social.technet.microsoft.com/wiki/contents/articles/14272.app-v-v5-x-list-of-microsoft-support-knowledge-base-articles.aspx)
-- [Microsoft App-V Team Blog](https://blogs.technet.microsoft.com/appv/)
+- [Microsoft App-V Team Blog](/archive/blogs/appv/)
- [Release Notes for App-V](appv-release-notes-for-appv-for-windows.md)
@@ -45,4 +45,4 @@ For information that can help with troubleshooting App-V for Windows 10, see:
-
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
+
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
\ No newline at end of file
diff --git a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md
index 8660d86846..c1a66569fb 100644
--- a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md
+++ b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md
@@ -1,7 +1,7 @@
---
title: Upgrading to App-V for Windows 10 from an existing installation (Windows 10)
description: Learn about upgrading to Application Virtualization (App-V) for Windows 10 from an existing installation.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -33,7 +33,7 @@ These steps are explained in more detail below.
## Upgrade user devices to Windows 10
-Performing an in-place upgrade automatically installs the App-V client and migrates users’ App-V applications and settings. See the [Windows 10 and Windows 10 Mobile document set](https://technet.microsoft.com/itpro/windows/index) for information about upgrading user devices to Windows 10.
+Performing an in-place upgrade automatically installs the App-V client and migrates users’ App-V applications and settings. See the [Windows 10 and Windows 10 Mobile document set](/windows/windows-10/) for information about upgrading user devices to Windows 10.
## Verify that App-V applications and settings were migrated correctly
@@ -99,4 +99,4 @@ Type the following cmdlet in a Windows PowerShell window:
-
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
+
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
\ No newline at end of file
diff --git a/windows/application-management/app-v/appv-using-the-client-management-console.md b/windows/application-management/app-v/appv-using-the-client-management-console.md
index 7dc0a15d0a..63ec292b62 100644
--- a/windows/application-management/app-v/appv-using-the-client-management-console.md
+++ b/windows/application-management/app-v/appv-using-the-client-management-console.md
@@ -1,7 +1,7 @@
---
title: Using the App-V Client Management Console (Windows 10)
description: Learn how to use the Application Virtualization (App-V) client management console to manage packages on the computer running the App-V client.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md b/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md
index e949a9406e..b7879ce0c2 100644
--- a/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md
@@ -1,7 +1,7 @@
---
title: How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console (Windows 10)
description: How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md b/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md
index acbd96ca6e..94aa4195ee 100644
--- a/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md
+++ b/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md
@@ -1,7 +1,7 @@
---
title: Viewing App-V Server Publishing Metadata (Windows 10)
description: Use this procedure to view App-V Server publishing metadata, which can help you resolve publishing-related issues.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/deploy-app-upgrades-windows-10-mobile.md b/windows/application-management/deploy-app-upgrades-windows-10-mobile.md
index cab2bb9669..96be5ecfc1 100644
--- a/windows/application-management/deploy-app-upgrades-windows-10-mobile.md
+++ b/windows/application-management/deploy-app-upgrades-windows-10-mobile.md
@@ -58,4 +58,4 @@ You don't need to delete the deployment associated with the older version of the
-If you haven't deployed an app through Configuration Manager before, check out [Deploy applications with Microsoft Endoint Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/deploy-applications). You can also see how to delete deployments (although you don't have to) and notify users about the upgraded app.
+If you haven't deployed an app through Configuration Manager before, check out [Deploy applications with Microsoft Endoint Configuration Manager](/configmgr/apps/deploy-use/deploy-applications). You can also see how to delete deployments (although you don't have to) and notify users about the upgraded app.
\ No newline at end of file
diff --git a/windows/application-management/enterprise-background-activity-controls.md b/windows/application-management/enterprise-background-activity-controls.md
index dc56d686c7..5b90927126 100644
--- a/windows/application-management/enterprise-background-activity-controls.md
+++ b/windows/application-management/enterprise-background-activity-controls.md
@@ -33,7 +33,7 @@ Here is the set of available controls for mobile devices:
-Although the user interface differs across editions of the operating system, the policy and developer interface is consistent across Windows 10. For more information about these controls, see [Optimize background activity](https://docs.microsoft.com/windows/uwp/debug-test-perf/optimize-background-activity).
+Although the user interface differs across editions of the operating system, the policy and developer interface is consistent across Windows 10. For more information about these controls, see [Optimize background activity](/windows/uwp/debug-test-perf/optimize-background-activity).
## Enterprise background activity controls
@@ -44,9 +44,9 @@ Starting with Windows 10, version 1703, enterprises can control background activ
`./Vendor/Microsoft/Policy/Config/Privacy/LetAppsRunInBackground_ForceDenyTheseApps`
`./Vendor/Microsoft/Policy/Config/Privacy/LetAppsRunInBackground_UserInControlOfTheseApps`
-These policies control the background activity battery settings for Universal Windows Platform (UWP) apps. They enable apps to not be managed by the Windows system policies and not be restricted when battery saver is active. Applying these policies to a device will disable the user controls for the applications specified in the policies in the **Settings** app. See [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsruninbackground) for more information about these policies.
+These policies control the background activity battery settings for Universal Windows Platform (UWP) apps. They enable apps to not be managed by the Windows system policies and not be restricted when battery saver is active. Applying these policies to a device will disable the user controls for the applications specified in the policies in the **Settings** app. See [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider#privacy-letappsruninbackground) for more information about these policies.
-An app can determine which settings are in place for itself by using [BackgroundExecutionManager.RequestAccessAsync](https://docs.microsoft.com/uwp/api/Windows.ApplicationModel.Background.BackgroundAccessStatus) before any background activity is attempted, and then examining the returned [BackgroundAccessStatus](https://docs.microsoft.com/uwp/api/windows.applicationmodel.background.backgroundaccessstatus) enumeration. The values of this enumeration correspond to settings in the **battery usage by App** settings page:
+An app can determine which settings are in place for itself by using [BackgroundExecutionManager.RequestAccessAsync](/uwp/api/Windows.ApplicationModel.Background.BackgroundAccessStatus) before any background activity is attempted, and then examining the returned [BackgroundAccessStatus](/uwp/api/windows.applicationmodel.background.backgroundaccessstatus) enumeration. The values of this enumeration correspond to settings in the **battery usage by App** settings page:
- **AlwaysAllowed**: Corresponds to **Always Allowed in Background** and **Managed By User**. This enables apps to run as much as possible in the background, including while the device is in battery saver mode.
@@ -60,6 +60,6 @@ The Universal Windows Platform ensures that consumers will have great battery li
## See also
-- [Run in the background indefinitely](https://docs.microsoft.com/windows/uwp/launch-resume/run-in-the-background-indefinetly)
-- [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsruninbackground)
-[Optimize background activity](https://docs.microsoft.com/windows/uwp/debug-test-perf/optimize-background-activity)
+- [Run in the background indefinitely](/windows/uwp/launch-resume/run-in-the-background-indefinetly)
+- [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider#privacy-letappsruninbackground)
+[Optimize background activity](/windows/uwp/debug-test-perf/optimize-background-activity)
\ No newline at end of file
diff --git a/windows/application-management/index.md b/windows/application-management/index.md
index f9a00fdc84..a294e75581 100644
--- a/windows/application-management/index.md
+++ b/windows/application-management/index.md
@@ -25,7 +25,7 @@ Learn about managing applications in Windows 10 and Windows 10 Mobile clients.
|[App-V](app-v/appv-getting-started.md)| Microsoft Application Virtualization (App-V) for Windows 10 enables organizations to deliver Win32 applications to users as virtual applications|
| [Service Host process refactoring](svchost-service-refactoring.md) | Changes to Service Host grouping in Windows 10 |
|[Per User services in Windows 10](per-user-services-in-windows.md)| Overview of per user services and instructions for viewing and disabling them in Windows 10 and Windows 2016|
-[Disabling System Services in Windows Server](https://docs.microsoft.com/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server) | Security guidelines for disabling services in Windows Server 2016 with Desktop Experience
+[Disabling System Services in Windows Server](/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server) | Security guidelines for disabling services in Windows Server 2016 with Desktop Experience
|[Understand apps in Windows 10](apps-in-windows-10.md)| Overview of the different apps included by default in Windows 10 Enterprise|
| [Deploy app upgrades on Windows 10 Mobile](deploy-app-upgrades-windows-10-mobile.md) | How to upgrade apps on Windows 10 Mobile |
-[Change history for Application management](change-history-for-application-management.md) | This topic lists new and updated topics in the Application management documentation for Windows 10 and Windows 10 Mobile.
+[Change history for Application management](change-history-for-application-management.md) | This topic lists new and updated topics in the Application management documentation for Windows 10 and Windows 10 Mobile.
\ No newline at end of file
diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md
index 4414bb6e96..505a840ba1 100644
--- a/windows/application-management/manage-windows-mixed-reality.md
+++ b/windows/application-management/manage-windows-mixed-reality.md
@@ -20,7 +20,7 @@ ms.topic: article
- Windows 10
-[Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/10/03/the-era-of-windows-mixed-reality-begins-october-17/) was introduced in Windows 10, version 1709 (also known as the Fall Creators Update), as a [Windows 10 Feature on Demand (FOD)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). Features on Demand are Windows feature packages that can be added at any time. When a Windows 10 PC needs a new feature, it can request the feature package from Windows Update.
+[Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/10/03/the-era-of-windows-mixed-reality-begins-october-17/) was introduced in Windows 10, version 1709 (also known as the Fall Creators Update), as a [Windows 10 Feature on Demand (FOD)](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). Features on Demand are Windows feature packages that can be added at any time. When a Windows 10 PC needs a new feature, it can request the feature package from Windows Update.
Organizations that use Windows Server Update Services (WSUS) must take action to [enable Windows Mixed Reality](#enable-windows-mixed-reality-in-wsus). Any organization that wants to prohibit use of Windows Mixed Reality can [block the installation of the Mixed Reality Portal](#block-the-mixed-reality-portal).
@@ -50,11 +50,11 @@ Organizations that use Windows Server Update Services (WSUS) must take action to
1. In **Settings** > **Update & Security** > **Windows Update**, select **Check for updates**.
-IT admins can also create [Side by side feature store (shared folder)](https://technet.microsoft.com/library/jj127275.aspx) to allow access to the Windows Mixed Reality FOD.
+IT admins can also create [Side by side feature store (shared folder)](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127275(v=ws.11)) to allow access to the Windows Mixed Reality FOD.
## Block the Mixed Reality Portal
-You can use the [AppLocker configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp) to block the Mixed Reality software.
+You can use the [AppLocker configuration service provider (CSP)](/windows/client-management/mdm/applocker-csp) to block the Mixed Reality software.
In the following example, the **Id** can be any generated GUID and the **Name** can be any name you choose. Note that `BinaryName="*"` allows you to block any app executable in the Mixed Reality Portal package. **Binary/VersionRange**, as shown in the example, will block all versions of the Mixed Reality Portal app.
@@ -99,4 +99,4 @@ In the following example, the **Id** can be any generated GUID and the **Name**
## Related topics
-- [Mixed reality](https://developer.microsoft.com/windows/mixed-reality/mixed_reality)
+- [Mixed reality](https://developer.microsoft.com/windows/mixed-reality/mixed_reality)
\ No newline at end of file
diff --git a/windows/application-management/msix-app-packaging-tool.md b/windows/application-management/msix-app-packaging-tool.md
index b1c60124ea..030d1c6a31 100644
--- a/windows/application-management/msix-app-packaging-tool.md
+++ b/windows/application-management/msix-app-packaging-tool.md
@@ -16,13 +16,13 @@ author: msfttracyp
# Repackage existing win32 applications to the MSIX format
-MSIX is a packaging format built to be safe, secure and reliable, based on a combination of .msi, .appx, App-V and ClickOnce installation technologies. You can [use the MSIX packaging tool](https://docs.microsoft.com/windows/msix/packaging-tool/create-app-package-msi-vm) to repackage your existing Win32 applications to the MSIX format.
+MSIX is a packaging format built to be safe, secure and reliable, based on a combination of .msi, .appx, App-V and ClickOnce installation technologies. You can [use the MSIX packaging tool](/windows/msix/packaging-tool/create-app-package-msi-vm) to repackage your existing Win32 applications to the MSIX format.
You can either run your installer interactively (through the UI) or create a package from the command line. Either way, you can convert an application without having the source code. Then, you can make your app available through the Microsoft Store.
-- [Package your favorite application installer](https://docs.microsoft.com/windows/msix/packaging-tool/create-app-package-msi-vm) interactively (msi, exe, App-V 5.x and ClickOnce) in MSIX format.
-- Create a [modification package](https://docs.microsoft.com/windows/msix/packaging-tool/package-editor) to update an existing MSIX package.
-- [Bundle multiple MSIX packages](https://docs.microsoft.com/windows/msix/packaging-tool/bundle-msix-packages) for distribution.
+- [Package your favorite application installer](/windows/msix/packaging-tool/create-app-package-msi-vm) interactively (msi, exe, App-V 5.x and ClickOnce) in MSIX format.
+- Create a [modification package](/windows/msix/packaging-tool/package-editor) to update an existing MSIX package.
+- [Bundle multiple MSIX packages](/windows/msix/packaging-tool/bundle-msix-packages) for distribution.
## Installing the MSIX Packaging Tool
@@ -37,4 +37,4 @@ You can either run your installer interactively (through the UI) or create a pac
1. Use the Microsoft work or school account login associated with your Windows Insider Program credentials in the [Microsoft Store](https://www.microsoft.com/store/r/9N5LW3JBCXKF).
2. Open the product description page.
-3. Click the install icon to begin installation.
+3. Click the install icon to begin installation.
\ No newline at end of file
diff --git a/windows/application-management/per-user-services-in-windows.md b/windows/application-management/per-user-services-in-windows.md
index 4245e9fb23..cd68824109 100644
--- a/windows/application-management/per-user-services-in-windows.md
+++ b/windows/application-management/per-user-services-in-windows.md
@@ -27,7 +27,7 @@ You can set the template service's **Startup Type** to **Disabled** to create pe
> Carefully test any changes to the template service's Startup Type before deploying to a production environment.
Use the following information to understand per-user services, change the template service Startup Type, and manage per-user services through Group Policy and security templates.
-For more information about disabling system services for Windows Server, see [Guidance on disabling system services on Windows Server with Desktop Experience](https://docs.microsoft.com/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server).
+For more information about disabling system services for Windows Server, see [Guidance on disabling system services on Windows Server with Desktop Experience](/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server).
## Per-user services
@@ -157,14 +157,14 @@ If you're using custom images to deploy Windows, you can modify the Startup Type
You can create a script to change the Startup Type for the per-user services. Then use Group Policy or another management solution to deploy the script in your environment.
-Sample script using [sc.exe](https://technet.microsoft.com/library/cc990290%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396):
+Sample script using [sc.exe](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc990290(v=ws.11)?f=255&MSPPError=-2147217396):
```
sc.exe configure
@@ -69,7 +69,7 @@ By default, this log isn't enabled. To enable this log, expand **Event Viewer (L
For information about how to analyze CAPI2 event logs, see
-[Troubleshooting PKI Problems on Windows Vista](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-vista/cc749296%28v=ws.10%29).
+[Troubleshooting PKI Problems on Windows Vista](/previous-versions/windows/it-pro/windows-vista/cc749296%28v=ws.10%29).
When troubleshooting complex 802.1X authentication issues, it's important to understand the 802.1X authentication process. Here's an example of wireless connection process with 802.1X authentication:
@@ -85,7 +85,7 @@ If you [collect a network packet capture](troubleshoot-tcpip-netmon.md) on both
> [!NOTE]
-> If you have a wireless trace, you can also [view ETL files with network monitor](https://docs.microsoft.com/windows/desktop/ndf/using-network-monitor-to-view-etl-files) and apply the **ONEX_MicrosoftWindowsOneX** and **WLAN_MicrosoftWindowsWLANAutoConfig** Network Monitor filters. If you need to load the required [parser](https://blogs.technet.microsoft.com/netmon/2010/06/04/parser-profiles-in-network-monitor-3-4/), see the instructions under the **Help** menu in Network Monitor. Here's an example:
+> If you have a wireless trace, you can also [view ETL files with network monitor](/windows/desktop/ndf/using-network-monitor-to-view-etl-files) and apply the **ONEX_MicrosoftWindowsOneX** and **WLAN_MicrosoftWindowsWLANAutoConfig** Network Monitor filters. If you need to load the required [parser](/archive/blogs/netmon/parser-profiles-in-network-monitor-3-4), see the instructions under the **Help** menu in Network Monitor. Here's an example:
@@ -115,5 +115,5 @@ Even if audit policy appears to be fully enabled, it sometimes helps to disable
## Additional references
-[Troubleshooting Windows Vista 802.11 Wireless Connections](https://technet.microsoft.com/library/cc766215%28v=ws.10%29.aspx)
-[Troubleshooting Windows Vista Secure 802.3 Wired Connections](https://technet.microsoft.com/library/cc749352%28v=ws.10%29.aspx)
+[Troubleshooting Windows Vista 802.11 Wireless Connections](/previous-versions/windows/it-pro/windows-vista/cc766215(v=ws.10))
+[Troubleshooting Windows Vista Secure 802.3 Wired Connections](/previous-versions/windows/it-pro/windows-vista/cc749352(v=ws.10))
\ No newline at end of file
diff --git a/windows/client-management/advanced-troubleshooting-boot-problems.md b/windows/client-management/advanced-troubleshooting-boot-problems.md
index 29e2d01d30..f1594dd088 100644
--- a/windows/client-management/advanced-troubleshooting-boot-problems.md
+++ b/windows/client-management/advanced-troubleshooting-boot-problems.md
@@ -99,7 +99,7 @@ The Startup Repair tool automatically fixes many common problems. The tool also
To do this, follow these steps.
> [!NOTE]
-> For additional methods to start WinRE, see [Windows Recovery Environment (Windows RE)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#span-identrypointsintowinrespanspan-identrypointsintowinrespanspan-identrypointsintowinrespanentry-points-into-winre).
+> For additional methods to start WinRE, see [Windows Recovery Environment (Windows RE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#span-identrypointsintowinrespanspan-identrypointsintowinrespanspan-identrypointsintowinrespanentry-points-into-winre).
1. Start the system to the installation media for the installed version of Windows. For more information, see [Create installation media for Windows](https://support.microsoft.com/help/15088).
@@ -231,7 +231,7 @@ If the system gets stuck during the kernel phase, you experience multiple sympto
- Specific error code is displayed.
For example, "0x00000C2" , "0x0000007B" , "inaccessible boot device" and so on.
- - [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](https://docs.microsoft.com/windows/client-management/troubleshoot-inaccessible-boot-device)
+ - [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](./troubleshoot-inaccessible-boot-device.md)
- [Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md)
- The screen is stuck at the "spinning wheel" (rolling dots) "system busy" icon.
@@ -274,7 +274,7 @@ Disable any service that you find to be faulty, and try to start the computer ag
For detailed instructions, see [How to perform a clean boot in Windows](https://support.microsoft.com/help/929135/how-to-perform-a-clean-boot-in-windows).
If the computer starts in Disable Driver Signature mode, start the computer in Disable Driver Signature Enforcement mode, and then follow the steps that are documented in the following article to determine which drivers or files require driver signature enforcement:
-[Troubleshooting boot problem caused by missing driver signature (x64)](https://blogs.technet.microsoft.com/askcore/2012/04/15/troubleshooting-boot-issues-due-to-missing-driver-signature-x64/)
+[Troubleshooting boot problem caused by missing driver signature (x64)](/archive/blogs/askcore/troubleshooting-boot-issues-due-to-missing-driver-signature-x64)
> [!NOTE]
> If the computer is a domain controller, try Directory Services Restore mode (DSRM).
@@ -310,7 +310,7 @@ To troubleshoot this Stop error, follow these steps to filter the drivers:
For additional troubleshooting steps, see the following articles:
-- [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](https://docs.microsoft.com/windows/client-management/troubleshoot-inaccessible-boot-device)
+- [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](./troubleshoot-inaccessible-boot-device.md)
To fix problems that occur after you install Windows updates, check for pending updates by using these steps:
@@ -361,13 +361,13 @@ If the computer does not start, follow these steps:
If the Stop error occurs late in the startup process, or if the Stop error is still being generated, you can capture a memory dump. A good memory dump can help determine the root cause of the Stop error. For details, see the following articles:
-- [Generate a kernel or complete crash dump](https://docs.microsoft.com/windows/client-management/generate-kernel-or-complete-crash-dump)
+- [Generate a kernel or complete crash dump](./generate-kernel-or-complete-crash-dump.md)
For more information about page file problems in Windows 10 or Windows Server 2016, see the following:
-- [Introduction to page files](https://docs.microsoft.com/windows/client-management/introduction-page-file)
+- [Introduction to page files](./introduction-page-file.md)
For more information about Stop errors, see the following Knowledge Base article:
-- [Advanced troubleshooting for Stop error or blue screen error issue](https://docs.microsoft.com/windows/client-management/troubleshoot-stop-errors)
+- [Advanced troubleshooting for Stop error or blue screen error issue](./troubleshoot-stop-errors.md)
If the dump file shows an error that is related to a driver (for example, windows\system32\drivers\stcvsm.sys is missing or corrupted), follow these guidelines:
@@ -381,7 +381,7 @@ If the dump file shows an error that is related to a driver (for example, window
```dos
SFC /Scannow /OffBootDir=C:\ /OffWinDir=E:\Windows
```
- For more information, see [Using System File Checker (SFC) To Fix Issues](https://blogs.technet.microsoft.com/askcore/2007/12/18/using-system-file-checker-sfc-to-fix-issues/)
+ For more information, see [Using System File Checker (SFC) To Fix Issues](/archive/blogs/askcore/using-system-file-checker-sfc-to-fix-issues)
- If there is disk corruption, run the check disk command:
```dos
@@ -397,4 +397,4 @@ If the dump file shows an error that is related to a driver (for example, window
5. Copy all the hives from the Regback folder, paste them in the Config folder, and then try to start the computer in Normal mode.
> [!NOTE]
-> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more details, check [this article](https://support.microsoft.com/en-us/help/4509719/the-system-registry-is-no-longer-backed-up-to-the-regback-folder-start).
+> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more details, check [this article](https://support.microsoft.com/en-us/help/4509719/the-system-registry-is-no-longer-backed-up-to-the-regback-folder-start).
\ No newline at end of file
diff --git a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md
index ff1064cbbf..a024756b85 100644
--- a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md
+++ b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md
@@ -29,7 +29,7 @@ This workflow involves knowledge and use of [TextAnalysisTool](https://github.co
This article applies to any scenario in which Wi-Fi connections fail to establish. The troubleshooter is developed with Windows 10 clients in focus, but also may be useful with traces as far back as Windows 7.
> [!NOTE]
-> This troubleshooter uses examples that demonstrate a general strategy for navigating and interpreting wireless component [Event Tracing for Windows](https://docs.microsoft.com/windows/desktop/etw/event-tracing-portal) (ETW). It is not meant to be representative of every wireless problem scenario.
+> This troubleshooter uses examples that demonstrate a general strategy for navigating and interpreting wireless component [Event Tracing for Windows](/windows/desktop/etw/event-tracing-portal) (ETW). It is not meant to be representative of every wireless problem scenario.
Wireless ETW is incredibly verbose and calls out a lot of innocuous errors (rather flagged behaviors that have little or nothing to do with the problem scenario). Simply searching for or filtering on "err", "error", and "fail" will seldom lead you to the root cause of a problematic Wi-Fi scenario. Instead it will flood the screen with meaningless logs that will obfuscate the context of the actual problem.
@@ -237,8 +237,8 @@ This is followed by **PHY_STATE_CHANGE** and **PORT_DOWN** events due to a disas
### Resources
-[802.11 Wireless Tools and Settings](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc755892(v%3dws.10))
-[Understanding 802.1X authentication for wireless networks](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc759077%28v%3dws.10%29)
+[802.11 Wireless Tools and Settings](/previous-versions/windows/it-pro/windows-server-2003/cc755892(v%3dws.10))
+[Understanding 802.1X authentication for wireless networks](/previous-versions/windows/it-pro/windows-server-2003/cc759077%28v%3dws.10%29)
## Example ETW capture
@@ -327,4 +327,4 @@ Copy and paste all the lines below and save them into a text file named "wifi.ta
In the following example, the **View** settings are configured to **Show Only Filtered Lines**.
-
+
\ No newline at end of file
diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md
index 3e360929de..89776f9222 100644
--- a/windows/client-management/connect-to-remote-aadj-pc.md
+++ b/windows/client-management/connect-to-remote-aadj-pc.md
@@ -22,14 +22,14 @@ ms.topic: article
- Windows 10
-From its release, Windows 10 has supported remote connections to PCs joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](https://docs.microsoft.com/azure/active-directory/devices/concept-azure-ad-join). Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics).
+From its release, Windows 10 has supported remote connections to PCs joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](/azure/active-directory/devices/concept-azure-ad-join). Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session](/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics).
## Set up
- Both PCs (local and remote) must be running Windows 10, version 1607 or later. Remote connections to an Azure AD-joined PC running earlier versions of Windows 10 are not supported.
-- Your local PC (where you are connecting from) must be either Azure AD-joined or Hybrid Azure AD-joined if using Windows 10, version 1607 and above, or [Azure AD registered](https://docs.microsoft.com/azure/active-directory/devices/concept-azure-ad-register) if using Windows 10, version 2004 and above. Remote connections to an Azure AD-joined PC from an unjoined device or a non-Windows 10 device are not supported.
+- Your local PC (where you are connecting from) must be either Azure AD-joined or Hybrid Azure AD-joined if using Windows 10, version 1607 and above, or [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) if using Windows 10, version 2004 and above. Remote connections to an Azure AD-joined PC from an unjoined device or a non-Windows 10 device are not supported.
- The local PC and remote PC must be in the same Azure AD tenant. Azure AD B2B guests are not supported for Remote desktop.
Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC you are using to connect to the remote PC.
@@ -64,7 +64,7 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu
- Adding users using policy
- Starting in Windows 10, version 2004, you can add users or Azure AD groups to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Azure AD joined devices](https://docs.microsoft.com/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview).
+ Starting in Windows 10, version 2004, you can add users or Azure AD groups to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Azure AD joined devices](/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview).
> [!TIP]
> When you connect to the remote PC, enter your account name in this format: AzureAD\yourloginid@domain.com.
@@ -83,8 +83,8 @@ The table below lists the supported configurations for remotely connecting to an
> [!NOTE]
-> If the RDP client is running Windows Server 2016 or Windows Server 2019, to be able to connect to Azure Active Directory-joined PCs, it must [allow Public Key Cryptography Based User-to-User (PKU2U) authentication requests to use online identities](https://docs.microsoft.com/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities).
+> If the RDP client is running Windows Server 2016 or Windows Server 2019, to be able to connect to Azure Active Directory-joined PCs, it must [allow Public Key Cryptography Based User-to-User (PKU2U) authentication requests to use online identities](/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities).
## Related topics
-[How to use Remote Desktop](https://support.microsoft.com/instantanswers/ff521c86-2803-4bc0-a5da-7df445788eb9/how-to-use-remote-desktop)
+[How to use Remote Desktop](https://support.microsoft.com/instantanswers/ff521c86-2803-4bc0-a5da-7df445788eb9/how-to-use-remote-desktop)
\ No newline at end of file
diff --git a/windows/client-management/generate-kernel-or-complete-crash-dump.md b/windows/client-management/generate-kernel-or-complete-crash-dump.md
index 835007dc33..ac31619d20 100644
--- a/windows/client-management/generate-kernel-or-complete-crash-dump.md
+++ b/windows/client-management/generate-kernel-or-complete-crash-dump.md
@@ -102,12 +102,12 @@ To do this, follow these steps:
9. Test this method on the server by using the NMI switch to generate a dump file. You will see a STOP 0x00000080 hardware malfunction.
-If you want to run NMI in Microsoft Azure using Serial Console, see [Use Serial Console for SysRq and NMI calls](https://docs.microsoft.com/azure/virtual-machines/linux/serial-console-nmi-sysrq).
+If you want to run NMI in Microsoft Azure using Serial Console, see [Use Serial Console for SysRq and NMI calls](/azure/virtual-machines/linux/serial-console-nmi-sysrq).
### Use the keyboard
-[Forcing a System Crash from the Keyboard](https://docs.microsoft.com/windows-hardware/drivers/debugger/forcing-a-system-crash-from-the-keyboard)
+[Forcing a System Crash from the Keyboard](/windows-hardware/drivers/debugger/forcing-a-system-crash-from-the-keyboard)
### Use Debugger
-[Forcing a System Crash from the Debugger](https://docs.microsoft.com/windows-hardware/drivers/debugger/forcing-a-system-crash-from-the-debugger)
+[Forcing a System Crash from the Debugger](/windows-hardware/drivers/debugger/forcing-a-system-crash-from-the-debugger)
\ No newline at end of file
diff --git a/windows/client-management/introduction-page-file.md b/windows/client-management/introduction-page-file.md
index b1964db01a..376916c1d3 100644
--- a/windows/client-management/introduction-page-file.md
+++ b/windows/client-management/introduction-page-file.md
@@ -66,5 +66,5 @@ The system commit charge is the total committed or "promised" memory of all comm
The system committed charge and system committed limit can be measured on the **Performance** tab in Task Manager or by using the "\Memory\Committed Bytes" and "\Memory\Commit Limit" performance counters. The \Memory\% Committed Bytes In Use counter is a ratio of \Memory\Committed Bytes to \Memory\Commit Limit values.
->[!Note]
->System-managed page files automatically grow up to three times the physical memory or 4 GB (whichever is larger) when the system commit charge reaches 90 percent of the system commit limit. This assumes that enough free disk space is available to accommodate the growth.
+> [!NOTE]
+> System-managed page files automatically grow up to three times the physical memory or 4 GB (whichever is larger, but no more than one-eighth of the volume size) when the system commit charge reaches 90 percent of the system commit limit. This assumes that enough free disk space is available to accommodate the growth.
diff --git a/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md b/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md
index 0511eea424..a7d84c9fb8 100644
--- a/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md
+++ b/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md
@@ -63,7 +63,7 @@ Even though Azure AD Join on Windows 10 Mobile provides the best overall experi
- You can add access to Azure AD-backed resources on the device without resetting the device.
-However, neither of these methods provides SSO in the Microsoft Store or SSO to resources on-premises, and does not provide the ability to roam settings based on the Azure AD account using enterprise roaming. [Learn about enterprise state roaming in Azure AD.](https://go.microsoft.com/fwlink/p/?LinkId=734996)
+However, neither of these methods provides SSO in the Microsoft Store or SSO to resources on-premises, and does not provide the ability to roam settings based on the Azure AD account using enterprise roaming. [Learn about enterprise state roaming in Azure AD.](/azure/active-directory/devices/enterprise-state-roaming-overview)
Using **Settings** > **Accounts** > **Your email and accounts** > **Add work or school account**, users can add their Azure AD account to the device. Alternatively, a work account can be added when the user signs in to an application like Mail, Word, etc. If you [enable auto-enrollment in your MDM settings](https://go.microsoft.com/fwlink/p/?LinkID=691615), the device will automatically be enrolled in MDM.
@@ -88,7 +88,7 @@ An added work account provides the same SSO experience in browser apps like Offi
- **Windows Hello**
- Creating a Windows Hello (PIN) is required on Windows 10 Mobile by default and cannot be disabled. You can control Windows Hello policies using controls in MDM, such as Intune. Because the device is joined using organizational credentials, the device must have a PIN to unlock the device. Biometrics such as fingerprint or iris can be used for authentication. Creating a Windows Hello requires the user to perform an multi-factor authentication since the PIN is a strong authentication credential. [Learn more about Windows Hello for Azure AD.](https://go.microsoft.com/fwlink/p/?LinkId=735004)
+ Creating a Windows Hello (PIN) is required on Windows 10 Mobile by default and cannot be disabled. You can control Windows Hello policies using controls in MDM, such as Intune. Because the device is joined using organizational credentials, the device must have a PIN to unlock the device. Biometrics such as fingerprint or iris can be used for authentication. Creating a Windows Hello requires the user to perform an multi-factor authentication since the PIN is a strong authentication credential. [Learn more about Windows Hello for Azure AD.](/windows/security/identity-protection/hello-for-business/hello-identity-verification)
- **Conditional access**
@@ -202,9 +202,4 @@ To see the Notebooks that your Azure AD account has access to, tap **More Notebo
-
-
-
-
-
-
+
\ No newline at end of file
diff --git a/windows/client-management/manage-corporate-devices.md b/windows/client-management/manage-corporate-devices.md
index 7d344924f1..f725f87044 100644
--- a/windows/client-management/manage-corporate-devices.md
+++ b/windows/client-management/manage-corporate-devices.md
@@ -42,11 +42,11 @@ You can use the same management tools to manage all device types running Windows
## Learn more
-[How to bulk-enroll devices with On-premises Mobile Device Management in Microsoft Endpoint Configuration Manager](https://technet.microsoft.com/library/mt627898.aspx)
+[How to bulk-enroll devices with On-premises Mobile Device Management in Microsoft Endpoint Configuration Manager](/mem/configmgr/mdm/deploy-use/bulk-enroll-devices-on-premises-mdm)
[Azure AD, Microsoft Intune and Windows 10 - Using the cloud to modernize enterprise mobility](https://blogs.technet.microsoft.com/enterprisemobility/2015/06/12/azure-ad-microsoft-intune-and-windows-10-using-the-cloud-to-modernize-enterprise-mobility/)
-[Microsoft Intune End User Enrollment Guide](https://go.microsoft.com/fwlink/p/?LinkID=617169)
+[Microsoft Intune End User Enrollment Guide](/samples/browse/?redirectedfrom=TechNet-Gallery)
[Azure AD Join on Windows 10 devices](https://go.microsoft.com/fwlink/p/?LinkId=616791)
@@ -58,16 +58,11 @@ You can use the same management tools to manage all device types running Windows
[Using Intune alone and with Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=613207)
-Microsoft Virtual Academy course: [System Center 2012 R2 Configuration Manager & Windows Intune](https://go.microsoft.com/fwlink/p/?LinkId=613208)
+Microsoft Virtual Academy course: [System Center 2012 R2 Configuration Manager & Windows Intune](/learn/)
-
-
-
-
-
-
+
\ No newline at end of file
diff --git a/windows/client-management/manage-settings-app-with-group-policy.md b/windows/client-management/manage-settings-app-with-group-policy.md
index 2950a6c6d9..a177277d07 100644
--- a/windows/client-management/manage-settings-app-with-group-policy.md
+++ b/windows/client-management/manage-settings-app-with-group-policy.md
@@ -39,7 +39,7 @@ Policy paths:
## Configuring the Group Policy
-The Group Policy can be configured in one of two ways: specify a list of pages that are shown or specify a list of pages to hide. To do this, add either **ShowOnly:** or **Hide:** followed by a semicolon-delimited list of URIs in **Settings Page Visibility**. For a full list of URIs, see the URI scheme reference section in [Launch the Windows Settings app](https://docs.microsoft.com/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference).
+The Group Policy can be configured in one of two ways: specify a list of pages that are shown or specify a list of pages to hide. To do this, add either **ShowOnly:** or **Hide:** followed by a semicolon-delimited list of URIs in **Settings Page Visibility**. For a full list of URIs, see the URI scheme reference section in [Launch the Windows Settings app](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference).
>[!NOTE]
> When you specify the URI in the Settings Page Visibility textbox, don't include **ms-settings:** in the string.
@@ -47,6 +47,4 @@ The Group Policy can be configured in one of two ways: specify a list of pages t
Here are some examples:
- To show only the Ethernet and Proxy pages, set the **Settings App Visibility** textbox to **ShowOnly:Network-Proxy;Network-Ethernet**.
-- To hide the Ethernet and Proxy pages, set the **Settings App Visibility** textbox to **Hide:Network-Proxy;Network-Ethernet**.
-
-
+- To hide the Ethernet and Proxy pages, set the **Settings App Visibility** textbox to **Hide:Network-Proxy;Network-Ethernet**.
\ No newline at end of file
diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
index f4a048f445..22ba2d74a8 100644
--- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
+++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
@@ -28,7 +28,7 @@ This six-minute video demonstrates how users can bring in a new retail device an
> [!VIDEO https://www.youtube.com/embed/g1rIcBhhxpA]
>[!NOTE]
- >The video demonstrates the configuration process using the classic Azure portal, which is retired. Customers should use the new Azure portal. [Learn how use the new Azure portal to perform tasks that you used to do in the classic Azure portal.](https://docs.microsoft.com/information-protection/deploy-use/migrate-portal)
+ >The video demonstrates the configuration process using the classic Azure portal, which is retired. Customers should use the new Azure portal. [Learn how use the new Azure portal to perform tasks that you used to do in the classic Azure portal.](/information-protection/deploy-use/migrate-portal)
This topic offers guidance on strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment. The topic covers [management options](#reviewing-the-management-options-with-windows-10) plus the four stages of the device lifecycle:
@@ -53,42 +53,42 @@ As indicated in the diagram, Microsoft continues to provide support for deep man
With Windows 10, you can continue to use traditional OS deployment, but you can also “manage out of the box.” To transform new devices into fully-configured, fully-managed devices, you can:
-- Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management services such as [Microsoft Autopilot](https://docs.microsoft.com/windows/deployment/windows-10-auto-pilot) or [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/).
+- Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management services such as [Microsoft Autopilot](/windows/deployment/windows-10-auto-pilot) or [Microsoft Intune](/mem/intune/fundamentals/).
-- Create self-contained provisioning packages built with the [Windows Configuration Designer](https://technet.microsoft.com/itpro/windows/deploy/provisioning-packages).
+- Create self-contained provisioning packages built with the [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-packages).
-- Use traditional imaging techniques such as deploying custom images using [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/core/understand/introduction).
+- Use traditional imaging techniques such as deploying custom images using [Microsoft Endpoint Configuration Manager](/configmgr/core/understand/introduction).
-You have multiple options for [upgrading to Windows 10](https://technet.microsoft.com/itpro/windows/deploy/windows-10-deployment-scenarios). For existing devices running Windows 7 or Windows 8.1, you can use the robust in-place upgrade process for a fast, reliable move to Windows 10 while automatically preserving all the existing apps, data, and settings. This can mean significantly lower deployment costs, as well as improved productivity as end users can be immediately productive – everything is right where they left it. Of course, you can also use a traditional wipe-and-load approach if you prefer, using the same tools that you use today with Windows 7.
+You have multiple options for [upgrading to Windows 10](/windows/deployment/windows-10-deployment-scenarios). For existing devices running Windows 7 or Windows 8.1, you can use the robust in-place upgrade process for a fast, reliable move to Windows 10 while automatically preserving all the existing apps, data, and settings. This can mean significantly lower deployment costs, as well as improved productivity as end users can be immediately productive – everything is right where they left it. Of course, you can also use a traditional wipe-and-load approach if you prefer, using the same tools that you use today with Windows 7.
## Identity and Authentication
-You can use Windows 10 and services like [Azure Active Directory](https://azure.microsoft.com/documentation/articles/active-directory-whatis/) in new ways for cloud-based identity, authentication, and management. You can offer your users the ability to **“bring your own device” (BYOD)** or to **“choose your own device” (CYOD)** from a selection you make available. At the same time, you might be managing PCs and tablets that must be domain-joined because of specific applications or resources that are used on them.
+You can use Windows 10 and services like [Azure Active Directory](/azure/active-directory/fundamentals/active-directory-whatis) in new ways for cloud-based identity, authentication, and management. You can offer your users the ability to **“bring your own device” (BYOD)** or to **“choose your own device” (CYOD)** from a selection you make available. At the same time, you might be managing PCs and tablets that must be domain-joined because of specific applications or resources that are used on them.
You can envision user and device management as falling into these two categories:
- **Corporate (CYOD) or personal (BYOD) devices used by mobile users for SaaS apps such as Office 365.** With Windows 10, your employees can self-provision their devices:
- - For corporate devices, they can set up corporate access with [Azure AD Join](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-overview/). When you offer them Azure AD Join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067), all from the cloud.
Azure AD Join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources.
+ - For corporate devices, they can set up corporate access with [Azure AD Join](/azure/active-directory/devices/overview). When you offer them Azure AD Join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067), all from the cloud.
Azure AD Join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources.
- - Likewise, for personal devices, employees can use a new, simplified [BYOD experience](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-windows10-devices/) to add their work account to Windows, then access work resources on the device.
+ - Likewise, for personal devices, employees can use a new, simplified [BYOD experience](/azure/active-directory/devices/overview) to add their work account to Windows, then access work resources on the device.
- **Domain joined PCs and tablets used for traditional applications and access to important resources.** These may be traditional applications and resources that require authentication or accessing highly sensitive or classified resources on-premises.
- With Windows 10, if you have an on-premises [Active Directory](https://technet.microsoft.com/windows-server-docs/identity/whats-new-active-directory-domain-services) domain that’s [integrated with Azure AD](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-devices-group-policy/), when employee devices are joined, they automatically register with Azure AD. This provides:
+ With Windows 10, if you have an on-premises [Active Directory](/windows-server/identity/whats-new-active-directory-domain-services) domain that’s [integrated with Azure AD](/azure/active-directory/devices/hybrid-azuread-join-plan), when employee devices are joined, they automatically register with Azure AD. This provides:
- Single sign-on to cloud and on-premises resources from everywhere
- - [Enterprise roaming of settings](https://azure.microsoft.com/documentation/articles/active-directory-windows-enterprise-state-roaming-overview/)
+ - [Enterprise roaming of settings](/azure/active-directory/devices/enterprise-state-roaming-overview)
- - [Conditional access](https://azure.microsoft.com/documentation/articles/active-directory-conditional-access/) to corporate resources based on the health or configuration of the device
+ - [Conditional access](/azure/active-directory/conditional-access/overview) to corporate resources based on the health or configuration of the device
- - [Windows Hello for Business](https://technet.microsoft.com/itpro/windows/keep-secure/manage-identity-verification-using-microsoft-passport)
+ - [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification)
- Windows Hello
- Domain joined PCs and tablets can continue to be managed with the [Configuration Manager](https://docs.microsoft.com/configmgr/core/understand/introduction) client or Group Policy.
+ Domain joined PCs and tablets can continue to be managed with the [Configuration Manager](/configmgr/core/understand/introduction) client or Group Policy.
-For more information about how Windows 10 and Azure AD optimize access to work resources across a mix of devices and scenarios, see [Using Windows 10 devices in your workplace](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-windows10-devices/).
+For more information about how Windows 10 and Azure AD optimize access to work resources across a mix of devices and scenarios, see [Using Windows 10 devices in your workplace](/azure/active-directory/devices/overview).
As you review the roles in your organization, you can use the following generalized decision tree to begin to identify users or devices that require domain join. Consider switching the remaining users to Azure AD.
@@ -109,7 +109,7 @@ Your configuration requirements are defined by multiple factors, including the l
## Updating and Servicing
-With Windows as a Service, your IT department no longer needs to perform complex imaging (wipe-and-load) processes with each new Windows release. Whether on current branch (CB) or current branch for business (CBB), devices receive the latest feature and quality updates through simple – often automatic – patching processes. For more information, see [Windows 10 deployment scenarios](https://technet.microsoft.com/itpro/windows/deploy/windows-10-deployment-scenarios).
+With Windows as a Service, your IT department no longer needs to perform complex imaging (wipe-and-load) processes with each new Windows release. Whether on current branch (CB) or current branch for business (CBB), devices receive the latest feature and quality updates through simple – often automatic – patching processes. For more information, see [Windows 10 deployment scenarios](/windows/deployment/windows-10-deployment-scenarios).
MDM with Intune provide tools for applying Windows updates to client computers in your organization. Configuration Manager allows rich management and tracking capabilities of these updates, including maintenance windows and automatic deployment rules.
@@ -123,18 +123,18 @@ There are a variety of steps you can take to begin the process of modernizing de
**Review the decision trees in this article.** With the different options in Windows 10, plus Configuration Manager and Enterprise Mobility + Security, you have the flexibility to handle imaging, authentication, settings, and management tools for any scenario.
-**Take incremental steps.** Moving towards modern device management doesn’t have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this “managed diversity,” users can benefit from productivity enhancements on new Windows 10 devices, while you continue to maintain older devices according to your standards for security and manageability. Starting with Windows 10, version 1803, the new policy [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict#controlpolicyconflict-mdmwinsovergp) was added to allow MDM policies to take precedence over GP when both GP and its equivalent MDM policies are set on the device. You can start implementing MDM policies while keeping your GP environment. Here is the list of MDM policies with equivalent GP - [Policies supported by GP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#policies-supported-by-gp)
+**Take incremental steps.** Moving towards modern device management doesn’t have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this “managed diversity,” users can benefit from productivity enhancements on new Windows 10 devices, while you continue to maintain older devices according to your standards for security and manageability. Starting with Windows 10, version 1803, the new policy [MDMWinsOverGP](./mdm/policy-csp-controlpolicyconflict.md#controlpolicyconflict-mdmwinsovergp) was added to allow MDM policies to take precedence over GP when both GP and its equivalent MDM policies are set on the device. You can start implementing MDM policies while keeping your GP environment. Here is the list of MDM policies with equivalent GP - [Policies supported by GP](./mdm/policy-configuration-service-provider.md)
**Optimize your existing investments**. On the road from traditional on-premises management to modern cloud-based management, take advantage of the flexible, hybrid architecture of Configuration Manager and Intune. Starting with Configuration Manager 1710, co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Intune. See these topics for details:
-- [Co-management for Windows 10 devices](https://docs.microsoft.com/configmgr/core/clients/manage/co-management-overview)
-- [Prepare Windows 10 devices for co-management](https://docs.microsoft.com/configmgr/core/clients/manage/co-management-prepare)
-- [Switch Configuration Manager workloads to Intune](https://docs.microsoft.com/configmgr/core/clients/manage/co-management-switch-workloads)
-- [Co-management dashboard in Configuration Manager](https://docs.microsoft.com/configmgr/core/clients/manage/co-management-dashboard)
+- [Co-management for Windows 10 devices](/configmgr/core/clients/manage/co-management-overview)
+- [Prepare Windows 10 devices for co-management](/configmgr/core/clients/manage/co-management-prepare)
+- [Switch Configuration Manager workloads to Intune](/configmgr/core/clients/manage/co-management-switch-workloads)
+- [Co-management dashboard in Configuration Manager](/configmgr/core/clients/manage/co-management-dashboard)
## Related topics
-- [What is Intune?](https://docs.microsoft.com//mem/intune/fundamentals/what-is-intune)
-- [Windows 10 Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider)
-- [Windows 10 Configuration service Providers](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference)
+- [What is Intune?](//mem/intune/fundamentals/what-is-intune)
+- [Windows 10 Policy CSP](./mdm/policy-configuration-service-provider.md)
+- [Windows 10 Configuration service Providers](./mdm/configuration-service-provider-reference.md)
diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md
index 68d135449d..b5b30659d6 100644
--- a/windows/client-management/mandatory-user-profile.md
+++ b/windows/client-management/mandatory-user-profile.md
@@ -39,7 +39,7 @@ The name of the folder in which you store the mandatory profile must use the cor
| Windows 10, versions 1507 and 1511 | N/A | v5 |
| Windows 10, versions 1607, 1703, 1709, 1803, 1809, 1903 and 1909 | Windows Server 2016 and Windows Server 2019 | v6 |
-For more information, see [Deploy Roaming User Profiles, Appendix B](https://docs.microsoft.com/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#appendix-b-profile-version-reference-information) and [Roaming user profiles versioning in Windows 10 and Windows Server Technical Preview](https://support.microsoft.com/kb/3056198).
+For more information, see [Deploy Roaming User Profiles, Appendix B](/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#appendix-b-profile-version-reference-information) and [Roaming user profiles versioning in Windows 10 and Windows Server Technical Preview](https://support.microsoft.com/kb/3056198).
## Mandatory user profile
@@ -57,9 +57,9 @@ First, you create a default user profile with the customizations that you want,
> [!NOTE]
> Unlike previous versions of Windows, you cannot apply a Start and taskbar layout using a mandatory profile. For alternative methods for customizing the Start menu and taskbar, see [Related topics](#related-topics).
-1. [Create an answer file (Unattend.xml)](https://docs.microsoft.com/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file) that sets the [CopyProfile](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-copyprofile) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on user’s profile folder to the default user profile. You can use [Windows System Image Manager](https://docs.microsoft.com/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file.
+1. [Create an answer file (Unattend.xml)](/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file) that sets the [CopyProfile](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-copyprofile) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on user’s profile folder to the default user profile. You can use [Windows System Image Manager](/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file.
-1. Uninstall any application you do not need or want from the PC. For examples on how to uninstall Windows 10 Application see [Remove-AppxProvisionedPackage](https://docs.microsoft.com/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps). For a list of uninstallable applications, see [Understand the different apps included in Windows 10](https://docs.microsoft.com/windows/application-management/apps-in-windows-10).
+1. Uninstall any application you do not need or want from the PC. For examples on how to uninstall Windows 10 Application see [Remove-AppxProvisionedPackage](/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps&preserve-view=true). For a list of uninstallable applications, see [Understand the different apps included in Windows 10](/windows/application-management/apps-in-windows-10).
> [!NOTE]
> It is highly recommended to uninstall unwanted or unneeded apps as it will speed up user sign-in times.
@@ -77,7 +77,7 @@ First, you create a default user profile with the customizations that you want,
>
> 
>
- > Use the [Remove-AppxProvisionedPackage](https://docs.microsoft.com/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps) and [Remove-AppxPackage -AllUsers](https://docs.microsoft.com/powershell/module/appx/remove-appxpackage?view=win10-ps) cmdlet in Windows PowerShell to uninstall the app that is listed in the log.
+ > Use the [Remove-AppxProvisionedPackage](/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps&preserve-view=true) and [Remove-AppxPackage -AllUsers](/powershell/module/appx/remove-appxpackage?view=win10-ps&preserve-view=true) cmdlet in Windows PowerShell to uninstall the app that is listed in the log.
1. The sysprep process reboots the PC and starts at the first-run experience screen. Complete the set up, and then sign in to the computer using an account that has local administrator privileges.
diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md
deleted file mode 100644
index 149457d576..0000000000
--- a/windows/client-management/mdm/TOC.md
+++ /dev/null
@@ -1,433 +0,0 @@
-# [Mobile device management](index.md)
-## [What's new in MDM enrollment and management](new-in-windows-mdm-enrollment-management.md)
-### [Change history for MDM documentation](change-history-for-mdm-documentation.md)
-## [Mobile device enrollment](mobile-device-enrollment.md)
-### [MDM enrollment of Windows devices](mdm-enrollment-of-windows-devices.md)
-#### [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md)
-### [Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md)
-### [Federated authentication device enrollment](federated-authentication-device-enrollment.md)
-### [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md)
-### [On-premises authentication device enrollment](on-premise-authentication-device-enrollment.md)
-## [Understanding ADMX-backed policies](understanding-admx-backed-policies.md)
-## [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md)
-## [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md)
-## [Implement server-side support for mobile application management on Windows](implement-server-side-mobile-application-management.md)
-## [Diagnose MDM failures in Windows 10](diagnose-mdm-failures-in-windows-10.md)
-## [Deploy and configure App-V apps using MDM](appv-deploy-and-config.md)
-## [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md)
-### [Add an Azure AD tenant and Azure AD subscription](add-an-azure-ad-tenant-and-azure-ad-subscription.md)
-### [Register your free Azure Active Directory subscription](register-your-free-azure-active-directory-subscription.md)
-## [Enterprise app management](enterprise-app-management.md)
-## [Mobile device management (MDM) for device updates](device-update-management.md)
-## [Bulk enrollment](bulk-enrollment-using-windows-provisioning-tool.md)
-## [Management tool for the Microsoft Store for Business](management-tool-for-windows-store-for-business.md)
-### [REST API reference for Microsoft Store for Business](rest-api-reference-windows-store-for-business.md)
-#### [Data structures for Microsoft Store for Business](data-structures-windows-store-for-business.md)
-#### [Get Inventory](get-inventory.md)
-#### [Get product details](get-product-details.md)
-#### [Get localized product details](get-localized-product-details.md)
-#### [Get offline license](get-offline-license.md)
-#### [Get product packages](get-product-packages.md)
-#### [Get product package](get-product-package.md)
-#### [Get seats](get-seats.md)
-#### [Get seat](get-seat.md)
-#### [Assign seats](assign-seats.md)
-#### [Reclaim seat from user](reclaim-seat-from-user.md)
-#### [Bulk assign and reclaim seats from users](bulk-assign-and-reclaim-seats-from-user.md)
-#### [Get seats assigned to a user](get-seats-assigned-to-a-user.md)
-## [Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices](enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md)
-## [Certificate renewal](certificate-renewal-windows-mdm.md)
-## [Disconnecting from the management infrastructure (unenrollment)](disconnecting-from-mdm-unenrollment.md)
-## [Enterprise settings, policies, and app management](windows-mdm-enterprise-settings.md)
-## [Push notification support for device management](push-notification-windows-mdm.md)
-## [OMA DM protocol support](oma-dm-protocol-support.md)
-## [Structure of OMA DM provisioning files](structure-of-oma-dm-provisioning-files.md)
-## [Server requirements for OMA DM](server-requirements-windows-mdm.md)
-## [DMProcessConfigXMLFiltered](dmprocessconfigxmlfiltered.md)
-## [Using PowerShell scripting with the WMI Bridge Provider](using-powershell-scripting-with-the-wmi-bridge-provider.md)
-## [WMI providers supported in Windows 10](wmi-providers-supported-in-windows.md)
-## [Configuration service provider reference](configuration-service-provider-reference.md)
-### [AccountManagement CSP](accountmanagement-csp.md)
-#### [AccountManagement DDF file](accountmanagement-ddf.md)
-### [Accounts CSP](accounts-csp.md)
-#### [Accounts DDF file](accounts-ddf-file.md)
-### [ActiveSync CSP](activesync-csp.md)
-#### [ActiveSync DDF file](activesync-ddf-file.md)
-### [AllJoynManagement CSP](alljoynmanagement-csp.md)
-#### [AllJoynManagement DDF](alljoynmanagement-ddf.md)
-### [APPLICATION CSP](application-csp.md)
-### [ApplicationControl CSP](applicationcontrol-csp.md)
-#### [ApplicationControl DDF file](applicationcontrol-csp-ddf.md)
-### [AppLocker CSP](applocker-csp.md)
-#### [AppLocker DDF file](applocker-ddf-file.md)
-#### [AppLocker XSD](applocker-xsd.md)
-### [AssignedAccess CSP](assignedaccess-csp.md)
-#### [AssignedAccess DDF file](assignedaccess-ddf.md)
-### [BitLocker CSP](bitlocker-csp.md)
-#### [BitLocker DDF file](bitlocker-ddf-file.md)
-### [BOOTSTRAP CSP](bootstrap-csp.md)
-### [BrowserFavorite CSP](browserfavorite-csp.md)
-### [CellularSettings CSP](cellularsettings-csp.md)
-### [CertificateStore CSP](certificatestore-csp.md)
-#### [CertificateStore DDF file](certificatestore-ddf-file.md)
-### [CleanPC CSP](cleanpc-csp.md)
-#### [CleanPC DDF](cleanpc-ddf.md)
-### [ClientCertificateInstall CSP](clientcertificateinstall-csp.md)
-#### [ClientCertificateInstall DDF file](clientcertificateinstall-ddf-file.md)
-### [CM_CellularEntries CSP](cm-cellularentries-csp.md)
-### [CM_ProxyEntries CSP](cm-proxyentries-csp.md)
-### [CMPolicy CSP](cmpolicy-csp.md)
-### [CMPolicyEnterprise CSP](cmpolicyenterprise-csp.md)
-#### [CMPolicyEnterprise DDF file](cmpolicyenterprise-ddf-file.md)
-### [CustomDeviceUI CSP](customdeviceui-csp.md)
-#### [CustomDeviceUI DDF file](customdeviceui-ddf.md)
-### [Defender CSP](defender-csp.md)
-#### [Defender DDF file](defender-ddf.md)
-### [DevDetail CSP](devdetail-csp.md)
-#### [DevDetail DDF file](devdetail-ddf-file.md)
-### [DeveloperSetup CSP](developersetup-csp.md)
-#### [DeveloperSetup DDF](developersetup-ddf.md)
-### [DeviceInstanceService CSP](deviceinstanceservice-csp.md)
-### [DeviceLock CSP](devicelock-csp.md)
-#### [DeviceLock DDF file](devicelock-ddf-file.md)
-### [DeviceManageability CSP](devicemanageability-csp.md)
-#### [DeviceManageability DDF](devicemanageability-ddf.md)
-### [DeviceStatus CSP](devicestatus-csp.md)
-#### [DeviceStatus DDF](devicestatus-ddf.md)
-### [DevInfo CSP](devinfo-csp.md)
-#### [DevInfo DDF file](devinfo-ddf-file.md)
-### [DiagnosticLog CSP](diagnosticlog-csp.md)
-#### [DiagnosticLog DDF file](diagnosticlog-ddf.md)
-### [DMAcc CSP](dmacc-csp.md)
-#### [DMAcc DDF file](dmacc-ddf-file.md)
-### [DMClient CSP](dmclient-csp.md)
-#### [DMClient DDF file](dmclient-ddf-file.md)
-### [DMSessionActions CSP](dmsessionactions-csp.md)
-#### [DMSessionActions DDF file](dmsessionactions-ddf.md)
-### [DynamicManagement CSP](dynamicmanagement-csp.md)
-#### [DynamicManagement DDF file](dynamicmanagement-ddf.md)
-### [EMAIL2 CSP](email2-csp.md)
-#### [EMAIL2 DDF file](email2-ddf-file.md)
-### [EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md)
-#### [EnrollmentStatusTracking DDF file](enrollmentstatustracking-csp-ddf.md)
-### [EnterpriseAPN CSP](enterpriseapn-csp.md)
-#### [EnterpriseAPN DDF](enterpriseapn-ddf.md)
-### [EnterpriseAppManagement CSP](enterpriseappmanagement-csp.md)
-### [EnterpriseAppVManagement CSP](enterpriseappvmanagement-csp.md)
-#### [EnterpriseAppVManagement DDF file](enterpriseappvmanagement-ddf.md)
-### [EnterpriseAssignedAccess CSP](enterpriseassignedaccess-csp.md)
-#### [EnterpriseAssignedAccess DDF file](enterpriseassignedaccess-ddf.md)
-#### [EnterpriseAssignedAccess XSD](enterpriseassignedaccess-xsd.md)
-### [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)
-#### [EnterpriseDataProtection DDF file](enterprisedataprotection-ddf-file.md)
-### [EnterpriseDesktopAppManagement CSP](enterprisedesktopappmanagement-csp.md)
-#### [EnterpriseDesktopAppManagement DDF](enterprisedesktopappmanagement-ddf-file.md)
-#### [EnterpriseDesktopAppManagement XSD](enterprisedesktopappmanagement2-xsd.md)
-### [EnterpriseExt CSP](enterpriseext-csp.md)
-#### [EnterpriseExt DDF file](enterpriseext-ddf.md)
-### [EnterpriseExtFileSystem CSP](enterpriseextfilessystem-csp.md)
-#### [EnterpriseExtFileSystem DDF file](enterpriseextfilesystem-ddf.md)
-### [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)
-#### [EnterpriseModernAppManagement DDF](enterprisemodernappmanagement-ddf.md)
-#### [EnterpriseModernAppManagement XSD](enterprisemodernappmanagement-xsd.md)
-### [eUICCs CSP](euiccs-csp.md)
-#### [eUICCs DDF file](euiccs-ddf-file.md)
-### [FileSystem CSP](filesystem-csp.md)
-### [Firewall CSP](firewall-csp.md)
-#### [Firewall DDF file](firewall-ddf-file.md)
-### [HealthAttestation CSP](healthattestation-csp.md)
-#### [HealthAttestation DDF](healthattestation-ddf.md)
-### [HotSpot CSP](hotspot-csp.md)
-### [Maps CSP](maps-csp.md)
-#### [Maps DDF](maps-ddf-file.md)
-### [Messaging CSP](messaging-csp.md)
-#### [Messaging DDF file](messaging-ddf.md)
-### [MultiSIM CSP](multisim-csp.md)
-#### [MultiSIM DDF file](multisim-ddf.md)
-### [NAP CSP](nap-csp.md)
-### [NAPDEF CSP](napdef-csp.md)
-### [NetworkProxy CSP](networkproxy-csp.md)
-#### [NetworkProxy DDF file](networkproxy-ddf.md)
-### [NetworkQoSPolicy CSP](networkqospolicy-csp.md)
-#### [NetworkQoSPolicy DDF file](networkqospolicy-ddf.md)
-### [NodeCache CSP](nodecache-csp.md)
-#### [NodeCache DDF file](nodecache-ddf-file.md)
-### [Office CSP](office-csp.md)
-#### [Office DDF](office-ddf.md)
-### [PassportForWork CSP](passportforwork-csp.md)
-#### [PassportForWork DDF file](passportforwork-ddf.md)
-### [Personalization CSP](personalization-csp.md)
-#### [Personalization DDF file](personalization-ddf.md)
-### [Policy CSP](policy-configuration-service-provider.md)
-#### [Policy CSP DDF file](policy-ddf-file.md)
-#### [Policies in Policy CSP supported by Group Policy](policies-in-policy-csp-supported-by-group-policy.md)
-#### [ADMX-backed policies in Policy CSP](policies-in-policy-csp-admx-backed.md)
-#### [Policies in Policy CSP supported by HoloLens 2](policies-in-policy-csp-supported-by-hololens2.md)
-#### [Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite](policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md)
-#### [Policies in Policy CSP supported by HoloLens (1st gen) Development Edition](policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md)
-#### [Policies in Policy CSP supported by Windows 10 IoT Enterprise](policies-in-policy-csp-supported-by-iot-enterprise.md)
-#### [Policies in Policy CSP supported by Windows 10 IoT Core](policies-in-policy-csp-supported-by-iot-core.md)
-#### [Policies in Policy CSP supported by Microsoft Surface Hub](policies-in-policy-csp-supported-by-surface-hub.md)
-#### [Policy CSPs that can be set using Exchange Active Sync (EAS)](policies-in-policy-csp-that-can-be-set-using-eas.md)
-#### [AboveLock](policy-csp-abovelock.md)
-#### [Accounts](policy-csp-accounts.md)
-#### [ActiveXControls](policy-csp-activexcontrols.md)
-#### [ADMX_ActiveXInstallService](policy-csp-admx-activexinstallservice.md)
-#### [ADMX_AddRemovePrograms](policy-csp-admx-addremoveprograms.md)
-#### [ADMX_AppCompat](policy-csp-admx-appcompat.md)
-#### [ADMX_AppxPackageManager](policy-csp-admx-appxpackagemanager.md)
-#### [ADMX_AppXRuntime](policy-csp-admx-appxruntime.md)
-#### [ADMX_AttachmentManager](policy-csp-admx-attachmentmanager.md)
-#### [ADMX_AuditSettings](policy-csp-admx-auditsettings.md)
-#### [ADMX_Bits](policy-csp-admx-bits.md)
-#### [ADMX_CipherSuiteOrder](policy-csp-admx-ciphersuiteorder.md)
-#### [ADMX_COM](policy-csp-admx-com.md)
-#### [ADMX_ControlPanel](policy-csp-admx-controlpanel.md)
-#### [ADMX_ControlPanelDisplay](policy-csp-admx-controlpaneldisplay.md)
-#### [ADMX_Cpls](policy-csp-admx-cpls.md)
-#### [ADMX_CredentialProviders](policy-csp-admx-credentialproviders.md)
-#### [ADMX_CredSsp](policy-csp-admx-credssp.md)
-#### [ADMX_CredUI](policy-csp-admx-credui.md)
-#### [ADMX_CtrlAltDel](policy-csp-admx-ctrlaltdel.md)
-#### [ADMX_DataCollection](policy-csp-admx-datacollection.md)
-#### [ADMX_Desktop](policy-csp-admx-desktop.md)
-#### [ADMX_DeviceInstallation](policy-csp-admx-deviceinstallation.md)
-#### [ADMX_DeviceSetup](policy-csp-admx-devicesetup.md)
-#### [ADMX_DigitalLocker](policy-csp-admx-digitallocker.md)
-#### [ADMX_DnsClient](policy-csp-admx-dnsclient.md)
-#### [ADMX_DWM](policy-csp-admx-dwm.md)
-#### [ADMX_EAIME](policy-csp-admx-eaime.md)
-#### [ADMX_EncryptFilesonMove](policy-csp-admx-encryptfilesonmove.md)
-#### [ADMX_EnhancedStorage](policy-csp-admx-enhancedstorage.md)
-#### [ADMX_ErrorReporting](policy-csp-admx-errorreporting.md)
-#### [ADMX_EventForwarding](policy-csp-admx-eventforwarding.md)
-#### [ADMX_EventLog](policy-csp-admx-eventlog.md)
-#### [ADMX_Explorer](policy-csp-admx-explorer.md)
-#### [ADMX_FileRecovery](policy-csp-admx-filerecovery.md)
-#### [ADMX_FileServerVSSProvider](policy-csp-admx-fileservervssprovider.md)
-#### [ADMX_FileSys](policy-csp-admx-filesys.md)
-#### [ADMX_FolderRedirection](policy-csp-admx-folderredirection.md)
-#### [ADMX_Globalization](policy-csp-admx-globalization.md)
-#### [ADMX_GroupPolicy](policy-csp-admx-grouppolicy.md)
-#### [ADMX_Help](policy-csp-admx-help.md)
-#### [ADMX_HelpAndSupport](policy-csp-admx-helpandsupport.md)
-#### [ADMX_ICM](policy-csp-admx-icm.md)
-#### [ADMX_kdc](policy-csp-admx-kdc.md)
-#### [ADMX_Kerberos](policy-csp-admx-kerberos.md)
-#### [ADMX_LanmanServer](policy-csp-admx-lanmanserver.md)
-#### [ADMX_LanmanWorkstation](policy-csp-admx-lanmanworkstation.md)
-#### [ADMX_LinkLayerTopologyDiscovery](policy-csp-admx-linklayertopologydiscovery.md)
-#### [ADMX_Logon](policy-csp-admx-logon.md)
-#### [ADMX_MicrosoftDefenderAntivirus](policy-csp-admx-microsoftdefenderantivirus.md)
-#### [ADMX_MMC](policy-csp-admx-mmc.md)
-#### [ADMX_MMCSnapins](policy-csp-admx-mmcsnapins.md)
-#### [ADMX_MSAPolicy](policy-csp-admx-msapolicy.md)
-#### [ADMX_msched](policy-csp-admx-msched.md)
-#### [ADMX_MSDT](policy-csp-admx-msdt.md)
-#### [ADMX_MSI](policy-csp-admx-msi.md)
-#### [ADMX_nca](policy-csp-admx-nca.md)
-#### [ADMX_NCSI](policy-csp-admx-ncsi.md)
-#### [ADMX_Netlogon](policy-csp-admx-netlogon.md)
-#### [ADMX_NetworkConnections](policy-csp-admx-networkconnections.md)
-#### [ADMX_OfflineFiles](policy-csp-admx-offlinefiles.md)
-#### [ADMX_PeerToPeerCaching](policy-csp-admx-peertopeercaching.md)
-#### [ADMX_PerformanceDiagnostics](policy-csp-admx-performancediagnostics.md)
-#### [ADMX_Power](policy-csp-admx-power.md)
-#### [ADMX_PowerShellExecutionPolicy](policy-csp-admx-powershellexecutionpolicy.md)
-#### [ADMX_Printing](policy-csp-admx-printing.md)
-#### [ADMX_Printing2](policy-csp-admx-printing2.md)
-#### [ADMX_Programs](policy-csp-admx-programs.md)
-#### [ADMX_Reliability](policy-csp-admx-reliability.md)
-#### [ADMX_RemoteAssistance](policy-csp-admx-remoteassistance.md)
-#### [ADMX_RemovableStorage](policy-csp-admx-removablestorage.md)
-#### [ADMX_RPC](policy-csp-admx-rpc.md)
-#### [ADMX_Scripts](policy-csp-admx-scripts.md)
-#### [ADMX_sdiageng](policy-csp-admx-sdiageng.md)
-#### [ADMX_Securitycenter](policy-csp-admx-securitycenter.md)
-#### [ADMX_Sensors](policy-csp-admx-sensors.md)
-#### [ADMX_Servicing](policy-csp-admx-servicing.md)
-#### [ADMX_SettingSync](policy-csp-admx-settingsync.md)
-#### [ADMX_SharedFolders](policy-csp-admx-sharedfolders.md)
-#### [ADMX_Sharing](policy-csp-admx-sharing.md)
-#### [ADMX_ShellCommandPromptRegEditTools](policy-csp-admx-shellcommandpromptregedittools.md)
-#### [ADMX_SkyDrive](policy-csp-admx-skydrive.md)
-#### [ADMX_Smartcard](policy-csp-admx-smartcard.md)
-#### [ADMX_Snmp](policy-csp-admx-snmp.md)
-#### [ADMX_StartMenu](policy-csp-admx-startmenu.md)
-#### [ADMX_SystemRestore](policy-csp-admx-systemrestore.md)
-#### [ADMX_Taskbar](policy-csp-admx-taskbar.md)
-#### [ADMX_tcpip](policy-csp-admx-tcpip.md)
-#### [ADMX_Thumbnails](policy-csp-admx-thumbnails.md)
-#### [ADMX_TPM](policy-csp-admx-tpm.md)
-#### [ADMX_UserExperienceVirtualization](policy-csp-admx-userexperiencevirtualization.md)
-#### [ADMX_UserProfiles](policy-csp-admx-userprofiles.md)
-#### [ADMX_W32Time](policy-csp-admx-w32time.md)
-#### [ADMX_WCM](policy-csp-admx-wcm.md)
-#### [ADMX_WinCal](policy-csp-admx-wincal.md)
-#### [ADMX_WindowsAnytimeUpgrade](policy-csp-admx-windowsanytimeupgrade.md)
-#### [ADMX_WindowsConnectNow](policy-csp-admx-windowsconnectnow.md)
-#### [ADMX_WindowsExplorer](policy-csp-admx-windowsexplorer.md)
-#### [ADMX_WindowsFileProtection](policy-csp-admx-windowsfileprotection.md)
-#### [ADMX_WindowsMediaDRM](policy-csp-admx-windowsmediadrm.md)
-#### [ADMX_WindowsMediaPlayer](policy-csp-admx-windowsmediaplayer.md)
-#### [ADMX_WindowsRemoteManagement](policy-csp-admx-windowsremotemanagement.md)
-#### [ADMX_WindowsStore](policy-csp-admx-windowsstore.md)
-#### [ADMX_WinInit](policy-csp-admx-wininit.md)
-#### [ADMX_WinLogon](policy-csp-admx-winlogon.md)
-#### [ADMX_wlansvc](policy-csp-admx-wlansvc.md)
-#### [ADMX_WPN](policy-csp-admx-wpn.md)
-#### [ApplicationDefaults](policy-csp-applicationdefaults.md)
-#### [ApplicationManagement](policy-csp-applicationmanagement.md)
-#### [AppRuntime](policy-csp-appruntime.md)
-#### [AppVirtualization](policy-csp-appvirtualization.md)
-#### [AttachmentManager](policy-csp-attachmentmanager.md)
-#### [Audit](policy-csp-audit.md)
-#### [Authentication](policy-csp-authentication.md)
-#### [Autoplay](policy-csp-autoplay.md)
-#### [BitLocker](policy-csp-bitlocker.md)
-#### [BITS](policy-csp-bits.md)
-#### [Bluetooth](policy-csp-bluetooth.md)
-#### [Browser](policy-csp-browser.md)
-#### [Camera](policy-csp-camera.md)
-#### [Cellular](policy-csp-cellular.md)
-#### [Connectivity](policy-csp-connectivity.md)
-#### [ControlPolicyConflict](policy-csp-controlpolicyconflict.md)
-#### [CredentialsDelegation](policy-csp-credentialsdelegation.md)
-#### [CredentialProviders](policy-csp-credentialproviders.md)
-#### [CredentialsUI](policy-csp-credentialsui.md)
-#### [Cryptography](policy-csp-cryptography.md)
-#### [DataProtection](policy-csp-dataprotection.md)
-#### [DataUsage](policy-csp-datausage.md)
-#### [Defender](policy-csp-defender.md)
-#### [DeliveryOptimization](policy-csp-deliveryoptimization.md)
-#### [Desktop](policy-csp-desktop.md)
-#### [DeviceGuard](policy-csp-deviceguard.md)
-#### [DeviceHealthMonitoring](policy-csp-devicehealthmonitoring.md)
-#### [DeviceInstallation](policy-csp-deviceinstallation.md)
-#### [DeviceLock](policy-csp-devicelock.md)
-#### [Display](policy-csp-display.md)
-#### [DmaGuard](policy-csp-dmaguard.md)
-#### [Education](policy-csp-education.md)
-#### [EnterpriseCloudPrint](policy-csp-enterprisecloudprint.md)
-#### [ErrorReporting](policy-csp-errorreporting.md)
-#### [EventLogService](policy-csp-eventlogservice.md)
-#### [Experience](policy-csp-experience.md)
-#### [ExploitGuard](policy-csp-exploitguard.md)
-#### [FileExplorer](policy-csp-fileexplorer.md)
-#### [Games](policy-csp-games.md)
-#### [Handwriting](policy-csp-handwriting.md)
-#### [InternetExplorer](policy-csp-internetexplorer.md)
-#### [Kerberos](policy-csp-kerberos.md)
-#### [KioskBrowser](policy-csp-kioskbrowser.md)
-#### [LanmanWorkstation](policy-csp-lanmanworkstation.md)
-#### [Licensing](policy-csp-licensing.md)
-#### [LocalPoliciesSecurityOptions](policy-csp-localpoliciessecurityoptions.md)
-#### [LocalUsersAndGroups](policy-csp-localusersandgroups.md)
-#### [LockDown](policy-csp-lockdown.md)
-#### [Maps](policy-csp-maps.md)
-#### [Messaging](policy-csp-messaging.md)
-#### [MixedReality](policy-csp-mixedreality.md)
-#### [MSSecurityGuide](policy-csp-mssecurityguide.md)
-#### [MSSLegacy](policy-csp-msslegacy.md)
-#### [Multitasking](policy-csp-multitasking.md)
-#### [NetworkIsolation](policy-csp-networkisolation.md)
-#### [Notifications](policy-csp-notifications.md)
-#### [Power](policy-csp-power.md)
-#### [Printers](policy-csp-printers.md)
-#### [Privacy](policy-csp-privacy.md)
-#### [RemoteAssistance](policy-csp-remoteassistance.md)
-#### [RemoteDesktopServices](policy-csp-remotedesktopservices.md)
-#### [RemoteManagement](policy-csp-remotemanagement.md)
-#### [RemoteProcedureCall](policy-csp-remoteprocedurecall.md)
-#### [RemoteShell](policy-csp-remoteshell.md)
-#### [RestrictedGroups](policy-csp-restrictedgroups.md)
-#### [Search](policy-csp-search.md)
-#### [Security](policy-csp-security.md)
-#### [ServiceControlManager](policy-csp-servicecontrolmanager.md)
-#### [Settings](policy-csp-settings.md)
-#### [Speech](policy-csp-speech.md)
-#### [Start](policy-csp-start.md)
-#### [Storage](policy-csp-storage.md)
-#### [System](policy-csp-system.md)
-#### [SystemServices](policy-csp-systemservices.md)
-#### [TaskManager](policy-csp-taskmanager.md)
-#### [TaskScheduler](policy-csp-taskscheduler.md)
-#### [TextInput](policy-csp-textinput.md)
-#### [TimeLanguageSettings](policy-csp-timelanguagesettings.md)
-#### [Troubleshooting](policy-csp-troubleshooting.md)
-#### [Update](policy-csp-update.md)
-#### [UserRights](policy-csp-userrights.md)
-#### [Wifi](policy-csp-wifi.md)
-#### [WindowsConnectionManager](policy-csp-windowsconnectionmanager.md)
-#### [WindowsDefenderSecurityCenter](policy-csp-windowsdefendersecuritycenter.md)
-#### [WindowsDefenderSmartScreen](policy-csp-smartscreen.md)
-#### [WindowsInkWorkspace](policy-csp-windowsinkworkspace.md)
-#### [WindowsLogon](policy-csp-windowslogon.md)
-#### [WindowsPowerShell](policy-csp-windowspowershell.md)
-#### [WindowsSandbox](policy-csp-windowssandbox.md)
-#### [WirelessDisplay](policy-csp-wirelessdisplay.md)
-### [PolicyManager CSP](policymanager-csp.md)
-### [Provisioning CSP](provisioning-csp.md)
-### [PROXY CSP](proxy-csp.md)
-### [PXLOGICAL CSP](pxlogical-csp.md)
-### [Reboot CSP](reboot-csp.md)
-#### [Reboot DDF file](reboot-ddf-file.md)
-### [Registry CSP](registry-csp.md)
-#### [Registry DDF file](registry-ddf-file.md)
-### [RemoteFind CSP](remotefind-csp.md)
-#### [RemoteFind DDF file](remotefind-ddf-file.md)
-### [RemoteLock CSP](remotelock-csp.md)
-#### [RemoteLock DDF file](remotelock-ddf-file.md)
-### [RemoteRing CSP](remotering-csp.md)
-#### [RemoteRing DDF file](remotering-ddf-file.md)
-### [RemoteWipe CSP](remotewipe-csp.md)
-#### [RemoteWipe DDF file](remotewipe-ddf-file.md)
-### [Reporting CSP](reporting-csp.md)
-#### [Reporting DDF file](reporting-ddf-file.md)
-### [RootCATrustedCertificates CSP](rootcacertificates-csp.md)
-#### [RootCATrustedCertificates DDF file](rootcacertificates-ddf-file.md)
-### [SecureAssessment CSP](secureassessment-csp.md)
-#### [SecureAssessment DDF file](secureassessment-ddf-file.md)
-### [SecurityPolicy CSP](securitypolicy-csp.md)
-### [SharedPC CSP](sharedpc-csp.md)
-#### [SharedPC DDF file](sharedpc-ddf-file.md)
-### [Storage CSP](storage-csp.md)
-#### [Storage DDF file](storage-ddf-file.md)
-### [SUPL CSP](supl-csp.md)
-#### [SUPL DDF file](supl-ddf-file.md)
-### [SurfaceHub CSP](surfacehub-csp.md)
-#### [SurfaceHub DDF file](surfacehub-ddf-file.md)
-### [TenantLockdown CSP](tenantlockdown-csp.md)
-#### [TenantLockdown DDF file](tenantlockdown-ddf.md)
-### [TPMPolicy CSP](tpmpolicy-csp.md)
-#### [TPMPolicy DDF file](tpmpolicy-ddf-file.md)
-### [UEFI CSP](uefi-csp.md)
-#### [UEFI DDF file](uefi-ddf.md)
-### [UnifiedWriteFilter CSP](unifiedwritefilter-csp.md)
-#### [UnifiedWriteFilter DDF file](unifiedwritefilter-ddf.md)
-### [Update CSP](update-csp.md)
-#### [Update DDF file](update-ddf-file.md)
-### [VPN CSP](vpn-csp.md)
-#### [VPN DDF file](vpn-ddf-file.md)
-### [VPNv2 CSP](vpnv2-csp.md)
-#### [VPNv2 DDF file](vpnv2-ddf-file.md)
-#### [ProfileXML XSD](vpnv2-profile-xsd.md)
-#### [EAP configuration](eap-configuration.md)
-### [w4 APPLICATION CSP](w4-application-csp.md)
-### [w7 APPLICATION CSP](w7-application-csp.md)
-### [WiFi CSP](wifi-csp.md)
-#### [WiFi DDF file](wifi-ddf-file.md)
-### [Win32AppInventory CSP](win32appinventory-csp.md)
-#### [Win32AppInventory DDF file](win32appinventory-ddf-file.md)
-### [Win32CompatibilityAppraiser CSP](win32compatibilityappraiser-csp.md)
-#### [Win32CompatibilityAppraiser DDF file](win32compatibilityappraiser-ddf.md)
-### [WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md)
-#### [WindowsAdvancedThreatProtection DDF file](windowsadvancedthreatprotection-ddf.md)
-### [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)
-#### [WindowsDefenderApplicationGuard DDF file](windowsdefenderapplicationguard-ddf-file.md)
-### [WindowsLicensing CSP](windowslicensing-csp.md)
-#### [WindowsLicensing DDF file](windowslicensing-ddf-file.md)
-### [WindowsSecurityAuditing CSP](windowssecurityauditing-csp.md)
-#### [WindowsSecurityAuditing DDF file](windowssecurityauditing-ddf-file.md)
-### [WiredNetwork CSP](wirednetwork-csp.md)
-#### [WiredNetwork DDF file](wirednetwork-ddf-file.md)
diff --git a/windows/client-management/mdm/TOC.yml b/windows/client-management/mdm/TOC.yml
new file mode 100644
index 0000000000..8a50f6ccd9
--- /dev/null
+++ b/windows/client-management/mdm/TOC.yml
@@ -0,0 +1,954 @@
+- name: Mobile device management
+ href: index.md
+ items:
+ - name: What's new in MDM enrollment and management
+ href: new-in-windows-mdm-enrollment-management.md
+ items:
+ - name: Change history for MDM documentation
+ href: change-history-for-mdm-documentation.md
+ - name: Mobile device enrollment
+ href: mobile-device-enrollment.md
+ items:
+ - name: MDM enrollment of Windows devices
+ href: mdm-enrollment-of-windows-devices.md
+ items:
+ - name: "Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal"
+ href: azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
+ - name: Enroll a Windows 10 device automatically using Group Policy
+ href: enroll-a-windows-10-device-automatically-using-group-policy.md
+ - name: Federated authentication device enrollment
+ href: federated-authentication-device-enrollment.md
+ - name: Certificate authentication device enrollment
+ href: certificate-authentication-device-enrollment.md
+ - name: On-premises authentication device enrollment
+ href: on-premise-authentication-device-enrollment.md
+ - name: Understanding ADMX-backed policies
+ href: understanding-admx-backed-policies.md
+ - name: Enable ADMX-backed policies in MDM
+ href: enable-admx-backed-policies-in-mdm.md
+ - name: Win32 and Desktop Bridge app policy configuration
+ href: win32-and-centennial-app-policy-configuration.md
+ - name: Implement server-side support for mobile application management on Windows
+ href: implement-server-side-mobile-application-management.md
+ - name: Diagnose MDM failures in Windows 10
+ href: diagnose-mdm-failures-in-windows-10.md
+ - name: Deploy and configure App-V apps using MDM
+ href: appv-deploy-and-config.md
+ - name: Azure Active Directory integration with MDM
+ href: azure-active-directory-integration-with-mdm.md
+ items:
+ - name: Add an Azure AD tenant and Azure AD subscription
+ href: add-an-azure-ad-tenant-and-azure-ad-subscription.md
+ - name: Register your free Azure Active Directory subscription
+ href: register-your-free-azure-active-directory-subscription.md
+ - name: Enterprise app management
+ href: enterprise-app-management.md
+ - name: Mobile device management (MDM) for device updates
+ href: device-update-management.md
+ - name: Bulk enrollment
+ href: bulk-enrollment-using-windows-provisioning-tool.md
+ - name: Management tool for the Microsoft Store for Business
+ href: management-tool-for-windows-store-for-business.md
+ items:
+ - name: REST API reference for Microsoft Store for Business
+ href: rest-api-reference-windows-store-for-business.md
+ items:
+ - name: Data structures for Microsoft Store for Business
+ href: data-structures-windows-store-for-business.md
+ - name: Get Inventory
+ href: get-inventory.md
+ - name: Get product details
+ href: get-product-details.md
+ - name: Get localized product details
+ href: get-localized-product-details.md
+ - name: Get offline license
+ href: get-offline-license.md
+ - name: Get product packages
+ href: get-product-packages.md
+ - name: Get product package
+ href: get-product-package.md
+ - name: Get seats
+ href: get-seats.md
+ - name: Get seat
+ href: get-seat.md
+ - name: Assign seats
+ href: assign-seats.md
+ - name: Reclaim seat from user
+ href: reclaim-seat-from-user.md
+ - name: Bulk assign and reclaim seats from users
+ href: bulk-assign-and-reclaim-seats-from-user.md
+ - name: Get seats assigned to a user
+ href: get-seats-assigned-to-a-user.md
+ - name: Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices
+ href: enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md
+ - name: Certificate renewal
+ href: certificate-renewal-windows-mdm.md
+ - name: Disconnecting from the management infrastructure (unenrollment)
+ href: disconnecting-from-mdm-unenrollment.md
+ - name: Enterprise settings, policies, and app management
+ href: windows-mdm-enterprise-settings.md
+ - name: Push notification support for device management
+ href: push-notification-windows-mdm.md
+ - name: OMA DM protocol support
+ href: oma-dm-protocol-support.md
+ - name: Structure of OMA DM provisioning files
+ href: structure-of-oma-dm-provisioning-files.md
+ - name: Server requirements for OMA DM
+ href: server-requirements-windows-mdm.md
+ - name: DMProcessConfigXMLFiltered
+ href: dmprocessconfigxmlfiltered.md
+ - name: Using PowerShell scripting with the WMI Bridge Provider
+ href: using-powershell-scripting-with-the-wmi-bridge-provider.md
+ - name: WMI providers supported in Windows 10
+ href: wmi-providers-supported-in-windows.md
+ - name: Configuration service provider reference
+ href: configuration-service-provider-reference.md
+ items:
+ - name: AccountManagement CSP
+ href: accountmanagement-csp.md
+ items:
+ - name: AccountManagement DDF file
+ href: accountmanagement-ddf.md
+ - name: Accounts CSP
+ href: accounts-csp.md
+ items:
+ - name: Accounts DDF file
+ href: accounts-ddf-file.md
+ - name: ActiveSync CSP
+ href: activesync-csp.md
+ items:
+ - name: ActiveSync DDF file
+ href: activesync-ddf-file.md
+ - name: AllJoynManagement CSP
+ href: alljoynmanagement-csp.md
+ items:
+ - name: AllJoynManagement DDF
+ href: alljoynmanagement-ddf.md
+ - name: APPLICATION CSP
+ href: application-csp.md
+ - name: ApplicationControl CSP
+ href: applicationcontrol-csp.md
+ items:
+ - name: ApplicationControl DDF file
+ href: applicationcontrol-csp-ddf.md
+ - name: AppLocker CSP
+ href: applocker-csp.md
+ items:
+ - name: AppLocker DDF file
+ href: applocker-ddf-file.md
+ - name: AppLocker XSD
+ href: applocker-xsd.md
+ - name: AssignedAccess CSP
+ href: assignedaccess-csp.md
+ items:
+ - name: AssignedAccess DDF file
+ href: assignedaccess-ddf.md
+ - name: BitLocker CSP
+ href: bitlocker-csp.md
+ items:
+ - name: BitLocker DDF file
+ href: bitlocker-ddf-file.md
+ - name: BOOTSTRAP CSP
+ href: bootstrap-csp.md
+ - name: BrowserFavorite CSP
+ href: browserfavorite-csp.md
+ - name: CellularSettings CSP
+ href: cellularsettings-csp.md
+ - name: CertificateStore CSP
+ href: certificatestore-csp.md
+ items:
+ - name: CertificateStore DDF file
+ href: certificatestore-ddf-file.md
+ - name: CleanPC CSP
+ href: cleanpc-csp.md
+ items:
+ - name: CleanPC DDF
+ href: cleanpc-ddf.md
+ - name: ClientCertificateInstall CSP
+ href: clientcertificateinstall-csp.md
+ items:
+ - name: ClientCertificateInstall DDF file
+ href: clientcertificateinstall-ddf-file.md
+ - name: CM_CellularEntries CSP
+ href: cm-cellularentries-csp.md
+ - name: CM_ProxyEntries CSP
+ href: cm-proxyentries-csp.md
+ - name: CMPolicy CSP
+ href: cmpolicy-csp.md
+ - name: CMPolicyEnterprise CSP
+ href: cmpolicyenterprise-csp.md
+ items:
+ - name: CMPolicyEnterprise DDF file
+ href: cmpolicyenterprise-ddf-file.md
+ - name: CustomDeviceUI CSP
+ href: customdeviceui-csp.md
+ items:
+ - name: CustomDeviceUI DDF file
+ href: customdeviceui-ddf.md
+ - name: Defender CSP
+ href: defender-csp.md
+ items:
+ - name: Defender DDF file
+ href: defender-ddf.md
+ - name: DevDetail CSP
+ href: devdetail-csp.md
+ items:
+ - name: DevDetail DDF file
+ href: devdetail-ddf-file.md
+ - name: DeveloperSetup CSP
+ href: developersetup-csp.md
+ items:
+ - name: DeveloperSetup DDF
+ href: developersetup-ddf.md
+ - name: DeviceInstanceService CSP
+ href: deviceinstanceservice-csp.md
+ - name: DeviceLock CSP
+ href: devicelock-csp.md
+ items:
+ - name: DeviceLock DDF file
+ href: devicelock-ddf-file.md
+ - name: DeviceManageability CSP
+ href: devicemanageability-csp.md
+ items:
+ - name: DeviceManageability DDF
+ href: devicemanageability-ddf.md
+ - name: DeviceStatus CSP
+ href: devicestatus-csp.md
+ items:
+ - name: DeviceStatus DDF
+ href: devicestatus-ddf.md
+ - name: DevInfo CSP
+ href: devinfo-csp.md
+ items:
+ - name: DevInfo DDF file
+ href: devinfo-ddf-file.md
+ - name: DiagnosticLog CSP
+ href: diagnosticlog-csp.md
+ items:
+ - name: DiagnosticLog DDF file
+ href: diagnosticlog-ddf.md
+ - name: DMAcc CSP
+ href: dmacc-csp.md
+ items:
+ - name: DMAcc DDF file
+ href: dmacc-ddf-file.md
+ - name: DMClient CSP
+ href: dmclient-csp.md
+ items:
+ - name: DMClient DDF file
+ href: dmclient-ddf-file.md
+ - name: DMSessionActions CSP
+ href: dmsessionactions-csp.md
+ items:
+ - name: DMSessionActions DDF file
+ href: dmsessionactions-ddf.md
+ - name: DynamicManagement CSP
+ href: dynamicmanagement-csp.md
+ items:
+ - name: DynamicManagement DDF file
+ href: dynamicmanagement-ddf.md
+ - name: EMAIL2 CSP
+ href: email2-csp.md
+ items:
+ - name: EMAIL2 DDF file
+ href: email2-ddf-file.md
+ - name: EnrollmentStatusTracking CSP
+ href: enrollmentstatustracking-csp.md
+ items:
+ - name: EnrollmentStatusTracking DDF file
+ href: enrollmentstatustracking-csp-ddf.md
+ - name: EnterpriseAPN CSP
+ href: enterpriseapn-csp.md
+ items:
+ - name: EnterpriseAPN DDF
+ href: enterpriseapn-ddf.md
+ - name: EnterpriseAppManagement CSP
+ href: enterpriseappmanagement-csp.md
+ - name: EnterpriseAppVManagement CSP
+ href: enterpriseappvmanagement-csp.md
+ items:
+ - name: EnterpriseAppVManagement DDF file
+ href: enterpriseappvmanagement-ddf.md
+ - name: EnterpriseAssignedAccess CSP
+ href: enterpriseassignedaccess-csp.md
+ items:
+ - name: EnterpriseAssignedAccess DDF file
+ href: enterpriseassignedaccess-ddf.md
+ - name: EnterpriseAssignedAccess XSD
+ href: enterpriseassignedaccess-xsd.md
+ - name: EnterpriseDataProtection CSP
+ href: enterprisedataprotection-csp.md
+ items:
+ - name: EnterpriseDataProtection DDF file
+ href: enterprisedataprotection-ddf-file.md
+ - name: EnterpriseDesktopAppManagement CSP
+ href: enterprisedesktopappmanagement-csp.md
+ items:
+ - name: EnterpriseDesktopAppManagement DDF
+ href: enterprisedesktopappmanagement-ddf-file.md
+ - name: EnterpriseDesktopAppManagement XSD
+ href: enterprisedesktopappmanagement2-xsd.md
+ - name: EnterpriseExt CSP
+ href: enterpriseext-csp.md
+ items:
+ - name: EnterpriseExt DDF file
+ href: enterpriseext-ddf.md
+ - name: EnterpriseExtFileSystem CSP
+ href: enterpriseextfilessystem-csp.md
+ items:
+ - name: EnterpriseExtFileSystem DDF file
+ href: enterpriseextfilesystem-ddf.md
+ - name: EnterpriseModernAppManagement CSP
+ href: enterprisemodernappmanagement-csp.md
+ items:
+ - name: EnterpriseModernAppManagement DDF
+ href: enterprisemodernappmanagement-ddf.md
+ - name: EnterpriseModernAppManagement XSD
+ href: enterprisemodernappmanagement-xsd.md
+ - name: eUICCs CSP
+ href: euiccs-csp.md
+ items:
+ - name: eUICCs DDF file
+ href: euiccs-ddf-file.md
+ - name: FileSystem CSP
+ href: filesystem-csp.md
+ - name: Firewall CSP
+ href: firewall-csp.md
+ items:
+ - name: Firewall DDF file
+ href: firewall-ddf-file.md
+ - name: HealthAttestation CSP
+ href: healthattestation-csp.md
+ items:
+ - name: HealthAttestation DDF
+ href: healthattestation-ddf.md
+ - name: HotSpot CSP
+ href: hotspot-csp.md
+ - name: Maps CSP
+ href: maps-csp.md
+ items:
+ - name: Maps DDF
+ href: maps-ddf-file.md
+ - name: Messaging CSP
+ href: messaging-csp.md
+ items:
+ - name: Messaging DDF file
+ href: messaging-ddf.md
+ - name: MultiSIM CSP
+ href: multisim-csp.md
+ items:
+ - name: MultiSIM DDF file
+ href: multisim-ddf.md
+ - name: NAP CSP
+ href: nap-csp.md
+ - name: NAPDEF CSP
+ href: napdef-csp.md
+ - name: NetworkProxy CSP
+ href: networkproxy-csp.md
+ items:
+ - name: NetworkProxy DDF file
+ href: networkproxy-ddf.md
+ - name: NetworkQoSPolicy CSP
+ href: networkqospolicy-csp.md
+ items:
+ - name: NetworkQoSPolicy DDF file
+ href: networkqospolicy-ddf.md
+ - name: NodeCache CSP
+ href: nodecache-csp.md
+ items:
+ - name: NodeCache DDF file
+ href: nodecache-ddf-file.md
+ - name: Office CSP
+ href: office-csp.md
+ items:
+ - name: Office DDF
+ href: office-ddf.md
+ - name: PassportForWork CSP
+ href: passportforwork-csp.md
+ items:
+ - name: PassportForWork DDF file
+ href: passportforwork-ddf.md
+ - name: Personalization CSP
+ href: personalization-csp.md
+ items:
+ - name: Personalization DDF file
+ href: personalization-ddf.md
+ - name: Policy CSP
+ href: policy-configuration-service-provider.md
+ items:
+ - name: Policy CSP DDF file
+ href: policy-ddf-file.md
+ - name: Policies in Policy CSP supported by Group Policy
+ href: policies-in-policy-csp-supported-by-group-policy.md
+ - name: ADMX-backed policies in Policy CSP
+ href: policies-in-policy-csp-admx-backed.md
+ - name: Policies in Policy CSP supported by HoloLens 2
+ href: policies-in-policy-csp-supported-by-hololens2.md
+ - name: Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite
+ href: policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md
+ - name: Policies in Policy CSP supported by HoloLens (1st gen) Development Edition
+ href: policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md
+ - name: Policies in Policy CSP supported by Windows 10 IoT Enterprise
+ href: ./configuration-service-provider-reference.md
+ - name: Policies in Policy CSP supported by Windows 10 IoT Core
+ href: policies-in-policy-csp-supported-by-iot-core.md
+ - name: Policies in Policy CSP supported by Microsoft Surface Hub
+ href: policies-in-policy-csp-supported-by-surface-hub.md
+ - name: Policy CSPs that can be set using Exchange Active Sync (EAS)
+ href: policies-in-policy-csp-that-can-be-set-using-eas.md
+ - name: AboveLock
+ href: policy-csp-abovelock.md
+ - name: Accounts
+ href: policy-csp-accounts.md
+ - name: ActiveXControls
+ href: policy-csp-activexcontrols.md
+ - name: ADMX_ActiveXInstallService
+ href: policy-csp-admx-activexinstallservice.md
+ - name: ADMX_AddRemovePrograms
+ href: policy-csp-admx-addremoveprograms.md
+ - name: ADMX_AppCompat
+ href: policy-csp-admx-appcompat.md
+ - name: ADMX_AppxPackageManager
+ href: policy-csp-admx-appxpackagemanager.md
+ - name: ADMX_AppXRuntime
+ href: policy-csp-admx-appxruntime.md
+ - name: ADMX_AttachmentManager
+ href: policy-csp-admx-attachmentmanager.md
+ - name: ADMX_AuditSettings
+ href: policy-csp-admx-auditsettings.md
+ - name: ADMX_Bits
+ href: policy-csp-admx-bits.md
+ - name: ADMX_CipherSuiteOrder
+ href: policy-csp-admx-ciphersuiteorder.md
+ - name: ADMX_COM
+ href: policy-csp-admx-com.md
+ - name: ADMX_ControlPanel
+ href: policy-csp-admx-controlpanel.md
+ - name: ADMX_ControlPanelDisplay
+ href: policy-csp-admx-controlpaneldisplay.md
+ - name: ADMX_Cpls
+ href: policy-csp-admx-cpls.md
+ - name: ADMX_CredentialProviders
+ href: policy-csp-admx-credentialproviders.md
+ - name: ADMX_CredSsp
+ href: policy-csp-admx-credssp.md
+ - name: ADMX_CredUI
+ href: policy-csp-admx-credui.md
+ - name: ADMX_CtrlAltDel
+ href: policy-csp-admx-ctrlaltdel.md
+ - name: ADMX_DataCollection
+ href: policy-csp-admx-datacollection.md
+ - name: ADMX_Desktop
+ href: policy-csp-admx-desktop.md
+ - name: ADMX_DeviceInstallation
+ href: policy-csp-admx-deviceinstallation.md
+ - name: ADMX_DeviceSetup
+ href: policy-csp-admx-devicesetup.md
+ - name: ADMX_DigitalLocker
+ href: policy-csp-admx-digitallocker.md
+ - name: ADMX_DistributedLinkTracking
+ href: policy-csp-admx-distributedlinktracking.md
+ - name: ADMX_DnsClient
+ href: policy-csp-admx-dnsclient.md
+ - name: ADMX_DWM
+ href: policy-csp-admx-dwm.md
+ - name: ADMX_EAIME
+ href: policy-csp-admx-eaime.md
+ - name: ADMX_EncryptFilesonMove
+ href: policy-csp-admx-encryptfilesonmove.md
+ - name: ADMX_EnhancedStorage
+ href: policy-csp-admx-enhancedstorage.md
+ - name: ADMX_ErrorReporting
+ href: policy-csp-admx-errorreporting.md
+ - name: ADMX_EventForwarding
+ href: policy-csp-admx-eventforwarding.md
+ - name: ADMX_EventLog
+ href: policy-csp-admx-eventlog.md
+ - name: ADMX_Explorer
+ href: policy-csp-admx-explorer.md
+ - name: ADMX_FileRecovery
+ href: policy-csp-admx-filerecovery.md
+ - name: ADMX_FileServerVSSProvider
+ href: policy-csp-admx-fileservervssprovider.md
+ - name: ADMX_FileSys
+ href: policy-csp-admx-filesys.md
+ - name: ADMX_FolderRedirection
+ href: policy-csp-admx-folderredirection.md
+ - name: ADMX_Globalization
+ href: policy-csp-admx-globalization.md
+ - name: ADMX_GroupPolicy
+ href: policy-csp-admx-grouppolicy.md
+ - name: ADMX_Help
+ href: policy-csp-admx-help.md
+ - name: ADMX_HelpAndSupport
+ href: policy-csp-admx-helpandsupport.md
+ - name: ADMX_ICM
+ href: policy-csp-admx-icm.md
+ - name: ADMX_kdc
+ href: policy-csp-admx-kdc.md
+ - name: ADMX_Kerberos
+ href: policy-csp-admx-kerberos.md
+ - name: ADMX_LanmanServer
+ href: policy-csp-admx-lanmanserver.md
+ - name: ADMX_LanmanWorkstation
+ href: policy-csp-admx-lanmanworkstation.md
+ - name: ADMX_LinkLayerTopologyDiscovery
+ href: policy-csp-admx-linklayertopologydiscovery.md
+ - name: ADMX_Logon
+ href: policy-csp-admx-logon.md
+ - name: ADMX_MicrosoftDefenderAntivirus
+ href: policy-csp-admx-microsoftdefenderantivirus.md
+ - name: ADMX_MMC
+ href: policy-csp-admx-mmc.md
+ - name: ADMX_MMCSnapins
+ href: policy-csp-admx-mmcsnapins.md
+ - name: ADMX_MSAPolicy
+ href: policy-csp-admx-msapolicy.md
+ - name: ADMX_msched
+ href: policy-csp-admx-msched.md
+ - name: ADMX_MSDT
+ href: policy-csp-admx-msdt.md
+ - name: ADMX_MSI
+ href: policy-csp-admx-msi.md
+ - name: ADMX_nca
+ href: policy-csp-admx-nca.md
+ - name: ADMX_NCSI
+ href: policy-csp-admx-ncsi.md
+ - name: ADMX_Netlogon
+ href: policy-csp-admx-netlogon.md
+ - name: ADMX_NetworkConnections
+ href: policy-csp-admx-networkconnections.md
+ - name: ADMX_OfflineFiles
+ href: policy-csp-admx-offlinefiles.md
+ - name: ADMX_PeerToPeerCaching
+ href: policy-csp-admx-peertopeercaching.md
+ - name: ADMX_PerformanceDiagnostics
+ href: policy-csp-admx-performancediagnostics.md
+ - name: ADMX_Power
+ href: policy-csp-admx-power.md
+ - name: ADMX_PowerShellExecutionPolicy
+ href: policy-csp-admx-powershellexecutionpolicy.md
+ - name: ADMX_Printing
+ href: policy-csp-admx-printing.md
+ - name: ADMX_Printing2
+ href: policy-csp-admx-printing2.md
+ - name: ADMX_Programs
+ href: policy-csp-admx-programs.md
+ - name: ADMX_Reliability
+ href: policy-csp-admx-reliability.md
+ - name: ADMX_RemoteAssistance
+ href: policy-csp-admx-remoteassistance.md
+ - name: ADMX_RemovableStorage
+ href: policy-csp-admx-removablestorage.md
+ - name: ADMX_RPC
+ href: policy-csp-admx-rpc.md
+ - name: ADMX_Scripts
+ href: policy-csp-admx-scripts.md
+ - name: ADMX_sdiageng
+ href: policy-csp-admx-sdiageng.md
+ - name: ADMX_Securitycenter
+ href: policy-csp-admx-securitycenter.md
+ - name: ADMX_Sensors
+ href: policy-csp-admx-sensors.md
+ - name: ADMX_Servicing
+ href: policy-csp-admx-servicing.md
+ - name: ADMX_SettingSync
+ href: policy-csp-admx-settingsync.md
+ - name: ADMX_SharedFolders
+ href: policy-csp-admx-sharedfolders.md
+ - name: ADMX_Sharing
+ href: policy-csp-admx-sharing.md
+ - name: ADMX_ShellCommandPromptRegEditTools
+ href: policy-csp-admx-shellcommandpromptregedittools.md
+ - name: ADMX_SkyDrive
+ href: policy-csp-admx-skydrive.md
+ - name: ADMX_Smartcard
+ href: policy-csp-admx-smartcard.md
+ - name: ADMX_Snmp
+ href: policy-csp-admx-snmp.md
+ - name: ADMX_StartMenu
+ href: policy-csp-admx-startmenu.md
+ - name: ADMX_SystemRestore
+ href: policy-csp-admx-systemrestore.md
+ - name: ADMX_Taskbar
+ href: policy-csp-admx-taskbar.md
+ - name: ADMX_tcpip
+ href: policy-csp-admx-tcpip.md
+ - name: ADMX_Thumbnails
+ href: policy-csp-admx-thumbnails.md
+ - name: ADMX_TPM
+ href: policy-csp-admx-tpm.md
+ - name: ADMX_UserExperienceVirtualization
+ href: policy-csp-admx-userexperiencevirtualization.md
+ - name: ADMX_UserProfiles
+ href: policy-csp-admx-userprofiles.md
+ - name: ADMX_W32Time
+ href: policy-csp-admx-w32time.md
+ - name: ADMX_WCM
+ href: policy-csp-admx-wcm.md
+ - name: ADMX_WinCal
+ href: policy-csp-admx-wincal.md
+ - name: ADMX_WindowsAnytimeUpgrade
+ href: policy-csp-admx-windowsanytimeupgrade.md
+ - name: ADMX_WindowsConnectNow
+ href: policy-csp-admx-windowsconnectnow.md
+ - name: ADMX_WindowsExplorer
+ href: policy-csp-admx-windowsexplorer.md
+ - name: ADMX_WindowsFileProtection
+ href: policy-csp-admx-windowsfileprotection.md
+ - name: ADMX_WindowsMediaDRM
+ href: policy-csp-admx-windowsmediadrm.md
+ - name: ADMX_WindowsMediaPlayer
+ href: policy-csp-admx-windowsmediaplayer.md
+ - name: ADMX_WindowsRemoteManagement
+ href: policy-csp-admx-windowsremotemanagement.md
+ - name: ADMX_WindowsStore
+ href: policy-csp-admx-windowsstore.md
+ - name: ADMX_WinInit
+ href: policy-csp-admx-wininit.md
+ - name: ADMX_WinLogon
+ href: policy-csp-admx-winlogon.md
+ - name: ADMX-Winsrv
+ href: policy-csp-admx-winsrv.md
+ - name: ADMX_wlansvc
+ href: policy-csp-admx-wlansvc.md
+ - name: ADMX_WPN
+ href: policy-csp-admx-wpn.md
+ - name: ApplicationDefaults
+ href: policy-csp-applicationdefaults.md
+ - name: ApplicationManagement
+ href: policy-csp-applicationmanagement.md
+ - name: AppRuntime
+ href: policy-csp-appruntime.md
+ - name: AppVirtualization
+ href: policy-csp-appvirtualization.md
+ - name: AttachmentManager
+ href: policy-csp-attachmentmanager.md
+ - name: Audit
+ href: policy-csp-audit.md
+ - name: Authentication
+ href: policy-csp-authentication.md
+ - name: Autoplay
+ href: policy-csp-autoplay.md
+ - name: BitLocker
+ href: policy-csp-bitlocker.md
+ - name: BITS
+ href: policy-csp-bits.md
+ - name: Bluetooth
+ href: policy-csp-bluetooth.md
+ - name: Browser
+ href: policy-csp-browser.md
+ - name: Camera
+ href: policy-csp-camera.md
+ - name: Cellular
+ href: policy-csp-cellular.md
+ - name: Connectivity
+ href: policy-csp-connectivity.md
+ - name: ControlPolicyConflict
+ href: policy-csp-controlpolicyconflict.md
+ - name: CredentialsDelegation
+ href: policy-csp-credentialsdelegation.md
+ - name: CredentialProviders
+ href: policy-csp-credentialproviders.md
+ - name: CredentialsUI
+ href: policy-csp-credentialsui.md
+ - name: Cryptography
+ href: policy-csp-cryptography.md
+ - name: DataProtection
+ href: policy-csp-dataprotection.md
+ - name: DataUsage
+ href: policy-csp-datausage.md
+ - name: Defender
+ href: policy-csp-defender.md
+ - name: DeliveryOptimization
+ href: policy-csp-deliveryoptimization.md
+ - name: Desktop
+ href: policy-csp-desktop.md
+ - name: DeviceGuard
+ href: policy-csp-deviceguard.md
+ - name: DeviceHealthMonitoring
+ href: policy-csp-devicehealthmonitoring.md
+ - name: DeviceInstallation
+ href: policy-csp-deviceinstallation.md
+ - name: DeviceLock
+ href: policy-csp-devicelock.md
+ - name: Display
+ href: policy-csp-display.md
+ - name: DmaGuard
+ href: policy-csp-dmaguard.md
+ - name: Education
+ href: policy-csp-education.md
+ - name: EnterpriseCloudPrint
+ href: policy-csp-enterprisecloudprint.md
+ - name: ErrorReporting
+ href: policy-csp-errorreporting.md
+ - name: EventLogService
+ href: policy-csp-eventlogservice.md
+ - name: Experience
+ href: policy-csp-experience.md
+ - name: ExploitGuard
+ href: policy-csp-exploitguard.md
+ - name: FileExplorer
+ href: policy-csp-fileexplorer.md
+ - name: Games
+ href: policy-csp-games.md
+ - name: Handwriting
+ href: policy-csp-handwriting.md
+ - name: InternetExplorer
+ href: policy-csp-internetexplorer.md
+ - name: Kerberos
+ href: policy-csp-kerberos.md
+ - name: KioskBrowser
+ href: policy-csp-kioskbrowser.md
+ - name: LanmanWorkstation
+ href: policy-csp-lanmanworkstation.md
+ - name: Licensing
+ href: policy-csp-licensing.md
+ - name: LocalPoliciesSecurityOptions
+ href: policy-csp-localpoliciessecurityoptions.md
+ - name: LocalUsersAndGroups
+ href: policy-csp-localusersandgroups.md
+ - name: LockDown
+ href: policy-csp-lockdown.md
+ - name: Maps
+ href: policy-csp-maps.md
+ - name: Messaging
+ href: policy-csp-messaging.md
+ - name: MixedReality
+ href: policy-csp-mixedreality.md
+ - name: MSSecurityGuide
+ href: policy-csp-mssecurityguide.md
+ - name: MSSLegacy
+ href: policy-csp-msslegacy.md
+ - name: Multitasking
+ href: policy-csp-multitasking.md
+ - name: NetworkIsolation
+ href: policy-csp-networkisolation.md
+ - name: Notifications
+ href: policy-csp-notifications.md
+ - name: Power
+ href: policy-csp-power.md
+ - name: Printers
+ href: policy-csp-printers.md
+ - name: Privacy
+ href: policy-csp-privacy.md
+ - name: RemoteAssistance
+ href: policy-csp-remoteassistance.md
+ - name: RemoteDesktopServices
+ href: policy-csp-remotedesktopservices.md
+ - name: RemoteManagement
+ href: policy-csp-remotemanagement.md
+ - name: RemoteProcedureCall
+ href: policy-csp-remoteprocedurecall.md
+ - name: RemoteShell
+ href: policy-csp-remoteshell.md
+ - name: RestrictedGroups
+ href: policy-csp-restrictedgroups.md
+ - name: Search
+ href: policy-csp-search.md
+ - name: Security
+ href: policy-csp-security.md
+ - name: ServiceControlManager
+ href: policy-csp-servicecontrolmanager.md
+ - name: Settings
+ href: policy-csp-settings.md
+ - name: Speech
+ href: policy-csp-speech.md
+ - name: Start
+ href: policy-csp-start.md
+ - name: Storage
+ href: policy-csp-storage.md
+ - name: System
+ href: policy-csp-system.md
+ - name: SystemServices
+ href: policy-csp-systemservices.md
+ - name: TaskManager
+ href: policy-csp-taskmanager.md
+ - name: TaskScheduler
+ href: policy-csp-taskscheduler.md
+ - name: TextInput
+ href: policy-csp-textinput.md
+ - name: TimeLanguageSettings
+ href: policy-csp-timelanguagesettings.md
+ - name: Troubleshooting
+ href: policy-csp-troubleshooting.md
+ - name: Update
+ href: policy-csp-update.md
+ - name: UserRights
+ href: policy-csp-userrights.md
+ - name: Wifi
+ href: policy-csp-wifi.md
+ - name: WindowsConnectionManager
+ href: policy-csp-windowsconnectionmanager.md
+ - name: WindowsDefenderSecurityCenter
+ href: policy-csp-windowsdefendersecuritycenter.md
+ - name: WindowsDefenderSmartScreen
+ href: policy-csp-smartscreen.md
+ - name: WindowsInkWorkspace
+ href: policy-csp-windowsinkworkspace.md
+ - name: WindowsLogon
+ href: policy-csp-windowslogon.md
+ - name: WindowsPowerShell
+ href: policy-csp-windowspowershell.md
+ - name: WindowsSandbox
+ href: policy-csp-windowssandbox.md
+ - name: WirelessDisplay
+ href: policy-csp-wirelessdisplay.md
+ - name: PolicyManager CSP
+ href: policymanager-csp.md
+ - name: Provisioning CSP
+ href: provisioning-csp.md
+ - name: PROXY CSP
+ href: proxy-csp.md
+ - name: PXLOGICAL CSP
+ href: pxlogical-csp.md
+ - name: Reboot CSP
+ href: reboot-csp.md
+ items:
+ - name: Reboot DDF file
+ href: reboot-ddf-file.md
+ - name: Registry CSP
+ href: registry-csp.md
+ items:
+ - name: Registry DDF file
+ href: registry-ddf-file.md
+ - name: RemoteFind CSP
+ href: remotefind-csp.md
+ items:
+ - name: RemoteFind DDF file
+ href: remotefind-ddf-file.md
+ - name: RemoteLock CSP
+ href: remotelock-csp.md
+ items:
+ - name: RemoteLock DDF file
+ href: remotelock-ddf-file.md
+ - name: RemoteRing CSP
+ href: remotering-csp.md
+ items:
+ - name: RemoteRing DDF file
+ href: remotering-ddf-file.md
+ - name: RemoteWipe CSP
+ href: remotewipe-csp.md
+ items:
+ - name: RemoteWipe DDF file
+ href: remotewipe-ddf-file.md
+ - name: Reporting CSP
+ href: reporting-csp.md
+ items:
+ - name: Reporting DDF file
+ href: reporting-ddf-file.md
+ - name: RootCATrustedCertificates CSP
+ href: rootcacertificates-csp.md
+ items:
+ - name: RootCATrustedCertificates DDF file
+ href: rootcacertificates-ddf-file.md
+ - name: SecureAssessment CSP
+ href: secureassessment-csp.md
+ items:
+ - name: SecureAssessment DDF file
+ href: secureassessment-ddf-file.md
+ - name: SecurityPolicy CSP
+ href: securitypolicy-csp.md
+ - name: SharedPC CSP
+ href: sharedpc-csp.md
+ items:
+ - name: SharedPC DDF file
+ href: sharedpc-ddf-file.md
+ - name: Storage CSP
+ href: storage-csp.md
+ items:
+ - name: Storage DDF file
+ href: storage-ddf-file.md
+ - name: SUPL CSP
+ href: supl-csp.md
+ items:
+ - name: SUPL DDF file
+ href: supl-ddf-file.md
+ - name: SurfaceHub CSP
+ href: surfacehub-csp.md
+ items:
+ - name: SurfaceHub DDF file
+ href: surfacehub-ddf-file.md
+ - name: TenantLockdown CSP
+ href: tenantlockdown-csp.md
+ items:
+ - name: TenantLockdown DDF file
+ href: tenantlockdown-ddf.md
+ - name: TPMPolicy CSP
+ href: tpmpolicy-csp.md
+ items:
+ - name: TPMPolicy DDF file
+ href: tpmpolicy-ddf-file.md
+ - name: UEFI CSP
+ href: uefi-csp.md
+ items:
+ - name: UEFI DDF file
+ href: uefi-ddf.md
+ - name: UnifiedWriteFilter CSP
+ href: unifiedwritefilter-csp.md
+ items:
+ - name: UnifiedWriteFilter DDF file
+ href: unifiedwritefilter-ddf.md
+ - name: Update CSP
+ href: update-csp.md
+ items:
+ - name: Update DDF file
+ href: update-ddf-file.md
+ - name: VPN CSP
+ href: vpn-csp.md
+ items:
+ - name: VPN DDF file
+ href: vpn-ddf-file.md
+ - name: VPNv2 CSP
+ href: vpnv2-csp.md
+ items:
+ - name: VPNv2 DDF file
+ href: vpnv2-ddf-file.md
+ - name: ProfileXML XSD
+ href: vpnv2-profile-xsd.md
+ - name: EAP configuration
+ href: eap-configuration.md
+ - name: w4 APPLICATION CSP
+ href: w4-application-csp.md
+ - name: w7 APPLICATION CSP
+ href: w7-application-csp.md
+ - name: WiFi CSP
+ href: wifi-csp.md
+ items:
+ - name: WiFi DDF file
+ href: wifi-ddf-file.md
+ - name: Win32AppInventory CSP
+ href: win32appinventory-csp.md
+ items:
+ - name: Win32AppInventory DDF file
+ href: win32appinventory-ddf-file.md
+ - name: Win32CompatibilityAppraiser CSP
+ href: win32compatibilityappraiser-csp.md
+ items:
+ - name: Win32CompatibilityAppraiser DDF file
+ href: win32compatibilityappraiser-ddf.md
+ - name: WindowsAdvancedThreatProtection CSP
+ href: windowsadvancedthreatprotection-csp.md
+ items:
+ - name: WindowsAdvancedThreatProtection DDF file
+ href: windowsadvancedthreatprotection-ddf.md
+ - name: WindowsDefenderApplicationGuard CSP
+ href: windowsdefenderapplicationguard-csp.md
+ items:
+ - name: WindowsDefenderApplicationGuard DDF file
+ href: windowsdefenderapplicationguard-ddf-file.md
+ - name: WindowsLicensing CSP
+ href: windowslicensing-csp.md
+ items:
+ - name: WindowsLicensing DDF file
+ href: windowslicensing-ddf-file.md
+ - name: WindowsSecurityAuditing CSP
+ href: windowssecurityauditing-csp.md
+ items:
+ - name: WindowsSecurityAuditing DDF file
+ href: windowssecurityauditing-ddf-file.md
+ - name: WiredNetwork CSP
+ href: wirednetwork-csp.md
+ items:
+ - name: WiredNetwork DDF file
+ href: wirednetwork-ddf-file.md
diff --git a/windows/client-management/mdm/accountmanagement-csp.md b/windows/client-management/mdm/accountmanagement-csp.md
index 04edf1f24d..930343209f 100644
--- a/windows/client-management/mdm/accountmanagement-csp.md
+++ b/windows/client-management/mdm/accountmanagement-csp.md
@@ -5,7 +5,7 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
-author: lomayor
+author: dansimp
ms.date: 03/23/2018
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/accountmanagement-ddf.md b/windows/client-management/mdm/accountmanagement-ddf.md
index 35fd257acb..c4c26237bc 100644
--- a/windows/client-management/mdm/accountmanagement-ddf.md
+++ b/windows/client-management/mdm/accountmanagement-ddf.md
@@ -5,7 +5,7 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
-author: lomayor
+author: dansimp
ms.date: 03/23/2018
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md
index 498abd7018..1269c2797e 100644
--- a/windows/client-management/mdm/accounts-csp.md
+++ b/windows/client-management/mdm/accounts-csp.md
@@ -5,7 +5,7 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
-author: lomayor
+author: dansimp
ms.date: 03/27/2020
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/accounts-ddf-file.md b/windows/client-management/mdm/accounts-ddf-file.md
index c1b570d222..9d91061818 100644
--- a/windows/client-management/mdm/accounts-ddf-file.md
+++ b/windows/client-management/mdm/accounts-ddf-file.md
@@ -5,7 +5,7 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
-author: lomayor
+author: dansimp
ms.date: 04/17/2018
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/activesync-csp.md b/windows/client-management/mdm/activesync-csp.md
index 927e9b9e0a..e69eef0c44 100644
--- a/windows/client-management/mdm/activesync-csp.md
+++ b/windows/client-management/mdm/activesync-csp.md
@@ -8,7 +8,7 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
-author: lomayor
+author: dansimp
ms.date: 06/26/2017
---
diff --git a/windows/client-management/mdm/activesync-ddf-file.md b/windows/client-management/mdm/activesync-ddf-file.md
index 1b1ae61c78..dae70c2133 100644
--- a/windows/client-management/mdm/activesync-ddf-file.md
+++ b/windows/client-management/mdm/activesync-ddf-file.md
@@ -8,7 +8,7 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
-author: lomayor
+author: dansimp
ms.date: 12/05/2017
---
diff --git a/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md b/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md
index 79b168c90e..34f60116f4 100644
--- a/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md
+++ b/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md
@@ -8,7 +8,7 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
-author: lomayor
+author: dansimp
ms.date: 06/26/2017
---
@@ -19,37 +19,37 @@ Here's a step-by-step guide to adding an Azure Active Directory tenant, adding a
> **Note** If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services, you have a free subscription to Azure AD. For step-by-step guide to register this free subscription, see [Register your free Azure Active Directory subscription.](#register-your-free-azure-active-directory-subscription)
-1. Sign-up for Azure AD tenant from [this website](https://account.windowsazure.com/organization) by creating an administrator account for your organization.
+1. Sign up for Azure AD tenant from [this website](https://account.windowsazure.com/organization) by creating an administrator account for your organization.
-2. Enter the information for your organization. Click **check availability** to verify that domain name that you selected is available.
+2. Enter the information for your organization. Select **check availability** to verify that domain name that you selected is available.
-3. Complete the login and country information. You must provide a valid phone number, then click **Send text message** or **Call me**.
+3. Complete the login and country information. Enter a valid phone number, then select **Send text message** or **Call me**.
-4. Enter the code that you receive and then click **Verify code**. After the code is verified and the continue button turns green, click **continue**.
+4. Enter the code that you receive and then select **Verify code**. After the code is verified and the continue button turns green, select **continue**.
-5. After you finish creating your Azure account, you are ready to add an Azure AD subscription.
+5. After you finish creating your Azure account, you can add an Azure AD subscription.
- If you don't have a paid subscription to any Microsoft service, you can purchase an Azure AD premium subscription. Go to Office 356 portal,
-
@@ -918,7 +918,7 @@ This article lists new and updated articles for the Mobile Device Management (MD
-
-
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md
index 7f3e3f9aea..1e66232f8b 100644
--- a/windows/client-management/mdm/clientcertificateinstall-csp.md
+++ b/windows/client-management/mdm/clientcertificateinstall-csp.md
@@ -117,7 +117,7 @@ If a blob already exists, the Add operation will fail. If Replace is called on t
If Add is called on this node for a new PFX, the certificate will be added. When a certificate does not exist, Replace operation on this node will fail.
-In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate CRYPT_DATA_BLOB, which can be found in CRYPT_INTEGER_BLOB.
+In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate CRYPT_DATA_BLOB, which can be found in CRYPT_INTEGER_BLOB.
**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPassword**
Password that protects the PFX blob. This is required if the PFX is password protected.
@@ -216,7 +216,7 @@ Required. Specifies the subject name.
The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: (“,” “=” “+” “;” ).
-For more details, see [CertNameToStrA function](https://docs.microsoft.com/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#remarks).
+For more details, see [CertNameToStrA function](/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#remarks).
Data type is string.
@@ -700,4 +700,4 @@ Add a PFX certificate. The PFX certificate password is encrypted with a custom c
## Related topics
-[Configuration service provider reference](configuration-service-provider-reference.md)
+[Configuration service provider reference](configuration-service-provider-reference.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md
index dcf8eec173..3227294e86 100644
--- a/windows/client-management/mdm/configuration-service-provider-reference.md
+++ b/windows/client-management/mdm/configuration-service-provider-reference.md
@@ -16,7 +16,7 @@ ms.date: 09/18/2020
A configuration service provider (CSP) is an interface to read, set, modify, or delete configuration settings on the device. These settings map to registry keys or files. Some configuration service providers support the WAP format, some support SyncML, and some support both. SyncML is only used over–the–air for Open Mobile Alliance Device Management (OMA DM), whereas WAP can be used over–the–air for OMA Client Provisioning, or it can be included in the phone image as a .provxml file that is installed during boot.
-For information about the bridge WMI provider classes that map to these CSPs, see [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224). For CSP DDF files, see [CSP DDF files download](#csp-ddf-files-download).
+For information about the bridge WMI provider classes that map to these CSPs, see [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal). For CSP DDF files, see [CSP DDF files download](#csp-ddf-files-download).
Additional lists:
@@ -2817,4 +2817,4 @@ The following list shows the CSPs supported in HoloLens devices:
- 7 - Added in Windows 10, version 1909.
- 8 - Added in Windows 10, version 2004.
- 9 - Added in Windows 10 Team 2020 Update
-- 10 - Added in [Windows Holographic, version 20H2](https://docs.microsoft.com/hololens/hololens-release-notes#windows-holographic-version-20h2)
+- 10 - Added in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2)
\ No newline at end of file
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index 8a3242f3d3..8e18c596ad 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -309,7 +309,7 @@ Supported operation is Get.
**Health/QuickScanOverdue**
Indicates whether a Windows Defender quick scan is overdue for the device.
-A Quick scan is overdue when a scheduled Quick scan did not complete successfully for 2 weeks and [catchup Quick scans](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-disablecatchupquickscan) are disabled (default).
+A Quick scan is overdue when a scheduled Quick scan did not complete successfully for 2 weeks and [catchup Quick scans](./policy-csp-defender.md#defender-disablecatchupquickscan) are disabled (default).
The data type is a Boolean.
@@ -318,7 +318,7 @@ Supported operation is Get.
**Health/FullScanOverdue**
Indicates whether a Windows Defender full scan is overdue for the device.
-A Full scan is overdue when a scheduled Full scan did not complete successfully for 2 weeks and [catchup Full scans](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-disablecatchupfullscan) are disabled (default).
+A Full scan is overdue when a scheduled Full scan did not complete successfully for 2 weeks and [catchup Full scans](./policy-csp-defender.md#defender-disablecatchupfullscan) are disabled (default).
The data type is a Boolean.
@@ -457,8 +457,8 @@ The data type is integer.
Supported operations are Add, Delete, Get, Replace.
Valid values are:
-- 1 – Enable.
-- 0 (default) – Disable.
+- 1 (default) – Enable.
+- 0 – Disable.
**Configuration/MeteredConnectionUpdates**The [MS-MDE2]: Mobile Device Enrollment Protocol Version 2
+The [MS-MDE2]: Mobile Device Enrollment Protocol Version 2
Allow managed devices to update through metered connections. Data charges may apply.
@@ -518,8 +518,8 @@ When enabled or disabled exists on the client and admin moves the setting to not
More details:
-- [Microsoft Defender AV diagnostic data](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data)
-- [Collect investigation package from devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#collect-investigation-package-from-devices)
+- [Microsoft Defender AV diagnostic data](/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data)
+- [Collect investigation package from devices](/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#collect-investigation-package-from-devices)
**Scan**
Node that can be used to start a Windows Defender scan on a device.
diff --git a/windows/client-management/mdm/developersetup-csp.md b/windows/client-management/mdm/developersetup-csp.md
index 382d2d379a..2f1ccdb53c 100644
--- a/windows/client-management/mdm/developersetup-csp.md
+++ b/windows/client-management/mdm/developersetup-csp.md
@@ -14,7 +14,7 @@ ms.date: 06/26/2018
# DeveloperSetup CSP
-The DeveloperSetup configuration service provider (CSP) is used to configure Developer Mode on the device and connect to the Windows Device Portal. For more information about the Windows Device Portal, see [Windows Device Portal overview](https://msdn.microsoft.com/windows/uwp/debug-test-perf/device-portal). This CSP was added in Windows 10, version 1703.
+The DeveloperSetup configuration service provider (CSP) is used to configure Developer Mode on the device and connect to the Windows Device Portal. For more information about the Windows Device Portal, see [Windows Device Portal overview](/windows/uwp/debug-test-perf/device-portal). This CSP was added in Windows 10, version 1703.
> [!NOTE]
> The DeveloperSetup configuration service provider (CSP) is only supported in Windows 10 Holographic Enterprise edition and with runtime provisioning via provisioning packages. It is not supported in MDM.
@@ -79,4 +79,4 @@ If authentication is enabled, HttpPort will redirect the user t
**DevicePortal/Connection/HttpsPort**
-
@@ -224,12 +224,5 @@ if ( bstr != NULL )
## See also
-[**SysFreeString**](https://msdn.microsoft.com/library/windows/hardware/ms221481)
-
-
-
-
-
-
-
+[**SysFreeString**](/windows/win32/api/oleauto/nf-oleauto-sysfreestring)
diff --git a/windows/client-management/mdm/eap-configuration.md b/windows/client-management/mdm/eap-configuration.md
index 7ccca3fe88..43882781ec 100644
--- a/windows/client-management/mdm/eap-configuration.md
+++ b/windows/client-management/mdm/eap-configuration.md
@@ -28,31 +28,31 @@ To get the EAP configuration from your desktop using the rasphone tool that is s
1. If you don't currently have a VPN connection and you see the following message, select **OK**.
- 
+ 
1. In the wizard, select **Workplace network**.
- 
+ 
1. Enter an Internet address and connection name. These can be fake since it does not impact the authentication parameters.
- 
+ 
1. Create a fake VPN connection. In the UI shown here, select **Properties**.
- 
+ 
1. In the **Test Properties** dialog, select the **Security** tab.
- 
+ 
1. On the **Security** tab, select **Use Extensible Authentication Protocol (EAP)**.
- 
+ 
1. From the drop-down menu, select the EAP method that you want to configure, and then select **Properties** to configure as needed.
- 
+ 
1. Switch over to PowerShell and use the following cmdlets to retrieve the EAP configuration XML.
@@ -288,16 +288,10 @@ Alternatively, you can use the following procedure to create an EAP configuratio
1. Continue following the procedure in the EAP configuration article from step 9 to get an EAP TLS profile with appropriate filtering.
> [!NOTE]
-> You can also set all the other applicable EAP Properties through this UI as well. A guide for what these properties mean can be found in the [Extensible Authentication Protocol (EAP) Settings for Network Access](https://technet.microsoft.com/library/hh945104.aspx) article.
+> You can also set all the other applicable EAP Properties through this UI as well. A guide for what these properties mean can be found in the [Extensible Authentication Protocol (EAP) Settings for Network Access](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh945104(v=ws.11)) article.
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
index d79b428c0e..d6a0127bab 100644
--- a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
+++ b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
@@ -17,7 +17,7 @@ manager: dansimp
This is a step-by-step guide to configuring ADMX-backed policies in MDM.
-Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support was expanded to allow access of [selected set of Group Policy administrative templates (ADMX-backed policies)](https://docs.microsoft.com/windows/client-management/mdm/policy-csps-admx-backed) for Windows PCs via the [Policy configuration service provider (CSP)](policy-configuration-service-provider.md). Configuring ADMX-backed policies in Policy CSP is different from the typical way you configure a traditional MDM policy.
+Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support was expanded to allow access of [selected set of Group Policy administrative templates (ADMX-backed policies)](./policies-in-policy-csp-admx-backed.md) for Windows PCs via the [Policy configuration service provider (CSP)](policy-configuration-service-provider.md). Configuring ADMX-backed policies in Policy CSP is different from the typical way you configure a traditional MDM policy.
Summary of steps to enable a policy:
- Find the policy from the list ADMX-backed policies.
@@ -25,17 +25,17 @@ Summary of steps to enable a policy:
- Use the Group Policy Editor to determine whether there are parameters necessary to enable the policy.
- Create the data payload for the SyncML.
-See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Ingesting-Office-ADMX-Backed-policies-using/ba-p/354824) and [Deploying ADMX-Backed policies using Microsoft Intune](https://blogs.technet.microsoft.com/senthilkumar/2018/05/21/intune-deploying-admx-backed-policies-using-microsoft-intune/) for a walk-through using Intune.
+See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Ingesting-Office-ADMX-Backed-policies-using/ba-p/354824) and [Deploying ADMX-Backed policies using Microsoft Intune](/archive/blogs/senthilkumar/intune-deploying-admx-backed-policies-using-microsoft-intune) for a walk-through using Intune.
>[!TIP]
->Intune has added a number of ADMX-backed administrative templates in public preview. Check if the policy settings you need are available in a template before using the SyncML method described below. [Learn more about Intune's administrative templates.](https://docs.microsoft.com/intune/administrative-templates-windows)
+>Intune has added a number of ADMX-backed administrative templates in public preview. Check if the policy settings you need are available in a template before using the SyncML method described below. [Learn more about Intune's administrative templates.](/intune/administrative-templates-windows)
## Enable a policy
> [!NOTE]
-> See [Understanding ADMX-backed policies in Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/understanding-admx-backed-policies).
+> See [Understanding ADMX-backed policies in Policy CSP](./understanding-admx-backed-policies.md).
-1. Find the policy from the list [ADMX-backed policies](policy-csps-admx-backed.md). You need the following information listed in the policy description.
+1. Find the policy from the list [ADMX-backed policies](./policies-in-policy-csp-admx-backed.md). You need the following information listed in the policy description.
- GP English name
- GP name
- GP ADMX file name
@@ -308,5 +308,4 @@ The \ payload is empty. Here an example to set AppVirtualization/Publishin
Microsoft.XboxApp_8wekyb3d8bbwe!Microsoft.XboxApp
-
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/enterprisedataprotection-csp.md b/windows/client-management/mdm/enterprisedataprotection-csp.md
index 8e674ed1e6..3b596b6652 100644
--- a/windows/client-management/mdm/enterprisedataprotection-csp.md
+++ b/windows/client-management/mdm/enterprisedataprotection-csp.md
@@ -14,7 +14,7 @@ ms.date: 08/09/2017
# EnterpriseDataProtection CSP
-The EnterpriseDataProtection configuration service provider (CSP) is used to configure settings for Windows Information Protection (WIP), formerly known as Enterprise Data Protection. For more information about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip).
+The EnterpriseDataProtection configuration service provider (CSP) is used to configure settings for Windows Information Protection (WIP), formerly known as Enterprise Data Protection. For more information about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip).
> [!Note]
> To make WIP functional, the AppLocker CSP and the network isolation-specific settings must also be configured. For more information, see [AppLocker CSP](applocker-csp.md) and NetworkIsolation policies in [Policy CSP](policy-configuration-service-provider.md).
@@ -26,8 +26,8 @@ While WIP has no hard dependency on VPN, for best results you should configure V
To learn more about WIP, see the following articles:
-- [Create a Windows Information Protection (WIP) policy](https://technet.microsoft.com/itpro/windows/keep-secure/overview-create-wip-policy)
-- [General guidance and best practices for Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/guidance-and-best-practices-wip)
+- [Create a Windows Information Protection (WIP) policy](/windows/security/information-protection/windows-information-protection/overview-create-wip-policy)
+- [General guidance and best practices for Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip)
The following shows the EnterpriseDataProtection CSP in tree format.
```
@@ -76,8 +76,8 @@ Changing the primary enterprise ID is not supported and may cause unexpected beh
Here are the steps to create canonical domain names:
1. Transform the ASCII characters (A-Z only) to lowercase. For example, Microsoft.COM -> microsoft.com.
-2. Call [IdnToAscii](https://msdn.microsoft.com/library/windows/desktop/dd318149.aspx) with IDN\_USE\_STD3\_ASCII\_RULES as the flags.
-3. Call [IdnToUnicode](https://msdn.microsoft.com/library/windows/desktop/dd318151.aspx) with no flags set (dwFlags = 0).
+2. Call [IdnToAscii](/windows/win32/api/winnls/nf-winnls-idntoascii) with IDN\_USE\_STD3\_ASCII\_RULES as the flags.
+3. Call [IdnToUnicode](/windows/win32/api/winnls/nf-winnls-idntounicode) with no flags set (dwFlags = 0).
Supported operations are Add, Get, Replace, and Delete. Value type is string.
@@ -353,9 +353,3 @@ Supported operation is Get. Value type is integer.
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md
index 6a9673e330..60cff29616 100644
--- a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md
+++ b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md
@@ -541,7 +541,7 @@ Properties can be specified in the package, passed through the command line, mod
Here's a list of references:
-- [Using Windows Installer](https://technet.microsoft.com/library/cc782896.aspx)
+- [Using Windows Installer](/previous-versions/windows/it-pro/windows-server-2003/cc782896(v=ws.10))
- [Authoring a single package for Per-User or Per-Machine Installation context in Windows 7](https://blogs.msdn.com/b/windows_installer_team/archive/2009/09/02/authoring-a-single-package-for-per-user-or-per-machine-installation-context-in-windows-7.aspx)
- SyncML Representation Protocol, Draft Version 1.3 - 27 Aug 2009 (OMA-TS-SyncML\_RepPro-V1\_3-20090827-D)
@@ -568,10 +568,3 @@ Here's a list of references:
-
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/federated-authentication-device-enrollment.md b/windows/client-management/mdm/federated-authentication-device-enrollment.md
index 01d4daf010..858a51a88b 100644
--- a/windows/client-management/mdm/federated-authentication-device-enrollment.md
+++ b/windows/client-management/mdm/federated-authentication-device-enrollment.md
@@ -18,7 +18,7 @@ This section provides an example of the mobile device enrollment protocol using
The <AuthenticationServiceURL> element the discovery response message specifies web authentication broker page start URL.
-For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://go.microsoft.com/fwlink/p/?LinkId=619347).
+For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692).
## In this topic
@@ -627,4 +627,4 @@ The following code shows sample provisioning XML (presented in the preceding pac
- Detailed descriptions of these settings are located in the [Enterprise settings, policies and app management](windows-mdm-enterprise-settings.md) section of this document.
- The **PrivateKeyContainer** characteristic is required and must be present in the Enrollment provisioning XML by the enrollment. Other important settings are the **PROVIDER-ID**, **NAME**, and **ADDR** parameter elements, which need to contain the unique ID and NAME of your DM provider and the address where the device can connect for configuration provisioning. The ID and NAME can be arbitrary values, but they must be unique.
- Also important is SSLCLIENTCERTSEARCHCRITERIA, which is used for selecting the certificate to be used for client authentication. The search is based on the subject attribute of the signed user certificate.
-- CertificateStore/WSTEP enables certificate renewal. If the server does not support it, do not set it.
+- CertificateStore/WSTEP enables certificate renewal. If the server does not support it, do not set it.
\ No newline at end of file
diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md
index 0e039ef35a..19fbe15c22 100644
--- a/windows/client-management/mdm/firewall-csp.md
+++ b/windows/client-management/mdm/firewall-csp.md
@@ -11,14 +11,14 @@ ms.reviewer:
manager: dansimp
---
-# Firewall CSP
+# Firewall configuration service provider (CSP)
The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, as well as the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. This CSP was added Windows 10, version 1709.
Firewall rules in the FirewallRules section must be wrapped in an Atomic block in SyncML, either individually or collectively.
-For detailed information on some of the fields below see [[MS-FASP]: Firewall and Advanced Security Protocol documentation](https://msdn.microsoft.com/library/mt620101.aspx).
+For detailed information on some of the fields below see [[MS-FASP]: Firewall and Advanced Security Protocol documentation](/openspecs/windows_protocols/ms-winerrata/6521c5c4-1f76-4003-9ade-5cccfc27c8ac).
The following shows the Firewall configuration service provider in tree format.
```
@@ -118,7 +118,7 @@ Firewall
-
Current channel
+Current channel
Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel.
March 9 2017
- Deferred channel
+Deferred channel
Provide users with new features of Office only a few times a year.
October 10 2017
Microsoft 365 Apps for enterprise
-
-
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/index.md b/windows/client-management/mdm/index.md
index aef061ccd2..4339466ef0 100644
--- a/windows/client-management/mdm/index.md
+++ b/windows/client-management/mdm/index.md
@@ -22,7 +22,7 @@ There are two parts to the Windows 10 management component:
- The enrollment client, which enrolls and configures the device to communicate with the enterprise management server.
- The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT.
-Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. MDM servers do not need to create or download a client to manage Windows 10. For details about the MDM protocols, see [\[MS-MDM\]: Mobile Device Management Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://go.microsoft.com/fwlink/p/?LinkId=619347).
+Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. MDM servers do not need to create or download a client to manage Windows 10. For details about the MDM protocols, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692).
## MDM security baseline
@@ -48,7 +48,7 @@ For more details about the MDM policies defined in the MDM security baseline and
- [MDM Security baseline for Windows 10, version 1809](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1809-MDM-SecurityBaseLine-Document-[Preview].zip)
-For information about the MDM policies defined in the Intune security baseline public preview, see [Windows security baseline settings for Intune](https://docs.microsoft.com/intune/security-baseline-settings-windows).
+For information about the MDM policies defined in the Intune security baseline public preview, see [Windows security baseline settings for Intune](/intune/security-baseline-settings-windows).
@@ -83,14 +83,7 @@ When an organization wants to move to MDM to manage devices, they should prepare
- [Configuration service provider reference](configuration-service-provider-reference.md)
- [WMI providers supported in Windows 10](wmi-providers-supported-in-windows.md)
- [Using PowerShell scripting with the WMI Bridge Provider](using-powershell-scripting-with-the-wmi-bridge-provider.md)
-- [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/hardware/dn905224)
+- [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal)
-
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md
index f1f4f5b05f..12e50c7af7 100644
--- a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md
+++ b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md
@@ -28,7 +28,7 @@ Here's the list of the available capabilities:
- Custom Line of Business app support –Enables management and distribution of enterprise applications through the Store for Business.
- Support for Windows desktop and mobile devices - The Store for Business supports both desktop and mobile devices.
-For additional information about Store for Business, see the TechNet topics in [Microsoft Store for Business](https://technet.microsoft.com/library/mt606951.aspx).
+For additional information about Store for Business, see the TechNet topics in [Microsoft Store for Business](/microsoft-store/).
## Management services
@@ -74,14 +74,14 @@ The Store for Business services rely on Azure Active Directory for authenticatio
To learn more about Azure AD and how to register your application within Azure AD, here are some topics to get you started:
- Adding an application to Azure Active Directory - [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md)
-- Accessing other Web applications and configuring your application to access other APIs - [Integrating Applications with Azure Active Directory](https://go.microsoft.com/fwlink/p/?LinkId=623021)
-- Authenticating to the Store for Business services via Azure AD - [Authentication Scenarios for Azure Active Directory](https://go.microsoft.com/fwlink/p/?LinkId=623023)
+- Accessing other Web applications and configuring your application to access other APIs - [Integrating Applications with Azure Active Directory](/azure/active-directory/develop/quickstart-register-app)
+- Authenticating to the Store for Business services via Azure AD - [Authentication Scenarios for Azure Active Directory](/azure/active-directory/develop/authentication-vs-authorization)
For code samples, see [Microsoft Azure Active Directory Samples and Documentation](https://go.microsoft.com/fwlink/p/?LinkId=623024) in GitHub. Patterns are very similar to [Daemon-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=623025) and [ConsoleApp-GraphAPI-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=623026).
## Configure your Azure AD application
-See [Quickstart: Register an application with the Microsoft identity platform](https://docs.microsoft.com/azure/active-directory/develop/quickstart-register-app) for the steps to configure your Azure AD app.
+See [Quickstart: Register an application with the Microsoft identity platform](/azure/active-directory/develop/quickstart-register-app) for the steps to configure your Azure AD app.
## Azure AD Authentication for MTS
@@ -122,9 +122,3 @@ The diagram below shows the call patterns for acquiring a new or updated applica
- [Bulk assign and reclaim seats for users](bulk-assign-and-reclaim-seats-from-user.md)
- [Get seats assigned to a user](get-seats-assigned-to-a-user.md)
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
index f74caeda09..d1e7b033f2 100644
--- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
+++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
@@ -11,8 +11,7 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
-author: manikadhiman
-ms.date: 11/19/2020
+author: dansimp
---
# MDM enrollment of Windows 10-based devices
@@ -169,10 +168,10 @@ There are a few instances where your device cannot be connected to an Azure AD d
-## Connect personally-owned devices
+## Connect personally owned devices
-Personally-owned devices, also known as bring your own device (BYOD), can be connected to a work or school account, or to MDM. Windows 10 does not require a personal Microsoft account on devices to connect to work or school.
+Personally owned devices, also known as bring your own device (BYOD), can be connected to a work or school account, or to MDM. Windows 10 does not require a personal Microsoft account on devices to connect to work or school.
### Connect to a work or school account
@@ -248,7 +247,7 @@ To create a local account and connect the device:
After you complete the flow, your device will be connected to your organization’s MDM.
-### Help with connecting personally-owned devices
+### Help with connecting personally owned devices
There are a few instances where your device may not be able to connect to work.
@@ -280,7 +279,7 @@ The deep link used for connecting your device to work will always use the follow
| accesstoken | Custom parameter for MDM servers to use as they see fit. Typically, this can be used as a token to validate the enrollment request. Added in Windows 10, version 1703. | string |
| deviceidentifier | Custom parameter for MDM servers to use as they see fit. Typically, this can be used to pass in a unique device identifier. Added in Windows 10, version 1703. | GUID |
| tenantidentifier | Custom parameter for MDM servers to use as they see fit. Typically, this can be used to identify which tenant the device or user belongs to. Added in Windows 10, version 1703. | GUID or string |
-| ownership | Custom parameter for MDM servers to use as they see fit. Typically, this can be used to determine whether the device is BYOD or Corp Owned. Added in Windows 10, version 1703. | 1, 2, or 3 |
+| ownership | Custom parameter for MDM servers to use as they see fit. Typically, this can be used to determine whether the device is BYOD or Corp Owned. Added in Windows 10, version 1703. | 1, 2, or 3. Where "1" means ownership is unknown, "2" means the device is personally owned, and "3" means the device is corporate-owned |
> [!NOTE]
> AWA and AADJ values for mode are only supported on Windows 10, version 1709 and later.
diff --git a/windows/client-management/mdm/mobile-device-enrollment.md b/windows/client-management/mdm/mobile-device-enrollment.md
index 061a5abdb2..32f9b5ee66 100644
--- a/windows/client-management/mdm/mobile-device-enrollment.md
+++ b/windows/client-management/mdm/mobile-device-enrollment.md
@@ -32,7 +32,7 @@ The enrollment process includes the following steps:
## Enrollment protocol
-There are a number of changes made to the enrollment protocol to better support a variety of scenarios across all platforms. For detailed information about the mobile device enrollment protocol, see [\[MS-MDM\]: Mobile Device Management Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347).
+There are a number of changes made to the enrollment protocol to better support a variety of scenarios across all platforms. For detailed information about the mobile device enrollment protocol, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347).
The enrollment process involves the following steps:
@@ -40,7 +40,7 @@ The enrollment process involves the following steps:
The discovery request is a simple HTTP post call that returns XML over HTTP. The returned XML includes the authentication URL, the management service URL, and the user credential type.
### Certificate enrollment policy
-The certificate enrollment policy configuration is an implementation of the MS-XCEP protocol, which is described in \[MS-XCEP\]: X.509 Certificate Enrollment Policy Protocol Specification. Section 4 of the specification provides an example of the policy request and response. The X.509 Certificate Enrollment Policy Protocol is a minimal messaging protocol that includes a single client request message (GetPolicies) with a matching server response message (GetPoliciesResponse). For more information, see [\[MS-XCEP\]: X.509 Certificate Enrollment Policy Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619345)
+The certificate enrollment policy configuration is an implementation of the MS-XCEP protocol, which is described in \[MS-XCEP\]: X.509 Certificate Enrollment Policy Protocol Specification. Section 4 of the specification provides an example of the policy request and response. The X.509 Certificate Enrollment Policy Protocol is a minimal messaging protocol that includes a single client request message (GetPolicies) with a matching server response message (GetPoliciesResponse). For more information, see [\[MS-XCEP\]: X.509 Certificate Enrollment Policy Protocol](/openspecs/windows_protocols/ms-xcep/08ec4475-32c2-457d-8c27-5a176660a210)
### Certificate enrollment
The certificate enrollment is an implementation of the MS-WSTEP protocol.
@@ -291,4 +291,4 @@ TraceID is a freeform text node which is logged. It should identify the server s
- [MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md)
- [Federated authentication device enrollment](federated-authentication-device-enrollment.md)
- [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md)
-- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md)
+- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md)
\ No newline at end of file
diff --git a/windows/client-management/mdm/nap-csp.md b/windows/client-management/mdm/nap-csp.md
index dcaef76767..89d18c8eff 100644
--- a/windows/client-management/mdm/nap-csp.md
+++ b/windows/client-management/mdm/nap-csp.md
@@ -23,10 +23,44 @@ The NAP (Network Access Point) Configuration Service Provider is used to manage
For the NAP CSP, you cannot use the Replace command unless the node already exists.
-The following diagram shows the NAP configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol is not supported by this configuration service provider.
-
-
-
+The following shows the NAP configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol is not supported by this configuration service provider.
+```
+./Vendor/MSFT
+NAP
+----*
+--------NapId
+--------Name
+--------Addr
+--------AddrType
+--------IPv4
+------------AutoConfig
+------------LocalAddr
+------------NetMask
+------------Gateway
+------------DNS
+----------------*
+--------------------DNSAddr
+--------IPv6
+------------AutoConfig
+------------LocalAddr
+--------Linger
+--------AuthInfo
+------------AuthType
+------------AuthName
+------------AuthSecret
+------------AuthEntities
+----------------*
+--------------------AuthEntity
+------------SPI
+--------Bearer
+------------BearerType
+--------Ext
+------------Microsoft
+----------------Guid
+----------------AlwaysOn
+----------------Secure
+----------------SecureLevel
+```
**./Vendor/MSFT/NAP**
Root node.
diff --git a/windows/client-management/mdm/networkproxy-csp.md b/windows/client-management/mdm/networkproxy-csp.md
index 43aff61d37..4fa1f6289f 100644
--- a/windows/client-management/mdm/networkproxy-csp.md
+++ b/windows/client-management/mdm/networkproxy-csp.md
@@ -28,10 +28,18 @@ How the settings work:
-The following diagram shows the NetworkProxy configuration service provider in tree format.
-
-
-
+The following shows the NetworkProxy configuration service provider in tree format.
+```
+./Vendor/MSFT
+NetworkProxy
+----ProxySettingsPerUser
+----AutoDetect
+----SetupScriptUrl
+----ProxyServer
+--------ProxyAddress
+--------Exceptions
+--------UseProxyForLocalAddresses
+```
**./Vendor/MSFT/NetworkProxy**
The root node for the NetworkProxy configuration service provider..
diff --git a/windows/client-management/mdm/networkqospolicy-csp.md b/windows/client-management/mdm/networkqospolicy-csp.md
index 19a52ed0be..3c523ba304 100644
--- a/windows/client-management/mdm/networkqospolicy-csp.md
+++ b/windows/client-management/mdm/networkqospolicy-csp.md
@@ -27,10 +27,19 @@ The following actions are supported:
> [!NOTE]
> The NetworkQoSPolicy configuration service provider is officially supported for devices that are Intune managed and Azure AD joined. Currently, this CSP is not supported on Azure AD Hybrid joined devices and for devices using GPO and CSP at the same time. The minimum operating system requirement for this CSP is Windows 10, version 2004. This CSP is supported only in Microsoft Surface Hub prior to Window 10, version 2004.
-The following diagram shows the NetworkQoSPolicy configuration service provider in tree format.
-
-
-
+The following shows the NetworkQoSPolicy configuration service provider in tree format.
+```
+./Device/Vendor/MSFT
+NetworkQoSPolicy
+----Version
+----Name
+--------IPProtocolMatchCondition
+--------AppPathNameMatchCondition
+--------SourcePortMatchCondition
+--------DestinationPortMatchCondition
+--------PriorityValue8021Action
+--------DSCPAction
+```
**NetworkQoSPolicy**
First release for Deferred channel
+First release for Deferred channel
Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel.
June 13 2017
- UXInitiated - boolean value that indicates whether the enrollment is user initiated from the Settings page.
-ExternalMgmtAgentHint - a string the agent uses to give hints the enrollment server may need.
- DomainName - fully qualified domain name if the device is domain-joined. |
+| The [The [MS-MDE2]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692) | The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:
- UXInitiated - boolean value that indicates whether the enrollment is user initiated from the Settings page.
-ExternalMgmtAgentHint - a string the agent uses to give hints the enrollment server may need.
- DomainName - fully qualified domain name if the device is domain-joined. |
| [Firewall CSP](firewall-csp.md) | Added new CSP in Windows 10, version 1709. |
| [eUICCs CSP](euiccs-csp.md) | Added new CSP in Windows 10, version 1709. |
| [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)
[WindowsDefenderApplicationGuard DDF file](windowsdefenderapplicationguard-ddf-file.md) | New CSP added in Windows 10, version 1709. Also added the DDF topic. |
@@ -116,9 +116,9 @@ For details about Microsoft mobile device management protocols for Windows 10 s
| [Office CSP](office-csp.md) | Added the following setting in Windows 10, version 1709:
- Installation/CurrentStatus |
| [DMClient CSP](dmclient-csp.md) | Added new nodes to the DMClient CSP in Windows 10, version 1709. Updated the CSP and DDF articles. |
| [Bitlocker CSP](bitlocker-csp.md) | Changed the minimum personal identification number (PIN) length to 4 digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709. |
-| [ADMX-backed policies in Policy CSP](policy-csps-admx-backed.md) | Added new policies. |
+| [ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) | Added new policies. |
| Microsoft Store for Business and Microsoft Store | Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store. |
-| [MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md) | New features in the Settings app:
- User sees installation progress of critical policies during MDM enrollment.
- User knows what policies, profiles, apps MDM has configured
- IT helpdesk can get detailed MDM diagnostic information using client tools
For details, see [Managing connection](https://docs.microsoft.com/windows/client-management/mdm/mdm-enrollment-of-windows-devices#manage-connections) and [Collecting diagnostic logs](https://docs.microsoft.com/windows/client-management/mdm/mdm-enrollment-of-windows-devices#collecting-diagnostic-logs).|
+| [MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md) | New features in the Settings app:
- User sees installation progress of critical policies during MDM enrollment.
- User knows what policies, profiles, apps MDM has configured
- IT helpdesk can get detailed MDM diagnostic information using client tools
For details, see [Managing connection](./mdm-enrollment-of-windows-devices.md#manage-connections) and [Collecting diagnostic logs](./mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs).|
| [Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md) | Added new topic to introduce a new Group Policy for automatic MDM enrollment. |
| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies for Windows 10, version 1709:
- Authentication/AllowAadPasswordReset
- Authentication/AllowFidoDeviceSignon
- Browser/LockdownFavorites
- Browser/ProvisionFavorites
- Cellular/LetAppsAccessCellularData
- Cellular/LetAppsAccessCellularData_ForceAllowTheseApps
- Cellular/LetAppsAccessCellularData_ForceDenyTheseApps
- Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps
- CredentialProviders/DisableAutomaticReDeploymentCredentials
- DeviceGuard/EnableVirtualizationBasedSecurity
- DeviceGuard/RequirePlatformSecurityFeatures
- DeviceGuard/LsaCfgFlags
- DeviceLock/MinimumPasswordAge
- ExploitGuard/ExploitProtectionSettings
- Games/AllowAdvancedGamingServices
- Handwriting/PanelDefaultModeDocked
- LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts
- LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
- LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount
- LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount
- LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
- LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn
- LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn
- LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL
- LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit
- LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn
- LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn
- LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM
- LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests
- LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
- LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
- LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators
- LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
- LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated
- LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations
- LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode
- LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation
- LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations
- Power/DisplayOffTimeoutOnBattery
- Power/DisplayOffTimeoutPluggedIn
- Power/HibernateTimeoutOnBattery
- Power/HibernateTimeoutPluggedIn
- Power/StandbyTimeoutOnBattery
- Power/StandbyTimeoutPluggedIn
- Privacy/EnableActivityFeed
- Privacy/PublishUserActivities
- Defender/AttackSurfaceReductionOnlyExclusions
- Defender/AttackSurfaceReductionRules
- Defender/CloudBlockLevel
- Defender/CloudExtendedTimeout
- Defender/ControlledFolderAccessAllowedApplications
- Defender/ControlledFolderAccessProtectedFolders
- Defender/EnableControlledFolderAccess
- Defender/EnableNetworkProtection
- Education/DefaultPrinterName
- Education/PreventAddingNewPrinters
- Education/PrinterNames
- Search/AllowCloudSearch
- Security/ClearTPMIfNotReady
- Settings/AllowOnlineTips
- Start/HidePeopleBar
- Storage/AllowDiskHealthModelUpdates
- System/DisableEnterpriseAuthProxy
- System/LimitEnhancedDiagnosticDataWindowsAnalytics
- Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork
- Update/DisableDualScan
- Update/ManagePreviewBuilds
- Update/ScheduledInstallEveryWeek
- Update/ScheduledInstallFirstWeek
- Update/ScheduledInstallFourthWeek
- Update/ScheduledInstallSecondWeek
- Update/ScheduledInstallThirdWeek
- WindowsDefenderSecurityCenter/CompanyName
- WindowsDefenderSecurityCenter/DisableAppBrowserUI
- WindowsDefenderSecurityCenter/DisableEnhancedNotifications
- WindowsDefenderSecurityCenter/DisableFamilyUI
- WindowsDefenderSecurityCenter/DisableHealthUI
- WindowsDefenderSecurityCenter/DisableNetworkUI
- WindowsDefenderSecurityCenter/DisableNotifications
- WindowsDefenderSecurityCenter/DisableVirusUI
- WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride
- WindowsDefenderSecurityCenter/Email
- WindowsDefenderSecurityCenter/EnableCustomizedToasts
- WindowsDefenderSecurityCenter/EnableInAppCustomization
- WindowsDefenderSecurityCenter/Phone
- WindowsDefenderSecurityCenter/URL
- WirelessDisplay/AllowMdnsAdvertisement
- WirelessDisplay/AllowMdnsDiscovery |
@@ -145,7 +145,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
| [BitLocker CSP](bitlocker-csp.md) | Added the new CSP.
- AllowWarningForOtherDiskEncryption |
| [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) | Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported.
Added the following settings:
- RevokeOnMDMHandoff
- SMBAutoEncryptedFileExtensions |
| [DynamicManagement CSP](dynamicmanagement-csp.md) | Added the new CSP. |
-| [Implement server-side support for mobile application management on Windows](https://docs.microsoft.com/windows/client-management/mdm/implement-server-side-mobile-application-management) | New mobile application management (MAM) support added in Windows 10, version 1703. |
+| [Implement server-side support for mobile application management on Windows](./implement-server-side-mobile-application-management.md) | New mobile application management (MAM) support added in Windows 10, version 1703. |
| [PassportForWork CSP](passportforwork-csp.md) | Added the following new node and settings:
- _TenantId_/Policies/ExcludeSecurityDevices (only for ./Device/Vendor/MSFT)
- _TenantId_/Policies/ExcludeSecurityDevices/TPM12 (only for ./Device/Vendor/MSFT)
- _TenantId_/Policies/EnablePinRecovery |
| [Office CSP](office-csp.md) | Added the new CSP. |
| [Personalization CSP](personalization-csp.md) | Added the new CSP. |
@@ -161,13 +161,13 @@ For details about Microsoft mobile device management protocols for Windows 10 s
| [NodeCache CSP](nodecache-csp.md) | Added following settings:
- ChangedNodesData
- AutoSetExpectedValue |
| [Download all the DDF files for Windows 10, version 1703](https://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) | Added a zip file containing the DDF XML files of the CSPs. The link to the download is available in the DDF articles of various CSPs. |
| [RemoteWipe CSP](remotewipe-csp.md) | Added new setting in Windows 10, version 1703:
- doWipeProtected |
-| [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/hardware/dn905224) | Added new classes and properties. |
-| [Understanding ADMX-backed policies](https://docs.microsoft.com/windows/client-management/mdm/understanding-admx-backed-policies) | Added a section describing SyncML examples of various ADMX elements. |
-| [Win32 and Desktop Bridge app policy configuration](https://docs.microsoft.com/windows/client-management/mdm/win32-and-centennial-app-policy-configuration) | New article. |
-| [Deploy and configure App-V apps using MDM](https://docs.microsoft.com/windows/client-management/mdm/appv-deploy-and-config) | Added a new article describing how to deploy and configure App-V apps using MDM. |
+| [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) | Added new classes and properties. |
+| [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md) | Added a section describing SyncML examples of various ADMX elements. |
+| [Win32 and Desktop Bridge app policy configuration](./win32-and-centennial-app-policy-configuration.md) | New article. |
+| [Deploy and configure App-V apps using MDM](./appv-deploy-and-config.md) | Added a new article describing how to deploy and configure App-V apps using MDM. |
| [EnterpriseDesktopAppManagement CSP](enterprisedesktopappmanagement-csp.md) | Added new setting in the March service release of Windows 10, version 1607.
- MSI/UpgradeCode/[Guid] |
| [Reporting CSP](reporting-csp.md) | Added new settings in Windows 10, version 1703.
- EnterpriseDataProtection/RetrieveByTimeRange/Type
- EnterpriseDataProtection/RetrieveByCount/Type |
-| [Connect your Windows 10-based device to work using a deep link](https://docs.microsoft.com/windows/client-management/mdm/mdm-enrollment-of-windows-devices#connect-your-windows-10-based-device-to-work-using-a-deep-link) | Added following deep link parameters to the table:
- Username
- Servername
- Accesstoken
- Deviceidentifier
- Tenantidentifier
- Ownership |
+| [Connect your Windows 10-based device to work using a deep link](./mdm-enrollment-of-windows-devices.md#connect-your-windows-10-based-device-to-work-using-a-deep-link) | Added following deep link parameters to the table:
- Username
- Servername
- Accesstoken
- Deviceidentifier
- Tenantidentifier
- Ownership |
| MDM support for Windows 10 S | Updated the following articles to indicate MDM support in Windows 10 S.
- [Configuration service provider reference](configuration-service-provider-reference.md)
- [Policy CSP](policy-configuration-service-provider.md) |
| [TPMPolicy CSP](tpmpolicy-csp.md) | Added the new CSP. |
@@ -192,7 +192,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
| [Win32AppInventory CSP](win32appinventory-csp.md) | New CSP. |
| [SharedPC CSP](sharedpc-csp.md) | New CSP. |
| [WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md) | New CSP. |
-| [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/hardware/dn905224) | Added new classes for Windows 10, version 1607. |
+| [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) | Added new classes for Windows 10, version 1607. |
| [MDM enrollment of Windows devices](mdm-enrollment-of-windows-devices.md) | Article renamed from "Enrollment UI".
Completely updated enrollment procedures and screenshots. |
| [UnifiedWriteFilter CSP](unifiedwritefilter-csp.md)
[UnifiedWriteFilter DDF File](unifiedwritefilter-ddf.md) | Added the following new setting for Windows 10, version 1607:
- NextSession/HORMEnabled |
| [CertificateStore CSP](certificatestore-csp.md)
[CertificateStore DDF file](certificatestore-ddf-file.md) | Added the following new settings in Windows 10, version 1607:
- My/WSTEP/Renew/LastRenewalAttemptTime
- My/WSTEP/Renew/RenewNow |
@@ -457,7 +457,7 @@ Alternatively you can use the following procedure to create an EAP Configuration
8. Continue following the procedure in the [EAP configuration](eap-configuration.md) article from Step 9 to get an EAP TLS profile with appropriate filtering.
> [!NOTE]
-> You can also set all the other applicable EAP Properties through this UI as well. A guide to what these properties mean can be found in [Extensible Authentication Protocol (EAP) Settings for Network Access](https://technet.microsoft.com/library/hh945104.aspx).
+> You can also set all the other applicable EAP Properties through this UI as well. A guide to what these properties mean can be found in [Extensible Authentication Protocol (EAP) Settings for Network Access](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh945104(v=ws.11)).
### Remote PIN reset not supported in Azure Active Directory joined mobile devices
@@ -478,7 +478,7 @@ If you want to use the certificate used for VPN authentication also for Kerberos
### Device management agent for the push-button reset is not working
-The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/push-button-reset-overview) keeps the registry settings for OMA DM sessions, but deletes the task schedules. The client enrollment is retained, but it never syncs with the MDM service.
+The DM agent for [push-button reset](/windows-hardware/manufacture/desktop/push-button-reset-overview) keeps the registry settings for OMA DM sessions, but deletes the task schedules. The client enrollment is retained, but it never syncs with the MDM service.
## Frequently Asked Questions
@@ -506,4 +506,4 @@ How do I turn if off? | The service can be stopped from the "Services" console o
## Change history for MDM documentation
-To know what's changed in MDM documentation, see [Change history for MDM documentation](change-history-for-mdm-documentation.md).
+To know what's changed in MDM documentation, see [Change history for MDM documentation](change-history-for-mdm-documentation.md).
\ No newline at end of file
diff --git a/windows/client-management/mdm/nodecache-csp.md b/windows/client-management/mdm/nodecache-csp.md
index 045b8152d9..ff47aa238d 100644
--- a/windows/client-management/mdm/nodecache-csp.md
+++ b/windows/client-management/mdm/nodecache-csp.md
@@ -27,10 +27,47 @@ application/x-nodemon-sha256
NodeCache will hash the values and compare with a hash value that was sent down by the server. This supports checking a parent node and its children recursively.
-The following diagram shows the NodeCache configuration service provider in tree format.
+The following shows the NodeCache configuration service provider in tree format.
+```
+./User/Vendor/MSFT
+NodeCache
+----ProviderID
+--------CacheVersion
+--------ChangedNodes
+--------ChangedNodesData
+--------Nodes
+------------NodeID
+----------------NodeURI
+----------------ExpectedValue
+----------------AutoSetExpectedValue
-
+./Device/Vendor/MSFT
+NodeCache
+----ProviderID
+--------CacheVersion
+--------ChangedNodes
+--------ChangedNodesData
+--------Nodes
+------------NodeID
+----------------NodeURI
+----------------ExpectedValue
+----------------AutoSetExpectedValue
+
+
+./User/Vendor/MSFT
+./Device/Vendor/MSFT
+NodeCache
+----ProviderID
+--------CacheVersion
+--------ChangedNodes
+--------ChangedNodesData
+--------Nodes
+------------NodeID
+----------------NodeURI
+----------------ExpectedValue
+----------------AutoSetExpectedValue
+```
**./Device/Vendor/MSFT and ./User/Vendor/MSFT**
Required. The root node for the NodeCache object. Supported operation is Get. This configuration service provider is used for enterprise device management only. This is a predefined MIME type to identify this managed object in OMA DM syntax.
diff --git a/windows/client-management/mdm/office-csp.md b/windows/client-management/mdm/office-csp.md
index 58e1e0a8e9..7516e3c411 100644
--- a/windows/client-management/mdm/office-csp.md
+++ b/windows/client-management/mdm/office-csp.md
@@ -14,16 +14,38 @@ manager: dansimp
# Office CSP
-The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool (ODT). For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/library/jj219426.aspx) and [How to assign Office 365 apps to Windows 10 devices with Microsoft Intune](https://docs.microsoft.com/intune/apps-add-office365).
+The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool (ODT). For more information, see [Configuration options for the Office Deployment Tool](/deployoffice/office-deployment-tool-configuration-options) and [How to assign Office 365 apps to Windows 10 devices with Microsoft Intune](/intune/apps-add-office365).
This CSP was added in Windows 10, version 1703.
For additional information, see [Office DDF](office-ddf.md).
-The following diagram shows the Office configuration service provider in tree format.
+The following shows the Office configuration service provider in tree format.
+```
+./Vendor/MSFT
+Office
+----Installation
+--------id
+------------Install
+------------Status
-
+./Device/Vendor/MSFT
+Office
+----Installation
+--------id
+------------Install
+------------Status
+
+
+./Vendor/MSFT
+./Device/Vendor/MSFT
+Office
+----Installation
+--------id
+------------Install
+------------Status
+```
**./Device/Vendor/MSFT/Office/ or ./User/Vendor/MSFT/Office**
The root node for the Office configuration service provider.Failure
-
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md
index fbb49aae1f..c73d5fdc8d 100644
--- a/windows/client-management/mdm/passportforwork-csp.md
+++ b/windows/client-management/mdm/passportforwork-csp.md
@@ -35,7 +35,7 @@ The following diagram shows the PassportForWork configuration service provider i
Root node for PassportForWork configuration service provider.
***TenantId***
-A globally unique identifier (GUID), without curly braces ( { , } ), that is used as part of Windows Hello for Business provisioning and management. To get a GUID, use the PowerShell cmdlet [Get-AzureAccount](https://docs.microsoft.com/powershell/module/servicemanagement/azure/get-azureaccount). For more information see [Get Windows Azure Active Directory Tenant ID in Windows PowerShell](https://devblogs.microsoft.com/scripting/get-windows-azure-active-directory-tenant-id-in-windows-powershell).
+A globally unique identifier (GUID), without curly braces ( { , } ), that is used as part of Windows Hello for Business provisioning and management. To get a GUID, use the PowerShell cmdlet [Get-AzureAccount](/powershell/module/servicemanagement/azure/get-azureaccount). For more information see [Get Windows Azure Active Directory Tenant ID in Windows PowerShell](https://devblogs.microsoft.com/scripting/get-windows-azure-active-directory-tenant-id-in-windows-powershell).
***TenantId*/Policies**
Node for defining the Windows Hello for Business policy settings.
@@ -271,7 +271,7 @@ Scope is permanent. Supported operation is Get.
**SecurityKey/UseSecurityKeyForSignin** (only for ./Device/Vendor/MSFT)
-Added in Windows 10, version 1903. Enables users to sign-in to their device with a [FIDO2 security key](https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-passwordless#fido2-security-keys) that is compatible with Microsoft’s implementation.
+Added in Windows 10, version 1903. Enables users to sign-in to their device with a [FIDO2 security key](/azure/active-directory/authentication/concept-authentication-passwordless#fido2-security-keys) that is compatible with Microsoft’s implementation.
Scope is dynamic. Supported operations are Add, Get, Replace, and Delete.
@@ -500,10 +500,4 @@ Here's an example for setting Windows Hello for Business and setting the PIN pol
-
-
-
-
-
-
-
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/personalization-csp.md b/windows/client-management/mdm/personalization-csp.md
index 8d4f260502..bf3d84f0f4 100644
--- a/windows/client-management/mdm/personalization-csp.md
+++ b/windows/client-management/mdm/personalization-csp.md
@@ -20,10 +20,15 @@ This CSP was added in Windows 10, version 1703.
> [!Note]
> Personalization CSP is supported in Windows 10 Enterprise and Education SKUs. It works in Windows 10 Pro and Windows 10 Pro in S mode if SetEduPolicies in [SharedPC CSP](sharedpc-csp.md) is set.
-The following diagram shows the Personalization configuration service provider in tree format.
-
-
-
+The following shows the Personalization configuration service provider in tree format.
+```
+./Vendor/MSFT
+Personalization
+----DesktopImageUrl
+----DesktopImageStatus
+----LockScreenImageUrl
+----LockScreenImageStatus
+```
**./Vendor/MSFT/Personalization**
./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall. Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Desktop Bridge app policies, see Win32 and Desktop Bridge app policy configuration.
> [!NOTE]
-> The OPAX settings that are managed by the Microsoft Office Customization Tool are not supported by MDM. For more information about this tool, see [Office Customization Tool](https://technet.microsoft.com/library/cc179097.aspx).
+> The OPAX settings that are managed by the Microsoft Office Customization Tool are not supported by MDM. For more information about this tool, see [Office Customization Tool](/previous-versions/office/office-2013-resource-kit/cc179097(v=office.15)).
-./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}.
+./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}.
@@ -1714,7 +1722,7 @@ The following diagram shows the Policy configuration service provider in tree fo
ADMX_MicrosoftDefenderAntivirus/Reporting_DisableEnhancedNotifications
+### ADMX_Winsrv policies
+
+
+
### ADMX_wlansvc policies
@@ -8571,26 +8587,27 @@ The following diagram shows the Policy configuration service provider in tree fo
+
## Policies in Policy CSP supported by Group Policy and ADMX-backed policies in Policy CSP
-- [Policies in Policy CSP supported by Group Policy](policy-csps-supported-by-group-policy.md)
-- [ADMX-backed policies in Policy CSP](policy-csps-admx-backed.md)
+- [Policies in Policy CSP supported by Group Policy](./policies-in-policy-csp-supported-by-group-policy.md)
+- [ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
> [!NOTE]
> Not all Policies in Policy CSP supported by Group Policy are ADMX-backed. For more details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
## Policies in Policy CSP supported by HoloLens devices
-- [Policies in Policy CSP supported by HoloLens 2](policy-csps-supported-by-hololens2.md)
-- [Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite](policy-csps-supported-by-hololens-1st-gen-commercial-suite.md)
-- [Policies in Policy CSP supported by HoloLens (1st gen) Development Edition](policy-csps-supported-by-hololens-1st-gen-development-edition.md)
+- [Policies in Policy CSP supported by HoloLens 2](./policies-in-policy-csp-supported-by-hololens2.md)
+- [Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite](./policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md)
+- [Policies in Policy CSP supported by HoloLens (1st gen) Development Edition](./policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md)
## Policies in Policy CSP supported by Windows 10 IoT
-- [Policies in Policy CSP supported by Windows 10 IoT Core](policy-csps-supported-by-iot-core.md)
+- [Policies in Policy CSP supported by Windows 10 IoT Core](./policies-in-policy-csp-supported-by-iot-core.md)
## Policies in Policy CSP supported by Microsoft Surface Hub
-- [Policies in Policy CSP supported by Microsoft Surface Hub](policy-csps-supported-by-surface-hub.md)
+- [Policies in Policy CSP supported by Microsoft Surface Hub](./policies-in-policy-csp-supported-by-surface-hub.md)
## Policies in Policy CSP that can be set using Exchange ActiveSync (EAS)
-- [Policies in Policy CSP that can be set using Exchange ActiveSync (EAS)](policy-csps-that-can-be-set-using-eas.md)
+- [Policies in Policy CSP that can be set using Exchange ActiveSync (EAS)](./policies-in-policy-csp-that-can-be-set-using-eas.md)
## Related topics
diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md
index 4367ed3ed6..644ff6136e 100644
--- a/windows/client-management/mdm/policy-csp-accounts.md
+++ b/windows/client-management/mdm/policy-csp-accounts.md
@@ -230,7 +230,7 @@ The following list shows the supported values:
Added in Windows 10, version 1703. Allows IT Admins the ability to disable the "Microsoft Account Sign-In Assistant" (wlidsvc) NT service.
> [!NOTE]
-> If the MSA service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are).
+> If the MSA service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are).
> [!NOTE]
> If the MSA service is disabled, the Subscription Activation feature will not work properly and your users will not be able to “step-up” from Windows 10 Pro to Windows 10 Enterprise, because the MSA ticket for license authentication cannot be generated. The machine will remain on Windows 10 Pro and no error will be displayed in the Activation Settings app.
@@ -257,5 +257,4 @@ Footnotes:
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
-
-
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md
index 2b4c414ae7..a4020d12f2 100644
--- a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md
+++ b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md
@@ -104,17 +104,8 @@ ADMX Info:
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607
-- 2 - Available in Windows 10, version 1703
-- 3 - Available in Windows 10, version 1709
-- 4 - Available in Windows 10, version 1803
-- 5 - Available in Windows 10, version 1809
-- 6 - Available in Windows 10, version 1903
-- 7 - Available in Windows 10, version 1909
-- 8 - Available in Windows 10, version 2004
-- 9 - Available in Windows 10, version 20H2
+> [!NOTE]
+> These policies are currently only available as part of a Windows Insider release.
diff --git a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md
index 0c6e0067ac..647cff6ce4 100644
--- a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md
+++ b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md
@@ -939,17 +939,8 @@ ADMX Info:
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607
-- 2 - Available in Windows 10, version 1703
-- 3 - Available in Windows 10, version 1709
-- 4 - Available in Windows 10, version 1803
-- 5 - Available in Windows 10, version 1809
-- 6 - Available in Windows 10, version 1903
-- 7 - Available in Windows 10, version 1909
-- 8 - Available in Windows 10, version 2004
-- 9 - Available in Windows 10, version 20H2
+> [!NOTE]
+> These policies are currently only available as part of a Windows Insider release.
diff --git a/windows/client-management/mdm/policy-csp-admx-appcompat.md b/windows/client-management/mdm/policy-csp-admx-appcompat.md
index b626e67721..ff2c292c54 100644
--- a/windows/client-management/mdm/policy-csp-admx-appcompat.md
+++ b/windows/client-management/mdm/policy-csp-admx-appcompat.md
@@ -729,17 +729,8 @@ ADMX Info:
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607
-- 2 - Available in Windows 10, version 1703
-- 3 - Available in Windows 10, version 1709
-- 4 - Available in Windows 10, version 1803
-- 5 - Available in Windows 10, version 1809
-- 6 - Available in Windows 10, version 1903
-- 7 - Available in Windows 10, version 1909
-- 8 - Available in Windows 10, version 2004
-- 9 - Available in Windows 10, version 20H2
+> [!NOTE]
+> These policies are currently only available as part of a Windows Insider release.
diff --git a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md
index 086c0dafc1..9a4ac00b81 100644
--- a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md
+++ b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md
@@ -106,16 +106,7 @@ ADMX Info:
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607
-- 2 - Available in Windows 10, version 1703
-- 3 - Available in Windows 10, version 1709
-- 4 - Available in Windows 10, version 1803
-- 5 - Available in Windows 10, version 1809
-- 6 - Available in Windows 10, version 1903
-- 7 - Available in Windows 10, version 1909
-- 8 - Available in Windows 10, version 2004
-- 9 - Available in Windows 10, version 20H2
+> [!NOTE]
+> These policies are currently only available as part of a Windows Insider release.
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-appxruntime.md b/windows/client-management/mdm/policy-csp-admx-appxruntime.md
index 6d76bd5f74..de1358be57 100644
--- a/windows/client-management/mdm/policy-csp-admx-appxruntime.md
+++ b/windows/client-management/mdm/policy-csp-admx-appxruntime.md
@@ -323,17 +323,8 @@ ADMX Info:
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607
-- 2 - Available in Windows 10, version 1703
-- 3 - Available in Windows 10, version 1709
-- 4 - Available in Windows 10, version 1803
-- 5 - Available in Windows 10, version 1809
-- 6 - Available in Windows 10, version 1903
-- 7 - Available in Windows 10, version 1909
-- 8 - Available in Windows 10, version 2004
-- 9 - Available in Windows 10, version 20H2
+> [!NOTE]
+> These policies are currently only available as part of a Windows Insider release.
diff --git a/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md
index 895402efef..8bc9cf11ea 100644
--- a/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md
+++ b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md
@@ -407,17 +407,7 @@ ADMX Info:
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607
-- 2 - Available in Windows 10, version 1703
-- 3 - Available in Windows 10, version 1709
-- 4 - Available in Windows 10, version 1803
-- 5 - Available in Windows 10, version 1809
-- 6 - Available in Windows 10, version 1903
-- 7 - Available in Windows 10, version 1909
-- 8 - Available in Windows 10, version 2004
-- 9 - Available in Windows 10, version 20H2
-
+> [!NOTE]
+> These policies are currently only available as part of a Windows Insider release.
diff --git a/windows/client-management/mdm/policy-csp-admx-auditsettings.md b/windows/client-management/mdm/policy-csp-admx-auditsettings.md
index 2564a91801..45e3546cb4 100644
--- a/windows/client-management/mdm/policy-csp-admx-auditsettings.md
+++ b/windows/client-management/mdm/policy-csp-admx-auditsettings.md
@@ -104,17 +104,8 @@ ADMX Info:
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607
-- 2 - Available in Windows 10, version 1703
-- 3 - Available in Windows 10, version 1709
-- 4 - Available in Windows 10, version 1803
-- 5 - Available in Windows 10, version 1809
-- 6 - Available in Windows 10, version 1903
-- 7 - Available in Windows 10, version 1909
-- 8 - Available in Windows 10, version 2004
-- 9 - Available in Windows 10, version 20H2
+> [!NOTE]
+> These policies are currently only available as part of a Windows Insider release.
diff --git a/windows/client-management/mdm/policy-csp-admx-bits.md b/windows/client-management/mdm/policy-csp-admx-bits.md
index 35597b677e..a9c4c671d0 100644
--- a/windows/client-management/mdm/policy-csp-admx-bits.md
+++ b/windows/client-management/mdm/policy-csp-admx-bits.md
@@ -1086,17 +1086,8 @@ ADMX Info:
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607
-- 2 - Available in Windows 10, version 1703
-- 3 - Available in Windows 10, version 1709
-- 4 - Available in Windows 10, version 1803
-- 5 - Available in Windows 10, version 1809
-- 6 - Available in Windows 10, version 1903
-- 7 - Available in Windows 10, version 1909
-- 8 - Available in Windows 10, version 2004
-- 9 - Available in Windows 10, version 20H2
+> [!NOTE]
+> These policies are currently only available as part of a Windows Insider release.
diff --git a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md
index e8a57b01bf..b258029bba 100644
--- a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md
+++ b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md
@@ -84,7 +84,7 @@ If you enable this policy setting, SSL cipher suites are prioritized in the orde
If you disable or do not configure this policy setting, default cipher suite order is used.
-For information about supported cipher suites, see [Cipher Suites in TLS/SSL (Schannel SSP)](https://go.microsoft.com/fwlink/?LinkId=517265).
+For information about supported cipher suites, see [Cipher Suites in TLS/SSL (Schannel SSP)](/windows/win32/secauthn/cipher-suites-in-schannel).
> [!TIP]
@@ -188,17 +188,7 @@ ADMX Info:
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607
-- 2 - Available in Windows 10, version 1703
-- 3 - Available in Windows 10, version 1709
-- 4 - Available in Windows 10, version 1803
-- 5 - Available in Windows 10, version 1809
-- 6 - Available in Windows 10, version 1903
-- 7 - Available in Windows 10, version 1909
-- 8 - Available in Windows 10, version 2004
-- 9 - Available in Windows 10, version 20H2
-
-
+> [!NOTE]
+> These policies are currently only available as part of a Windows Insider release.
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-com.md b/windows/client-management/mdm/policy-csp-admx-com.md
index aaaa28a510..fe5fda7a65 100644
--- a/windows/client-management/mdm/policy-csp-admx-com.md
+++ b/windows/client-management/mdm/policy-csp-admx-com.md
@@ -182,17 +182,7 @@ ADMX Info:
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607
-- 2 - Available in Windows 10, version 1703
-- 3 - Available in Windows 10, version 1709
-- 4 - Available in Windows 10, version 1803
-- 5 - Available in Windows 10, version 1809
-- 6 - Available in Windows 10, version 1903
-- 7 - Available in Windows 10, version 1909
-- 8 - Available in Windows 10, version 2004
-- 9 - Available in Windows 10, version 20H2
-
+> [!NOTE]
+> These policies are currently only available as part of a Windows Insider release.
diff --git a/windows/client-management/mdm/policy-csp-admx-controlpanel.md b/windows/client-management/mdm/policy-csp-admx-controlpanel.md
index 4a340834f9..e2b1569c90 100644
--- a/windows/client-management/mdm/policy-csp-admx-controlpanel.md
+++ b/windows/client-management/mdm/policy-csp-admx-controlpanel.md
@@ -348,16 +348,7 @@ ADMX Info:
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607
-- 2 - Available in Windows 10, version 1703
-- 3 - Available in Windows 10, version 1709
-- 4 - Available in Windows 10, version 1803
-- 5 - Available in Windows 10, version 1809
-- 6 - Available in Windows 10, version 1903
-- 7 - Available in Windows 10, version 1909
-- 8 - Available in Windows 10, version 2004
-- 9 - Available in Windows 10, version 20H2
+> [!NOTE]
+> These policies are currently only available as part of a Windows Insider release.
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md
index a03950bfdc..970899b339 100644
--- a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md
+++ b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md
@@ -1811,16 +1811,7 @@ ADMX Info:
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607
-- 2 - Available in Windows 10, version 1703
-- 3 - Available in Windows 10, version 1709
-- 4 - Available in Windows 10, version 1803
-- 5 - Available in Windows 10, version 1809
-- 6 - Available in Windows 10, version 1903
-- 7 - Available in Windows 10, version 1909
-- 8 - Available in Windows 10, version 2004
-- 9 - Available in Windows 10, version 20H2
+> [!NOTE]
+> These policies are currently only available as part of a Windows Insider release.
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-cpls.md b/windows/client-management/mdm/policy-csp-admx-cpls.md
index d198e617ff..765b443616 100644
--- a/windows/client-management/mdm/policy-csp-admx-cpls.md
+++ b/windows/client-management/mdm/policy-csp-admx-cpls.md
@@ -102,17 +102,8 @@ ADMX Info:
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607
-- 2 - Available in Windows 10, version 1703
-- 3 - Available in Windows 10, version 1709
-- 4 - Available in Windows 10, version 1803
-- 5 - Available in Windows 10, version 1809
-- 6 - Available in Windows 10, version 1903
-- 7 - Available in Windows 10, version 1909
-- 8 - Available in Windows 10, version 2004
-- 9 - Available in Windows 10, version 20H2
+> [!NOTE]
+> These policies are currently only available as part of a Windows Insider release.
diff --git a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md
index dcaa5fa29f..21edb1f061 100644
--- a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md
+++ b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md
@@ -254,17 +254,9 @@ ADMX Info:
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607
-- 2 - Available in Windows 10, version 1703
-- 3 - Available in Windows 10, version 1709
-- 4 - Available in Windows 10, version 1803
-- 5 - Available in Windows 10, version 1809
-- 6 - Available in Windows 10, version 1903
-- 7 - Available in Windows 10, version 1909
-- 8 - Available in Windows 10, version 2004
-- 9 - Available in Windows 10, version 20H2
+> [!NOTE]
+> These policies are for upcoming release.
+These policies are currently only available as part of a Windows Insider release.
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-credssp.md b/windows/client-management/mdm/policy-csp-admx-credssp.md
index 7cf1e14d14..2cc80b3bec 100644
--- a/windows/client-management/mdm/policy-csp-admx-credssp.md
+++ b/windows/client-management/mdm/policy-csp-admx-credssp.md
@@ -954,17 +954,8 @@ ADMX Info:
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607
-- 2 - Available in Windows 10, version 1703
-- 3 - Available in Windows 10, version 1709
-- 4 - Available in Windows 10, version 1803
-- 5 - Available in Windows 10, version 1809
-- 6 - Available in Windows 10, version 1903
-- 7 - Available in Windows 10, version 1909
-- 8 - Available in Windows 10, version 2004
-- 9 - Available in Windows 10, version 20H2
+> [!NOTE]
+> These policies are currently only available as part of a Windows Insider release.
diff --git a/windows/client-management/mdm/policy-csp-admx-credui.md b/windows/client-management/mdm/policy-csp-admx-credui.md
index cf430cc22f..f897258fbe 100644
--- a/windows/client-management/mdm/policy-csp-admx-credui.md
+++ b/windows/client-management/mdm/policy-csp-admx-credui.md
@@ -170,17 +170,8 @@ ADMX Info:
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607
-- 2 - Available in Windows 10, version 1703
-- 3 - Available in Windows 10, version 1709
-- 4 - Available in Windows 10, version 1803
-- 5 - Available in Windows 10, version 1809
-- 6 - Available in Windows 10, version 1903
-- 7 - Available in Windows 10, version 1909
-- 8 - Available in Windows 10, version 2004
-- 9 - Available in Windows 10, version 20H2
+> [!NOTE]
+> These policies are currently only available as part of a Windows Insider release.
diff --git a/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md b/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md
index 7ec6bdd7bc..b8b9047875 100644
--- a/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md
+++ b/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md
@@ -324,17 +324,8 @@ ADMX Info:
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607
-- 2 - Available in Windows 10, version 1703
-- 3 - Available in Windows 10, version 1709
-- 4 - Available in Windows 10, version 1803
-- 5 - Available in Windows 10, version 1809
-- 6 - Available in Windows 10, version 1903
-- 7 - Available in Windows 10, version 1909
-- 8 - Available in Windows 10, version 2004
-- 9 - Available in Windows 10, version 20H2
+> [!NOTE]
+> These policies are currently only available as part of a Windows Insider release.
diff --git a/windows/client-management/mdm/policy-csp-admx-datacollection.md b/windows/client-management/mdm/policy-csp-admx-datacollection.md
index b550db06f6..28d46d0d21 100644
--- a/windows/client-management/mdm/policy-csp-admx-datacollection.md
+++ b/windows/client-management/mdm/policy-csp-admx-datacollection.md
@@ -99,17 +99,8 @@ ADMX Info:
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607
-- 2 - Available in Windows 10, version 1703
-- 3 - Available in Windows 10, version 1709
-- 4 - Available in Windows 10, version 1803
-- 5 - Available in Windows 10, version 1809
-- 6 - Available in Windows 10, version 1903
-- 7 - Available in Windows 10, version 1909
-- 8 - Available in Windows 10, version 2004
-- 9 - Available in Windows 10, version 20H2
+> [!NOTE]
+> These policies are for upcoming release.
diff --git a/windows/client-management/mdm/policy-csp-admx-desktop.md b/windows/client-management/mdm/policy-csp-admx-desktop.md
index 8c3fd1a932..60c1836ab2 100644
--- a/windows/client-management/mdm/policy-csp-admx-desktop.md
+++ b/windows/client-management/mdm/policy-csp-admx-desktop.md
@@ -2168,16 +2168,7 @@ ADMX Info:
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607
-- 2 - Available in Windows 10, version 1703
-- 3 - Available in Windows 10, version 1709
-- 4 - Available in Windows 10, version 1803
-- 5 - Available in Windows 10, version 1809
-- 6 - Available in Windows 10, version 1903
-- 7 - Available in Windows 10, version 1909
-- 8 - Available in Windows 10, version 2004
-- 9 - Available in Windows 10, version 20H2
+> [!NOTE]
+> These policies are currently only available as part of a Windows Insider release.
diff --git a/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md b/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md
index 69e459d10c..6dbde4ba7a 100644
--- a/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md
+++ b/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md
@@ -605,15 +605,6 @@ ADMX Info:
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607
-- 2 - Available in Windows 10, version 1703
-- 3 - Available in Windows 10, version 1709
-- 4 - Available in Windows 10, version 1803
-- 5 - Available in Windows 10, version 1809
-- 6 - Available in Windows 10, version 1903
-- 7 - Available in Windows 10, version 1909
-- 8 - Available in Windows 10, version 2004
-- 9 - Available in Windows 10, version 20H2
+> [!NOTE]
+> These policies are currently only available as part of a Windows Insider release.
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-devicesetup.md b/windows/client-management/mdm/policy-csp-admx-devicesetup.md
index 5da6627e8f..99a7d7da64 100644
--- a/windows/client-management/mdm/policy-csp-admx-devicesetup.md
+++ b/windows/client-management/mdm/policy-csp-admx-devicesetup.md
@@ -173,16 +173,7 @@ ADMX Info:
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607
-- 2 - Available in Windows 10, version 1703
-- 3 - Available in Windows 10, version 1709
-- 4 - Available in Windows 10, version 1803
-- 5 - Available in Windows 10, version 1809
-- 6 - Available in Windows 10, version 1903
-- 7 - Available in Windows 10, version 1909
-- 8 - Available in Windows 10, version 2004
-- 9 - Available in Windows 10, version 20H2
+> [!NOTE]
+> These policies are currently only available as part of a Windows Insider release.
diff --git a/windows/client-management/mdm/policy-csp-admx-digitallocker.md b/windows/client-management/mdm/policy-csp-admx-digitallocker.md
index 08a7dab278..3bd65a3fa2 100644
--- a/windows/client-management/mdm/policy-csp-admx-digitallocker.md
+++ b/windows/client-management/mdm/policy-csp-admx-digitallocker.md
@@ -175,17 +175,8 @@ ADMX Info:
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607
-- 2 - Available in Windows 10, version 1703
-- 3 - Available in Windows 10, version 1709
-- 4 - Available in Windows 10, version 1803
-- 5 - Available in Windows 10, version 1809
-- 6 - Available in Windows 10, version 1903
-- 7 - Available in Windows 10, version 1909
-- 8 - Available in Windows 10, version 2004
-- 9 - Available in Windows 10, version 20H2
+> [!NOTE]
+> These policies are currently only available as part of a Windows Insider release.
diff --git a/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md b/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md
new file mode 100644
index 0000000000..d1e758c1e7
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md
@@ -0,0 +1,108 @@
+---
+title: Policy CSP - ADMX_DistributedLinkTracking
+description: Policy CSP - ADMX_DistributedLinkTracking
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 03/22/2021
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_DistributedLinkTracking
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_DistributedLinkTracking policies
+
+
+
+
+
+
+
+**ADMX_DistributedLinkTracking/DLT_AllowDomainMode**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+ 
+
+Pro
+
+
+Business
+
+
+Enterprise
+ 
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Machine
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy specifies that Distributed Link Tracking clients in this domain may use the Distributed Link Tracking (DLT) server, which runs on domain controllers.
+The DLT client enables programs to track linked files that are moved within an NTFS volume, to another NTFS volume on the same computer, or to an NTFS volume on another computer.
+The DLT client can more reliably track links when allowed to use the DLT server.
+This policy should not be set unless the DLT server is running on all domain controllers in the domain.
+
+> [!NOTE]
+> This policy setting applies to all sites in Trusted zones.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow Distributed Link Tracking clients to use domain resources*
+- GP name: *DLT_AllowDomainMode*
+- GP path: *Windows\System!DLT_AllowDomainMode*
+- GP ADMX file name: *DistributedLinkTracking.admx*
+
+
+
+
+
+> [!NOTE]
+> These policies are currently only available as part of a Windows Insider release.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-dnsclient.md b/windows/client-management/mdm/policy-csp-admx-dnsclient.md
index 9aba6d0482..9eab8af0c7 100644
--- a/windows/client-management/mdm/policy-csp-admx-dnsclient.md
+++ b/windows/client-management/mdm/policy-csp-admx-dnsclient.md
@@ -1710,16 +1710,7 @@ ADMX Info:
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607
-- 2 - Available in Windows 10, version 1703
-- 3 - Available in Windows 10, version 1709
-- 4 - Available in Windows 10, version 1803
-- 5 - Available in Windows 10, version 1809
-- 6 - Available in Windows 10, version 1903
-- 7 - Available in Windows 10, version 1909
-- 8 - Available in Windows 10, version 2004
-- 9 - Available in Windows 10, version 20H2
+> [!NOTE]
+> These policies are currently only available as part of a Windows Insider release.
diff --git a/windows/client-management/mdm/policy-csp-admx-dwm.md b/windows/client-management/mdm/policy-csp-admx-dwm.md
index 71f9b3638f..faa2117abe 100644
--- a/windows/client-management/mdm/policy-csp-admx-dwm.md
+++ b/windows/client-management/mdm/policy-csp-admx-dwm.md
@@ -476,16 +476,7 @@ ADMX Info:
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607
-- 2 - Available in Windows 10, version 1703
-- 3 - Available in Windows 10, version 1709
-- 4 - Available in Windows 10, version 1803
-- 5 - Available in Windows 10, version 1809
-- 6 - Available in Windows 10, version 1903
-- 7 - Available in Windows 10, version 1909
-- 8 - Available in Windows 10, version 2004
-- 9 - Available in Windows 10, version 20H2
+> [!NOTE]
+> These policies are currently only available as part of a Windows Insider release.
diff --git a/windows/client-management/mdm/policy-csp-admx-eaime.md b/windows/client-management/mdm/policy-csp-admx-eaime.md
index b56ce8c52a..8a85ec79d6 100644
--- a/windows/client-management/mdm/policy-csp-admx-eaime.md
+++ b/windows/client-management/mdm/policy-csp-admx-eaime.md
@@ -956,17 +956,7 @@ ADMX Info:
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607
-- 2 - Available in Windows 10, version 1703
-- 3 - Available in Windows 10, version 1709
-- 4 - Available in Windows 10, version 1803
-- 5 - Available in Windows 10, version 1809
-- 6 - Available in Windows 10, version 1903
-- 7 - Available in Windows 10, version 1909
-- 8 - Available in Windows 10, version 2004
-- 9 - Available in Windows 10, version 20H2
-
+> [!NOTE]
+> These policies are currently only available as part of a Windows Insider release.
diff --git a/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md b/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md
index 1dd5a4e6cb..96abbdd6f2 100644
--- a/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md
+++ b/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md
@@ -101,17 +101,8 @@ ADMX Info:
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607
-- 2 - Available in Windows 10, version 1703
-- 3 - Available in Windows 10, version 1709
-- 4 - Available in Windows 10, version 1803
-- 5 - Available in Windows 10, version 1809
-- 6 - Available in Windows 10, version 1903
-- 7 - Available in Windows 10, version 1909
-- 8 - Available in Windows 10, version 2004
-- 9 - Available in Windows 10, version 20H2
+> [!NOTE]
+> These policies are currently only available as part of a Windows Insider release.
diff --git a/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md b/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md
index 7e217f1364..01df1bdf33 100644
--- a/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md
+++ b/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md
@@ -461,17 +461,8 @@ ADMX Info:
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607
-- 2 - Available in Windows 10, version 1703
-- 3 - Available in Windows 10, version 1709
-- 4 - Available in Windows 10, version 1803
-- 5 - Available in Windows 10, version 1809
-- 6 - Available in Windows 10, version 1903
-- 7 - Available in Windows 10, version 1909
-- 8 - Available in Windows 10, version 2004
-- 9 - Available in Windows 10, version 20H2
+> [!NOTE]
+> These policies are currently only available as part of a Windows Insider release.
diff --git a/windows/client-management/mdm/policy-csp-admx-errorreporting.md b/windows/client-management/mdm/policy-csp-admx-errorreporting.md
index 5f3fc5e33b..3757e328fa 100644
--- a/windows/client-management/mdm/policy-csp-admx-errorreporting.md
+++ b/windows/client-management/mdm/policy-csp-admx-errorreporting.md
@@ -2187,16 +2187,7 @@ ADMX Info:
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607
-- 2 - Available in Windows 10, version 1703
-- 3 - Available in Windows 10, version 1709
-- 4 - Available in Windows 10, version 1803
-- 5 - Available in Windows 10, version 1809
-- 6 - Available in Windows 10, version 1903
-- 7 - Available in Windows 10, version 1909
-- 8 - Available in Windows 10, version 2004
-- 9 - Available in Windows 10, version 20H2
+> [!NOTE]
+> These policies are currently only available as part of a Windows Insider release.
diff --git a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md
index 449bed0b21..f07d3af050 100644
--- a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md
+++ b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md
@@ -185,17 +185,8 @@ ADMX Info:
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607
-- 2 - Available in Windows 10, version 1703
-- 3 - Available in Windows 10, version 1709
-- 4 - Available in Windows 10, version 1803
-- 5 - Available in Windows 10, version 1809
-- 6 - Available in Windows 10, version 1903
-- 7 - Available in Windows 10, version 1909
-- 8 - Available in Windows 10, version 2004
-- 9 - Available in Windows 10, version 20H2
+> [!NOTE]
+> These policies are currently only available as part of a Windows Insider release.
diff --git a/windows/client-management/mdm/policy-csp-admx-eventlog.md b/windows/client-management/mdm/policy-csp-admx-eventlog.md
index ea4b084c38..bdeee9c870 100644
--- a/windows/client-management/mdm/policy-csp-admx-eventlog.md
+++ b/windows/client-management/mdm/policy-csp-admx-eventlog.md
@@ -1573,17 +1573,7 @@ ADMX Info:
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607
-- 2 - Available in Windows 10, version 1703
-- 3 - Available in Windows 10, version 1709
-- 4 - Available in Windows 10, version 1803
-- 5 - Available in Windows 10, version 1809
-- 6 - Available in Windows 10, version 1903
-- 7 - Available in Windows 10, version 1909
-- 8 - Available in Windows 10, version 2004
-- 9 - Available in Windows 10, version 20H2
-
+> [!NOTE]
+> These policies are currently only available as part of a Windows Insider release.
diff --git a/windows/client-management/mdm/policy-csp-admx-explorer.md b/windows/client-management/mdm/policy-csp-admx-explorer.md
index da74235b97..36140f5eeb 100644
--- a/windows/client-management/mdm/policy-csp-admx-explorer.md
+++ b/windows/client-management/mdm/policy-csp-admx-explorer.md
@@ -386,15 +386,6 @@ ADMX Info:
-Footnotes:
-
-- 1 - Available in Windows 10, version 1607
-- 2 - Available in Windows 10, version 1703
-- 3 - Available in Windows 10, version 1709
-- 4 - Available in Windows 10, version 1803
-- 5 - Available in Windows 10, version 1809
-- 6 - Available in Windows 10, version 1903
-- 7 - Available in Windows 10, version 1909
-- 8 - Available in Windows 10, version 2004
-- 9 - Available in Windows 10, version 20H2
+> [!NOTE]
+> These policies are currently only available as part of a Windows Insider release.
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-filerecovery.md b/windows/client-management/mdm/policy-csp-admx-filerecovery.md
index 8a327a33a4..124a5759b8 100644
--- a/windows/client-management/mdm/policy-csp-admx-filerecovery.md
+++ b/windows/client-management/mdm/policy-csp-admx-filerecovery.md
@@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
-ms.date: 03/02/2021
+ms.date: 03/24/2021
ms.reviewer:
manager: dansimp
---
@@ -19,8 +19,6 @@ manager: dansimp
-## ADMX_FileRecovery policies
-
-Available in the latest Windows 10 Insider Preview Build. This policy setting substitutes custom alert text in the disk diagnostic message shown to users when a disk reports a S.M.A.R.T. fault.
-
-If you enable this policy setting, Windows displays custom alert text in the disk diagnostic message. The custom text may not exceed 512 characters.
-
-If you disable or do not configure this policy setting, Windows displays the default alert text in the disk diagnostic message.
-
-No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately.
-
-This policy setting only takes effect if the Disk Diagnostic scenario policy setting is enabled or not configured and the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, diagnostic scenarios are not executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console.
-
-> [!NOTE]
-> For Windows Server systems, this policy setting applies only if the Desktop Experience optional component is installed and the Remote Desktop Services role is not installed.
> [!NOTE]
> This policy setting applies to all sites in Trusted zones.
@@ -100,9 +84,6 @@ This policy setting only takes effect if the Disk Diagnostic scenario policy set
ADMX Info:
-- GP English name: *Disk Diagnostic: Configure execution level*
-- GP name: *WdiScenarioExecutionPolicy*
-- GP path: *System\Troubleshooting and Diagnostics\Disk Diagnostic*
- GP ADMX file name: *FileRecovery.admx*
@@ -111,15 +92,5 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607
-- 2 - Available in Windows 10, version 1703
-- 3 - Available in Windows 10, version 1709
-- 4 - Available in Windows 10, version 1803
-- 5 - Available in Windows 10, version 1809
-- 6 - Available in Windows 10, version 1903
-- 7 - Available in Windows 10, version 1909
-- 8 - Available in Windows 10, version 2004
-- 9 - Available in Windows 10, version 20H2
-
diff --git a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md
index 619444116c..2b47023734 100644
--- a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md
+++ b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md
@@ -146,7 +146,7 @@ manager: dansimp
ADMX_MicrosoftDefenderAntivirus/Reporting_DisableEnhancedNotifications
-
-
-**ADMX_MicrosoftDefenderAntivirus/Reporting_DisablegenericrePorts**
-
@@ -3286,7 +3284,7 @@ If you disable this setting, Watson events will not be sent.
ADMX Info:
- GP English name: *Configure Watson events*
-- GP name: *Reporting_DisablegenericrePorts*
+- GP name: *Reporting_Disablegenericreports*
- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting*
- GP ADMX file name: *WindowsDefender.admx*
@@ -3357,10 +3355,8 @@ ADMX Info:
+**ADMX_MicrosoftDefenderAntivirus/Reporting_RecentlyCleanedTimeout**
@@ -153,7 +153,7 @@ Modern deployment methods embrace both traditional on-prem and cloud services to
Windows Autopilot is a new suite of capabilities designed to simplify and modernize the deployment and management of new Windows 10 PCs. Windows Autopilot enables IT professionals to customize the Out of Box Experience (OOBE) for Windows 10 PCs and provide end users with a fully configured new Windows 10 device after just a few clicks. There are no images to deploy, no drivers to inject, and no infrastructure to manage. Users can go through the deployment process independently, without the need consult their IT administrator.
-For more information about Windows Autopilot, see [Overview of Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-10-auto-pilot) and [Modernizing Windows deployment with Windows Autopilot](https://blogs.technet.microsoft.com/windowsitpro/2017/06/29/modernizing-windows-deployment-with-windows-autopilot/).
+For more information about Windows Autopilot, see [Overview of Windows Autopilot](/windows/deployment/windows-10-auto-pilot) and [Modernizing Windows deployment with Windows Autopilot](https://blogs.technet.microsoft.com/windowsitpro/2017/06/29/modernizing-windows-deployment-with-windows-autopilot/).
### In-place upgrade
@@ -167,11 +167,11 @@ Because existing applications are preserved through the process, the upgrade pro
Scenarios that support in-place upgrade with some additional procedures include changing from BIOS to UEFI boot mode and upgrade of devices that use non-Microsoft disk encryption software.
-- **Legacy BIOS to UEFI booting**: To perform an in-place upgrade on a UEFI-capable system that currently boots using legacy BIOS, first perform the in-place upgrade to Windows 10, maintaining the legacy BIOS boot mode. Windows 10 does not require UEFI, so it will work fine to upgrade a system using legacy BIOS emulation. After the upgrade, if you wish to enable Windows 10 features that require UEFI (such as Secure Boot), you can convert the system disk to a format that supports UEFI boot using the [MBR2GPT](https://docs.microsoft.com/windows/deployment/mbr-to-gpt) tool. Note: [UEFI specification](http://www.uefi.org/specifications) requires GPT disk layout. After the disk has been converted, you must also configure the firmware to boot in UEFI mode.
+- **Legacy BIOS to UEFI booting**: To perform an in-place upgrade on a UEFI-capable system that currently boots using legacy BIOS, first perform the in-place upgrade to Windows 10, maintaining the legacy BIOS boot mode. Windows 10 does not require UEFI, so it will work fine to upgrade a system using legacy BIOS emulation. After the upgrade, if you wish to enable Windows 10 features that require UEFI (such as Secure Boot), you can convert the system disk to a format that supports UEFI boot using the [MBR2GPT](./mbr-to-gpt.md) tool. Note: [UEFI specification](http://www.uefi.org/specifications) requires GPT disk layout. After the disk has been converted, you must also configure the firmware to boot in UEFI mode.
- **Non-Microsoft disk encryption software**: While devices encrypted with BitLocker can easily be upgraded, more work is necessary for non-Microsoft disk encryption tools. Some ISVs will provide instructions on how to integrate their software into the in-place upgrade process. Check with your ISV to see if they have instructions. The following articles provide details on how to provision encryption drivers for use during Windows Setup via the ReflectDrivers setting:
- - [Windows Setup Automation Overview](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-automation-overview)
- - [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options)
+ - [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview)
+ - [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options)
There are some situations where you cannot use in-place upgrade; in these situations, you can use traditional deployment (wipe-and-load) instead. Examples of these situations include:
@@ -189,16 +189,16 @@ The goal of dynamic provisioning is to take a new PC out of the box, turn it on,
### Windows 10 Subscription Activation
-Windows 10 Subscription Activation is a modern deployment method that enables you to change the SKU from Pro to Enterprise with no keys and no reboots. For more information about Subscription Activation, see [Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation).
+Windows 10 Subscription Activation is a modern deployment method that enables you to change the SKU from Pro to Enterprise with no keys and no reboots. For more information about Subscription Activation, see [Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation).
### Azure Active Directory (AAD) join with automatic mobile device management (MDM) enrollment
-In this scenario, the organization member just needs to provide their work or school user ID and password; the device can then be automatically joined to Azure Active Directory and enrolled in a mobile device management (MDM) solution with no additional user interaction. Once done, the MDM solution can finish configuring the device as needed. For more information, see [Azure Active Directory integration with MDM](https://docs.microsoft.com/windows/client-management/mdm/azure-active-directory-integration-with-mdm).
+In this scenario, the organization member just needs to provide their work or school user ID and password; the device can then be automatically joined to Azure Active Directory and enrolled in a mobile device management (MDM) solution with no additional user interaction. Once done, the MDM solution can finish configuring the device as needed. For more information, see [Azure Active Directory integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm).
### Provisioning package configuration
-Using the [Windows Imaging and Configuration Designer (ICD)](https://go.microsoft.com/fwlink/p/?LinkId=619358), IT administrators can create a self-contained package that contains all of the configuration, settings, and apps that need to be applied to a machine. These packages can then be deployed to new PCs through a variety of means, typically by IT professionals. For more information, see [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm).
+Using the [Windows Imaging and Configuration Designer (ICD)](/windows/configuration/provisioning-packages/provisioning-install-icd), IT administrators can create a self-contained package that contains all of the configuration, settings, and apps that need to be applied to a machine. These packages can then be deployed to new PCs through a variety of means, typically by IT professionals. For more information, see [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm).
These scenarios can be used to enable “choose your own device” (CYOD) programs where the organization’s users can pick their own PC and not be restricted to a small list of approved or certified models (programs that are difficult to implement using traditional deployment scenarios).
@@ -206,7 +206,7 @@ While the initial Windows 10 release includes a variety of provisioning setting
## Traditional deployment:
-New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md), and [Microsoft Endpoint Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
+New versions of Windows have typically been deployed by organizations using an image-based process built on top of tools provided in the [Windows Assessment and Deployment Kit](windows-adk-scenarios-for-it-pros.md), Windows Deployment Services, the [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md), and [Microsoft Endpoint Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
With the release of Windows 10, all of these tools are being updated to fully support Windows 10. Although newer scenarios such as in-place upgrade and dynamic provisioning may reduce the need for traditional deployment capabilities in some organizations, these traditional methods remain important and will continue to be available to organizations that need them.
@@ -267,9 +267,9 @@ The deployment process for the replace scenario is as follows:
## Related topics
- [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
-- [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md)
+- [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](./deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md)
- [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=620230)
-- [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
-- [Windows setup technical reference](https://go.microsoft.com/fwlink/p/?LinkId=619357)
-- [Windows Imaging and Configuration Designer](https://go.microsoft.com/fwlink/p/?LinkId=619358)
-- [UEFI firmware](https://go.microsoft.com/fwlink/p/?LinkId=619359)
+- [Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md)
+- [Windows setup technical reference](/windows-hardware/manufacture/desktop/windows-setup-technical-reference)
+- [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd)
+- [UEFI firmware](/windows-hardware/design/device-experiences/oem-uefi)
\ No newline at end of file
diff --git a/windows/deployment/windows-10-enterprise-e3-overview.md b/windows/deployment/windows-10-enterprise-e3-overview.md
index d362478ccc..33fe4e9e80 100644
--- a/windows/deployment/windows-10-enterprise-e3-overview.md
+++ b/windows/deployment/windows-10-enterprise-e3-overview.md
@@ -88,7 +88,7 @@ Windows 10 Enterprise edition has a number of features that are unavailable in
-
-
-**ADMX_MicrosoftDefenderAntivirus/Reporting_RecentlyCleanedTimeout**
@@ -4250,14 +4246,10 @@ ADMX Info:
+**ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningMappedNetworkDrivesForFullScan**
-> **Windows 10 LTSC/LTSB**: Due to [naming changes](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions.
+> **Windows 10 LTSC/LTSB**: Due to [naming changes](../update/waas-overview.md#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions.
>
> **Windows N/KN**: Windows "N" and "KN" SKUs follow the same rules shown above.
@@ -246,6 +246,6 @@ Some slightly more complex scenarios are not represented by the table above. For
## Related topics
-[Windows 10 upgrade paths](https://docs.microsoft.com/windows/deployment/upgrade/windows-10-upgrade-paths)
-**ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningMappedNetworkDrivesForFullScan**
-
-
-
-IT administrators that want to target Windows To Go images for specific systems should test their images to ensure that the necessary system drivers are in the image, especially for critical functionality like Wi-Fi that is not supported by class drivers. Some consumer devices require OEM specific driver packages, which may not be available on Windows Update. For more information on how to add a driver to a Windows Image, please refer to the [Basic Windows Deployment Step-by-Step Guide](https://go.microsoft.com/fwlink/p/?LinkId=619079).
+IT administrators that want to target Windows To Go images for specific systems should test their images to ensure that the necessary system drivers are in the image, especially for critical functionality like Wi-Fi that is not supported by class drivers. Some consumer devices require OEM specific driver packages, which may not be available on Windows Update. For more information on how to add a driver to a Windows Image, please refer to the [Basic Windows Deployment Step-by-Step Guide](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825212(v=win.10)).
### Application installation and domain join
@@ -302,4 +302,4 @@ If you choose to not use the Windows To Go startup options or are using a PC run
[Windows To Go: feature overview](windows-to-go-overview.md)
@@ -6140,11 +6132,10 @@ ADMX Info:
+**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureDisableNotification**
+
-**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureDisableNotification**
-
-
diff --git a/windows/client-management/mdm/policy-csp-admx-winsrv.md b/windows/client-management/mdm/policy-csp-admx-winsrv.md
new file mode 100644
index 0000000000..ac5a01bce6
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-winsrv.md
@@ -0,0 +1,119 @@
+---
+title: Policy CSP - ADMX_Winsrv
+description: Policy CSP - ADMX_Winsrv
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 02/25/2021
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_Winsrv
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
\ No newline at end of file
diff --git a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md
index 1c9e4706d1..0c2afbd06a 100644
--- a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md
+++ b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md
@@ -55,9 +55,9 @@ When a Windows To Go workspace is first used at the workplace, the Windows To Go
When the Windows To Go workspace is going to be used first on an off-premises computer, such as one at the employee's home, then the IT professional preparing the Windows To Go drives should configure the drive to be able to connect to organizational resources and to maintain the security of the workspace. In this situation, the Windows To Go workspace needs to be configured for offline domain join and BitLocker needs to be enabled before the workspace has been initialized.
> [!TIP]
-> Applying BitLocker Drive Encryption to the drives before provisioning is a much faster process than encrypting the drives after data has already been stored on them due to a new feature called used-disk space only encryption. For more information, see [What's New in BitLocker](https://go.microsoft.com/fwlink/p/?LinkId=619076).
+> Applying BitLocker Drive Encryption to the drives before provisioning is a much faster process than encrypting the drives after data has already been stored on them due to a new feature called used-disk space only encryption. For more information, see [What's New in BitLocker](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn306081(v=ws.11)).
-DirectAccess can be used to ensure that the user can login with their domain credentials without needing a local account. For instructions on setting up a DirectAccess solution, for a small pilot deployment see [Deploy a Single Remote Access Server using the Getting Started Wizard](https://go.microsoft.com/fwlink/p/?LinkId=619077) for a larger scale deployment, see [Deploy Remote Access in an Enterprise](https://go.microsoft.com/fwlink/p/?LinkId=619078). If you do not want to use DirectAccess as an alternative users could log on using a local user account on the Windows To Go workspace and then use a virtual private network for remote access to your organizational network.
+DirectAccess can be used to ensure that the user can login with their domain credentials without needing a local account. For instructions on setting up a DirectAccess solution, for a small pilot deployment see [Deploy a Single Remote Access Server using the Getting Started Wizard](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831520(v=ws.11)) for a larger scale deployment, see [Deploy Remote Access in an Enterprise](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj134200(v=ws.11)). If you do not want to use DirectAccess as an alternative users could log on using a local user account on the Windows To Go workspace and then use a virtual private network for remote access to your organizational network.
### Image deployment and drive provisioning considerations
@@ -218,7 +218,7 @@ The following list of commonly used Wi-Fi network adapters that are not supporte
+
+
+## ADMX_Winsrv policies
+
+
+
+
+
+
+
+**ADMX_Winsrv/AllowBlockingAppsAtShutdown**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Windows will allow console applications and GUI applications without visible top-level windows to block or cancel shutdown.
+
+By default, such applications are automatically terminated if they attempt to cancel shutdown or block it indefinitely.
+
+- If you enable this setting, console applications or GUI applications without visible top-level windows that block or cancel shutdown will not be automatically terminated during shutdown.
+- If you disable or do not configure this setting, these applications will be automatically terminated during shutdown, helping to ensure that windows can shut down faster and more smoothly.
+
+> [!NOTE]
+> This policy setting applies to all sites in Trusted zones.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off automatic termination of applications that block or cancel shutdown*
+- GP name: *AllowBlockingAppsAtShutdown*
+- GP path: *System\Shutdown Options*
+- GP ADMX file name: *Winsrv.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-audit.md b/windows/client-management/mdm/policy-csp-audit.md
index 7d0997f275..73c539f766 100644
--- a/windows/client-management/mdm/policy-csp-audit.md
+++ b/windows/client-management/mdm/policy-csp-audit.md
@@ -929,7 +929,7 @@ The following are the supported values:
Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit events generated by special logons, such as the following:
- The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level.
-- A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. For more information about this feature, see [Audit Special Logon](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-special-logon).
+- A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. For more information about this feature, see [Audit Special Logon](/windows/security/threat-protection/auditing/audit-special-logon).
Volume: Low.
@@ -2994,7 +2994,7 @@ The following are the supported values:
-Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit user attempts to access file system objects. A security audit event is generated only for objects that have system access control lists (SACL) specified, and only if the type of access requested, such as Write, Read, or Modify and the account making the request match the settings in the SACL. For more information about enabling object access auditing, see [Apply a basic audit policy on a file or folder](https://docs.microsoft.com/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder).
+Added in Windows 10, version 1903. Also available in Windows 10, versions 1809 and 1803 through servicing. This policy setting allows you to audit user attempts to access file system objects. A security audit event is generated only for objects that have system access control lists (SACL) specified, and only if the type of access requested, such as Write, Read, or Modify and the account making the request match the settings in the SACL. For more information about enabling object access auditing, see [Apply a basic audit policy on a file or folder](/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder).
If you configure this policy setting, an audit event is generated each time an account accesses a file system object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts.
If you do not configure this policy setting, no audit event is generated when an account accesses a file system object with a matching SACL.
@@ -4803,5 +4803,4 @@ Footnotes:
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
-
-
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md
index 51f56ffbbb..d62b5b232d 100644
--- a/windows/client-management/mdm/policy-csp-authentication.md
+++ b/windows/client-management/mdm/policy-csp-authentication.md
@@ -7,8 +7,7 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
-ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer: bobgil
manager: dansimp
---
@@ -37,6 +36,9 @@ manager: dansimp
+
+**Authentication/ConfigureWebSignInAllowedUrls**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10, version 1803. Specifies the list of domains that are allowed to be navigated to in AAD PIN reset and Web Sign-in Windows device scenarios where authentication is handled by AD FS or a third-party federated identity provider. Note this policy is required in federated environments as a mitigation to the vulnerability described in [CVE-2021-27092](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27092).
+
+**Example**: If your organization's PIN reset or Web Sign-in authentication flow is expected to navigate to two domains, accounts.contoso.com and signin.contoso.com, the policy value should be "accounts.contoso.com;signin.contoso.com".
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
**Authentication/EnableFastFirstSignIn**
@@ -579,4 +643,3 @@ Footnotes:
- 8 - Available in Windows 10, version 2004.
-
diff --git a/windows/client-management/mdm/policy-csp-bitlocker.md b/windows/client-management/mdm/policy-csp-bitlocker.md
index 2f4c7acf11..03fcf174ca 100644
--- a/windows/client-management/mdm/policy-csp-bitlocker.md
+++ b/windows/client-management/mdm/policy-csp-bitlocker.md
@@ -17,7 +17,7 @@ manager: dansimp
> [!NOTE]
-> To manage encryption of PCs and devices, use [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp).
+> To manage encryption of PCs and devices, use [BitLocker CSP](./bitlocker-csp.md).
@@ -106,5 +106,4 @@ Footnotes:
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
-
-
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md
index e65609226d..8f0000728f 100644
--- a/windows/client-management/mdm/policy-csp-browser.md
+++ b/windows/client-management/mdm/policy-csp-browser.md
@@ -15,7 +15,7 @@ ms.localizationpriority: medium
# Policy CSP - Browser
> [!NOTE]
-> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).
+> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](/DeployEdge/).
## Browser policies
@@ -2129,7 +2129,7 @@ ADMX Info:
Supported values:
- 0 (default) – Prevented/not allowed. Microsoft Edge uses the search engine specified in App settings.
+
+
+**Experience/AllowNewsAndInterestsOnTheTaskbar**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Machine
+
+
+
+
+
+Specifies whether to allow "News and interests" on the Taskbar.
+
+
+
+The values for this policy are 1 and 0. This policy defaults to 1.
+
+- 1 - Default - News and interests feature will be allowed on the taskbar. The settings UI will be present in Taskbar context menu, and users will be able to turn off or switch mode.
+
+- 0 - News and interests feature will be turned off completely, and the settings UI in Taskbar context menu will be removed.
+
+
+
+
+
**Experience/AllowSaveAsOfOfficeFiles**
@@ -1344,7 +1406,7 @@ The following list shows the supported values:
[!INCLUDE [do-not-sync-browser-settings-shortdesc](../../../browsers/edge/shortdesc/do-not-sync-browser-settings-shortdesc.md)]
Related policy:
- [PreventUsersFromTurningOnBrowserSyncing](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-preventusersfromturningonbrowsersyncing)
+ [PreventUsersFromTurningOnBrowserSyncing](#experience-preventusersfromturningonbrowsersyncing)
@@ -1438,7 +1500,7 @@ _**Turn syncing off by default but don’t disable**_
[!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](../../../browsers/edge/shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)]
Related policy:
- [DoNotSyncBrowserSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-donotsyncbrowsersetting)
+ [DoNotSyncBrowserSettings](#experience-donotsyncbrowsersetting)
@@ -1574,5 +1636,4 @@ Footnotes:
- 8 - Available in Windows 10, version 2004.
- 9 - Available in Windows 10, version 20H2.
-
-
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md
index 92829f957e..33e976d513 100644
--- a/windows/client-management/mdm/policy-csp-exploitguard.md
+++ b/windows/client-management/mdm/policy-csp-exploitguard.md
@@ -74,7 +74,7 @@ manager: dansimp
-Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML. For more information Exploit Protection, see [Enable Exploit Protection on Devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection) and [Import, export, and deploy Exploit Protection configurations](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml).
+Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML. For more information Exploit Protection, see [Enable Exploit Protection on Devices](/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection) and [Import, export, and deploy Exploit Protection configurations](/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml).
The system settings require a reboot; the application settings do not require a reboot.
@@ -129,5 +129,4 @@ Footnotes:
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
-
-
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md
index 73e6d3c865..5760215ef8 100644
--- a/windows/client-management/mdm/policy-csp-internetexplorer.md
+++ b/windows/client-management/mdm/policy-csp-internetexplorer.md
@@ -2414,7 +2414,7 @@ This policy setting allows the administrator to enable "Save Target As" context
- If you enable this policy, "Save Target As" will show up in the Internet Explorer mode context menu and work the same as Internet Explorer.
- If you disable or do not configure this policy setting, "Save Target As" will not show up in the Internet Explorer mode context menu.
-For more information, see [https://go.microsoft.com/fwlink/?linkid=2102115](https://go.microsoft.com/fwlink/?linkid=2102115)
+For more information, see [https://go.microsoft.com/fwlink/?linkid=2102115](/deployedge/edge-ie-mode-faq)
> [!TIP]
@@ -3144,7 +3144,7 @@ If the Windows Update for the next version of Microsoft Edge* or Microsoft Edge
- If you disable or do not configure this policy, Microsoft Edge version 45 or earlier is automatically used. This is the default behavior.
> [!NOTE]
-> For more information about the Windows update for the next version of Microsoft Edge including how to disable it, see [https://go.microsoft.com/fwlink/?linkid=2102115](https://go.microsoft.com/fwlink/?linkid=2102115). This update applies only to Windows 10 version 1709 and higher.
+> For more information about the Windows update for the next version of Microsoft Edge including how to disable it, see [https://go.microsoft.com/fwlink/?linkid=2102115](/deployedge/edge-ie-mode-faq). This update applies only to Windows 10 version 1709 and higher.
> [!TIP]
@@ -3490,7 +3490,7 @@ ADMX Info:
This setting determines whether IE automatically downloads updated versions of Microsoft’s VersionList.XML. IE uses this file to determine whether an ActiveX control should be stopped from loading.
> [!Caution]
-> If you enable this setting, IE stops downloading updated versions of VersionList.XML. Turning off this automatic download breaks the [out-of-date ActiveX control blocking feature](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking) by not letting the version list update with newly outdated controls, potentially compromising the security of your computer.
+> If you enable this setting, IE stops downloading updated versions of VersionList.XML. Turning off this automatic download breaks the [out-of-date ActiveX control blocking feature](/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking) by not letting the version list update with newly outdated controls, potentially compromising the security of your computer.
If you disable or do not configure this setting, IE continues to download updated versions of VersionList.XML.
@@ -9550,7 +9550,7 @@ Related policies:
- [Browser/SendIntranetTraffictoInternetExplorer](#internetexplorer-policies)
- [InternetExplorer/SendSitesNotInEnterpriseSiteListToEdge](#internetexplorer-policies)
-For more information on how to use this policy together with other related policies to create the optimal configuration for your organization, see [https://go.microsoft.com/fwlink/?linkid=2094210.](https://go.microsoft.com/fwlink/?linkid=2094210)
+For more information on how to use this policy together with other related policies to create the optimal configuration for your organization, see [https://go.microsoft.com/fwlink/?linkid=2094210.](/DeployEdge/edge-ie-mode-policies#configure-internet-explorer-integration)
> [!TIP]
@@ -20143,5 +20143,4 @@ Footnotes:
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
-
-
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-kioskbrowser.md b/windows/client-management/mdm/policy-csp-kioskbrowser.md
index be0176ca9b..b7c4328ba0 100644
--- a/windows/client-management/mdm/policy-csp-kioskbrowser.md
+++ b/windows/client-management/mdm/policy-csp-kioskbrowser.md
@@ -16,7 +16,7 @@ manager: dansimp
-These policies currently only apply to Kiosk Browser app. Kiosk Browser is a Microsoft Store app, added in Windows 10 version 1803, that provides IT a way to customize the end user's browsing experience to fulfill kiosk, signage, and shared device scenarios. Application developers can also create their own kiosk browser and read these policies using [NamedPolicy.GetPolicyFromPath(String, String) Method](https://docs.microsoft.com/uwp/api/windows.management.policies.namedpolicy.getpolicyfrompath#Windows_Management_Policies_NamedPolicy_GetPolicyFromPath_System_String_System_String_).
+These policies currently only apply to Kiosk Browser app. Kiosk Browser is a Microsoft Store app, added in Windows 10 version 1803, that provides IT a way to customize the end user's browsing experience to fulfill kiosk, signage, and shared device scenarios. Application developers can also create their own kiosk browser and read these policies using [NamedPolicy.GetPolicyFromPath(String, String) Method](/uwp/api/windows.management.policies.namedpolicy.getpolicyfrompath#Windows_Management_Policies_NamedPolicy_GetPolicyFromPath_System_String_System_String_).
@@ -438,5 +438,4 @@ Footnotes:
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
-
-
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
index 8b0191b9c6..a0b1076deb 100644
--- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
+++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
@@ -165,7 +165,7 @@ manager: dansimp
> [!NOTE]
-> To find data formats (and other policy-related details), see [Policy DDF file](https://docs.microsoft.com/windows/client-management/mdm/policy-ddf-file).
+> To find data formats (and other policy-related details), see [Policy DDF file](./policy-ddf-file.md).
**LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts**
@@ -3467,4 +3467,4 @@ Footnotes:
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
-
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md
index c320a8134e..2cd2e5f34e 100644
--- a/windows/client-management/mdm/policy-csp-localusersandgroups.md
+++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md
@@ -96,7 +96,7 @@ Here is an example of the policy definition XML for group configuration:
where:
-- `
-User rights are assigned for user accounts or groups. The name of the policy defines the user right in question, and the values are always users or groups. Values can be represented as SIDs or strings. For reference, see [Well-Known SID Structures](https://msdn.microsoft.com/library/cc980032.aspx).
+User rights are assigned for user accounts or groups. The name of the policy defines the user right in question, and the values are always users or groups. Values can be represented as SIDs or strings. For reference, see [Well-Known SID Structures](/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab).
Even though strings are supported for well-known accounts and groups, it is better to use SIDs, because strings are localized for different languages. Some user rights allow things like AccessFromNetwork, while others disallow things, like DenyAccessFromNetwork.
@@ -1901,4 +1901,4 @@ Footnotes:
- 6 - Available in Windows 10, version 1903.
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
-
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/provisioning-csp.md b/windows/client-management/mdm/provisioning-csp.md
index 9dfabcfba3..1e6a236656 100644
--- a/windows/client-management/mdm/provisioning-csp.md
+++ b/windows/client-management/mdm/provisioning-csp.md
@@ -23,10 +23,23 @@ The Provisioning configuration service provider is used for bulk user enrollment
For bulk enrollment step-by-step guide, see [Bulk enrollment](bulk-enrollment-using-windows-provisioning-tool.md).
-The following diagram shows the Provisioning configuration service provider in tree format.
-
-
-
+The following shows the Provisioning configuration service provider in tree format.
+```
+./Vendor/MSFT/ProvisioningCommands
+ProvisioningCommands
+----DeviceContext
+--------CommandSet
+------------Default
+----------------CommandLine
+----PrimaryContext
+--------CommandSet
+------------CommandName
+----------------CommandLine
+----------------ReturnCodeSuccess
+----------------ReturnCodeRestart
+----------------RestartRequired
+----------------ContinueInstall
+```
**./Vendor/MSFT**
Root node for Provisioning CSP.
diff --git a/windows/client-management/mdm/proxy-csp.md b/windows/client-management/mdm/proxy-csp.md
index c1d9034fe8..540a52a931 100644
--- a/windows/client-management/mdm/proxy-csp.md
+++ b/windows/client-management/mdm/proxy-csp.md
@@ -25,10 +25,37 @@ This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID
For the PROXY CSP, you cannot use the Replace command unless the node already exists.
-The following diagram shows the PROXY configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol is not supported by this configuration service provider.
-
-
-
+The following shows the PROXY configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol is not supported by this configuration service provider.
+```
+./Vendor/MSFT
+Proxy
+----*
+--------ProxyId
+--------Name
+--------AddrType
+--------Addr
+--------AddrFQDN
+--------ConRefs
+------------*
+----------------ConRef
+--------Domains
+------------*
+----------------DomainName
+--------Ports
+------------*
+----------------PortNbr
+----------------Services
+--------------------*
+------------------------ServiceName
+--------ProxyType
+--------ProxyParams
+------------WAP
+----------------Trust
+----------------PushEnabled
+--------Ext
+------------Microsoft
+----------------Guid
+```
**./Vendor/MSFT/Proxy**
Root node for the proxy connection.
diff --git a/windows/client-management/mdm/push-notification-windows-mdm.md b/windows/client-management/mdm/push-notification-windows-mdm.md
index bcae3dceaf..a0a34ee244 100644
--- a/windows/client-management/mdm/push-notification-windows-mdm.md
+++ b/windows/client-management/mdm/push-notification-windows-mdm.md
@@ -18,13 +18,13 @@ ms.date: 09/22/2017
# Push notification support for device management
-The [DMClient CSP](dmclient-csp.md) supports the ability to configure push-initiated device management sessions. Using the [Windows Notification Services (WNS)](https://go.microsoft.com/fwlink/p/?linkid=528800), a management server can request a device to establish a management session with the server through a push notification. A device is configured to support push by the management server by providing the device with a PFN for an application. Once the device is configured, it registers a persistent connection with the WNS cloud (Battery Sense and Data Sense conditions permitting).
+The [DMClient CSP](dmclient-csp.md) supports the ability to configure push-initiated device management sessions. Using the [Windows Notification Services (WNS)](/previous-versions/windows/apps/hh913756(v=win.10)), a management server can request a device to establish a management session with the server through a push notification. A device is configured to support push by the management server by providing the device with a PFN for an application. Once the device is configured, it registers a persistent connection with the WNS cloud (Battery Sense and Data Sense conditions permitting).
To initiate a device management session, the management server must first authenticate with WNS using its SID and client secret. Once authenticated, the server receives a token that it can use to initiate a raw push notification for any ChannelURI. When the management server wants to initiate a device management session with a device, it can utilize its token and the device ChannelURI and begin communicating with the device.
For more information about how to get push credentials (SID and client secret) and PFN to use in WNS, see [Get WNS credentials and PFN for MDM push notification](#get-wns-credentials-and-pfn-for-mdm-push-notification).
-Because a device may not always be connected to the internet, WNS supports caching notifications for delivery to the device once it reconnects. To ensure your notification is cached for delivery, set the X-WNS-Cache-Policy header to Cache. Additionally, if the server wants to send a time-bound raw push notification, the server can use the X-WNS-TTL header that will provide WNS with a time-to-live binding so that the notification will expire after the time has passed. For more information, see [Raw notification overview (Windows Runtime apps)](https://go.microsoft.com/fwlink/p/?LinkId=733254).
+Because a device may not always be connected to the internet, WNS supports caching notifications for delivery to the device once it reconnects. To ensure your notification is cached for delivery, set the X-WNS-Cache-Policy header to Cache. Additionally, if the server wants to send a time-bound raw push notification, the server can use the X-WNS-TTL header that will provide WNS with a time-to-live binding so that the notification will expire after the time has passed. For more information, see [Raw notification overview (Windows Runtime apps)](/previous-versions/windows/apps/jj676791(v=win.10)).
Note the following restrictions related to push notifications and WNS:
@@ -52,40 +52,34 @@ To get a PFN and WNS credentials, you must create an Microsoft Store app.
1. Go to the Windows [Dashboard](https://dev.windows.com/en-US/dashboard) and sign in with your developer account.
- 
+ 
2. Create a new app.
- 
+ 
3. Reserve an app name.
- 
+ 
4. Click **Services**.
- 
+ 
5. Click **Push notifications**.
- 
+ 
6. Click **Live Services site**. A new window opens for the **Application Registration Portal** page.
- 
+ 
7. In the **Application Registration Portal** page, you will see the properties for the app that you created, such as:
- Application Id
- Application Secrets
- Microsoft Store Package SID, Application Identity, and Publisher.
- 
+ 
8. Click **Save**.
9. Close the **Application Registration Portal** window and go back to the Windows Dev Center Dashboard.
10. Select your app from the list on the left.
11. From the left nav, expand **App management** and then click **App identity**.
- 
+ 
12. In the **App identity** page, you will see the **Package Family Name (PFN)** of your app.
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md
index d906bca3da..cda7004487 100644
--- a/windows/client-management/mdm/reboot-csp.md
+++ b/windows/client-management/mdm/reboot-csp.md
@@ -17,10 +17,15 @@ ms.date: 06/26/2017
The Reboot configuration service provider is used to configure reboot settings.
-The following diagram shows the Reboot configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM.
-
-
-
+The following shows the Reboot configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM.
+```
+./Device/Vendor/MSFT
+Reboot
+----RebootNow
+----Schedule
+--------Single
+--------DailyRecurrent
+```
**./Vendor/MSFT/Reboot**
-
MDM_AppInstallJob
+MDM_AppInstallJob
-
MDM_Application
+MDM_Application
-
MDM_ApplicationFramework
+MDM_ApplicationFramework
-
MDM_ApplicationSetting
+MDM_ApplicationSetting
-
MDM_BrowserSecurityZones
+MDM_BrowserSecurityZones
-
MDM_BrowserSettings
+MDM_BrowserSettings
-
MDM_Certificate
+MDM_Certificate
-
MDM_CertificateEnrollment
+MDM_CertificateEnrollment
-
MDM_Client
+MDM_Client
-
MDM_ConfigSetting
+MDM_ConfigSetting
-
MDM_DeviceRegistrationInfo
+MDM_DeviceRegistrationInfo
-
MDM_EASPolicy
+MDM_EASPolicy
-
MDM_MgMtAuthority
+MDM_MgMtAuthority
@@ -129,39 +129,39 @@ For links to these classes, see [**MDM Bridge WMI Provider**](https://msdn.micro
-
MDM_RemoteApplication
+MDM_RemoteApplication
-
MDM_RemoteAppUseCookie
+MDM_RemoteAppUseCookie
-
MDM_Restrictions
+MDM_Restrictions
-
MDM_RestrictionsUser
+MDM_RestrictionsUser
-
MDM_SecurityStatus
+MDM_SecurityStatus
-
MDM_SideLoader
+MDM_SideLoader
-
MDM_SecurityStatusUser
+MDM_SecurityStatusUser
-
MDM_Updates
+MDM_Updates
-
MDM_VpnApplicationTrigger
+MDM_VpnApplicationTrigger
@@ -169,39 +169,39 @@ For links to these classes, see [**MDM Bridge WMI Provider**](https://msdn.micro
-
MDM_WebApplication
+MDM_WebApplication
-
MDM_WirelessProfile
+MDM_WirelessProfile
-
MDM_WirelesssProfileXML
+MDM_WirelesssProfileXML
-
MDM_WNSChannel
+MDM_WNSChannel
-
MDM_WNSConfiguration
+MDM_WNSConfiguration
-
MSFT_NetFirewallProfile
+MSFT_NetFirewallProfile
-
MSFT_VpnConnection
+MSFT_VpnConnection
-
SoftwareLicensingProduct
+SoftwareLicensingProduct
-
@@ -213,16 +213,16 @@ For links to these classes, see [**MDM Bridge WMI Provider**](https://msdn.micro
| Class | Test completed in Windows 10 for desktop |
|--------------------------------------------------------------------------|------------------------------------------|
-| [**wpcappoverride**](https://msdn.microsoft.com/library/windows/hardware/ms711334) |  |
-| [**wpcgameoverride**](https://msdn.microsoft.com/library/windows/hardware/ms711334) |  |
-| [**wpcgamessettings**](https://msdn.microsoft.com/library/windows/hardware/ms711334) |  |
-| [**wpcrating**](https://msdn.microsoft.com/library/windows/hardware/ms711334) |  |
-| [**wpcRatingsDescriptor**](https://msdn.microsoft.com/library/windows/hardware/ms711334) | |
-| [**wpcratingssystem**](https://msdn.microsoft.com/library/windows/hardware/ms711334) |  |
-| [**wpcsystemsettings**](https://msdn.microsoft.com/library/windows/hardware/ms711334) |  |
-| [**wpcurloverride**](https://msdn.microsoft.com/library/windows/hardware/ms711334) |  |
-| [**wpcusersettings**](https://msdn.microsoft.com/library/windows/hardware/ms711334) |  |
-| [**wpcwebsettings**](https://msdn.microsoft.com/library/windows/hardware/ms711334) |  |
+| [**wpcappoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) |  |
+| [**wpcgameoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) |  |
+| [**wpcgamessettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) |  |
+| [**wpcrating**](/windows/win32/parcon/parental-controls-wmi-provider-schema) |  |
+| [**wpcRatingsDescriptor**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | |
+| [**wpcratingssystem**](/windows/win32/parcon/parental-controls-wmi-provider-schema) |  |
+| [**wpcsystemsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) |  |
+| [**wpcurloverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) |  |
+| [**wpcusersettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) |  |
+| [**wpcwebsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) |  |
@@ -230,73 +230,73 @@ For links to these classes, see [**MDM Bridge WMI Provider**](https://msdn.micro
| Class | Test completed in Windows 10 for desktop |
|--------------------------------------------------------------------------|------------------------------------------|
-[**Win32\_1394Controller**](https://msdn.microsoft.com/library/windows/hardware/aa394059) |
-[**Win32\_BaseBoard**](https://msdn.microsoft.com/library/windows/hardware/aa394072) |
-[**Win32\_Battery**](https://msdn.microsoft.com/library/windows/hardware/aa394074) | 
-[**Win32\_BIOS**](https://msdn.microsoft.com/library/windows/hardware/aa394077) | 
-[**Win32\_CDROMDrive**](https://msdn.microsoft.com/library/windows/hardware/aa394081) |
-[**Win32\_ComputerSystem**](https://msdn.microsoft.com/library/windows/hardware/aa394102) | 
-[**Win32\_ComputerSystemProduct**](https://msdn.microsoft.com/library/windows/hardware//aa394105) | 
-[**Win32\_CurrentTime**](https://msdn.microsoft.com/library/windows/hardware/aa394114) | 
-[**Win32\_Desktop**](https://msdn.microsoft.com/library/windows/hardware/aa394121) |
-[**Win32\_DesktopMonitor**](https://msdn.microsoft.com/library/windows/hardware/aa394122) |
-[**Win32\_DiskDrive**](https://msdn.microsoft.com/library/windows/hardware/aa394132) | 
-[**Win32\_DiskPartition**](https://msdn.microsoft.com/library/windows/hardware/aa394135) |
-[**Win32\_DisplayConfiguration**](https://msdn.microsoft.com/library/windows/hardware/aa394137) | 
-[**Win32\_DMAChannel**](https://msdn.microsoft.com/library/windows/hardware/aa394139) |
-[**Win32\_DriverVXD**](https://msdn.microsoft.com/library/windows/hardware/aa394141) |
-[**Win32\_EncryptableVolume**](https://msdn.microsoft.com/library/windows/hardware/aa376483) |
-[**Win32\_Environment**](https://msdn.microsoft.com/library/windows/hardware/aa394143) |
-[**Win32\_IDEController**](https://msdn.microsoft.com/library/windows/hardware/aa394155) |
-[**Win32\_InfraredDevice**](https://msdn.microsoft.com/library/windows/hardware/aa394158) |
-[**Win32\_IRQResource**](https://msdn.microsoft.com/library/windows/hardware/aa394164) |
-[**Win32\_Keyboard**](https://msdn.microsoft.com/library/windows/hardware/aa394166) |
-[**Win32\_LoadOrderGroup**](https://msdn.microsoft.com/library/windows/hardware/aa394168) |
-[**Win32\_LocalTime**](https://msdn.microsoft.com/library/windows/hardware/aa394171) | 
-[**Win32\_LoggedOnUser**](https://msdn.microsoft.com/library/windows/hardware/aa394172) |
-[**Win32\_LogicalDisk**](https://msdn.microsoft.com/library/windows/hardware/aa394173) | 
-[**Win32\_MotherboardDevice**](https://msdn.microsoft.com/library/windows/hardware/aa394204) |
-[**Win32\_NetworkAdapter**](https://msdn.microsoft.com/library/windows/hardware/aa394216) | 
-[**Win32\_NetworkAdapterConfiguration**](https://msdn.microsoft.com/library/windows/hardware/aa394217) |
-[**Win32\_NetworkClient**](https://msdn.microsoft.com/library/windows/hardware/aa394219) |
-[**Win32\_NetworkLoginProfile**](https://msdn.microsoft.com/library/windows/hardware/aa394221) |
-[**Win32\_NetworkProtocol**](https://msdn.microsoft.com/library/windows/hardware/aa394223) |
-[**Win32\_NTEventlogFile**](https://msdn.microsoft.com/library/windows/hardware/aa394225) |
-[**Win32\_OperatingSystem**](https://msdn.microsoft.com/library/windows/hardware/aa394239) | 
-[**Win32\_OSRecoveryConfiguration**](https://msdn.microsoft.com/library/windows/hardware/aa394242) |
-[**Win32\_PageFileSetting**](https://msdn.microsoft.com/library/windows/hardware/aa394245) |
-[**Win32\_ParallelPort**](https://msdn.microsoft.com/library/windows/hardware/aa394247) |
-[**Win32\_PCMCIAController**](https://msdn.microsoft.com/library/windows/hardware/aa394251) |
-[**Win32\_PhysicalMedia**](https://msdn.microsoft.com/library/windows/hardware/aa394346) |
-[**Win32\_PhysicalMemory**](https://msdn.microsoft.com/library/windows/hardware/aa394347) | 
-[**Win32\_PnPDevice**](https://msdn.microsoft.com/library/windows/hardware/aa394352) |
-[**Win32\_PnPEntity**](https://msdn.microsoft.com/library/windows/hardware/aa394353) |
-[**Win32\_PointingDevice**](https://msdn.microsoft.com/library/windows/hardware/aa394356) |
-[**Win32\_PortableBattery**](https://msdn.microsoft.com/library/windows/hardware/aa394357) |
-[**Win32\_PortResource**](https://msdn.microsoft.com/library/windows/hardware/aa394359) |
-[**Win32\_POTSModem**](https://msdn.microsoft.com/library/windows/hardware/aa394360) |
-[**Win32\_Printer**](https://msdn.microsoft.com/library/windows/hardware/aa394363) |
-[**Win32\_PrinterConfiguration**](https://msdn.microsoft.com/library/windows/hardware/aa394364) |
-[**Win32\_Processor**](https://msdn.microsoft.com/library/windows/hardware/aa394373) | 
-[**Win32\_QuickFixEngineering**](https://msdn.microsoft.com/library/windows/hardware/aa394391) | 
-[**Win32\_Registry**](https://msdn.microsoft.com/library/windows/hardware/aa394394) |
-[**Win32\_SCSIController**](https://msdn.microsoft.com/library/windows/hardware/aa394400) |
-[**Win32\_SerialPort**](https://msdn.microsoft.com/library/windows/hardware/aa394413) |
-[**Win32\_SerialPortConfiguration**](https://msdn.microsoft.com/library/windows/hardware/aa394414) |
-[**Win32\_ServerFeature**](https://msdn.microsoft.com/library/windows/hardware/cc280268) |
-[**Win32\_Service**](https://msdn.microsoft.com/library/windows/hardware/aa394418) | 
-[**Win32\_Share**](https://msdn.microsoft.com/library/windows/hardware/aa394435) | 
-[**Win32\_SoundDevice**](https://msdn.microsoft.com/library/windows/hardware/aa394463) |
-[**Win32\_SystemAccount**](https://msdn.microsoft.com/library/windows/hardware/aa394466) |
-[**Win32\_SystemBIOS**](https://msdn.microsoft.com/library/windows/hardware/aa394467) | 
-[**Win32\_SystemDriver**](https://msdn.microsoft.com/library/windows/hardware/aa394472) |
-[**Win32\_SystemEnclosure**](https://msdn.microsoft.com/library/windows/hardware/aa394474) | 
-[**Win32\_TapeDrive**](https://msdn.microsoft.com/library/windows/hardware/aa394491) |
-[**Win32\_TimeZone**](https://msdn.microsoft.com/library/windows/hardware/aa394498) | 
-[**Win32\_UninterruptiblePowerSupply**](https://msdn.microsoft.com/library/windows/hardware/aa394503) |
-[**Win32\_USBController**](https://msdn.microsoft.com/library/windows/hardware/aa394504) |
-[**Win32\_UTCTime**](https://msdn.microsoft.com/library/windows/hardware/aa394510) | 
-[**Win32\_VideoController**](https://docs.microsoft.com/windows/win32/cimwin32prov/win32-videocontroller) |
+[**Win32\_1394Controller**](/windows/win32/cimwin32prov/win32-1394controller) |
+[**Win32\_BaseBoard**](/windows/win32/cimwin32prov/win32-baseboard) |
+[**Win32\_Battery**](/windows/win32/cimwin32prov/win32-battery) | 
+[**Win32\_BIOS**](/windows/win32/cimwin32prov/win32-bios) | 
+[**Win32\_CDROMDrive**](/windows/win32/cimwin32prov/win32-cdromdrive) |
+[**Win32\_ComputerSystem**](/windows/win32/cimwin32prov/win32-computersystem) | 
+[**Win32\_ComputerSystemProduct**](/windows/win32/cimwin32prov/win32-computersystemproduct) | 
+[**Win32\_CurrentTime**](/previous-versions/windows/desktop/wmitimepprov/win32-currenttime) | 
+[**Win32\_Desktop**](/windows/win32/cimwin32prov/win32-desktop) |
+[**Win32\_DesktopMonitor**](/windows/win32/cimwin32prov/win32-desktopmonitor) |
+[**Win32\_DiskDrive**](/windows/win32/cimwin32prov/win32-diskdrive) | 
+[**Win32\_DiskPartition**](/windows/win32/cimwin32prov/win32-diskpartition) |
+[**Win32\_DisplayConfiguration**](/previous-versions//aa394137(v=vs.85)) | 
+[**Win32\_DMAChannel**](/windows/win32/cimwin32prov/win32-dmachannel) |
+[**Win32\_DriverVXD**](/previous-versions//aa394141(v=vs.85)) |
+[**Win32\_EncryptableVolume**](/windows/win32/secprov/win32-encryptablevolume) |
+[**Win32\_Environment**](/windows/win32/cimwin32prov/win32-environment) |
+[**Win32\_IDEController**](/windows/win32/cimwin32prov/win32-idecontroller) |
+[**Win32\_InfraredDevice**](/windows/win32/cimwin32prov/win32-infrareddevice) |
+[**Win32\_IRQResource**](/windows/win32/cimwin32prov/win32-irqresource) |
+[**Win32\_Keyboard**](/windows/win32/cimwin32prov/win32-keyboard) |
+[**Win32\_LoadOrderGroup**](/windows/win32/cimwin32prov/win32-loadordergroup) |
+[**Win32\_LocalTime**](/previous-versions/windows/desktop/wmitimepprov/win32-localtime) | 
+[**Win32\_LoggedOnUser**](/windows/win32/cimwin32prov/win32-loggedonuser) |
+[**Win32\_LogicalDisk**](/windows/win32/cimwin32prov/win32-logicaldisk) | 
+[**Win32\_MotherboardDevice**](/windows/win32/cimwin32prov/win32-motherboarddevice) |
+[**Win32\_NetworkAdapter**](/windows/win32/cimwin32prov/win32-networkadapter) | 
+[**Win32\_NetworkAdapterConfiguration**](/windows/win32/cimwin32prov/win32-networkadapterconfiguration) |
+[**Win32\_NetworkClient**](/windows/win32/cimwin32prov/win32-networkclient) |
+[**Win32\_NetworkLoginProfile**](/windows/win32/cimwin32prov/win32-networkloginprofile) |
+[**Win32\_NetworkProtocol**](/windows/win32/cimwin32prov/win32-networkprotocol) |
+[**Win32\_NTEventlogFile**](/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)) |
+[**Win32\_OperatingSystem**](/windows/win32/cimwin32prov/win32-operatingsystem) | 
+[**Win32\_OSRecoveryConfiguration**](/windows/win32/cimwin32prov/win32-osrecoveryconfiguration) |
+[**Win32\_PageFileSetting**](/windows/win32/cimwin32prov/win32-pagefilesetting) |
+[**Win32\_ParallelPort**](/windows/win32/cimwin32prov/win32-parallelport) |
+[**Win32\_PCMCIAController**](/windows/win32/cimwin32prov/win32-pcmciacontroller) |
+[**Win32\_PhysicalMedia**](/previous-versions/windows/desktop/cimwin32a/win32-physicalmedia) |
+[**Win32\_PhysicalMemory**](/windows/win32/cimwin32prov/win32-physicalmemory) | 
+[**Win32\_PnPDevice**](/windows/win32/cimwin32prov/win32-pnpdevice) |
+[**Win32\_PnPEntity**](/windows/win32/cimwin32prov/win32-pnpentity) |
+[**Win32\_PointingDevice**](/windows/win32/cimwin32prov/win32-pointingdevice) |
+[**Win32\_PortableBattery**](/windows/win32/cimwin32prov/win32-portablebattery) |
+[**Win32\_PortResource**](/windows/win32/cimwin32prov/win32-portresource) |
+[**Win32\_POTSModem**](/windows/win32/cimwin32prov/win32-potsmodem) |
+[**Win32\_Printer**](/windows/win32/cimwin32prov/win32-printer) |
+[**Win32\_PrinterConfiguration**](/windows/win32/cimwin32prov/win32-printerconfiguration) |
+[**Win32\_Processor**](/windows/win32/cimwin32prov/win32-processor) | 
+[**Win32\_QuickFixEngineering**](/windows/win32/cimwin32prov/win32-quickfixengineering) | 
+[**Win32\_Registry**](/windows/win32/cimwin32prov/win32-registry) |
+[**Win32\_SCSIController**](/windows/win32/cimwin32prov/win32-scsicontroller) |
+[**Win32\_SerialPort**](/windows/win32/cimwin32prov/win32-serialport) |
+[**Win32\_SerialPortConfiguration**](/windows/win32/cimwin32prov/win32-serialportconfiguration) |
+[**Win32\_ServerFeature**](/windows/win32/wmisdk/win32-serverfeature) |
+[**Win32\_Service**](/windows/win32/cimwin32prov/win32-service) | 
+[**Win32\_Share**](/windows/win32/cimwin32prov/win32-share) | 
+[**Win32\_SoundDevice**](/windows/win32/cimwin32prov/win32-sounddevice) |
+[**Win32\_SystemAccount**](/windows/win32/cimwin32prov/win32-systemaccount) |
+[**Win32\_SystemBIOS**](/windows/win32/cimwin32prov/win32-systembios) | 
+[**Win32\_SystemDriver**](/windows/win32/cimwin32prov/win32-systemdriver) |
+[**Win32\_SystemEnclosure**](/windows/win32/cimwin32prov/win32-systemenclosure) | 
+[**Win32\_TapeDrive**](/windows/win32/cimwin32prov/win32-tapedrive) |
+[**Win32\_TimeZone**](/windows/win32/cimwin32prov/win32-timezone) | 
+[**Win32\_UninterruptiblePowerSupply**](/previous-versions//aa394503(v=vs.85)) |
+[**Win32\_USBController**](/windows/win32/cimwin32prov/win32-usbcontroller) |
+[**Win32\_UTCTime**](/previous-versions/windows/desktop/wmitimepprov/win32-utctime) | 
+[**Win32\_VideoController**](/windows/win32/cimwin32prov/win32-videocontroller) |
**Win32\_WindowsUpdateAgentVersion** |
@@ -305,4 +305,4 @@ For links to these classes, see [**MDM Bridge WMI Provider**](https://msdn.micro
[Configuration service provider reference](configuration-service-provider-reference.md)
## Related Links
-[CIM Video Controller](https://docs.microsoft.com/windows/win32/cimwin32prov/cim-videocontroller)
+[CIM Video Controller](/windows/win32/cimwin32prov/cim-videocontroller)
\ No newline at end of file
diff --git a/windows/client-management/new-policies-for-windows-10.md b/windows/client-management/new-policies-for-windows-10.md
index 239c1f1379..d13f235344 100644
--- a/windows/client-management/new-policies-for-windows-10.md
+++ b/windows/client-management/new-policies-for-windows-10.md
@@ -497,7 +497,7 @@ Mobile device management (MDM) for Windows 10 Pro, Windows 10 Enterprise, Wind
- Security
-- [VPN](https://go.microsoft.com/fwlink/p/?LinkId=623295) and enterprise Wi-Fi management
+- [VPN](/windows/security/identity-protection/vpn/vpn-profile-options) and enterprise Wi-Fi management
- Certificate management
@@ -505,11 +505,11 @@ Mobile device management (MDM) for Windows 10 Pro, Windows 10 Enterprise, Wind
- Consumer experiences, such as suggested apps in Start and app tiles from Microsoft dynamically inserted in the default Start menu
-Windows 10, version 1703, adds a number of [ADMX-backed policies to MDM](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-admx-backed).
+Windows 10, version 1703, adds a number of [ADMX-backed policies to MDM](./mdm/policy-configuration-service-provider.md).
If you use Microsoft Intune for MDM, you can [configure custom policies](https://go.microsoft.com/fwlink/p/?LinkId=616316) to deploy Open Mobile Alliance Uniform Resource Identifier (OMA-URI) settings that can be used to control features on Windows 10. For a list of OMA-URI settings, see [Custom URI settings for Windows 10 devices](https://go.microsoft.com/fwlink/p/?LinkId=616317).
-No new [Exchange ActiveSync policies](https://go.microsoft.com/fwlink/p/?LinkId=613264). For more information, see the [ActiveSync configuration service provider](https://go.microsoft.com/fwlink/p/?LinkId=618944) technical reference.
+No new [Exchange ActiveSync policies](/exchange/mobile-device-mailbox-policies-exchange-2013-help). For more information, see the [ActiveSync configuration service provider](./mdm/activesync-csp.md) technical reference.
## Related topics
@@ -522,7 +522,4 @@ No new [Exchange ActiveSync policies](https://go.microsoft.com/fwlink/p/?LinkId=
[Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md)
-
-
-
-
+
\ No newline at end of file
diff --git a/windows/client-management/reset-a-windows-10-mobile-device.md b/windows/client-management/reset-a-windows-10-mobile-device.md
index e90c985fdb..8a41883885 100644
--- a/windows/client-management/reset-a-windows-10-mobile-device.md
+++ b/windows/client-management/reset-a-windows-10-mobile-device.md
@@ -25,14 +25,14 @@ ms.topic: article
There are two methods for resetting a Windows 10 Mobile device: factory reset and "wipe and persist" reset.
- **Factory reset** restores the state of the device back to its first-boot state plus any update packages. The reset will not return device to the original factory state. To return the device to the original factory state, you must flash it with the original factory image by using the [Windows Device Recovery Tool](https://support.microsoft.com/help/12379/windows-10-mobile-device-recovery-tool-faq). All the provisioning applied to the device by the enterprise will be lost and will need to be re-applied if needed. For details on what is removed or persists, see [Resetting a mobile device](https://go.microsoft.com/fwlink/p/?LinkID=703715).
-- **"Wipe and persist" reset** preserves all the provisioning applied to the device before the reset. After the "wipe and persist" reset, all the preserved provisioning packages are automatically applied on the device and the data in the enterprise shared storage folder \\Data\\SharedData\\Enterprise\\Persistent is restored in that folder. For more information on the enterprise shared storage folder, see [EnterpriseExtFileSystem CSP](https://go.microsoft.com/fwlink/p/?LinkId=703716).
+- **"Wipe and persist" reset** preserves all the provisioning applied to the device before the reset. After the "wipe and persist" reset, all the preserved provisioning packages are automatically applied on the device and the data in the enterprise shared storage folder \\Data\\SharedData\\Enterprise\\Persistent is restored in that folder. For more information on the enterprise shared storage folder, see [EnterpriseExtFileSystem CSP](./mdm/enterpriseextfilessystem-csp.md).
You can trigger a reset using your mobile device management (MDM) service, or a user can trigger a reset in the user interface (UI) or by using hardware buttons.
## Reset using MDM
-The remote wipe command is sent as an XML provisioning file to the device. Since the [RemoteWipe configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkId=703714) uses OMA DM and WAP, authentication between client and server and delivery of the XML provisioning file is handled by provisioning. The remote wipe command is implemented on the device by using the **ResetPhone** function. For more information about the data that is removed as a result of the remote wipe command, see [Resetting a mobile device](https://go.microsoft.com/fwlink/p/?LinkId=703715).
+The remote wipe command is sent as an XML provisioning file to the device. Since the [RemoteWipe configuration service provider (CSP)](./mdm/remotewipe-csp.md) uses OMA DM and WAP, authentication between client and server and delivery of the XML provisioning file is handled by provisioning. The remote wipe command is implemented on the device by using the **ResetPhone** function. For more information about the data that is removed as a result of the remote wipe command, see [Resetting a mobile device](https://go.microsoft.com/fwlink/p/?LinkId=703715).
To perform a factory reset, restoring the device back to its out-of-box state, use the following syncML.
@@ -91,9 +91,4 @@ If your phone is unresponsive and you can't reach **Settings**, you may be able
-
-
-
-
-
-
+
\ No newline at end of file
diff --git a/windows/client-management/system-failure-recovery-options.md b/windows/client-management/system-failure-recovery-options.md
index 4f7a2555e1..3fa7f1b6c8 100644
--- a/windows/client-management/system-failure-recovery-options.md
+++ b/windows/client-management/system-failure-recovery-options.md
@@ -202,4 +202,4 @@ To view system failure and recovery settings for your local computer, type **wmi
## References
-[Varieties of Kernel-Mode Dump Files](https://docs.microsoft.com/windows-hardware/drivers/debugger/varieties-of-kernel-mode-dump-files)
+[Varieties of Kernel-Mode Dump Files](/windows-hardware/drivers/debugger/varieties-of-kernel-mode-dump-files)
\ No newline at end of file
diff --git a/windows/client-management/troubleshoot-event-id-41-restart.md b/windows/client-management/troubleshoot-event-id-41-restart.md
index b774919abf..f2673f9414 100644
--- a/windows/client-management/troubleshoot-event-id-41-restart.md
+++ b/windows/client-management/troubleshoot-event-id-41-restart.md
@@ -73,8 +73,8 @@ When a computer shuts down or restarts because of a Stop error, Windows includes
After you identify the hexadecimal value, use the following references to continue troubleshooting:
- [Advanced troubleshooting for Stop error or blue screen error issue](troubleshoot-stop-errors.md).
-- [Bug Check Code Reference](https://docs.microsoft.com/windows-hardware/drivers/debugger/bug-check-code-reference2). This page lists links to documentation for different bug check codes.
-- [How to Debug Kernel Mode Blue Screen Crashes (for beginners)](https://blogs.technet.microsoft.com/askcore/2008/10/31/how-to-debug-kernel-mode-blue-screen-crashes-for-beginners/).
+- [Bug Check Code Reference](/windows-hardware/drivers/debugger/bug-check-code-reference2). This page lists links to documentation for different bug check codes.
+- [How to Debug Kernel Mode Blue Screen Crashes (for beginners)](/archive/blogs/askcore/how-to-debug-kernel-mode-blue-screen-crashes-for-beginners).
### Scenario 2: The computer restarts because you pressed and held the power button
@@ -118,4 +118,4 @@ If you perform these checks and still cannot isolate the problem, set the system
>
> 1. Right-click **My Computer**, then select **Properties** > **Advanced system settings** > **Advanced**.
> 1. In the **Startup and Recovery** section, select **Settings**.
-> 1. Clear the **Automatically restart** check box.
+> 1. Clear the **Automatically restart** check box.
\ No newline at end of file
diff --git a/windows/client-management/troubleshoot-inaccessible-boot-device.md b/windows/client-management/troubleshoot-inaccessible-boot-device.md
index bdb67e2528..e0afd3d480 100644
--- a/windows/client-management/troubleshoot-inaccessible-boot-device.md
+++ b/windows/client-management/troubleshoot-inaccessible-boot-device.md
@@ -35,11 +35,13 @@ Any one of the following factors might cause the stop error:
* In unusual cases, the failure of the TrustedInstaller service to commit newly installed updates is because of component-based store corruptions
-* Corrupted files in the **Boot** partition (for example, corruption in the volume that's labeled **SYSTEM** when you run the `diskpart` > `list vol` command)
+* Corrupted files in the **Boot** partition (for example, corruption in the volume that's labeled **SYSTEM** when you run the `diskpart` > `list vol` command)
+
+* If there is a blank GPT entry before the entry of the **Boot** partition
## Troubleshoot this error
-Start the computer in [Windows Recovery Mode (WinRE)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#span-identrypointsintowinrespanspan-identrypointsintowinrespanspan-identrypointsintowinrespanentry-points-into-winre). To do this, follow these steps.
+Start the computer in [Windows Recovery Mode (WinRE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#span-identrypointsintowinrespanspan-identrypointsintowinrespanspan-identrypointsintowinrespanentry-points-into-winre). To do this, follow these steps.
1. Start the system by using [the installation media for the installed version of Windows](https://support.microsoft.com/help/15088).
@@ -98,15 +100,17 @@ To verify the BCD entries:
If the computer is UEFI-based, here's example output:
- ```cmd
+ ```console
device partition=\Device\HarddiskVolume2
path \EFI\Microsoft\Boot\bootmgfw.efi
```
If the machine is BIOS-based, here's example output:
- ```cmd
+
+ ```console
Device partition=C:
```
+
>[!NOTE]
>This output might not contain a path.
@@ -121,7 +125,9 @@ If any of the information is wrong or missing, we recommend that you create a ba
After the backup completes, run the following command to make the changes:
-SoftwareLicensingService
+SoftwareLicensingService
bcdedit /set *{identifier}* option value
+```console
+bcdedit /set *{identifier}* option value
+```
For example, if the device under {default} is wrong or missing, run this command to set it: `bcdedit /set {default} device partition=C:`
@@ -133,20 +139,20 @@ If the files are missing, and you want to rebuild the boot files, follow these s
1. Copy all the contents under the **SYSTEM** partition to another location. Alternatively, you can use the command prompt to navigate to the OS drive, create a new folder, and then copy all the files and folders from the **SYSTEM** volume, like shown here:
- ```cmd
+ ```console
D:\> Mkdir BootBackup
R:\> Copy *.* D:\BootBackup
```
2. If you're using Windows 10, or if you're troubleshooting by using a Windows 10 ISO at the Windows Pre-Installation Environment command prompt, you can use the **bcdboot** command to re-create the boot files, like shown here:
- ```cmd
+ ```console
Bcdboot <**OSDrive* >:\windows /s <**SYSTEMdrive* >: /f ALL
```
For example, if we assign the `
-[802.1X authenticated wireless access overview](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh994700(v%3dws.11))
-[Wireless cccess deployment overview](https://docs.microsoft.com/windows-server/networking/core-network-guide/cncg/wireless/b-wireless-access-deploy-overview)
-[TCP/IP technical reference](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd379473(v=ws.10))
-[Network Monitor](https://docs.microsoft.com/windows/desktop/netmon2/network-monitor)
-[RPC and the network](https://docs.microsoft.com/windows/desktop/rpc/rpc-and-the-network)
-[How RPC works](https://docs.microsoft.com/windows/desktop/rpc/how-rpc-works)
-[NPS reason codes](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197570(v=ws.10))
+[802.1X authenticated wired access overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831831(v=ws.11))
+[802.1X authenticated wireless access overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh994700(v%3dws.11))
+[Wireless cccess deployment overview](/windows-server/networking/core-network-guide/cncg/wireless/b-wireless-access-deploy-overview)
+[TCP/IP technical reference](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd379473(v=ws.10))
+[Network Monitor](/windows/desktop/netmon2/network-monitor)
+[RPC and the network](/windows/desktop/rpc/rpc-and-the-network)
+[How RPC works](/windows/desktop/rpc/how-rpc-works)
+[NPS reason codes](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197570(v=ws.10))
\ No newline at end of file
diff --git a/windows/client-management/troubleshoot-stop-errors.md b/windows/client-management/troubleshoot-stop-errors.md
index 0ed8e1db70..c76deedcd3 100644
--- a/windows/client-management/troubleshoot-stop-errors.md
+++ b/windows/client-management/troubleshoot-stop-errors.md
@@ -35,29 +35,34 @@ Our analysis of the root causes of crashes indicates the following:
- 5 percent are caused by Microsoft code
- 15 percent have unknown causes (because the memory is too corrupted to analyze)
+> [!NOTE]
+> The root cause of Stop errors is never a user-mode process. While a user-mode process (such as Notepad or Slack) may trigger a Stop error, it is merely exposing the underlying bug which is always in a driver, hardware, or the OS.
+
## General troubleshooting steps
To troubleshoot Stop error messages, follow these general steps:
1. Review the Stop error code that you find in the event logs. Search online for the specific Stop error codes to see whether there are any known issues, resolutions, or workarounds for the problem.
+
2. As a best practice, we recommend that you do the following:
- a. Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update history for your system:
- - [Windows 10, version 2004](https://support.microsoft.com/help/4555932)
- - [Windows 10, version 1909](https://support.microsoft.com/help/4529964)
- - [Windows 10, version 1903](https://support.microsoft.com/help/4498140)
- - [Windows 10, version 1809](https://support.microsoft.com/help/4464619)
- - [Windows 10, version 1803](https://support.microsoft.com/help/4099479)
- - [Windows 10, version 1709](https://support.microsoft.com/help/4043454)
- - [Windows 10, version 1703](https://support.microsoft.com/help/4018124)
- - [Windows Server 2016 and Windows 10, version 1607](https://support.microsoft.com/help/4000825)
- - [Windows 10, version 1511](https://support.microsoft.com/help/4000824)
- - [Windows Server 2012 R2 and Windows 8.1](https://support.microsoft.com/help/4009470)
- - [Windows Server 2008 R2 and Windows 7 SP1](https://support.microsoft.com/help/4009469)
+ 1. Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update history for your system:
- b. Make sure that the BIOS and firmware are up-to-date.
+ - [Windows 10, version 2004](https://support.microsoft.com/help/4555932)
+ - [Windows 10, version 1909](https://support.microsoft.com/help/4529964)
+ - [Windows 10, version 1903](https://support.microsoft.com/help/4498140)
+ - [Windows 10, version 1809](https://support.microsoft.com/help/4464619)
+ - [Windows 10, version 1803](https://support.microsoft.com/help/4099479)
+ - [Windows 10, version 1709](https://support.microsoft.com/help/4043454)
+ - [Windows 10, version 1703](https://support.microsoft.com/help/4018124)
+ - [Windows Server 2016 and Windows 10, version 1607](https://support.microsoft.com/help/4000825)
+ - [Windows 10, version 1511](https://support.microsoft.com/help/4000824)
+ - [Windows Server 2012 R2 and Windows 8.1](https://support.microsoft.com/help/4009470)
+ - [Windows Server 2008 R2 and Windows 7 SP1](https://support.microsoft.com/help/4009469)
- c. Run any relevant hardware and memory tests.
+ 1. Make sure that the BIOS and firmware are up-to-date.
+
+ 1. Run any relevant hardware and memory tests.
3. Run the [Machine Memory Dump Collector](https://home.diagnostics.support.microsoft.com/selfhelp?knowledgebasearticlefilter=2027760&wa=wsignin1.0) Windows diagnostic package. This diagnostic tool is used to collect machine memory dump files and check for known solutions.
@@ -74,23 +79,29 @@ To troubleshoot Stop error messages, follow these general steps:
>[!NOTE]
>If there are no updates available from a specific manufacturer, it is recommended that you disable the related service.
>
- >To do this, see [How to perform a clean boot in Windows](https://support.microsoft.com/help/929135)
+ >To do this, see [How to perform a clean boot in Windows](https://support.microsoft.com/help/929135).
>
>You can disable a driver by following the steps in [How to temporarily deactivate the kernel mode filter driver in Windows](https://support.microsoft.com/help/816071).
>
- >You may also want to consider the option of rolling back changes or reverting to the last-known working state. For more information, see [Roll Back a Device Driver to a Previous Version](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732648(v=ws.11)).
+ >You may also want to consider the option of rolling back changes or reverting to the last-known working state. For more information, see [Roll Back a Device Driver to a Previous Version](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732648(v=ws.11)).
### Memory dump collection
To configure the system for memory dump files, follow these steps:
1. [Download DumpConfigurator tool](https://codeplexarchive.blob.core.windows.net/archive/projects/WinPlatTools/WinPlatTools.zip).
+
2. Extract the .zip file and navigate to **Source Code** folder.
+
3. Run the tool DumpConfigurator.hta, and then select **Elevate this HTA**.
-3. Select **Auto Config Kernel**.
-4. Restart the computer for the setting to take effect.
-5. Stop and disable Automatic System Restart Services (ASR) to prevent dump files from being written.
-6. If the server is virtualized, disable auto reboot after the memory dump file is created. This lets you take a snapshot of the server in-state and also if the problem recurs.
+
+4. Select **Auto Config Kernel**.
+
+5. Restart the computer for the setting to take effect.
+
+6. Stop and disable Automatic System Restart Services (ASR) to prevent dump files from being written.
+
+7. If the server is virtualized, disable auto reboot after the memory dump file is created. This lets you take a snapshot of the server in-state and also if the problem recurs.
The memory dump file is saved at the following locations:
@@ -103,7 +114,7 @@ The memory dump file is saved at the following locations:
| Automatic memory dump file | %SystemRoot%\MEMORY.DMP |
| Active memory dump file | %SystemRoot%\MEMORY.DMP |
-You can use the Microsoft DumpChk (Crash Dump File Checker) tool to verify that the memory dump files are not corrupted or invalid. For more information, see the following video:
+You can use the Microsoft DumpChk (Crash Dump File Checker) tool to verify that the memory dump files are not corrupted or invalid. For more information, see the following video:
>[!video https://www.youtube.com/embed/xN7tOfgNKag]
@@ -133,31 +144,44 @@ You can use the tools such as Windows Software Development KIT (SDK) and Symbols
### Advanced debugging references
-[Advanced Windows Debugging](https://www.amazon.com/Advanced-Windows-Debugging-Mario-Hewardt/dp/0321374460)
-[Debugging Tools for Windows (WinDbg, KD, CDB, NTSD)](https://docs.microsoft.com/windows-hardware/drivers/debugger/index)
+- [Advanced Windows Debugging](https://www.amazon.com/Advanced-Windows-Debugging-Mario-Hewardt/dp/0321374460)
+- [Debugging Tools for Windows (WinDbg, KD, CDB, NTSD)](/windows-hardware/drivers/debugger/index)
### Debugging steps
1. Verify that the computer is set up to generate a complete memory dump file when a crash occurs. See the steps [here](troubleshoot-windows-freeze.md#method-1-memory-dump) for more information.
+
2. Locate the memory.dmp file in your Windows directory on the computer that is crashing, and copy that file to another computer.
+
3. On the other computer, download the [Windows 10 SDK](https://developer.microsoft.com/windows/downloads/windows-10-sdk).
+
4. Start the install and choose **Debugging Tools for Windows**. This installs the WinDbg tool.
-5. Open the WinDbg tool and set the symbol path by clicking **File** and then clicking **Symbol File Path**.
- a. If the computer is connected to the Internet, enter the [Microsoft public symbol server](https://docs.microsoft.com/windows-hardware/drivers/debugger/microsoft-public-symbols) (https://msdl.microsoft.com/download/symbols) and click **OK**. This is the recommended method.
- b. If the computer is not connected to the Internet, you must specify a local [symbol path](https://docs.microsoft.com/windows-hardware/drivers/debugger/symbol-path).
+
+5. Open the WinDbg tool and set the symbol path by clicking **File** and then clicking **Symbol File Path**.
+
+ 1. If the computer is connected to the Internet, enter the [Microsoft public symbol server](/windows-hardware/drivers/debugger/microsoft-public-symbols) (https://msdl.microsoft.com/download/symbols) and click **OK**. This is the recommended method.
+
+ 1. If the computer is not connected to the Internet, you must specify a local [symbol path](/windows-hardware/drivers/debugger/symbol-path).
+
6. Click on **Open Crash Dump**, and then open the memory.dmp file that you copied. See the example below.
- 
+
+ 
+
7. There should be a link that says **!analyze -v** under **Bugcheck Analysis**. Click that link. This will enter the command !analyze -v in the prompt at the bottom of the page.
+
8. A detailed bugcheck analysis will appear. See the example below.
+
+
9. Scroll down to the section where it says **STACK_TEXT**. There will be rows of numbers with each row followed by a colon and some text. That text should tell you what DLL is causing the crash and if applicable what service is crashing the DLL.
-10. See [Using the !analyze Extension](https://docs.microsoft.com/windows-hardware/drivers/debugger/using-the--analyze-extension) for details about how to interpret the STACK_TEXT output.
+
+10. See [Using the !analyze Extension](/windows-hardware/drivers/debugger/using-the--analyze-extension) for details about how to interpret the STACK_TEXT output.
There are many possible causes of a bugcheck and each case is unique. In the example provided above, the important lines that can be identified from the STACK_TEXT are 20, 21, and 22:
(HEX data is removed here and lines are numbered for clarity)
-```
+```console
1 : nt!KeBugCheckEx
2 : nt!PspCatchCriticalBreak+0xff
3 : nt!PspTerminateAllThreads+0x1134cf
@@ -214,11 +238,14 @@ We estimate that about 75 percent of all Stop errors are caused by faulty driver
Use the following guidelines when you use Driver Verifier:
- Test any “suspicious” drivers (drivers that were recently updated or that are known to be problematic).
+
- If you continue to experience non-analyzable crashes, try enabling verification on all third-party and unsigned drivers.
+
- Enable concurrent verification on groups of 10–20 drivers.
+
- Additionally, if the computer cannot boot into the desktop because of Driver Verifier, you can disable the tool by starting in Safe mode. This is because the tool cannot run in Safe mode.
-For more information, see [Driver Verifier](https://docs.microsoft.com/windows-hardware/drivers/devtest/driver-verifier).
+For more information, see [Driver Verifier](/windows-hardware/drivers/devtest/driver-verifier).
## Common Windows Stop errors
@@ -234,7 +261,7 @@ PAGE_FAULT_IN_NONPAGED_AREA
Stop error code 0x000000050 | If a driver is ide
SYSTEM_SERVICE_EXCEPTION
Stop error code c000021a {Fatal System Error} The Windows SubSystem system process terminated unexpectedly with a status of 0xc0000005. The system has been shut down. | Use the System File Checker tool to repair missing or corrupted system files. The System File Checker lets users scan for corruptions in Windows system files and restore corrupted files. For more information, see [Use the System File Checker tool](https://support.microsoft.com/en-us/help/929833/use-the-system-file-checker-tool-to-repair-missing-or-corrupted-system-files).
NTFS_FILE_SYSTEM
Stop error code 0x000000024 | This Stop error is commonly caused by corruption in the NTFS file system or bad blocks (sectors) on the hard disk. Corrupted drivers for hard disks (SATA or IDE) can also adversely affect the system's ability to read and write to disk. Run any hardware diagnostics that are provided by the manufacturer of the storage subsystem. Use the scan disk tool to verify that there are no file system errors. To do this, right-click the drive that you want to scan, select Properties, select Tools, and then select the Check now button.We also suggest that you update the NTFS file system driver (Ntfs.sys), and apply the latest cumulative updates for the current operating system that is experiencing the problem.
KMODE_EXCEPTION_NOT_HANDLED
Stop error code 0x0000001E | If a driver is identified in the Stop error message, disable or remove that driver. Disable or remove any drivers or services that were recently added.
If the error occurs during the startup sequence, and the system partition is formatted by using the NTFS file system, you might be able to use Safe mode to disable the driver in Device Manager. To do this, follow these steps:
Go to **Settings > Update & security > Recovery**. Under **Advanced startup**, select **Restart now**. After your PC restarts to the **Choose an option** screen, select **Troubleshoot > Advanced options > Startup Settings > Restart**. After the computer restarts, you'll see a list of options. Press **4** or **F4** to start the computer in Safe mode. Or, if you intend to use the Internet while in Safe mode, press **5** or **F5** for the Safe Mode with Networking option.
-DPC_WATCHDOG_VIOLATION
Stop error code 0x00000133 | This Stop error code is caused by a faulty driver that does not complete its work within the allotted time frame in certain conditions. To enable us to help mitigate this error, collect the memory dump file from the system, and then use the Windows Debugger to find the faulty driver. If a driver is identified in the Stop error message, disable the driver to isolate the problem. Check with the manufacturer for driver updates. Check the system log in Event Viewer for additional error messages that might help identify the device or driver that is causing Stop error 0x133. Verify that any new hardware that is installed is compatible with the installed version of Windows. For example, you can get information about required hardware at Windows 10 Specifications. If Windows Debugger is installed, and you have access to public symbols, you can load the c:\windows\memory.dmp file into the Debugger, and then refer to [Determining the source of Bug Check 0x133 (DPC_WATCHDOG_VIOLATION) errors on Windows Server 2012](https://blogs.msdn.microsoft.com/ntdebugging/2012/12/07/determining-the-source-of-bug-check-0x133-dpc_watchdog_violation-errors-on-windows-server-2012/) to find the problematic driver from the memory dump.
+DPC_WATCHDOG_VIOLATION
Stop error code 0x00000133 | This Stop error code is caused by a faulty driver that does not complete its work within the allotted time frame in certain conditions. To enable us to help mitigate this error, collect the memory dump file from the system, and then use the Windows Debugger to find the faulty driver. If a driver is identified in the Stop error message, disable the driver to isolate the problem. Check with the manufacturer for driver updates. Check the system log in Event Viewer for additional error messages that might help identify the device or driver that is causing Stop error 0x133. Verify that any new hardware that is installed is compatible with the installed version of Windows. For example, you can get information about required hardware at Windows 10 Specifications. If Windows Debugger is installed, and you have access to public symbols, you can load the c:\windows\memory.dmp file into the Debugger, and then refer to [Determining the source of Bug Check 0x133 (DPC_WATCHDOG_VIOLATION) errors on Windows Server 2012](/archive/blogs/ntdebugging/determining-the-source-of-bug-check-0x133-dpc_watchdog_violation-errors-on-windows-server-2012) to find the problematic driver from the memory dump.
USER_MODE_HEALTH_MONITOR
Stop error code 0x0000009E | This Stop error indicates that a user-mode health check failed in a way that prevents graceful shutdown. Therefore, Windows restores critical services by restarting or enabling application failover to other servers. The Clustering Service incorporates a detection mechanism that may detect unresponsiveness in user-mode components.
This Stop error usually occurs in a clustered environment, and the indicated faulty driver is RHS.exe.Check the event logs for any storage failures to identify the failing process. Try to update the component or process that is indicated in the event logs. You should see the following event recorded:
Event ID: 4870
Source: Microsoft-Windows-FailoverClustering
Description: User mode health monitoring has detected that the system is not being responsive. The Failover cluster virtual adapter has lost contact with the Cluster Server process with a process ID ‘%1’, for ‘%2’ seconds. Recovery action is taken. Review the Cluster logs to identify the process and investigate which items might cause the process to hang.
For more information, see ["Why is my Failover Clustering node blue screening with a Stop 0x0000009E?"](https://blogs.technet.microsoft.com/askcore/2009/06/12/why-is-my-failover-clustering-node-blue-screening-with-a-stop-0x0000009e) Also, see the following Microsoft video [What to do if a 9E occurs](https://www.youtube.com/watch?v=vOJQEdmdSgw).
## Debugging examples
@@ -243,7 +270,7 @@ USER_MODE_HEALTH_MONITOR
Stop error code 0x0000009E | This Stop error indic
This bugcheck is caused by a driver hang during upgrade, resulting in a bugcheck D1 in NDIS.sys (a Microsoft driver). The **IMAGE_NAME** tells you the faulting driver, but since this is Microsoft driver it cannot be replaced or removed. The resolution method is to disable the network device in device manager and try the upgrade again.
-```
+```console
2: kd> !analyze -v
*******************************************************************************
* *
@@ -397,12 +424,12 @@ FAILURE_ID_REPORT_LINK: https://go.microsoft.com/fwlink/?LinkID=397724&FailureHa
Followup: ndiscore
---------
```
+
### Example 2
In this example, a non-Microsoft driver caused page fault, so we don’t have symbols for this driver. However, looking at **IMAGE_NAME** and or **MODULE_NAME** indicates it’s **WwanUsbMP.sys** that caused the issue. Disconnecting the device and retrying the upgrade is a possible solution.
-```
-
+```console
1: kd> !analyze -v
*******************************************************************************
* *
@@ -576,4 +603,4 @@ ReadVirtual: 812d1248 not properly sign extended
## References
-[Bug Check Code Reference](https://docs.microsoft.com/windows-hardware/drivers/debugger/bug-check-code-reference2)
+[Bug Check Code Reference](/windows-hardware/drivers/debugger/bug-check-code-reference2)
diff --git a/windows/client-management/troubleshoot-tcpip-netmon.md b/windows/client-management/troubleshoot-tcpip-netmon.md
index ed2dc15ba1..b432191920 100644
--- a/windows/client-management/troubleshoot-tcpip-netmon.md
+++ b/windows/client-management/troubleshoot-tcpip-netmon.md
@@ -17,7 +17,7 @@ manager: dansimp
In this topic, you will learn how to use Microsoft Network Monitor 3.4, which is a tool for capturing network traffic.
> [!NOTE]
-> Network Monitor is the archived protocol analyzer and is no longer under development. **Microsoft Message Analyzer** is the replacement for Network Monitor. For more details, see [Microsoft Message Analyzer Operating Guide](https://docs.microsoft.com/message-analyzer/microsoft-message-analyzer-operating-guide).
+> Network Monitor is the archived protocol analyzer and is no longer under development. **Microsoft Message Analyzer** is the replacement for Network Monitor. For more details, see [Microsoft Message Analyzer Operating Guide](/message-analyzer/microsoft-message-analyzer-operating-guide).
To get started, [download Network Monitor tool](https://www.microsoft.com/download/details.aspx?id=4865). When you install Network Monitor, it installs its driver and hooks it to all the network adapters installed on the device. You can see the same on the adapter properties, as shown in the following image:
@@ -61,9 +61,9 @@ Network traces which are collected using the **netsh** commands built in to Wind
## More information
-[Intro to Filtering with Network Monitor 3.0](https://blogs.technet.microsoft.com/netmon/2006/10/17/intro-to-filtering-with-network-monitor-3-0/)
+[Intro to Filtering with Network Monitor 3.0](/archive/blogs/netmon/intro-to-filtering-with-network-monitor-3-0)
[Network Monitor Filter Examples](https://blogs.technet.microsoft.com/rmilne/2016/08/11/network-monitor-filter-examples/)
[Network Monitor Wireless Filtering](https://social.technet.microsoft.com/wiki/contents/articles/1900.network-monitor-wireless-filtering.aspx)
[Network Monitor TCP Filtering](https://social.technet.microsoft.com/wiki/contents/articles/1134.network-monitor-tcp-filtering.aspx)
[Network Monitor Conversation Filtering](https://social.technet.microsoft.com/wiki/contents/articles/1829.network-monitor-conversation-filtering.aspx)
-[How to setup and collect network capture using Network Monitor tool](https://blogs.technet.microsoft.com/msindiasupp/2011/08/10/how-to-setup-and-collect-network-capture-using-network-monitor-tool/)
+[How to setup and collect network capture using Network Monitor tool](/archive/blogs/msindiasupp/how-to-setup-and-collect-network-capture-using-network-monitor-tool)
\ No newline at end of file
diff --git a/windows/client-management/troubleshoot-tcpip-port-exhaust.md b/windows/client-management/troubleshoot-tcpip-port-exhaust.md
index 40c0ff98c2..e41c64b649 100644
--- a/windows/client-management/troubleshoot-tcpip-port-exhaust.md
+++ b/windows/client-management/troubleshoot-tcpip-port-exhaust.md
@@ -146,7 +146,7 @@ If Task Manager did not help you identify the process, then use Process Explorer
Steps to use Process explorer:
-1. [Download Process Explorer](https://docs.microsoft.com/sysinternals/downloads/process-explorer) and run it **Elevated**.
+1. [Download Process Explorer](/sysinternals/downloads/process-explorer) and run it **Elevated**.
2. Alt + click the column header, select **Choose Columns**, and on the **Process Performance** tab, add **Handle Count**.
3. Select **View \ Show Lower Pane**.
4. Select **View \ Lower Pane View \ Handles**.
@@ -194,7 +194,6 @@ goto loop
## Useful links
-- [Port Exhaustion and You!](https://blogs.technet.microsoft.com/askds/2008/10/29/port-exhaustion-and-you-or-why-the-netstat-tool-is-your-friend/) - this article gives a detail on netstat states and how you can use netstat output to determine the port status
-
-- [Detecting ephemeral port exhaustion](https://blogs.technet.microsoft.com/yongrhee/2018/01/09/windows-server-2012-r2-ephemeral-ports-a-k-a-dynamic-ports-hotfixes/): this article has a script which will run in a loop to report the port status. (Applicable for Windows 2012 R2, Windows 8, Windows 10)
+- [Port Exhaustion and You!](/archive/blogs/askds/port-exhaustion-and-you-or-why-the-netstat-tool-is-your-friend) - this article gives a detail on netstat states and how you can use netstat output to determine the port status
+- [Detecting ephemeral port exhaustion](/archive/blogs/yongrhee/windows-server-2012-r2-ephemeral-ports-a-k-a-dynamic-ports-hotfixes): this article has a script which will run in a loop to report the port status. (Applicable for Windows 2012 R2, Windows 8, Windows 10)
\ No newline at end of file
diff --git a/windows/client-management/troubleshoot-windows-freeze.md b/windows/client-management/troubleshoot-windows-freeze.md
index ee292cb2a6..3b6738986f 100644
--- a/windows/client-management/troubleshoot-windows-freeze.md
+++ b/windows/client-management/troubleshoot-windows-freeze.md
@@ -129,7 +129,7 @@ If the computer is no longer frozen and now is running in a good state, use the
3. On some physical computers, you may generate a nonmakeable interruption (NMI) from the Web Interface feature (such as DRAC, iLo, and RSA). However, by default, this setting will stop the system without creating a memory dump.
- To allow the operating system to generate a memory dump file at an NMI interruption, set the value of the [NMICrashDump](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc783271(v=ws.10)) registry entry to `1` (REG_DWORD). Then, restart the computer to apply this change.
+ To allow the operating system to generate a memory dump file at an NMI interruption, set the value of the [NMICrashDump](/previous-versions/windows/it-pro/windows-server-2003/cc783271(v=ws.10)) registry entry to `1` (REG_DWORD). Then, restart the computer to apply this change.
> [!NOTE]
> This is applicable only for Windows 7, Windows Server 2008 R2, and earlier versions of Windows. For Windows 8 Windows Server 2012, and later versions of Windows, the NMICrashDump registry key is no longer required, and an NMI interruption will result in [a Stop error that follows a memory dump data collection](https://support.microsoft.com/help/2750146).
@@ -206,7 +206,7 @@ If the physical computer is still running in a frozen state, follow these steps
* `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled`
- Make sure that the [CrashDumpEnabled](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-2000-server/cc976050(v=technet.10)) registry entry is `1`.
+ Make sure that the [CrashDumpEnabled](/previous-versions/windows/it-pro/windows-2000-server/cc976050(v=technet.10)) registry entry is `1`.
* `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\NMICrashDump`
@@ -259,7 +259,7 @@ Use the one of the following methods for the application on which the virtual ma
#### Microsoft Hyper-V
-If the virtual machine is running Windows 8, Windows Server 2012, or a later version of Windows on Microsoft Hyper-V Server 2012, you can use the built-in NMI feature through a [Debug-VM](https://docs.microsoft.com/previous-versions/windows/powershell-scripting/dn464280(v=wps.630)) cmdlet to debug and get a memory dump.
+If the virtual machine is running Windows 8, Windows Server 2012, or a later version of Windows on Microsoft Hyper-V Server 2012, you can use the built-in NMI feature through a [Debug-VM](/previous-versions/windows/powershell-scripting/dn464280(v=wps.630)) cmdlet to debug and get a memory dump.
To debug the virtual machines on Hyper-V, run the following cmdlet in Windows PowerShell:
@@ -284,4 +284,4 @@ On Windows Server 2008, you may not have enough free disk space to generate a co
Additionally, on Windows Server 2008 Service Pack (SP2), there's a second option if the system drive doesn't have sufficient space. Namely, you can use the DedicatedDumpFile registry entry. To learn how to use the registry entry, see [New behavior in Windows Vista and Windows Server 2008](https://support.microsoft.com/help/969028).
-For more information, see [How to use the DedicatedDumpFile registry value to overcome space limitations on the system drive](https://blogs.msdn.com/b/ntdebugging/archive/2010/04/02/how-to-use-the-dedicateddumpfile-registry-value-to-overcome-space-limitations-on-the-system-drive-when-capturing-a-system-memory-dump.aspx).
+For more information, see [How to use the DedicatedDumpFile registry value to overcome space limitations on the system drive](https://blogs.msdn.com/b/ntdebugging/archive/2010/04/02/how-to-use-the-dedicateddumpfile-registry-value-to-overcome-space-limitations-on-the-system-drive-when-capturing-a-system-memory-dump.aspx).
\ No newline at end of file
diff --git a/windows/client-management/troubleshoot-windows-startup.md b/windows/client-management/troubleshoot-windows-startup.md
index bd9f09bfd0..9d9283a355 100644
--- a/windows/client-management/troubleshoot-windows-startup.md
+++ b/windows/client-management/troubleshoot-windows-startup.md
@@ -46,10 +46,10 @@ To understand the underlying cause of Windows startup problems, it's important t
These articles will walk you through the resources you need to troubleshoot Windows startup issues:
-- [Advanced troubleshooting for Windows boot problems](https://docs.microsoft.com/windows/client-management/advanced-troubleshooting-boot-problems)
+- [Advanced troubleshooting for Windows boot problems](./advanced-troubleshooting-boot-problems.md)
-- [Advanced troubleshooting for Stop error or blue screen error](https://docs.microsoft.com/windows/client-management/troubleshoot-stop-errors)
+- [Advanced troubleshooting for Stop error or blue screen error](./troubleshoot-stop-errors.md)
-- [Advanced troubleshooting for Windows-based computer freeze issues](https://docs.microsoft.com/windows/client-management/troubleshoot-windows-freeze)
+- [Advanced troubleshooting for Windows-based computer freeze issues](./troubleshoot-windows-freeze.md)
-- [Stop error occurs when you update the in-box Broadcom network adapter driver](troubleshoot-stop-error-on-broadcom-driver-update.md)
+- [Stop error occurs when you update the in-box Broadcom network adapter driver](troubleshoot-stop-error-on-broadcom-driver-update.md)
\ No newline at end of file
diff --git a/windows/client-management/windows-10-mobile-and-mdm.md b/windows/client-management/windows-10-mobile-and-mdm.md
index e8a8cb2a19..eb784753c2 100644
--- a/windows/client-management/windows-10-mobile-and-mdm.md
+++ b/windows/client-management/windows-10-mobile-and-mdm.md
@@ -37,7 +37,7 @@ Windows 10 supports end-to-end device lifecycle management to give companies con
## Deploy
Windows 10 Mobile has a built-in device management client to deploy, configure, maintain, and support smartphones. Common to all editions of the Windows 10 operating system, including desktop, mobile, and Internet of Things (IoT), this client provides a single interface through which mobile device management (MDM) solutions can manage any device that runs Windows 10. Because the MDM client integrates with identity management, the effort required to manage devices throughout the lifecycle is greatly reduced.
-Windows 10 includes comprehensive MDM capabilities that can be managed by Microsoft management solutions, such as Microsoft Intune or Microsoft Endpoint Configuration Manager, as well as many third-party MDM solutions. There is no need to install an additional, custom MDM app to enroll devices and bring them under MDM control. All MDM system vendors have equal access to Windows 10 Mobile device management application programming interfaces (APIs), giving IT organizations the freedom to select the system that best fits their management requirements, whether Microsoft Intune or a third-party MDM product. For more information about Windows 10 Mobile device management APIs, see [Mobile device management](https://go.microsoft.com/fwlink/p/?LinkId=734050).
+Windows 10 includes comprehensive MDM capabilities that can be managed by Microsoft management solutions, such as Microsoft Intune or Microsoft Endpoint Configuration Manager, as well as many third-party MDM solutions. There is no need to install an additional, custom MDM app to enroll devices and bring them under MDM control. All MDM system vendors have equal access to Windows 10 Mobile device management application programming interfaces (APIs), giving IT organizations the freedom to select the system that best fits their management requirements, whether Microsoft Intune or a third-party MDM product. For more information about Windows 10 Mobile device management APIs, see [Mobile device management](./mdm/index.md).
### Deployment scenarios
@@ -176,16 +176,16 @@ IT can block the addition of a personal identity, such as an MSA or Google Accou
> [!NOTE]
-> In the context of [Windows-as-a-Service](https://technet.microsoft.com/itpro/windows/manage/introduction-to-windows-10-servicing), differentiation of MDM capabilities may change in the future.
+> In the context of [Windows-as-a-Service](/windows/deployment/update/), differentiation of MDM capabilities may change in the future.
### Infrastructure choices
*Applies to: Corporate and personal devices*
-For both personal and corporate deployment scenarios, an MDM system is the essential infrastructure required to deploy and manage Windows 10 Mobile devices. An Azure AD Premium subscription is recommended as an identity provider and required to support certain capabilities. Windows 10 Mobile allows you to have a pure cloud-based infrastructure or a hybrid infrastructure that combines Azure AD identity management with an on-premises management system to manage devices. Microsoft now also supports a pure on-premises solution to manage Windows 10 Mobile devices with [Configuration Manager](https://technet.microsoft.com/library/mt627908.aspx).
+For both personal and corporate deployment scenarios, an MDM system is the essential infrastructure required to deploy and manage Windows 10 Mobile devices. An Azure AD Premium subscription is recommended as an identity provider and required to support certain capabilities. Windows 10 Mobile allows you to have a pure cloud-based infrastructure or a hybrid infrastructure that combines Azure AD identity management with an on-premises management system to manage devices. Microsoft now also supports a pure on-premises solution to manage Windows 10 Mobile devices with [Configuration Manager](/mem/configmgr/mdm/understand/what-happened-to-hybrid).
**Azure Active Directory**
-Azure AD is a cloud-based directory service that provides identity and access management. You can integrate it with existing on-premises directories to create a hybrid identity solution. Organizations that use Microsoft Office 365 or Intune are already using Azure AD, which has three editions: Free Basic, and Premium (see [Azure Active Directory editions](https://azure.microsoft.com/documentation/articles/active-directory-editions/)). All editions support Azure AD device registration, but the Premium edition is required to enable MDM auto-enrollment and conditional access based on device state.
+Azure AD is a cloud-based directory service that provides identity and access management. You can integrate it with existing on-premises directories to create a hybrid identity solution. Organizations that use Microsoft Office 365 or Intune are already using Azure AD, which has three editions: Free Basic, and Premium (see [Azure Active Directory editions](/azure/active-directory/fundamentals/active-directory-whatis)). All editions support Azure AD device registration, but the Premium edition is required to enable MDM auto-enrollment and conditional access based on device state.
**Mobile Device Management**
Microsoft [Intune](https://www.microsoft.com/server-cloud/products/microsoft-intune/overview.aspx), part of the Enterprise Mobility + Security, is a cloud-based MDM system that manages devices off premises. Intune uses Azure AD for identity management so employees use the same credentials to enroll devices in Intune that they use to sign into Microsoft 365. Intune supports devices that run other operating systems, such as iOS and Android, to provide a complete MDM solution.
@@ -193,7 +193,7 @@ Multiple MDM systems support Windows 10 and most support personal and corporate
> [!NOTE]
> Although not covered in this guide, you can use Exchange ActiveSync (EAS) to manage mobile devices instead of using a full-featured MDM system. EAS is available in Microsoft Exchange Server 2010 or later and Microsoft 365.
-In addition, Microsoft recently added MDM capabilities powered by Intune to Microsoft 365, called Basic Mobility and Security for Microsoft 365. Basic Mobility and Security for Microsoft 365 supports mobile devices only, such as those running Windows 10 Mobile, iOS, and Android. Basic Mobility and Security for Microsoft 365 offers a subset of the management capabilities found in Intune, including the ability to remotely wipe a device, block a device from accessing Exchange Server email, and configure device policies (e.g., passcode requirements). For more information, see [Overview of Basic Mobility and Security for Microsoft 365](https://technet.microsoft.com/library/ms.o365.cc.devicepolicy.aspx).
+In addition, Microsoft recently added MDM capabilities powered by Intune to Microsoft 365, called Basic Mobility and Security for Microsoft 365. Basic Mobility and Security for Microsoft 365 supports mobile devices only, such as those running Windows 10 Mobile, iOS, and Android. Basic Mobility and Security for Microsoft 365 offers a subset of the management capabilities found in Intune, including the ability to remotely wipe a device, block a device from accessing Exchange Server email, and configure device policies (e.g., passcode requirements). For more information, see [Overview of Basic Mobility and Security for Microsoft 365](/microsoft-365/admin/basic-mobility-security/overview).
**Cloud services**
On mobile devices that run Windows 10 Mobile, users can easily connect to cloud services that provide user notifications and collect diagnostic and usage data. Windows 10 Mobile enables organizations to manage how devices consume these cloud services.
@@ -217,7 +217,7 @@ MDM administrators can define and implement policy settings on any personal or c
> [!NOTE]
> This guide helps IT professionals understand management options available for the Windows 10 Mobile OS. Please consult your MDM system documentation to understand how these policies are enabled by your MDM vendor.
-Not all MDM systems support every setting described in this guide. Some support custom policies through OMA-URI XML files. See [Microsoft Intune support for Custom Policies](https://docs.microsoft.com/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#custom-uri-settings-for-windows-10-devices). Naming conventions may also vary among MDM vendors.
+Not all MDM systems support every setting described in this guide. Some support custom policies through OMA-URI XML files. See [Microsoft Intune support for Custom Policies](/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#custom-uri-settings-for-windows-10-devices). Naming conventions may also vary among MDM vendors.
### Account profile
@@ -234,8 +234,8 @@ Enforcing what accounts employees can use on a corporate device is important for
Email and associated calendar and contacts are the primary apps that users access on their smartphones. Configuring them properly is key to the success of any mobility program. In both corporate and personal device deployment scenarios, these email account settings get deployed immediately after enrollment. Using your corporate MDM system, you can define corporate email account profiles, deploy them to devices, and manage inbox policies.
-- Most corporate email systems leverage **Exchange ActiveSync (EAS)**. For more details on configuring EAS email profiles, see the [Exchange ActiveSync CSP](https://msdn.microsoft.com/library/windows/hardware/dn920017(v=vs.85).aspx).
-- **Simple Mail Transfer Protocol (SMTP)** email accounts can also be configured with your MDM system. For more detailed information on SMTP email profile configuration, see the [Email CSP](https://msdn.microsoft.com/library/windows/hardware/dn904953(v=vs.85).aspx). Microsoft Intune does not currently support the creation of an SMTP email profile.
+- Most corporate email systems leverage **Exchange ActiveSync (EAS)**. For more details on configuring EAS email profiles, see the [Exchange ActiveSync CSP](./mdm/activesync-csp.md).
+- **Simple Mail Transfer Protocol (SMTP)** email accounts can also be configured with your MDM system. For more detailed information on SMTP email profile configuration, see the [Email CSP](./mdm/email2-csp.md). Microsoft Intune does not currently support the creation of an SMTP email profile.
### Device Lock restrictions
@@ -265,7 +265,7 @@ Most of the device lock restriction policies have been available through Exchang
Settings related to Windows Hello would be important device lock settings to configure if you are deploying devices using the corporate deployment scenario.
Microsoft made it a requirement for all users to create a numeric passcode as part of Azure AD Join. This policy default requires users to select a four-digit passcode, but this can be configured with an Azure AD-registered MDM system to whatever passcode complexity your organization desires. If you are using Azure AD with an automatic MDM enrollment mechanism, these policy settings are automatically applied during device enrollment.
-You may notice that some of the settings are very similar, specifically those related to passcode length, history, expiration, and complexity. If you set the policy in multiple places, both policies are applied, with the strongest policy retained. Read [PassportForWork CSP](https://msdn.microsoft.com/library/windows/hardware/dn987099(v=vs.85).aspx), [DeviceLock CSP](https://msdn.microsoft.com/library/windows/hardware/dn904945(v=vs.85).aspx) (Windows Phone 8.1), and [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962(v=vs.85).aspx#DeviceLock_AllowIdleReturnWithoutPassword) for more detailed information.
+You may notice that some of the settings are very similar, specifically those related to passcode length, history, expiration, and complexity. If you set the policy in multiple places, both policies are applied, with the strongest policy retained. Read [PassportForWork CSP](./mdm/passportforwork-csp.md), [DeviceLock CSP](./mdm/devicelock-csp.md) (Windows Phone 8.1), and [Policy CSP](./mdm/policy-configuration-service-provider.md) for more detailed information.
### Prevent changing of settings
@@ -312,7 +312,7 @@ Certificates help improve security by providing account authentication, Wi-Fi au
To install certificates manually, you can post them on Microsoft Edge website or send them directly by using email, which is ideal for testing purposes.
Using Simple Certificate Enrollment Protocol (SCEP) and MDM systems, certificate management is completely transparent and requires no user intervention, helping improve user productivity, and reduce support calls. Your MDM system can automatically deploy these certificates to the devices’ certificate stores after you enroll the device, as long as the MDM system supports the SCEP or Personal Information Exchange (PFX). The MDM server can also query and delete SCEP enrolled client certificate (including user installed certificates), or trigger a new enrollment request before the current certificate is expired.
In addition to SCEP certificate management, Windows 10 Mobile supports deployment of PFX certificates. The table below lists the Windows 10 Mobile PFX certificate deployment settings.
-For more detailed information about MDM certificate management, see [Client Certificate Install CSP](https://msdn.microsoft.com/library/windows/hardware/dn920023(v=vs.85).aspx) and [Install digital certificates on Windows 10 Mobile](/windows/access-protection/installing-digital-certificates-on-windows-10-mobile).
+For more detailed information about MDM certificate management, see [Client Certificate Install CSP](./mdm/clientcertificateinstall-csp.md) and [Install digital certificates on Windows 10 Mobile](/windows/access-protection/installing-digital-certificates-on-windows-10-mobile).
Use the Allow Manual Root Certificate Installation setting to prevent users from manually installing root and intermediate CA certificates intentionally or accidentally.
> [!NOTE]
@@ -359,7 +359,7 @@ In addition, you can set the following device wide Wi-Fi settings:
- **Allow Internet Sharing** Allows or disallows Internet sharing
- **WLAN Scan Mode** Specifies how actively the device scans for Wi-Fi networks
-For more detailed information about Wi-Fi connection profile settings, see [Wi-Fi CSP](https://msdn.microsoft.com/library/windows/hardware/dn904981(v=vs.85).aspx) and [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962(v=vs.85).aspx).
+For more detailed information about Wi-Fi connection profile settings, see [Wi-Fi CSP](./mdm/wifi-csp.md) and [Policy CSP](./mdm/policy-configuration-service-provider.md).
### APN profiles
@@ -391,7 +391,7 @@ You can define and deploy APN profiles in MDM systems that configure cellular da
- **Allow user control** Allows users to connect with other APNs than the enterprise APN
- **Hide view** Specifies whether the cellular UX allows the user to view enterprise APNs
-For more detailed information about APN settings, see [APN CSP](https://msdn.microsoft.com/library/windows/hardware/dn958617(v=vs.85).aspx).
+For more detailed information about APN settings, see [APN CSP](./mdm/enterpriseapn-csp.md).
### Proxy
@@ -409,7 +409,7 @@ The following lists the Windows 10 Mobile settings for managing APN proxy settin
- **Proxy connection type** The proxy connection type, supporting: Null proxy, HTTP, WAP, SOCKS4
- **Port** The port number of the proxy connection
-For more details on proxy settings, see [CM_ProxyEntries CSP](https://msdn.microsoft.com/library/windows/hardware/dn914762(v=vs.85).aspx).
+For more details on proxy settings, see [CM_ProxyEntries CSP](./mdm/cm-proxyentries-csp.md).
### VPN
@@ -460,7 +460,7 @@ In addition, you can specify per VPN profile:
- No other VPN profiles can be connected or modified.
- **ProfileXML** In case your MDM system does not support all the VPN settings you want to configure, you can create an XML file that defines the VPN profile you want to apply to all the fields you require.
-For more details about VPN profiles, see [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776(v=vs.85).aspx).
+For more details about VPN profiles, see [VPNv2 CSP](./mdm/vpnv2-csp.md).
Some device-wide settings for managing VPN connections can help you manage VPNs over cellular data connections, which in turn helps reduce costs associated with roaming or data plan charges:
- **Allow VPN** Specifies whether users can change VPN settings
@@ -471,7 +471,7 @@ Some device-wide settings for managing VPN connections can help you manage VPNs
*Applies to: Corporate and personal devices*
-Protecting the apps and data stored on a device is critical to device security. One method for helping protect your apps and data is to encrypt internal device storage. The [device encryption](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) in Windows 10 Mobile helps protect corporate data against unauthorized access, even when an unauthorized user has physical possession of the device.
+Protecting the apps and data stored on a device is critical to device security. One method for helping protect your apps and data is to encrypt internal device storage. The [device encryption](/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) in Windows 10 Mobile helps protect corporate data against unauthorized access, even when an unauthorized user has physical possession of the device.
Windows 10 Mobile also has the ability to install apps on a secure digital (SD) card. The operating system stores apps on a partition specifically designated for that purpose. This feature is always on so you don’t need to set a policy explicitly to enable it.
@@ -506,7 +506,7 @@ For compatibility with existing apps, Windows Phone 8.1 apps still run on Window
Microsoft also made it easier for organizations to license and purchase UWP apps via Microsoft Store for Business and deploy them to employee devices using the Microsoft Store, or an MDM system, that can be integrated with the Microsoft Store for Business. Putting apps into the hands of mobile workers is critical, but you also need an efficient way to ensure those apps comply with corporate policies for data security.
-To learn more about Universal Windows apps, see the [Guide to Universal Windows Platform (UWP) apps](https://msdn.microsoft.com/library/windows/apps/dn894631.aspx) for additional information, or take this [Quick Start Challenge: Universal Windows Apps in Visual Studio](https://mva.microsoft.com/en-US/training-courses/quick-start-challenge-universal-windows-apps-in-visual-studio-14477?l=Be2FMfgmB_505192797). Also, see [Porting apps to Windows 10](https://msdn.microsoft.com/windows/uwp/porting/index).
+To learn more about Universal Windows apps, see the [Guide to Universal Windows Platform (UWP) apps](/windows/uwp/get-started/universal-application-platform-guide) for additional information, or take this [Quick Start Challenge: Universal Windows Apps in Visual Studio](https://mva.microsoft.com/en-US/training-courses/quick-start-challenge-universal-windows-apps-in-visual-studio-14477?l=Be2FMfgmB_505192797). Also, see [Porting apps to Windows 10](/windows/uwp/porting/).
### Microsoft Store for Business: Sourcing the right app
@@ -543,7 +543,7 @@ IT administrators can control which apps are allowed to be installed on Windows
Windows 10 Mobile includes AppLocker, which enables administrators to create allow or disallow lists of apps from the Microsoft Store. This capability extends to built-in apps, as well, such as Xbox, Groove, text messaging, email, and calendar, etc. The ability to allow or deny apps helps to ensure that people use their mobile devices for their intended purposes. However, it is not always an easy approach to find a balance between what employees need or request and security concerns. Creating allow or disallow lists also requires keeping up with the changing app landscape in the Microsoft Store.
-For more information, see [AppLocker CSP](https://msdn.microsoft.com/library/windows/hardware/dn920019(v=vs.85).aspx).
+For more information, see [AppLocker CSP](./mdm/applocker-csp.md).
In addition to controlling which apps are allowed, IT professionals can also implement additional app management settings on Windows 10 Mobile, using an MDM:
@@ -557,9 +557,9 @@ In addition to controlling which apps are allowed, IT professionals can also imp
- **Require Private Store Only** Specifies whether the private store is exclusively available to users in the Store app on the device. If enabled, only the private store is available. If disabled, the retail catalog and private store are both available.
- **Restrict App Data to System Volume** Specifies whether app data is allowed only on the system drive or can be stored on an SD card.
- **Restrict App to System Volume** Specifies whether app installation is allowed only to the system drive or can be installed on an SD card.
-- **Start screen layout** An XML blob used to configure the Start screen (for more information, see [Start layout for Windows 10 Mobile](https://msdn.microsoft.com/library/windows/hardware/mt171093(v=vs.85).aspx)).
+- **Start screen layout** An XML blob used to configure the Start screen (for more information, see [Start layout for Windows 10 Mobile](/windows/configuration/mobile-devices/start-layout-xml-mobile)).
-Find more details on application management options in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962(v=vs.85).aspx#ApplicationManagement_AllowAllTrustedApps).
+Find more details on application management options in the [Policy CSP](./mdm/policy-configuration-service-provider.md).
### Data leak prevention
@@ -603,7 +603,7 @@ The following table lists the settings that can be configured for Windows Inform
* Mandatory Windows Information Protection policies. To make Windows Information Protection functional, AppLocker and network isolation settings (specifically Enterprise IP Range and Enterprise Network Domain Names) must be configured. This defines the source of all corporate data that needs protection and also ensures data written to these locations won’t be encrypted by the user’s encryption key so that others in the company can access it.
-For more information on Windows Information Protection, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt697634(v=vs.85).aspx) and the following in-depth article series [Protect your enterprise data using Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip).
+For more information on Windows Information Protection, see the [EnterpriseDataProtection CSP](./mdm/enterprisedataprotection-csp.md) and the following in-depth article series [Protect your enterprise data using Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip).
### Managing user activities
@@ -813,7 +813,7 @@ To learn more about diagnostic, see [Configure Windows diagnostic data in your o
To activate Windows 10 Mobile Enterprise, use your MDM system or a provisioning package to inject the Windows 10 Enterprise license on a Windows 10 Mobile device. Licenses can be obtained from the Volume Licensing portal. For testing purposes, you can obtain a licensing file from the MSDN download center. A valid MSDN subscription is required.
-For more information on updating a device to Enterprise edition, see [WindowsLicensing CSP](https://msdn.microsoft.com/library/windows/hardware/dn904983(v=vs.85).aspx).
+For more information on updating a device to Enterprise edition, see [WindowsLicensing CSP](./mdm/windowslicensing-csp.md).
> [!NOTE]
> We recommend using Enterprise edition only on corporate devices. Once a device has been upgraded, it cannot be downgraded. Even a device wipe or reset will not remove the enterprise license from personal devices.
@@ -893,7 +893,7 @@ Pause Feature Updates for up to 35 days
*Applies to: Corporate devices with Enterprise edition*
-Set update client experience with [Allowautomaticupdate](https://msdn.microsoft.com/library/windows/hardware/dn904962(v=vs.85).aspx#Update_AllowAutoUpdate) policy for your employees. This allows the IT Pro to influence the way the update client on the devices behaves when scanning, downloading, and installing updates.
+Set update client experience with [Allowautomaticupdate](./mdm/policy-configuration-service-provider.md) policy for your employees. This allows the IT Pro to influence the way the update client on the devices behaves when scanning, downloading, and installing updates.
This can include:
- Notifying users prior to downloading updates.
@@ -903,7 +903,7 @@ This can include:
- Automatically downloading and restarting devices without user interaction.
- Turning off automatic updates. This option should be used only for systems under regulatory compliance. The device does not receive any updates.
-In addition, in version 1607, you can configure when the update is applied to the employee device to ensure updates installs or reboots don’t interrupt business or worker productivity. Update installs and reboots can be scheduled [outside of active hours](https://msdn.microsoft.com/library/windows/hardware/dn904962(v=vs.85).aspx#Update_ActiveHoursEnd) (supported values are 0-23, where 0 is 12am, 1 is 1am, and so on) or on a specific [day of the week](https://msdn.microsoft.com/library/windows/hardware/dn904962(v=vs.85).aspx#Update_ScheduledInstallDay) (supported values are 0-7, where 0 is every day, 1 is Sunday, 2 is Monday, and so on).
+In addition, in version 1607, you can configure when the update is applied to the employee device to ensure updates installs or reboots don’t interrupt business or worker productivity. Update installs and reboots can be scheduled [outside of active hours](./mdm/policy-configuration-service-provider.md) (supported values are 0-23, where 0 is 12am, 1 is 1am, and so on) or on a specific [day of the week](./mdm/policy-configuration-service-provider.md) (supported values are 0-7, where 0 is every day, 1 is Sunday, 2 is Monday, and so on).
#### Managing the source of updates with MDM
@@ -921,7 +921,7 @@ IT administrators can specify where the device gets updates from with AllowUpdat
When using WSUS, set **UpdateServiceUrl** to allow the device to check for updates from a WSUS server instead of Windows Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet, usually handheld devices used for task completion, or other Windows IoT devices.
-For more information, see [managing updates with Windows Server Update Services (WSUS)](https://technet.microsoft.com/windowsserver/bb332157.aspx).
+For more information, see [managing updates with Windows Server Update Services (WSUS)](/windows/deployment/deploy-whats-new).
#### Querying the device update status
@@ -1080,9 +1080,9 @@ A better option than wiping the entire device is to use Windows Information Prot
## Related topics
-- [Mobile device management](https://go.microsoft.com/fwlink/p/?LinkId=734050)
+- [Mobile device management](./mdm/index.md)
- [Enterprise Mobility + Security](https://go.microsoft.com/fwlink/p/?LinkId=723984)
-- [Overview of Mobile Device Management for Office 365](https://go.microsoft.com/fwlink/p/?LinkId=734052)
+- [Overview of Mobile Device Management for Office 365](/microsoft-365/admin/basic-mobility-security/overview)
- [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkId=722910)
diff --git a/windows/client-management/windows-10-support-solutions.md b/windows/client-management/windows-10-support-solutions.md
index 9274477150..f906dc759d 100644
--- a/windows/client-management/windows-10-support-solutions.md
+++ b/windows/client-management/windows-10-support-solutions.md
@@ -19,116 +19,116 @@ Microsoft regularly releases both updates for Windows Server. To ensure your ser
This section contains advanced troubleshooting topics and links to help you resolve issues with Windows 10 in an enterprise or IT pro environment. Additional topics will be added as they become available.
## Troubleshoot 802.1x Authentication
-- [Advanced Troubleshooting 802.1X Authentication](https://docs.microsoft.com/windows/client-management/advanced-troubleshooting-802-authentication)
-- [Data collection for troubleshooting 802.1X authentication](https://docs.microsoft.com/windows/client-management/data-collection-for-802-authentication)
+- [Advanced Troubleshooting 802.1X Authentication](./advanced-troubleshooting-802-authentication.md)
+- [Data collection for troubleshooting 802.1X authentication](./data-collection-for-802-authentication.md)
## Troubleshoot BitLocker
-- [Guidelines for troubleshooting BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/troubleshoot-bitlocker)
-- [BitLocker cannot encrypt a drive: known issues](https://docs.microsoft.com/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues)
-- [Enforcing BitLocker policies by using Intune: known issues](https://docs.microsoft.com/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues)
-- [BitLocker Network Unlock: known issues](https://docs.microsoft.com/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues)
-- [BitLocker recovery: known issues](https://docs.microsoft.com/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues)
-- [BitLocker configuration: known issues](https://docs.microsoft.com/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues)
-- [BitLocker cannot encrypt a drive: known TPM issues](https://docs.microsoft.com/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues)
-- [BitLocker and TPM: other known issues](https://docs.microsoft.com/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues)
-- [Decode Measured Boot logs to track PCR changes](https://docs.microsoft.com/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs)
-- [BitLocker frequently asked questions (FAQ)](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions)
+- [Guidelines for troubleshooting BitLocker](/windows/security/information-protection/bitlocker/troubleshoot-bitlocker)
+- [BitLocker cannot encrypt a drive: known issues](/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues)
+- [Enforcing BitLocker policies by using Intune: known issues](/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues)
+- [BitLocker Network Unlock: known issues](/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues)
+- [BitLocker recovery: known issues](/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues)
+- [BitLocker configuration: known issues](/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues)
+- [BitLocker cannot encrypt a drive: known TPM issues](/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues)
+- [BitLocker and TPM: other known issues](/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues)
+- [Decode Measured Boot logs to track PCR changes](/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs)
+- [BitLocker frequently asked questions (FAQ)](/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions)
## Troubleshoot Bugcheck and Stop errors
-- [Introduction to the page file](https://docs.microsoft.com/windows/client-management/introduction-page-file)
-- [How to determine the appropriate page file size for 64-bit versions of Windows](https://docs.microsoft.com/windows/client-management/determine-appropriate-page-file-size)
-- [Configure system failure and recovery options in Windows](https://docs.microsoft.com/windows/client-management/system-failure-recovery-options)
-- [Generate a kernel or complete crash dump](https://docs.microsoft.com/windows/client-management/generate-kernel-or-complete-crash-dump)
-- [Advanced troubleshooting for Stop error or blue screen error issue](https://docs.microsoft.com/windows/client-management/troubleshoot-stop-errors)
-- [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](https://docs.microsoft.com/windows/client-management/troubleshoot-inaccessible-boot-device)
-- [Blue Screen Data - Windows drivers](https://docs.microsoft.com/windows-hardware/drivers/debugger/blue-screen-data)
-- [Bug Check Code Reference - Windows drivers](https://docs.microsoft.com/windows-hardware/drivers/debugger/bug-check-code-reference2)
+- [Introduction to the page file](./introduction-page-file.md)
+- [How to determine the appropriate page file size for 64-bit versions of Windows](./determine-appropriate-page-file-size.md)
+- [Configure system failure and recovery options in Windows](./system-failure-recovery-options.md)
+- [Generate a kernel or complete crash dump](./generate-kernel-or-complete-crash-dump.md)
+- [Advanced troubleshooting for Stop error or blue screen error issue](./troubleshoot-stop-errors.md)
+- [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](./troubleshoot-inaccessible-boot-device.md)
+- [Blue Screen Data - Windows drivers](/windows-hardware/drivers/debugger/blue-screen-data)
+- [Bug Check Code Reference - Windows drivers](/windows-hardware/drivers/debugger/bug-check-code-reference2)
## Troubleshoot Credential Guard
-- [Windows Defender Credential Guard - Known issues (Windows 10)](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-known-issues)
+- [Windows Defender Credential Guard - Known issues (Windows 10)](/windows/security/identity-protection/credential-guard/credential-guard-known-issues)
## Troubleshoot Disks
-- [MBR2GPT](https://docs.microsoft.com/windows/deployment/mbr-to-gpt)
-- [Windows and GPT FAQ](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-and-gpt-faq)
+- [MBR2GPT](/windows/deployment/mbr-to-gpt)
+- [Windows and GPT FAQ](/windows-hardware/manufacture/desktop/windows-and-gpt-faq)
## Troubleshoot Kiosk mode
-- [Troubleshoot kiosk mode issues](https://docs.microsoft.com/windows/configuration/kiosk-troubleshoot)
+- [Troubleshoot kiosk mode issues](/windows/configuration/kiosk-troubleshoot)
## Troubleshoot No Boot
-- [Advanced troubleshooting for Windows boot problems](https://docs.microsoft.com/windows/client-management/advanced-troubleshooting-boot-problems)
+- [Advanced troubleshooting for Windows boot problems](./advanced-troubleshooting-boot-problems.md)
## Troubleshoot Push Button Reset
-- [Push-button reset frequently-asked questions (FAQ)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/pbr-faq)
-- [Push-button reset frequently-asked questions (FAQ)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/pbr-validation)
-- [Recovery components](https://docs.microsoft.com/windows-hardware/manufacture/desktop/recovery-strategy-for-common-customizations)
+- [Push-button reset frequently-asked questions (FAQ)](/windows-hardware/manufacture/desktop/pbr-faq)
+- [Push-button reset frequently-asked questions (FAQ)](/windows-hardware/manufacture/desktop/pbr-validation)
+- [Recovery components](/windows-hardware/manufacture/desktop/recovery-strategy-for-common-customizations)
### Troubleshoot Power Management
-- [Modern Standby FAQs](https://docs.microsoft.com/windows-hardware/design/device-experiences/modern-standby-faqs)
+- [Modern Standby FAQs](/windows-hardware/design/device-experiences/modern-standby-faqs)
## Troubleshoot Secure Boot
-- [Secure Boot isn't configured correctly: troubleshooting](https://docs.microsoft.com/windows-hardware/manufacture/desktop/secure-boot-isnt-configured-correctly-troubleshooting)
+- [Secure Boot isn't configured correctly: troubleshooting](/windows-hardware/manufacture/desktop/secure-boot-isnt-configured-correctly-troubleshooting)
## Troubleshoot Setup and Install
-- [Deployment Troubleshooting and Log Files](https://docs.microsoft.com/windows-hardware/manufacture/desktop/deployment-troubleshooting-and-log-files)
+- [Deployment Troubleshooting and Log Files](/windows-hardware/manufacture/desktop/deployment-troubleshooting-and-log-files)
## Troubleshoot Start Menu
-- [Troubleshoot Start menu errors](https://docs.microsoft.com/windows/configuration/start-layout-troubleshoot)
+- [Troubleshoot Start menu errors](/windows/configuration/start-layout-troubleshoot)
## Troubleshoot Subscription Activation
-- [Deploy Windows 10 Enterprise licenses](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses)
+- [Deploy Windows 10 Enterprise licenses](/windows/deployment/deploy-enterprise-licenses)
## Troubleshoot System Hang
-- [Advanced troubleshooting for Windows-based computer freeze issues](https://docs.microsoft.com/windows/client-management/troubleshoot-windows-freeze)
+- [Advanced troubleshooting for Windows-based computer freeze issues](./troubleshoot-windows-freeze.md)
## Troubleshoot TCP/IP Communication
-- [Collect data using Network Monitor](https://docs.microsoft.com/windows/client-management/troubleshoot-tcpip-netmon)
-- [Troubleshoot TCP/IP connectivity](https://docs.microsoft.com/windows/client-management/troubleshoot-tcpip-connectivity)
-- [Troubleshoot port exhaustion issues](https://docs.microsoft.com/windows/client-management/troubleshoot-tcpip-port-exhaust)
-- [Troubleshoot Remote Procedure Call (RPC) errors](https://docs.microsoft.com/windows/client-management/troubleshoot-tcpip-rpc-errors)
+- [Collect data using Network Monitor](./troubleshoot-tcpip-netmon.md)
+- [Troubleshoot TCP/IP connectivity](./troubleshoot-tcpip-connectivity.md)
+- [Troubleshoot port exhaustion issues](./troubleshoot-tcpip-port-exhaust.md)
+- [Troubleshoot Remote Procedure Call (RPC) errors](./troubleshoot-tcpip-rpc-errors.md)
## Troubleshoot User State Migration Toolkit (USMT)
-- [Common Issues](https://docs.microsoft.com/windows/deployment/usmt/usmt-common-issues)
-- [Frequently Asked Questions](https://docs.microsoft.com/windows/deployment/usmt/usmt-faq)
-- [Log Files](https://docs.microsoft.com/windows/deployment/usmt/usmt-log-files)
-- [Return Codes](https://docs.microsoft.com/windows/deployment/usmt/usmt-return-codes)
+- [Common Issues](/windows/deployment/usmt/usmt-common-issues)
+- [Frequently Asked Questions](/windows/deployment/usmt/usmt-faq)
+- [Log Files](/windows/deployment/usmt/usmt-log-files)
+- [Return Codes](/windows/deployment/usmt/usmt-return-codes)
## Troubleshoot Windows Hello for Business (WHFB)
-- [Windows Hello for Business Frequently Asked Questions](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-faq)
-- [Windows Hello errors during PIN creation (Windows 10)](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation)
-- [Event ID 300 - Windows Hello successfully created (Windows 10)](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-event-300)
+- [Windows Hello for Business Frequently Asked Questions](/windows/security/identity-protection/hello-for-business/hello-faq)
+- [Windows Hello errors during PIN creation (Windows 10)](/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation)
+- [Event ID 300 - Windows Hello successfully created (Windows 10)](/windows/security/identity-protection/hello-for-business/hello-event-300)
## Troubleshoot Windows Analytics
-- [Frequently asked questions and troubleshooting Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-faq-troubleshooting)
+- [Frequently asked questions and troubleshooting Windows Analytics](/windows/deployment/update/windows-analytics-faq-troubleshooting)
## Troubleshoot Windows Update
-- [How Windows Update works](https://docs.microsoft.com/windows/deployment/update/how-windows-update-works)
-- [Windows Update log files](https://docs.microsoft.com/windows/deployment/update/windows-update-logs)
-- [Windows Update troubleshooting](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting)
-- [Windows Update common errors and mitigation](https://docs.microsoft.com/windows/deployment/update/windows-update-errors)
-- [Windows Update - Additional resources](https://docs.microsoft.com/windows/deployment/update/windows-update-resources)
-- [Get started with Windows Update](https://docs.microsoft.com/windows/deployment/update/windows-update-overview)
-- [Servicing stack updates](https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates)
+- [How Windows Update works](/windows/deployment/update/how-windows-update-works)
+- [Windows Update log files](/windows/deployment/update/windows-update-logs)
+- [Windows Update troubleshooting](/windows/deployment/update/windows-update-troubleshooting)
+- [Windows Update common errors and mitigation](/windows/deployment/update/windows-update-errors)
+- [Windows Update - Additional resources](/windows/deployment/update/windows-update-resources)
+- [Get started with Windows Update](/windows/deployment/update/windows-update-overview)
+- [Servicing stack updates](/windows/deployment/update/servicing-stack-updates)
## Troubleshoot Windows Upgrade
-- [Quick fixes - Windows IT Pro](https://docs.microsoft.com/windows/deployment/upgrade/quick-fixes)
-- [SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag)
-- [Troubleshoot Windows 10 upgrade errors - Windows IT Pro](https://docs.microsoft.com/windows/deployment/upgrade/troubleshoot-upgrade-errors)
-- [Windows error reporting - Windows IT Pro](https://docs.microsoft.com/windows/deployment/upgrade/windows-error-reporting)
-- [Upgrade error codes - Windows IT Pro](https://docs.microsoft.com/windows/deployment/upgrade/upgrade-error-codes)
-- [Log files - Windows IT Pro](https://docs.microsoft.com/windows/deployment/upgrade/log-files)
-- [Resolution procedures - Windows IT Pro](https://docs.microsoft.com/windows/deployment/upgrade/resolution-procedures)
+- [Quick fixes - Windows IT Pro](/windows/deployment/upgrade/quick-fixes)
+- [SetupDiag](/windows/deployment/upgrade/setupdiag)
+- [Troubleshoot Windows 10 upgrade errors - Windows IT Pro](/windows/deployment/upgrade/troubleshoot-upgrade-errors)
+- [Windows error reporting - Windows IT Pro](/windows/deployment/upgrade/windows-error-reporting)
+- [Upgrade error codes - Windows IT Pro](/windows/deployment/upgrade/upgrade-error-codes)
+- [Log files - Windows IT Pro](/windows/deployment/upgrade/log-files)
+- [Resolution procedures - Windows IT Pro](/windows/deployment/upgrade/resolution-procedures)
## Troubleshoot Windows Recovery (WinRE)
-- [Windows RE troubleshooting features](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-re-troubleshooting-features)
+- [Windows RE troubleshooting features](/windows-hardware/manufacture/desktop/windows-re-troubleshooting-features)
## Troubleshoot Wireless Connection
-- [Advanced Troubleshooting Wireless Network Connectivity](https://docs.microsoft.com/windows/client-management/advanced-troubleshooting-wireless-network-connectivity)
+- [Advanced Troubleshooting Wireless Network Connectivity](./advanced-troubleshooting-wireless-network-connectivity.md)
## Other Resources
-- [Troubleshooting Windows Server components](https://docs.microsoft.com/windows-server/troubleshoot/windows-server-troubleshooting)
+- [Troubleshooting Windows Server components](/windows-server/troubleshoot/windows-server-troubleshooting)
\ No newline at end of file
diff --git a/windows/client-management/windows-libraries.md b/windows/client-management/windows-libraries.md
index b5977c0973..a287d48be1 100644
--- a/windows/client-management/windows-libraries.md
+++ b/windows/client-management/windows-libraries.md
@@ -35,7 +35,7 @@ Administrators can configure and control Windows libraries in the following ways
- Specify a set of libraries available to Default User, and then deploy those libraries to users that derive from Default User.
- Specify locations to include in a library.
- Remove a default location from a library.
-- Remove advanced libraries features, when the environment does not support the local caching of files, by using the [Turn off Windows Libraries features that rely on indexed file data](https://technet.microsoft.com/library/faaefdad-6e12-419a-b714-6a7bb60f6773#WS_TurnOffWindowsLibraries) Group Policy. This makes all libraries basic (see [Indexing Requirements and Basic Libraries](https://technet.microsoft.com/library/dd744693.aspx#WS_IndexingReqs_BasicLibraries)), removes libraries from the scope of the Start menu search, and removes other features to avoid confusing users and consuming resources.
+- Remove advanced libraries features, when the environment does not support the local caching of files, by using the [Turn off Windows Libraries features that rely on indexed file data](/previous-versions/windows/it-pro/windows-7/dd744697(v=ws.10)#WS_TurnOffWindowsLibraries) Group Policy. This makes all libraries basic (see [Indexing Requirements and Basic Libraries](/previous-versions/windows/it-pro/windows-7/dd744693(v=ws.10)#WS_IndexingReqs_BasicLibraries)), removes libraries from the scope of the Start menu search, and removes other features to avoid confusing users and consuming resources.
## More about Libraries
@@ -57,7 +57,7 @@ Libraries are built upon the legacy known folders (such as My Documents, My Pict
### Hiding Default Libraries
-Users or administrators can hide or delete the default libraries, though the libraries node in the Navigation pane cannot be hidden or deleted. Hiding a default library is preferable to deleting it, as applications like Windows Media Player rely on the default libraries and will re-create them if they do not exist on the computer. See [How to Hide Default Libraries](https://technet.microsoft.com/library/d44c78e0-08ef-4e91-935a-a6f43716e37d#BKMK_HideDefaultLibraries) for instructions.
+Users or administrators can hide or delete the default libraries, though the libraries node in the Navigation pane cannot be hidden or deleted. Hiding a default library is preferable to deleting it, as applications like Windows Media Player rely on the default libraries and will re-create them if they do not exist on the computer. See [How to Hide Default Libraries](/previous-versions/windows/it-pro/windows-7/ee461108(v=ws.10)#BKMK_HideDefaultLibraries) for instructions.
### Default Save Locations for Libraries
@@ -75,13 +75,13 @@ Certain library features depend on the contents of the libraries being indexed.
To avoid this limited functionality, all locations within the library must be indexable, either locally or remotely. When users add local folders to libraries, Windows adds the location to the indexing scope and indexes the contents. Remote locations that are not indexed remotely can be added to the local index using Offline File synchronization. This gives the user the benefits of local storage even though the location is remote. Making a folder “Always available offline” creates a local copy of the folder’s files, adds those files to the index, and keeps the local and remote copies in sync. Users can manually sync locations which are not indexed remotely and are not using folder redirection to gain the benefits of being indexed locally.
-For instructions on enabling indexing, see [How to Enable Indexing of Library Locations](https://technet.microsoft.com/library/d44c78e0-08ef-4e91-935a-a6f43716e37d#BKMK_EnableIndexLocations).
+For instructions on enabling indexing, see [How to Enable Indexing of Library Locations](/previous-versions/windows/it-pro/windows-7/ee461108(v=ws.10)#BKMK_EnableIndexLocations).
-If your environment does not support caching files locally, you should enable the [Turn off Windows Libraries features that rely on indexed file](https://technet.microsoft.com/library/faaefdad-6e12-419a-b714-6a7bb60f6773#WS_TurnOffWindowsLibraries) data Group Policy. This makes all libraries basic. For further information, see [Group Policy for Windows Search, Browse, and Organize](https://technet.microsoft.com/library/dd744697.aspx).
+If your environment does not support caching files locally, you should enable the [Turn off Windows Libraries features that rely on indexed file](/previous-versions/windows/it-pro/windows-7/dd744697(v=ws.10)#WS_TurnOffWindowsLibraries) data Group Policy. This makes all libraries basic. For further information, see [Group Policy for Windows Search, Browse, and Organize](/previous-versions/windows/it-pro/windows-7/dd744697(v=ws.10)).
### Folder Redirection
-While library files themselves cannot be redirected, you can redirect known folders included in libraries by using [Folder Redirection](https://technet.microsoft.com/library/hh848267.aspx). For example, you can redirect the “My Documents” folder, which is included in the default Documents library. When redirecting known folders, you should make sure that the destination is either indexed or always available offline in order to maintain full library functionality. In both cases, the files for the destination folder are indexed and supported in libraries. These settings are configured on the server side.
+While library files themselves cannot be redirected, you can redirect known folders included in libraries by using [Folder Redirection](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)). For example, you can redirect the “My Documents” folder, which is included in the default Documents library. When redirecting known folders, you should make sure that the destination is either indexed or always available offline in order to maintain full library functionality. In both cases, the files for the destination folder are indexed and supported in libraries. These settings are configured on the server side.
### Supported storage locations
@@ -111,20 +111,20 @@ The following library attributes can be modified within Windows Explorer, the Li
The library icon can be modified by the administrator or user by directly editing the Library Description schema file.
-See the [Library Description Schema](https://go.microsoft.com/fwlink/?LinkId=159581) topic on MSDN for information on creating Library Description files.
+See the [Library Description Schema](/windows/win32/shell/library-schema-entry) topic on MSDN for information on creating Library Description files.
## See also
### Concepts
-- [Windows Search Features](https://technet.microsoft.com/library/dd744686.aspx)
-- [Windows Indexing Features](https://technet.microsoft.com/library/dd744700.aspx)
-- [Federated Search Features](https://technet.microsoft.com/library/dd744682.aspx)
-- [Administrative How-to Guides](https://technet.microsoft.com/library/ee461108.aspx)
-- [Group Policy for Windows Search, Browse, and Organize](https://technet.microsoft.com/library/dd744697.aspx)
-- [Additional Resources for Windows Search, Browse, and Organization](https://technet.microsoft.com/library/dd744695.aspx)
+- [Windows Search Features](/previous-versions/windows/it-pro/windows-7/dd744686(v=ws.10))
+- [Windows Indexing Features](/previous-versions/windows/it-pro/windows-7/dd744700(v=ws.10))
+- [Federated Search Features](/previous-versions/windows/it-pro/windows-7/dd744682(v=ws.10))
+- [Administrative How-to Guides](/previous-versions/windows/it-pro/windows-7/ee461108(v=ws.10))
+- [Group Policy for Windows Search, Browse, and Organize](/previous-versions/windows/it-pro/windows-7/dd744697(v=ws.10))
+- [Additional Resources for Windows Search, Browse, and Organization](/previous-versions/windows/it-pro/windows-7/dd744695(v=ws.10))
### Other resources
-- [Folder Redirection, Offline Files, and Roaming User Profiles](https://technet.microsoft.com/library/hh848267.aspx)
-- [Library Description Schema](https://msdn.microsoft.com/library/dd798389.aspx)
+- [Folder Redirection, Offline Files, and Roaming User Profiles](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11))
+- [Library Description Schema](/windows/win32/shell/library-schema-entry)
\ No newline at end of file
diff --git a/windows/client-management/windows-version-search.md b/windows/client-management/windows-version-search.md
index 63dd4a3abe..29a781be98 100644
--- a/windows/client-management/windows-version-search.md
+++ b/windows/client-management/windows-version-search.md
@@ -15,7 +15,7 @@ ms.topic: troubleshooting
# What version of Windows am I running?
-To determine if your device is enrolled in the [Long-Term Servicing Channel](https://docs.microsoft.com/windows/deployment/update/waas-overview#servicing-channels) (LTSC, formerly LTSB) or the [Semi-Annual Channel](https://docs.microsoft.com/windows/deployment/update/waas-overview#servicing-channels) (SAC) you'll need to know what version of Windows 10 you're running. There are a few ways to figure this out. Each method provides a different set of details, so it’s useful to learn about all of them.
+To determine if your device is enrolled in the [Long-Term Servicing Channel](/windows/deployment/update/waas-overview#servicing-channels) (LTSC, formerly LTSB) or the [Semi-Annual Channel](/windows/deployment/update/waas-overview#servicing-channels) (SAC) you'll need to know what version of Windows 10 you're running. There are a few ways to figure this out. Each method provides a different set of details, so it’s useful to learn about all of them.
## System Properties
Click **Start** > **Settings** > **System** > click **About** from the bottom of the left-hand menu
@@ -48,4 +48,4 @@ At the Command Prompt or PowerShell, type **"slmgr /dlv"**, and then press ENTER
The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSB edition. This build of Windows doesn’t contain many in-box applications, such as Microsoft Edge, Microsoft Store, Cortana (you do have some limited search capabilities), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. It’s important to remember that the LTSC model is primarily for specialized devices.
-In the Semi-Annual Channel, you can set feature updates as soon as Microsoft releases them. This servicing modal is ideal for pilot deployments and to test Windows 10 feature updates and for users like developers who need to work with the latest features immediately. Once you've tested the latest release, you can choose when to roll it out broadly in your deployment.
+In the Semi-Annual Channel, you can set feature updates as soon as Microsoft releases them. This servicing modal is ideal for pilot deployments and to test Windows 10 feature updates and for users like developers who need to work with the latest features immediately. Once you've tested the latest release, you can choose when to roll it out broadly in your deployment.
\ No newline at end of file
diff --git a/windows/configuration/TOC.md b/windows/configuration/TOC.md
deleted file mode 100644
index 0d01784273..0000000000
--- a/windows/configuration/TOC.md
+++ /dev/null
@@ -1,177 +0,0 @@
-# [Configure Windows 10](index.md)
-## [Accessibility information for IT Pros](windows-10-accessibility-for-ITPros.md)
-## [Configure access to Microsoft Store](stop-employees-from-using-microsoft-store.md)
-## [Configure Cortana in Windows 10](cortana-at-work/cortana-at-work-overview.md)
-## [Set up and test Cortana in Windows 10, version 2004 and later](cortana-at-work/set-up-and-test-cortana-in-windows-10.md)
-## [Testing scenarios using Cortana in your business or organization](cortana-at-work/cortana-at-work-testing-scenarios.md)
-### [Test scenario 1 - Sign into Azure AD, enable the wake word, and try a voice query](cortana-at-work/cortana-at-work-scenario-1.md)
-### [Test scenario 2 - Perform a Bing search with Cortana](cortana-at-work/cortana-at-work-scenario-2.md)
-### [Test scenario 3 - Set a reminder](cortana-at-work/cortana-at-work-scenario-3.md)
-### [Test scenario 4 - Use Cortana to find free time on your calendar](cortana-at-work/cortana-at-work-scenario-4.md)
-### [Test scenario 5 - Find out about a person](cortana-at-work/cortana-at-work-scenario-5.md)
-### [Test scenario 6 - Change your language and perform a quick search with Cortana](cortana-at-work/cortana-at-work-scenario-6.md)
-## [Send feedback about Cortana back to Microsoft](cortana-at-work/cortana-at-work-feedback.md)
-## [Set up and test Cortana in Windows 10, versions 1909 and earlier, with Microsoft 365 in your organization](cortana-at-work/cortana-at-work-o365.md)
-## [Testing scenarios using Cortana in your business or organization](cortana-at-work/cortana-at-work-testing-scenarios.md)
-### [Test scenario 1 - Sign into Azure AD, enable the wake word, and try a voice query](cortana-at-work/test-scenario-1.md)
-### [Test scenario 2 - Perform a quick search with Cortana at work](cortana-at-work/test-scenario-2.md)
-### [Test scenario 3 - Set a reminder for a specific location using Cortana at work](cortana-at-work/test-scenario-3.md)
-### [Test scenario 4 - Use Cortana at work to find your upcoming meetings](cortana-at-work/test-scenario-4.md)
-### [Test scenario 5 - Use Cortana to send email to a co-worker](cortana-at-work/test-scenario-5.md)
-### [Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email](cortana-at-work/test-scenario-6.md)
-### [Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device](cortana-at-work/cortana-at-work-scenario-7.md)
-## [Set up and test custom voice commands in Cortana for your organization](cortana-at-work/cortana-at-work-voice-commands.md)
-## [Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization](cortana-at-work/cortana-at-work-policy-settings.md)
-## [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md)
-## [Configure kiosks and digital signs on Windows desktop editions](kiosk-methods.md)
-### [Prepare a device for kiosk configuration](kiosk-prepare.md)
-### [Set up digital signs on Windows 10](setup-digital-signage.md)
-### [Set up a single-app kiosk](kiosk-single-app.md)
-### [Set up a multi-app kiosk](lock-down-windows-10-to-specific-apps.md)
-### [More kiosk methods and reference information](kiosk-additional-reference.md)
-#### [Find the Application User Model ID of an installed app](find-the-application-user-model-id-of-an-installed-app.md)
-#### [Validate your kiosk configuration](kiosk-validate.md)
-#### [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md)
-#### [Policies enforced on kiosk devices](kiosk-policies.md)
-#### [Assigned access XML reference](kiosk-xml.md)
-#### [Use AppLocker to create a Windows 10 kiosk](lock-down-windows-10-applocker.md)
-#### [Use Shell Launcher to create a Windows 10 kiosk](kiosk-shelllauncher.md)
-#### [Use MDM Bridge WMI Provider to create a Windows 10 kiosk](kiosk-mdm-bridge.md)
-#### [Troubleshoot kiosk mode issues](kiosk-troubleshoot.md)
-## [Configure Windows Spotlight on the lock screen](windows-spotlight.md)
-## [Manage Windows 10 and Microsoft Store tips, "fun facts", and suggestions](manage-tips-and-suggestions.md)
-## [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
-### [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
-### [Customize and export Start layout](customize-and-export-start-layout.md)
-### [Add image for secondary tiles](start-secondary-tiles.md)
-### [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md)
-### [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
-### [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
-### [Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
-### [Troubleshoot Start menu errors](start-layout-troubleshoot.md)
-### [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
-## [Provisioning packages for Windows 10](provisioning-packages/provisioning-packages.md)
-### [How provisioning works in Windows 10](provisioning-packages/provisioning-how-it-works.md)
-### [Introduction to configuration service providers (CSPs)](provisioning-packages/how-it-pros-can-use-configuration-service-providers.md)
-### [Install Windows Configuration Designer](provisioning-packages/provisioning-install-icd.md)
-### [Create a provisioning package](provisioning-packages/provisioning-create-package.md)
-### [Apply a provisioning package](provisioning-packages/provisioning-apply-package.md)
-### [Settings changed when you uninstall a provisioning package](provisioning-packages/provisioning-uninstall-package.md)
-### [Provision PCs with common settings for initial deployment (desktop wizard)](provisioning-packages/provision-pcs-for-initial-deployment.md)
-### [Provision PCs with apps](provisioning-packages/provision-pcs-with-apps.md)
-### [Use a script to install a desktop app in provisioning packages](provisioning-packages/provisioning-script-to-install-app.md)
-### [Create a provisioning package with multivariant settings](provisioning-packages/provisioning-multivariant.md)
-### [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-packages/provisioning-powershell.md)
-### [Windows Configuration Designer command-line interface (reference)](provisioning-packages/provisioning-command-line.md)
-### [Windows Configuration Designer provisioning settings (reference)](wcd/wcd.md)
-#### [Changes to settings in Windows Configuration Designer](wcd/wcd-changes.md)
-#### [AccountManagement](wcd/wcd-accountmanagement.md)
-#### [Accounts](wcd/wcd-accounts.md)
-#### [ADMXIngestion](wcd/wcd-admxingestion.md)
-#### [AssignedAccess](wcd/wcd-assignedaccess.md)
-#### [AutomaticTime](wcd/wcd-automatictime.md)
-#### [Browser](wcd/wcd-browser.md)
-#### [CallAndMessagingEnhancement](wcd/wcd-callandmessagingenhancement.md)
-#### [Calling](wcd/wcd-calling.md)
-#### [CellCore](wcd/wcd-cellcore.md)
-#### [Cellular](wcd/wcd-cellular.md)
-#### [Certificates](wcd/wcd-certificates.md)
-#### [CleanPC](wcd/wcd-cleanpc.md)
-#### [Connections](wcd/wcd-connections.md)
-#### [ConnectivityProfiles](wcd/wcd-connectivityprofiles.md)
-#### [CountryAndRegion](wcd/wcd-countryandregion.md)
-#### [DesktopBackgroundAndColors](wcd/wcd-desktopbackgroundandcolors.md)
-#### [DeveloperSetup](wcd/wcd-developersetup.md)
-#### [DeviceFormFactor](wcd/wcd-deviceformfactor.md)
-#### [DeviceInfo](wcd/wcd-deviceinfo.md)
-#### [DeviceManagement](wcd/wcd-devicemanagement.md)
-#### [DeviceUpdateCenter](wcd/wcd-deviceupdatecenter.md)
-#### [DMClient](wcd/wcd-dmclient.md)
-#### [EditionUpgrade](wcd/wcd-editionupgrade.md)
-#### [EmbeddedLockdownProfiles](wcd/wcd-embeddedlockdownprofiles.md)
-#### [FirewallConfiguration](wcd/wcd-firewallconfiguration.md)
-#### [FirstExperience](wcd/wcd-firstexperience.md)
-#### [Folders](wcd/wcd-folders.md)
-#### [HotSpot](wcd/wcd-hotspot.md)
-#### [InitialSetup](wcd/wcd-initialsetup.md)
-#### [InternetExplorer](wcd/wcd-internetexplorer.md)
-#### [KioskBrowser](wcd/wcd-kioskbrowser.md)
-#### [Licensing](wcd/wcd-licensing.md)
-#### [Location](wcd/wcd-location.md)
-#### [Maps](wcd/wcd-maps.md)
-#### [Messaging](wcd/wcd-messaging.md)
-#### [ModemConfigurations](wcd/wcd-modemconfigurations.md)
-#### [Multivariant](wcd/wcd-multivariant.md)
-#### [NetworkProxy](wcd/wcd-networkproxy.md)
-#### [NetworkQOSPolicy](wcd/wcd-networkqospolicy.md)
-#### [NFC](wcd/wcd-nfc.md)
-#### [OOBE](wcd/wcd-oobe.md)
-#### [OtherAssets](wcd/wcd-otherassets.md)
-#### [Personalization](wcd/wcd-personalization.md)
-#### [Policies](wcd/wcd-policies.md)
-#### [Privacy](wcd/wcd-privacy.md)
-#### [ProvisioningCommands](wcd/wcd-provisioningcommands.md)
-#### [RcsPresence](wcd/wcd-rcspresence.md)
-#### [SharedPC](wcd/wcd-sharedpc.md)
-#### [Shell](wcd/wcd-shell.md)
-#### [SMISettings](wcd/wcd-smisettings.md)
-#### [Start](wcd/wcd-start.md)
-#### [StartupApp](wcd/wcd-startupapp.md)
-#### [StartupBackgroundTasks](wcd/wcd-startupbackgroundtasks.md)
-#### [StorageD3InModernStandby](wcd/wcd-storaged3inmodernstandby.md)
-#### [SurfaceHubManagement](wcd/wcd-surfacehubmanagement.md)
-#### [TabletMode](wcd/wcd-tabletmode.md)
-#### [TakeATest](wcd/wcd-takeatest.md)
-#### [TextInput](wcd/wcd-textinput.md)
-#### [Theme](wcd/wcd-theme.md)
-#### [Time](wcd/wcd-time.md)
-#### [UnifiedWriteFilter](wcd/wcd-unifiedwritefilter.md)
-#### [UniversalAppInstall](wcd/wcd-universalappinstall.md)
-#### [UniversalAppUninstall](wcd/wcd-universalappuninstall.md)
-#### [UsbErrorsOEMOverride](wcd/wcd-usberrorsoemoverride.md)
-#### [WeakCharger](wcd/wcd-weakcharger.md)
-#### [WindowsHelloForBusiness](wcd/wcd-windowshelloforbusiness.md)
-#### [WindowsTeamSettings](wcd/wcd-windowsteamsettings.md)
-#### [WLAN](wcd/wcd-wlan.md)
-#### [Workplace](wcd/wcd-workplace.md)
-## [Configure cellular settings for tablets and PCs](provisioning-apn.md)
-## [Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-windows-10.md)
-## [User Experience Virtualization (UE-V) for Windows](ue-v/uev-for-windows.md)
-### [Get Started with UE-V](ue-v/uev-getting-started.md)
-#### [What's New in UE-V for Windows 10, version 1607](ue-v/uev-whats-new-in-uev-for-windows.md)
-#### [User Experience Virtualization Release Notes](ue-v/uev-release-notes-1607.md)
-#### [Upgrade to UE-V for Windows 10](ue-v/uev-upgrade-uev-from-previous-releases.md)
-### [Prepare a UE-V Deployment](ue-v/uev-prepare-for-deployment.md)
-#### [Deploy Required UE-V Features](ue-v/uev-deploy-required-features.md)
-#### [Deploy UE-V for use with Custom Applications](ue-v/uev-deploy-uev-for-custom-applications.md)
-### [Administering UE-V](ue-v/uev-administering-uev.md)
-#### [Manage Configurations for UE-V](ue-v/uev-manage-configurations.md)
-##### [Configuring UE-V with Group Policy Objects](ue-v/uev-configuring-uev-with-group-policy-objects.md)
-##### [Configuring UE-V with Microsoft Endpoint Configuration Manager](ue-v/uev-configuring-uev-with-system-center-configuration-manager.md)
-##### [Administering UE-V with Windows PowerShell and WMI](ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md)
-###### [Managing the UE-V Service and Packages with Windows PowerShell and WMI](ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md)
-###### [Managing UE-V Settings Location Templates Using Windows PowerShell and WMI](ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md)
-#### [Working with Custom UE-V Templates and the UE-V Template Generator](ue-v/uev-working-with-custom-templates-and-the-uev-generator.md)
-#### [Manage Administrative Backup and Restore in UE-V](ue-v/uev-manage-administrative-backup-and-restore.md)
-#### [Changing the Frequency of UE-V Scheduled Tasks](ue-v/uev-changing-the-frequency-of-scheduled-tasks.md)
-#### [Migrating UE-V Settings Packages](ue-v/uev-migrating-settings-packages.md)
-#### [Using UE-V with Application Virtualization Applications](ue-v/uev-using-uev-with-application-virtualization-applications.md)
-### [Troubleshooting UE-V](ue-v/uev-troubleshooting.md)
-### [Technical Reference for UE-V](ue-v/uev-technical-reference.md)
-#### [Sync Methods for UE-V](ue-v/uev-sync-methods.md)
-#### [Sync Trigger Events for UE-V](ue-v/uev-sync-trigger-events.md)
-#### [Synchronizing Microsoft Office with UE-V](ue-v/uev-synchronizing-microsoft-office-with-uev.md)
-#### [Application Template Schema Reference for UE-V](ue-v/uev-application-template-schema-reference.md)
-#### [Security Considerations for UE-V](ue-v/uev-security-considerations.md)
-## [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md)
-## [Configure Windows 10 Mobile devices](mobile-devices/configure-mobile.md)
-### [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md)
-### [Use Windows Configuration Designer to configure Windows 10 Mobile devices](mobile-devices/provisioning-configure-mobile.md)
-#### [NFC-based device provisioning](mobile-devices/provisioning-nfc.md)
-#### [Barcode provisioning and the package splitter tool](mobile-devices/provisioning-package-splitter.md)
-### [Use the Lockdown Designer app to create a Lockdown XML file](mobile-devices/mobile-lockdown-designer.md)
-### [Configure Windows 10 Mobile using Lockdown XML](mobile-devices/lockdown-xml.md)
-### [Settings and quick actions that can be locked down in Windows 10 Mobile](mobile-devices/settings-that-can-be-locked-down.md)
-### [Product IDs in Windows 10 Mobile](mobile-devices/product-ids-in-windows-10-mobile.md)
-### [Start layout XML for mobile editions of Windows 10 (reference)](mobile-devices/start-layout-xml-mobile.md)
-## [Change history for Configure Windows 10](change-history-for-configure-windows-10.md)
diff --git a/windows/configuration/TOC.yml b/windows/configuration/TOC.yml
new file mode 100644
index 0000000000..a5a0bbbb07
--- /dev/null
+++ b/windows/configuration/TOC.yml
@@ -0,0 +1,397 @@
+- name: Configure Windows 10
+ href: index.yml
+- name: Configure appearance settings
+ items:
+ - name: Windows 10 Start and taskbar
+ items:
+ - name: Manage Windows 10 Start and taskbar layout
+ href: windows-10-start-layout-options-and-policies.md
+ - name: Configure Windows 10 taskbar
+ href: configure-windows-10-taskbar.md
+ - name: Customize and export Start layout
+ href: customize-and-export-start-layout.md
+ - name: Add image for secondary tiles
+ href: start-secondary-tiles.md
+ - name: Start layout XML for desktop editions of Windows 10 (reference)
+ href: start-layout-xml-desktop.md
+ - name: Customize Windows 10 Start and taskbar with Group Policy
+ href: customize-windows-10-start-screens-by-using-group-policy.md
+ - name: Customize Windows 10 Start and taskbar with provisioning packages
+ href: customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
+ - name: Customize Windows 10 Start and taskbar with mobile device management (MDM)
+ href: customize-windows-10-start-screens-by-using-mobile-device-management.md
+ - name: Troubleshoot Start menu errors
+ href: start-layout-troubleshoot.md
+ - name: Changes to Start policies in Windows 10
+ href: changes-to-start-policies-in-windows-10.md
+ - name: Accessibility settings
+ items:
+ - name: Accessibility information for IT Pros
+ href: windows-10-accessibility-for-ITPros.md
+ - name: Configure access to Microsoft Store
+ href: stop-employees-from-using-microsoft-store.md
+ - name: Configure Windows Spotlight on the lock screen
+ href: windows-spotlight.md
+ - name: Manage Windows 10 and Microsoft Store tips, "fun facts", and suggestions
+ href: manage-tips-and-suggestions.md
+ - name: Configure cellular settings for tablets and PCs
+ href: provisioning-apn.md
+ - name: Lockdown features from Windows Embedded 8.1 Industry
+ href: lockdown-features-windows-10.md
+
+
+- name: Configure kiosks and digital signs
+ items:
+ - name: Configure kiosks and digital signs on Windows desktop editions
+ href: kiosk-methods.md
+ - name: Prepare a device for kiosk configuration
+ href: kiosk-prepare.md
+ - name: Set up digital signs on Windows 10
+ href: setup-digital-signage.md
+ - name: Set up a single-app kiosk
+ href: kiosk-single-app.md
+ - name: Set up a multi-app kiosk
+ href: lock-down-windows-10-to-specific-apps.md
+ - name: Set up a shared or guest PC with Windows 10
+ href: set-up-shared-or-guest-pc.md
+ - name: Set up a kiosk on Windows 10 Mobile
+ href: mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md
+ - name: Additional kiosk reference information
+ items:
+ - name: More kiosk methods and reference information
+ href: kiosk-additional-reference.md
+ - name: Find the Application User Model ID of an installed app
+ href: find-the-application-user-model-id-of-an-installed-app.md
+ - name: Validate your kiosk configuration
+ href: kiosk-validate.md
+ - name: Guidelines for choosing an app for assigned access (kiosk mode)
+ href: guidelines-for-assigned-access-app.md
+ - name: Policies enforced on kiosk devices
+ href: kiosk-policies.md
+ - name: Assigned access XML reference
+ href: kiosk-xml.md
+ - name: Use AppLocker to create a Windows 10 kiosk
+ href: lock-down-windows-10-applocker.md
+ - name: Use Shell Launcher to create a Windows 10 kiosk
+ href: kiosk-shelllauncher.md
+ - name: Use MDM Bridge WMI Provider to create a Windows 10 kiosk
+ href: kiosk-mdm-bridge.md
+ - name: Troubleshoot kiosk mode issues
+ href: kiosk-troubleshoot.md
+
+
+- name: Use provisioning packages
+ items:
+ - name: Provisioning packages for Windows 10
+ href: provisioning-packages/provisioning-packages.md
+ - name: How provisioning works in Windows 10
+ href: provisioning-packages/provisioning-how-it-works.md
+ - name: Introduction to configuration service providers (CSPs)
+ href: provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
+ - name: Install Windows Configuration Designer
+ href: provisioning-packages/provisioning-install-icd.md
+ - name: Create a provisioning package
+ href: provisioning-packages/provisioning-create-package.md
+ - name: Apply a provisioning package
+ href: provisioning-packages/provisioning-apply-package.md
+ - name: Settings changed when you uninstall a provisioning package
+ href: provisioning-packages/provisioning-uninstall-package.md
+ - name: Provision PCs with common settings for initial deployment (desktop wizard)
+ href: provisioning-packages/provision-pcs-for-initial-deployment.md
+ - name: Provision PCs with apps
+ href: provisioning-packages/provision-pcs-with-apps.md
+ - name: Use a script to install a desktop app in provisioning packages
+ href: provisioning-packages/provisioning-script-to-install-app.md
+ - name: Create a provisioning package with multivariant settings
+ href: provisioning-packages/provisioning-multivariant.md
+ - name: PowerShell cmdlets for provisioning Windows 10 (reference)
+ href: provisioning-packages/provisioning-powershell.md
+ - name: Windows Configuration Designer command-line interface (reference)
+ href: provisioning-packages/provisioning-command-line.md
+
+- name: Configure Cortana
+ items:
+ - name: Configure Cortana in Windows 10
+ href: cortana-at-work/cortana-at-work-overview.md
+ - name: Testing scenarios using Cortana n Windows 10, version 2004 and later
+ items:
+ - name: Set up and test Cortana in Windows 10, version 2004 and later
+ href: cortana-at-work/set-up-and-test-cortana-in-windows-10.md
+ - name: Testing scenarios using Cortana in your business or organization
+ href: cortana-at-work/cortana-at-work-testing-scenarios.md
+ - name: Test scenario 1 - Sign into Azure AD, enable the wake word, and try a voice query
+ href: cortana-at-work/cortana-at-work-scenario-1.md
+ - name: Test scenario 2 - Perform a Bing search with Cortana
+ href: cortana-at-work/cortana-at-work-scenario-2.md
+ - name: Test scenario 3 - Set a reminder
+ href: cortana-at-work/cortana-at-work-scenario-3.md
+ - name: Test scenario 4 - Use Cortana to find free time on your calendar
+ href: cortana-at-work/cortana-at-work-scenario-4.md
+ - name: Test scenario 5 - Find out about a person
+ href: cortana-at-work/cortana-at-work-scenario-5.md
+ - name: Test scenario 6 - Change your language and perform a quick search with Cortana
+ href: cortana-at-work/cortana-at-work-scenario-6.md
+ - name: Send feedback about Cortana back to Microsoftr
+ href: cortana-at-work/cortana-at-work-feedback.md
+ - name: Testing scenarios using Cortana in Windows 10, versions 1909 and earlier, with Microsoft 365 in your organization
+ items:
+ - name: Set up and test Cortana in Windows 10, versions 1909 and earlier, with Microsoft 365 in your organization
+ href: cortana-at-work/cortana-at-work-o365.md
+ - name: Testing scenarios using Cortana in your business or organization
+ href: cortana-at-work/cortana-at-work-testing-scenarios.md
+ - name: Test scenario 1 - Sign into Azure AD, enable the wake word, and try a voice query
+ href: cortana-at-work/test-scenario-1.md
+ - name: Test scenario 2 - Perform a quick search with Cortana at work
+ href: cortana-at-work/test-scenario-2.md
+ - name: Test scenario 3 - Set a reminder for a specific location using Cortana at work
+ href: cortana-at-work/test-scenario-3.md
+ - name: Test scenario 4 - Use Cortana at work to find your upcoming meetings
+ href: cortana-at-work/test-scenario-4.md
+ - name: Test scenario 5 - Use Cortana to send email to a co-worker
+ href: cortana-at-work/test-scenario-5.md
+ - name: Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email
+ href: cortana-at-work/test-scenario-6.md
+ - name: Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device
+ href: cortana-at-work/cortana-at-work-scenario-7.md
+
+ - name: Set up and test custom voice commands in Cortana for your organization
+ href: cortana-at-work/cortana-at-work-voice-commands.md
+ - name: Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization
+ href: cortana-at-work/cortana-at-work-policy-settings.md
+
+
+- name: Reference
+ items:
+ - name: Configure Windows 10 Mobile devices
+ href: mobile-devices/configure-mobile.md
+ - name: Windows Configuration Designer reference
+ items:
+ - name: Windows Configuration Designer provisioning settings (reference)
+ href: wcd/wcd.md
+ - name: Changes to settings in Windows Configuration Designer
+ href: wcd/wcd-changes.md
+ - name: AccountManagement
+ href: wcd/wcd-accountmanagement.md
+ - name: Accounts
+ href: wcd/wcd-accounts.md
+ - name: ADMXIngestion
+ href: wcd/wcd-admxingestion.md
+ - name: AssignedAccess
+ href: wcd/wcd-assignedaccess.md
+ - name: AutomaticTime
+ href: wcd/wcd-automatictime.md
+ - name: Browser
+ href: wcd/wcd-browser.md
+ - name: CallAndMessagingEnhancement
+ href: wcd/wcd-callandmessagingenhancement.md
+ - name: Calling
+ href: wcd/wcd-calling.md
+ - name: CellCore
+ href: wcd/wcd-cellcore.md
+ - name: Cellular
+ href: wcd/wcd-cellular.md
+ - name: Certificates
+ href: wcd/wcd-certificates.md
+ - name: CleanPC
+ href: wcd/wcd-cleanpc.md
+ - name: Connections
+ href: wcd/wcd-connections.md
+ - name: ConnectivityProfiles
+ href: wcd/wcd-connectivityprofiles.md
+ - name: CountryAndRegion
+ href: wcd/wcd-countryandregion.md
+ - name: DesktopBackgroundAndColors
+ href: wcd/wcd-desktopbackgroundandcolors.md
+ - name: DeveloperSetup
+ href: wcd/wcd-developersetup.md
+ - name: DeviceFormFactor
+ href: wcd/wcd-deviceformfactor.md
+ - name: DeviceInfo
+ href: wcd/wcd-deviceinfo.md
+ - name: DeviceManagement
+ href: wcd/wcd-devicemanagement.md
+ - name: DeviceUpdateCenter
+ href: wcd/wcd-deviceupdatecenter.md
+ - name: DMClient
+ href: wcd/wcd-dmclient.md
+ - name: EditionUpgrade
+ href: wcd/wcd-editionupgrade.md
+ - name: EmbeddedLockdownProfiles
+ href: wcd/wcd-embeddedlockdownprofiles.md
+ - name: FirewallConfiguration
+ href: wcd/wcd-firewallconfiguration.md
+ - name: FirstExperience
+ href: wcd/wcd-firstexperience.md
+ - name: Folders
+ href: wcd/wcd-folders.md
+ - name: HotSpot
+ href: wcd/wcd-hotspot.md
+ - name: InitialSetup
+ href: wcd/wcd-initialsetup.md
+ - name: InternetExplorer
+ href: wcd/wcd-internetexplorer.md
+ - name: KioskBrowser
+ href: wcd/wcd-kioskbrowser.md
+ - name: Licensing
+ href: wcd/wcd-licensing.md
+ - name: Location
+ href: wcd/wcd-location.md
+ - name: Maps
+ href: wcd/wcd-maps.md
+ - name: Messaging
+ href: wcd/wcd-messaging.md
+ - name: ModemConfigurations
+ href: wcd/wcd-modemconfigurations.md
+ - name: Multivariant
+ href: wcd/wcd-multivariant.md
+ - name: NetworkProxy
+ href: wcd/wcd-networkproxy.md
+ - name: NetworkQOSPolicy
+ href: wcd/wcd-networkqospolicy.md
+ - name: NFC
+ href: wcd/wcd-nfc.md
+ - name: OOBE
+ href: wcd/wcd-oobe.md
+ - name: OtherAssets
+ href: wcd/wcd-otherassets.md
+ - name: Personalization
+ href: wcd/wcd-personalization.md
+ - name: Policies
+ href: wcd/wcd-policies.md
+ - name: Privacy
+ href: wcd/wcd-privacy.md
+ - name: ProvisioningCommands
+ href: wcd/wcd-provisioningcommands.md
+ - name: RcsPresence
+ href: wcd/wcd-rcspresence.md
+ - name: SharedPC
+ href: wcd/wcd-sharedpc.md
+ - name: Shell
+ href: wcd/wcd-shell.md
+ - name: SMISettings
+ href: wcd/wcd-smisettings.md
+ - name: Start
+ href: wcd/wcd-start.md
+ - name: StartupApp
+ href: wcd/wcd-startupapp.md
+ - name: StartupBackgroundTasks
+ href: wcd/wcd-startupbackgroundtasks.md
+ - name: StorageD3InModernStandby
+ href: wcd/wcd-storaged3inmodernstandby.md
+ - name: SurfaceHubManagement
+ href: wcd/wcd-surfacehubmanagement.md
+ - name: TabletMode
+ href: wcd/wcd-tabletmode.md
+ - name: TakeATest
+ href: wcd/wcd-takeatest.md
+ - name: TextInput
+ href: wcd/wcd-textinput.md
+ - name: Theme
+ href: wcd/wcd-theme.md
+ - name: Time
+ href: wcd/wcd-time.md
+ - name: UnifiedWriteFilter
+ href: wcd/wcd-unifiedwritefilter.md
+ - name: UniversalAppInstall
+ href: wcd/wcd-universalappinstall.md
+ - name: UniversalAppUninstall
+ href: wcd/wcd-universalappuninstall.md
+ - name: UsbErrorsOEMOverride
+ href: wcd/wcd-usberrorsoemoverride.md
+ - name: WeakCharger
+ href: wcd/wcd-weakcharger.md
+ - name: WindowsHelloForBusiness
+ href: wcd/wcd-windowshelloforbusiness.md
+ - name: WindowsTeamSettings
+ href: wcd/wcd-windowsteamsettings.md
+ - name: WLAN
+ href: wcd/wcd-wlan.md
+ - name: Workplace
+ href: wcd/wcd-workplace.md
+
+ - name: User Experience Virtualization (UE-V)
+ items:
+ - name: User Experience Virtualization (UE-V) for Windows 10
+ href: ue-v/uev-for-windows.md
+ - name: Get started with UE-V
+ items:
+ - name: Get started with UE-V
+ href: ue-v/uev-getting-started.md
+ - name: What's New in UE-V for Windows 10, version 1607
+ href: ue-v/uev-whats-new-in-uev-for-windows.md
+ - name: User Experience Virtualization Release Notes
+ href: ue-v/uev-release-notes-1607.md
+ - name: Upgrade to UE-V for Windows 10
+ href: ue-v/uev-upgrade-uev-from-previous-releases.md
+ - name: Prepare a UE-V Deployment
+ items:
+ - name: Prepare a UE-V Deployment
+ href: ue-v/uev-prepare-for-deployment.md
+ - name: Deploy Required UE-V Features
+ href: ue-v/uev-deploy-required-features.md
+ - name: Deploy UE-V for use with Custom Applications
+ href: ue-v/uev-deploy-uev-for-custom-applications.md
+ - name: Administer UE-V
+ items:
+ - name: UE-V administion guide
+ href: ue-v/uev-administering-uev.md
+ - name: Manage Configurations for UE-V
+ items:
+ - name: Manage Configurations for UE-V
+ href: ue-v/uev-manage-configurations.md
+ - name: Configuring UE-V with Group Policy Objects
+ href: ue-v/uev-configuring-uev-with-group-policy-objects.md
+ - name: Configuring UE-V with Microsoft Endpoint Configuration Manager
+ href: ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
+ - name: Administering UE-V with Windows PowerShell and WMI
+ href: ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md
+ - name: Managing the UE-V Service and Packages with Windows PowerShell and WMI
+ href: ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md
+ - name: Managing UE-V Settings Location Templates Using Windows PowerShell and WMI
+ href: ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md
+ - name: Working with Custom UE-V Templates and the UE-V Template Generator
+ href: ue-v/uev-working-with-custom-templates-and-the-uev-generator.md
+ - name: Manage Administrative Backup and Restore in UE-V
+ href: ue-v/uev-manage-administrative-backup-and-restore.md
+ - name: Changing the Frequency of UE-V Scheduled Tasks
+ href: ue-v/uev-changing-the-frequency-of-scheduled-tasks.md
+ - name: Migrating UE-V Settings Packages
+ href: ue-v/uev-migrating-settings-packages.md
+ - name: Using UE-V with Application Virtualization Applications
+ href: ue-v/uev-using-uev-with-application-virtualization-applications.md
+ - name: Troubleshooting UE-V
+ href: ue-v/uev-troubleshooting.md
+ - name: Technical Reference for UE-V
+ items:
+ - name: Technical Reference for UE-V
+ href: ue-v/uev-technical-reference.md
+ - name: Sync Methods for UE-V
+ href: ue-v/uev-sync-methods.md
+ - name: Sync Trigger Events for UE-V
+ href: ue-v/uev-sync-trigger-events.md
+ - name: Synchronizing Microsoft Office with UE-V
+ href: ue-v/uev-synchronizing-microsoft-office-with-uev.md
+ - name: Application Template Schema Reference for UE-V
+ href: ue-v/uev-application-template-schema-reference.md
+ - name: Security Considerations for UE-V
+ href: ue-v/uev-security-considerations.md
+
+
+ - name: Use Windows Configuration Designer for Windows 10 Mobile devices
+ items:
+ - name: Use Windows Configuration Designer to configure Windows 10 Mobile devices
+ href: mobile-devices/provisioning-configure-mobile.md
+ - name: NFC-based device provisioning
+ href: mobile-devices/provisioning-nfc.md
+ - name: Barcode provisioning and the package splitter tool
+ href: mobile-devices/provisioning-package-splitter.md
+ - name: Use the Lockdown Designer app to create a Lockdown XML file
+ href: mobile-devices/mobile-lockdown-designer.md
+ - name: Configure Windows 10 Mobile using Lockdown XML
+ href: mobile-devices/lockdown-xml.md
+ - name: Settings and quick actions that can be locked down in Windows 10 Mobile
+ href: mobile-devices/settings-that-can-be-locked-down.md
+ - name: Product IDs in Windows 10 Mobile
+ href: mobile-devices/product-ids-in-windows-10-mobile.md
+ - name: Start layout XML for mobile editions of Windows 10 (reference)
+ href: mobile-devices/start-layout-xml-mobile.md
\ No newline at end of file
diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md
deleted file mode 100644
index 875beb0290..0000000000
--- a/windows/configuration/change-history-for-configure-windows-10.md
+++ /dev/null
@@ -1,236 +0,0 @@
----
-title: Change history for Configure Windows 10 (Windows 10)
-ms.reviewer:
-manager: dansimp
-description: Learn about new and updated topics in the Configure Windows 10 documentation for Windows 10 and Windows 10 Mobile.
-keywords:
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
-ms.topic: article
-ms.date: 10/03/2019
----
-
-# Change history for Configure Windows 10
-
-This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile.
-
-## April 2019
-
-New or changed topic | Description
---- | ---
-[Use Shell Launcher to create a Windows 10 kiosk](kiosk-shelllauncher.md) | Added information for Shell Launcher v2, coming in the next feature update to Windows 10.
-[Prepare a device for kiosk configuration](kiosk-prepare.md) | Added new recommendations for policies to manage updates.
-
-## February 2019
-
-New or changed topic | Description
---- | ---
-[Set up a single-app kiosk](kiosk-single-app.md) | Replaced instructions for Microsoft Intune with a link to the Intune documentation.
-[Set up a multi-app kiosk](lock-down-windows-10-to-specific-apps.md) | Replaced instructions for Intune with a link to the Intune documentation.
-
-## January 2019
-
-New or changed topic | Description
---- | ---
-[Prepare a device for kiosk configuration](kiosk-prepare.md) | Added how to connect to a single-app kiosk in a virtual machine (VM) for testing.
-
-## November 2018
-
-New or changed topic | Description
---- | ---
-[Use MDM Bridge WMI Provider to create a Windows 10 kiosk](kiosk-mdm-bridge.md) | Updated script.
-
-## October 2018
-
-New or changed topic | Description
---- | ---
-[Troubleshoot multi-app kiosk](multi-app-kiosk-troubleshoot.md) and [Set up a single-app kiosk](kiosk-single-app.md) | Added event log path for auto-logon issues.
-
-## RELEASE: Windows 10, version 1809
-
-The topics in this library have been updated for Windows 10, version 1809. The following new topic has been added:
-
-- [Changes to settings in Windows Configuration Designer](wcd/wcd-changes.md)
-
-## September 2018
-
-New or changed topic | Description
---- | ---
-[Find the Application User Model ID of an installed app](find-the-application-user-model-id-of-an-installed-app.md) | New
-[Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md) | Add required order of elements in XML.
-
-## August 2018
-
-New or changed topic | Description
---- | ---
-[Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | Added instructions for specifying multiple URLs in configuration settings for Kiosk Browser.
-
-## July 2018
-
-New or changed topic | Description
---- | ---
-[Configure kiosks and child topics](kiosk-methods.md) | Reorganized the information for configuring kiosks into new topics, and moved [Set up shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md).
-
-## June 2018
-
-New or changed topic | Description
---- | ---
-[Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](setup-kiosk-digital-signage.md) and [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md) | Updated instructions for using Microsoft Intune to configure a kiosk. Added instructions for showing local accounts on the sign-in screen for domain-joined devices.
-[Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) | Added new Group Policy to remove "Recently added" list from Start menu.
-|[Add image for secondary tiles](start-secondary-tiles.md#using-mdm) | Updated mobile device management (MDM) instructions. |
-
-## May 2018
-
-New or changed topic | Description
---- | ---
-[Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | Added note that Wi-Fi Sense is no longer available.
-Topics about Windows 10 diagnostic data | Moved to [Windows Privacy](https://docs.microsoft.com/windows/privacy/).
-[Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | Added information on Kiosk Browser settings and URL filtering.
-[Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) | Added details of event log entries to check for when customization is not applied as expected.
-[Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](setup-kiosk-digital-signage.md) | Added Active Directory domain account to provisioning method.
-
-## RELEASE: Windows 10, version 1803
-
-The topics in this library have been updated for Windows 10, version 1803. The following new topics have been added:
-
-- Windows Configuration Designer setting: [AccountManagement](wcd/wcd-accountmanagement.md)
-- Windows Configuration Designer setting: [RcsPresence](wcd/wcd-rcspresence.md)
-
-The following topics were moved into the [Privacy](/windows/privacy/index) library:
-
-- [Configure Windows diagnostic data in your organization](/windows/privacy/configure-windows-diagnostic-data-in-your-organization)
-- [Diagnostic Data Viewer Overview](/windows/privacy/diagnostic-data-viewer-overview)
-- [Windows 10, version 1803 basic level Windows diagnostic events and fields](/windows/privacy/basic-level-windows-diagnostic-events-and-fields)
-- [Windows 10, version 1709 basic level Windows diagnostic events and fields](/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709)
-- [Windows 10, version 1703 basic level Windows diagnostic events and fields](/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703)
-- [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields)
-- [Windows 10, version 1709 diagnostic data for the Full level](/windows/privacy/windows-diagnostic-data)
-- [Windows 10, version 1703 diagnostic data for the Full level](/windows/privacy/windows-diagnostic-data-1703)
-- [Beginning your General Data Protection Regulation (GDPR) journey for Windows 10](/windows/privacy/gdpr-win10-whitepaper)
-- [Manage connections from Windows operating system components to Microsoft services](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services)
-- [Manage Windows 10 connection endpoints](/windows/privacy/manage-windows-endpoints-version-1709)
-
-## April 2018
-
-New or changed topic | Description
---- | ---
-[Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization) | Updated endpoints.
-[Configure cellular settings for tablets and PCs](provisioning-apn.md) | Added instructions for confirming that the settings were applied.
-
-## March 2018
-
-New or changed topic | Description
---- | ---
-[Windows 10, version 1709 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709) and [Windows 10, version 1703 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703) | Added events and fields that were added in the March update.
-Set up a kiosk on Windows 10 Pro, Enterprise, or Education | Renamed it **Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education** and reorganized the information to make the choices clearer.
-
-
-## February 2018
-
-New or changed topic | Description
---- | ---
-[Windows 10, version 1709 basic diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709) and [Windows 10, version 1703 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703) | Added events and fields that were added in the February update.
-[Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md) | Added steps for configuring a kiosk in Microsoft Intune.
-[Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) | Updated the instructions for applying a customized Start layout using Microsoft Intune.
-
-## January 2018
-
-New or changed topic | Description
---- | ---
-[Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md) | Added videos demonstrating how to use Microsoft Intune and how to use provisioning packages to configure multi-app kiosks.
-[ConnectivityProfiles](wcd/wcd-connectivityprofiles.md) | Added settings for VPN **Native** and **Third Party** profile types.
-[Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md) | Clarified that the TopMFUApps elements in layoutmodification.xml are not supported in Windows 10, version 1709.
-| [Diagnostic Data Viewer Overview](https://docs.microsoft.com/windows/privacy/diagnostic-data-viewer-overviewd) | New topic |
-[Configure Windows 10 taskbar](configure-windows-10-taskbar.md) | Added section for removing default apps from the taskbar.
-[Manage Windows 10 connection endpoints](https://docs.microsoft.com/windows/privacy/manage-windows-1709-endpoints) | New topic for Windows 10, version 1709 that explains the purpose for connections to Microsoft services and how to manage them.
-[Configure Windows Spotlight on the lock screen](windows-spotlight.md) | Added section for resolution of custom lock screen images.
-[Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Added section for automatic sign-in after restart on unmanaged devices.
-
-
-## November 2017
-
-New or changed topic | Description
---- | ---
-|[Windows 10, version 1703 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703)| Added events that were added in November. |
-[Create a provisioning package with multivariant settings](provisioning-packages/provisioning-multivariant.md) | Add support for desktop to [Conditions](provisioning-packages/provisioning-multivariant.md#conditions) table.
-
-## October 2017
-
-| New or changed topic | Description |
-|---------------------------------------------------------------------------------------------|----------------------------------------------------------------|
-| [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md) | Added that Microsoft Edge is not supported for assigned access |
-
-## RELEASE: Windows 10, version 1709
-
-The topics in this library have been updated for Windows 10, version 1709 (also known as the Fall Creators Update). The following new topics have been added:
-
-- [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md)
-- [Multi-app kiosk XML reference](multi-app-kiosk-xml.md)
-- [Windows 10, version 1709 basic diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709)
-- [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](https://docs.microsoft.com/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields)
-
-
-## September 2017
-
-|New or changed topic | Description|
-|--- | ---|
-|[Beginning your General Data Protection Regulation (GDPR) journey for Windows 10](https://docs.microsoft.com/windows/privacy/gdpr-win10-whitepaper)|New conceptual info about Windows 10 and the upcoming GDPR-compliance requirements.|
-|[Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services) | Added that Windows Spotlight can be managed by the Experience/AllowWindowsSpotlight MDM policy. |
-
-
-
-## August 2017
-
-|New or changed topic | Description|
-|--- | ---|
-|[Windows Configuration Designer provisioning settings (reference)](wcd/wcd.md) | New section; reference content from [Windows Provisioning settings reference](https://msdn.microsoft.com/library/windows/hardware/dn965990.aspx) is being relocated here from MSDN. |
-
-
-## July 2017
-
-| New or changed topic | Description |
-| --- | --- |
-|[Windows 10, version 1703 Diagnostic Data](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703)|Updated categories and included diagnostic data.|
-|[Add image for secondary tiles](start-secondary-tiles.md) | Added XML example for Edge secondary tiles and **ImportEdgeAssets** |
-|[Customize and export Start layout](customize-and-export-start-layout.md) | Added explanation for tile behavior when the app is not installed |
-|[Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md) | Added that Microsoft Edge is not supported for assigned access |
-|[Windows 10, version 1703 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703)|Updated several Appraiser events and added Census.Speech. |
-|[Manage connections from Windows operating system components to Microsoft-services](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services) | Updated Date & Time and Windows spotlight sections. |
-
-## June 2017
-
-| New or changed topic | Description |
-| --- | --- |
-| [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md) | Added guidelines for using Remote Desktop app as the kiosk app and added a general guideline that apps generated using the Desktop App Converter cannot be used for kiosk apps |
-| [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Added warning about using Shell Launcher to set a custom shell with an application that launches a different process and then exits |
-| [Windows Configuration Designer command-line interface (reference)](provisioning-packages/provisioning-command-line.md) | Removed references to imaging |
-
-## May 2017
-
-| New or changed topic | Description |
-| --- | --- |
-| [Configure cellular settings for tablets and PCs](provisioning-apn.md) | New |
-| [Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services) | Added MDM policies for privacy settings |
-
-
-## April 2017
-
-| New or changed topic | Description |
-| --- | --- |
-| [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) | Added instructions for using WMI bridge to configure shared PC |
-
-
-
-## RELEASE: Windows 10, version 1703
-
-The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The following new topics have been added:
-
-- [Use the Lockdown Designer app to create a Lockdown XML file](mobile-devices/mobile-lockdown-designer.md)
-- [Add image for secondary tiles](start-secondary-tiles.md)
-- [Provision PCs with apps](provisioning-packages/provision-pcs-with-apps.md)
-- [Windows 10, version 1703 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703)
diff --git a/windows/configuration/configure-windows-10-taskbar.md b/windows/configuration/configure-windows-10-taskbar.md
index 1e6ec5db4b..53742aa809 100644
--- a/windows/configuration/configure-windows-10-taskbar.md
+++ b/windows/configuration/configure-windows-10-taskbar.md
@@ -20,7 +20,7 @@ Starting in Windows 10, version 1607, administrators can pin additional apps to
> [!NOTE]
> The only aspect of the taskbar that can currently be configured by the layout modification XML file is the layout.
-You can specify different taskbar configurations based on device locale and region. There is no limit on the number of apps that you can pin. You specify apps using the [Application User Model ID (AUMID)](https://go.microsoft.com/fwlink/p/?LinkId=614867) or Desktop Application Link Path (the local path to the application).
+You can specify different taskbar configurations based on device locale and region. There is no limit on the number of apps that you can pin. You specify apps using the [Application User Model ID (AUMID)](./find-the-application-user-model-id-of-an-installed-app.md) or Desktop Application Link Path (the local path to the application).
If you specify an app to be pinned that is not provisioned for the user on the computer, the pinned icon won't appear on the taskbar.
@@ -41,16 +41,16 @@ The following example shows how apps will be pinned: Windows default apps to the
1. Create the XML file.
* If you are also [customizing the Start layout](customize-and-export-start-layout.md), use `Export-StartLayout` to create the XML, and then add the `
- Windows 10, version 2004 (recommended)
- Windows 10, version 1703 (legacy version of Cortana)
Mobile: Windows 10 mobile, version 1703 (legacy version of Cortana)
For more information on the differences between Cortana in Windows 10, version 2004 and earlier versions, see [**How is my data processed by Cortana**](https://docs.microsoft.com/windows/configuration/cortana-at-work/cortana-at-work-overview#how-is-my-data-processed-by-cortana) below. |
+|Client operating system | Desktop:
- Windows 10, version 2004 (recommended)
- Windows 10, version 1703 (legacy version of Cortana)
Mobile: Windows 10 mobile, version 1703 (legacy version of Cortana)
For more information on the differences between Cortana in Windows 10, version 2004 and earlier versions, see [**How is my data processed by Cortana**](#how-is-my-data-processed-by-cortana) below. |
|Azure Active Directory (Azure AD) | While all employees signing into Cortana need an Azure AD account, an Azure AD premium tenant isn't required. |
|Additional policies (Group Policy and Mobile Device Management (MDM)) |There is a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana but won't turn Cortana off. For example, if you turn **Speech** off, your employees won't be able to use the wake word ("Cortana") for hands-free activation or voice commands to easily ask for help. |
## Signing in using Azure AD
-Your organization must have an Azure AD tenant and your employees' devices must all be Azure AD-joined for the best Cortana experience. (Users may also sign into Cortana with a Microsoft account, but will not be able to use their enterprise email or calendar.) For info about what an Azure AD tenant is, how to get your devices joined, and other Azure AD maintenance info, see [Azure Active Directory documentation.](https://docs.microsoft.com/azure/active-directory/)
+Your organization must have an Azure AD tenant and your employees' devices must all be Azure AD-joined for the best Cortana experience. (Users may also sign into Cortana with a Microsoft account, but will not be able to use their enterprise email or calendar.) For info about what an Azure AD tenant is, how to get your devices joined, and other Azure AD maintenance info, see [Azure Active Directory documentation.](/azure/active-directory/)
## How is my data processed by Cortana?
@@ -48,7 +48,7 @@ Cortana's approach to integration with Microsoft 365 has changed with Windows 10
### Cortana in Windows 10, version 2004 and later
-Cortana enterprise services that can be accessed using Azure AD through Cortana in Windows 10, version 2004 and later, meet the same enterprise-level privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products). To learn more, see [Cortana in Microsoft 365](https://docs.microsoft.com/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide#what-data-is-processed-by-cortana-in-office-365).
+Cortana enterprise services that can be accessed using Azure AD through Cortana in Windows 10, version 2004 and later, meet the same enterprise-level privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products). To learn more, see [Cortana in Microsoft 365](/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide#what-data-is-processed-by-cortana-in-office-365).
#### How does Microsoft store, retain, process, and use Customer Data in Cortana?
@@ -70,7 +70,7 @@ The table below describes the data handling for Cortana enterprise services.
Cortana only begins listening for commands or queries when the wake word is detected, or the microphone button has been selected.
-First, the user must enable the wake word from within Cortana settings. Once it has been enabled, a component of Windows called the [Windows Multiple Voice Assistant platform](https://docs.microsoft.com/windows-hardware/drivers/audio/voice-activation-mva#voice-activation) will start listening for the wake word. No audio is processed by speech recognition unless two local wake word detectors and a server-side one agree with high confidence that the wake word was heard.
+First, the user must enable the wake word from within Cortana settings. Once it has been enabled, a component of Windows called the [Windows Multiple Voice Assistant platform](/windows-hardware/drivers/audio/voice-activation-mva#voice-activation) will start listening for the wake word. No audio is processed by speech recognition unless two local wake word detectors and a server-side one agree with high confidence that the wake word was heard.
The first decision is made by the Windows Multiple Voice Assistant platform leveraging hardware optionally included in the user's PC for power savings. If the wake word is detected, Windows will show a microphone icon in the system tray indicating an assistant app is listening.
@@ -88,4 +88,4 @@ Cortana is covered under the [Microsoft Privacy Statement](https://privacy.micro
## See also
-- [What is Cortana?](https://go.microsoft.com/fwlink/p/?LinkId=746818)
+- [What is Cortana?](https://go.microsoft.com/fwlink/p/?LinkId=746818)
\ No newline at end of file
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
index 1729809a44..e01908c73b 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
@@ -15,7 +15,7 @@ manager: dansimp
# Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization
>[!NOTE]
->For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) topic, located in the configuration service provider reference topics.
+>For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) topic, located in the configuration service provider reference topics.
|**Group policy** |**MDM policy** |**Description** |
@@ -26,10 +26,10 @@ manager: dansimp
|Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock |AboveLock/AllowCortanaAboveLock |Specifies whether an employee can interact with Cortana using voice commands when the system is locked.
> [!NOTE]
> Cortana in Windows 10, versions 2004 and later do not currently support Above Lock. |
-|Computer Configuration\Administrative Templates\Windows Components\App Privacy\LetAppsActivateWithVoice |[Privacy/LetAppsActivateWithVoice](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsactivatewithvoice) |Specifies whether apps (such as Cortana or other voice assistants) can activate using a wake word (e.g. “Hey Cortana”).
+|Computer Configuration\Administrative Templates\Windows Components\App Privacy\LetAppsActivateWithVoice |[Privacy/LetAppsActivateWithVoice](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsactivatewithvoice) |Specifies whether apps (such as Cortana or other voice assistants) can activate using a wake word (e.g. “Hey Cortana”).
> [!NOTE]
> This setting only applies to Windows 10 versions 2004 and later. To disable wake word activation on Windows 10 versions 1909 and earlier, you will need to disable voice commands using Privacy/AllowInputPersonalization. |
-|Computer Configuration\Administrative Templates\Windows Components\App Privacy\LetAppsAccessMicrophone |[Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmicrophone-forcedenytheseapps) | Use this to disable Cortana’s access to the microphone. To do so, specify Cortana’s Package Family Name: Microsoft.549981C3F5F10_8wekyb3d8bbwe
+|Computer Configuration\Administrative Templates\Windows Components\App Privacy\LetAppsAccessMicrophone |[Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmicrophone-forcedenytheseapps) | Use this to disable Cortana’s access to the microphone. To do so, specify Cortana’s Package Family Name: Microsoft.549981C3F5F10_8wekyb3d8bbwe
Users will still be able to type queries to Cortana. |
|Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow users to enable online speech recognition services |Privacy/AllowInputPersonalization |Specifies whether an employee can use voice commands with Cortana in your organization.
**In Windows 10, version 1511**
Cortana won’t work if this setting is turned off (disabled).
**In Windows 10, version 1607 and later**
Non-speech aspects of Cortana will still work if this setting is turned off (disabled).
**In Windows 10, version 2004 and later**
Cortana will work, but voice input will be disabled. |
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
index d4e6253873..c33346c27f 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
@@ -23,4 +23,4 @@ Cortana will respond with the information from Bing.
:::image type="content" source="../screenshot5.png" alt-text="Screenshot: Cortana showing current time in Hyderabad":::
>[!NOTE]
->This scenario requires Bing Answers to be enabled. To learn more, see [Set up and configure the Bing Answers feature](https://docs.microsoft.com/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10#set-up-and-configure-the-bing-answers-feature).
\ No newline at end of file
+>This scenario requires Bing Answers to be enabled. To learn more, see [Set up and configure the Bing Answers feature](./set-up-and-test-cortana-in-windows-10.md#set-up-and-configure-the-bing-answers-feature).
\ No newline at end of file
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
index a0e470eed5..229a2be971 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
@@ -28,9 +28,9 @@ To enable voice commands in Cortana
Cortana can perform actions on apps in the foreground (taking focus from Cortana) or in the background (allowing Cortana to keep focus). We recommend that you decide where an action should happen, based on what your voice command is intended to do. For example, if your voice command requires employee input, it’s best for that to happen in the foreground. However, if the app only uses basic commands and doesn’t require interaction, it can happen in the background.
- - **Start Cortana with focus on your app, using specific voice-enabled statements.** [Activate a foreground app with voice commands through Cortana](https://docs.microsoft.com/cortana/voice-commands/launch-a-foreground-app-with-voice-commands-in-cortana).
+ - **Start Cortana with focus on your app, using specific voice-enabled statements.** [Activate a foreground app with voice commands through Cortana](/cortana/voice-commands/launch-a-foreground-app-with-voice-commands-in-cortana).
- - **Start Cortana removing focus from your app, using specific voice-enabled statements.** [Activate a background app in Cortana using voice commands](https://docs.microsoft.com/cortana/voice-commands/launch-a-background-app-with-voice-commands-in-cortana).
+ - **Start Cortana removing focus from your app, using specific voice-enabled statements.** [Activate a background app in Cortana using voice commands](/cortana/voice-commands/launch-a-background-app-with-voice-commands-in-cortana).
2. **Install the VCD file on employees' devices**. You can use Microsoft Endpoint Manager or Microsoft Intune to deploy and install the VCD file on your employees' devices, the same way you deploy and install any other package in your organization.
@@ -59,4 +59,4 @@ While these aren't line-of-business apps, we've worked to make sure to implement
Cortana changes, letting you provide your trip details for Uber.
## See also
-- [Cortana for developers](https://go.microsoft.com/fwlink/?LinkId=717385)
+- [Cortana for developers](/cortana/skills/)
\ No newline at end of file
diff --git a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md
index da23d57297..5f35fb8ca0 100644
--- a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md
+++ b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md
@@ -16,7 +16,7 @@ ms.author: dansimp
## Before you begin
- If your enterprise had previously disabled Cortana for your employees using the **Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana** Group Policy or the **Experience\AllowCortana** MDM setting but want to enable it now that Cortana is part of Microsoft 365, you will need to re-enable it at least for Windows 10, version 2004 and later.
-- **Cortana is regularly updated through the Microsoft Store.** Beginning with Windows 10, version 2004, Cortana is an appx preinstalled with Windows and is regularly updated through the Microsoft Store. To receive the latest updates to Cortana, you will need to [enable updates through the Microsoft Store](https://docs.microsoft.com/windows/configuration/stop-employees-from-using-microsoft-store).
+- **Cortana is regularly updated through the Microsoft Store.** Beginning with Windows 10, version 2004, Cortana is an appx preinstalled with Windows and is regularly updated through the Microsoft Store. To receive the latest updates to Cortana, you will need to [enable updates through the Microsoft Store](../stop-employees-from-using-microsoft-store.md).
## Set up and configure the Bing Answers feature
Bing Answers provides fast, authoritative results to search queries based on search terms. When the Bing Answers feature is enabled, users will be able to ask Cortana web-related questions in the Cortana in Windows app, such as "What's the current weather?" or "Who is the president of the U.S.?," and get a response, based on public results from Bing.com.
@@ -31,7 +31,7 @@ Users cannot enable or disable the Bing Answer feature individually. So, if you
Sign in to the [Office Configuration Admin tool](https://config.office.com/).
-Follow the steps [here](https://docs.microsoft.com/deployoffice/overview-office-cloud-policy-service#steps-for-creating-a-policy-configuration) to create this policy configuration. Once completed, the policy will look as shown below:
+Follow the steps [here](/deployoffice/overview-office-cloud-policy-service#steps-for-creating-a-policy-configuration) to create this policy configuration. Once completed, the policy will look as shown below:
:::image type="content" source="../screenshot3.png" alt-text="Screenshot: Bing policy example":::
@@ -41,7 +41,7 @@ When a user enters a search query (by speech or text), Cortana evaluates if the
1. If it is for any of the first-party compliant skills, the query is sent to that skill, and results/action are returned.
-2. If it is not for any of the first-party compliant skills, the query is sent to Bing for a search of public results from Bing.com. Because enterprise searches might be sensitive, similar to [Microsoft Search in Bing](https://docs.microsoft.com/MicrosoftSearch/security-for-search#microsoft-search-in-bing-protects-workplace-searches), Bing Answers in Cortana has implemented a set of trust measures, described below, that govern how the separate search of public results from Bing.com is handled. The Bing Answers in Cortana trust measures are consistent with the enhanced privacy and security measures described in [Microsoft Search in Bing](https://docs.microsoft.com/MicrosoftSearch/security-for-search). All Bing.com search logs that pertain to Cortana traffic are disassociated from users' workplace identity. All Cortana queries issued via a work or school account are stored separately from public, non-Cortana traffic.
+2. If it is not for any of the first-party compliant skills, the query is sent to Bing for a search of public results from Bing.com. Because enterprise searches might be sensitive, similar to [Microsoft Search in Bing](/MicrosoftSearch/security-for-search#microsoft-search-in-bing-protects-workplace-searches), Bing Answers in Cortana has implemented a set of trust measures, described below, that govern how the separate search of public results from Bing.com is handled. The Bing Answers in Cortana trust measures are consistent with the enhanced privacy and security measures described in [Microsoft Search in Bing](/MicrosoftSearch/security-for-search). All Bing.com search logs that pertain to Cortana traffic are disassociated from users' workplace identity. All Cortana queries issued via a work or school account are stored separately from public, non-Cortana traffic.
Bing Answers is enabled by default for all users. However, admins can configure and change this for specific users and user groups in their organization.
diff --git a/windows/configuration/cortana-at-work/test-scenario-6.md b/windows/configuration/cortana-at-work/test-scenario-6.md
index cd22204b99..6b23f0c1af 100644
--- a/windows/configuration/cortana-at-work/test-scenario-6.md
+++ b/windows/configuration/cortana-at-work/test-scenario-6.md
@@ -24,7 +24,7 @@ Cortana automatically finds patterns in your email, suggesting reminders based t
## Use Cortana to create suggested reminders for you
-1. Make sure that you've connected Cortana to Office 365. For the steps to connect, see [Set up and test Cortana with Office 365 in your organization](https://docs.microsoft.com/windows/configuration/cortana-at-work/cortana-at-work-o365).
+1. Make sure that you've connected Cortana to Office 365. For the steps to connect, see [Set up and test Cortana with Office 365 in your organization](./cortana-at-work-o365.md).
2. Click on the **Cortana** search box in the taskbar, click the **Notebook** icon, and then click **Permissions**.
diff --git a/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md b/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md
index 01bd26ace5..03d098501d 100644
--- a/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md
+++ b/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md
@@ -16,10 +16,10 @@ manager: dansimp
We've come up with a list of suggested testing scenarios that you can use to test Cortana in your organization. After you complete all the scenarios, you should be able to:
-- [Sign in with your work or school account and use Cortana to manage the notebook](https://docs.microsoft.com/windows/configuration/cortana-at-work/cortana-at-work-scenario-1)
-- [Perform a quick search with Cortana at work](https://docs.microsoft.com/windows/configuration/cortana-at-work/cortana-at-work-scenario-2)
-- [Set a reminder for a specific location using Cortana at work](https://docs.microsoft.com/windows/configuration/cortana-at-work/cortana-at-work-scenario-3)
-- [Use Cortana at work to find your upcoming meetings](https://docs.microsoft.com/windows/configuration/cortana-at-work/cortana-at-work-scenario-4)
-- [Use Cortana to send email to a co-worker](https://docs.microsoft.com/windows/configuration/cortana-at-work/cortana-at-work-scenario-5)
-- [Review a reminder suggested by Cortana based on what you've promised in email](https://docs.microsoft.com/windows/configuration/cortana-at-work/cortana-at-work-scenario-6)
-- [Use Cortana and Windows Information Protection (WIP) to help protect your organization's data on a device](https://docs.microsoft.com/windows/configuration/cortana-at-work/cortana-at-work-scenario-7)
\ No newline at end of file
+- [Sign in with your work or school account and use Cortana to manage the notebook](./cortana-at-work-scenario-1.md)
+- [Perform a quick search with Cortana at work](./cortana-at-work-scenario-2.md)
+- [Set a reminder for a specific location using Cortana at work](./cortana-at-work-scenario-3.md)
+- [Use Cortana at work to find your upcoming meetings](./cortana-at-work-scenario-4.md)
+- [Use Cortana to send email to a co-worker](./cortana-at-work-scenario-5.md)
+- [Review a reminder suggested by Cortana based on what you've promised in email](./cortana-at-work-scenario-6.md)
+- [Use Cortana and Windows Information Protection (WIP) to help protect your organization's data on a device](./cortana-at-work-scenario-7.md)
\ No newline at end of file
diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md
index 4eade94321..a2266f5239 100644
--- a/windows/configuration/customize-and-export-start-layout.md
+++ b/windows/configuration/customize-and-export-start-layout.md
@@ -80,7 +80,7 @@ To prepare a Start layout for export, you simply customize the Start layout on a
## Export the Start layout
-When you have the Start layout that you want your users to see, use the [Export-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/export-startlayout?view=win10-ps) cmdlet in Windows PowerShell to export the Start layout to an .xml file. Start layout is located by default at C:\Users\username\AppData\Local\Microsoft\Windows\Shell\
+When you have the Start layout that you want your users to see, use the [Export-StartLayout](/powershell/module/startlayout/export-startlayout?view=win10-ps) cmdlet in Windows PowerShell to export the Start layout to an .xml file. Start layout is located by default at C:\Users\username\AppData\Local\Microsoft\Windows\Shell\
>[!IMPORTANT]
>If you include secondary Microsoft Edge tiles (tiles that link to specific websites in Microsoft Edge), see [Add custom images to Microsoft Edge secondary tiles](start-secondary-tiles.md) for instructions.
@@ -101,7 +101,7 @@ When you have the Start layout that you want your users to see, use the [Export-
In the previous command, `-path` is a required parameter that specifies the path and file name for the export file. You can specify a local path or a UNC path (for example, \\\\FileServer01\\StartLayouts\\StartLayoutMarketing.xml).
- Use a file name of your choice—for example, StartLayoutMarketing.xml. Include the .xml file name extension. The [Export-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/export-startlayout?view=win10-ps) cmdlet does not append the file name extension, and the policy settings require the extension.
+ Use a file name of your choice—for example, StartLayoutMarketing.xml. Include the .xml file name extension. The [Export-StartLayout](/powershell/module/startlayout/export-startlayout?view=win10-ps) cmdlet does not append the file name extension, and the policy settings require the extension.
Example of a layout file produced by `Export-StartLayout`:
@@ -197,10 +197,4 @@ If the Start layout is applied by Group Policy or MDM, and the policy is removed
- [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
- [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
- [Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
-- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
-
-
-
-
-
-
+- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
\ No newline at end of file
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
index ebadfd9803..6f7c6e2b24 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
@@ -39,17 +39,17 @@ This topic describes how to update Group Policy settings to display a customized
In Windows 10, version 1607, Start and taskbar layout control using Group Policy is supported in Windows 10 Enterprise and Windows 10 Education. In Windows 10, version 1703, Start and taskbar layout control using Group Policy is also supported in Windows 10 Pro.
-The GPO can be configured from any computer on which the necessary ADMX and ADML files (StartMenu.admx and StartMenu.adml) for Windows 10 are installed. In Group Policy, ADMX files are used to define Registry-based policy settings in the Administrative Templates category. To find out how to create a central store for Administrative Templates files, see [article 929841, written for Windows Vista and still applicable](https://go.microsoft.com/fwlink/p/?LinkId=691687) in the Microsoft Knowledge Base.
+The GPO can be configured from any computer on which the necessary ADMX and ADML files (StartMenu.admx and StartMenu.adml) for Windows 10 are installed. In Group Policy, ADMX files are used to define Registry-based policy settings in the Administrative Templates category. To find out how to create a central store for Administrative Templates files, see [article 929841, written for Windows Vista and still applicable](/troubleshoot/windows-server/group-policy/create-central-store-domain-controller) in the Microsoft Knowledge Base.
## How Start layout control works
Three features enable Start and taskbar layout control:
-- The [Export-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/export-startlayout?view=win10-ps) cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format.
+- The [Export-StartLayout](/powershell/module/startlayout/export-startlayout?view=win10-ps) cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format.
>[!NOTE]
- >To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/import-startlayout) cmdlet.
+ >To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](/powershell/module/startlayout/import-startlayout) cmdlet.
- [You can modify the Start .xml file](configure-windows-10-taskbar.md) to include `
(New in Windows 10, version 1809) | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\Windows Components\\Windows Update\\Display options for update notifications**
-or-
Use the MDM setting **Update/UpdateNotificationLevel** from the [**Policy/Update** configuration service provider](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel)
-or-
Add the following registry keys as type DWORD (32-bit) in the path of **HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate**:
**\SetUpdateNotificationLevel** with a value of `1`, and **\UpdateNotificationLevel** with a value of `1` to hide all notifications except restart warnings, or value of `2` to hide all notifications, including restart warnings.
-Enable and schedule automatic updates | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates**, and select `option 4 (Auto download and schedule the install)`
-or-
Use the MDM setting **Update/AllowAutoUpdate** from the [**Policy/Update** configuration service provider](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate), and select `option 3 (Auto install and restart at a specified time)`
**Note:** Installations can take from between 30 minutes and 2 hours, depending on the device, so you should schedule updates to occur when a block of 3-4 hours is available.
To schedule the automatic update, configure **Schedule Install Day**, **Schedule Install Time**, and **Schedule Install Week**.
+Hide update notifications
(New in Windows 10, version 1809) | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\Windows Components\\Windows Update\\Display options for update notifications**
-or-
Use the MDM setting **Update/UpdateNotificationLevel** from the [**Policy/Update** configuration service provider](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel)
-or-
Add the following registry keys as type DWORD (32-bit) in the path of **HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate**:
**\SetUpdateNotificationLevel** with a value of `1`, and **\UpdateNotificationLevel** with a value of `1` to hide all notifications except restart warnings, or value of `2` to hide all notifications, including restart warnings.
+Enable and schedule automatic updates | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates**, and select `option 4 (Auto download and schedule the install)`
-or-
Use the MDM setting **Update/AllowAutoUpdate** from the [**Policy/Update** configuration service provider](/windows/client-management/mdm/policy-csp-update#update-allowautoupdate), and select `option 3 (Auto install and restart at a specified time)`
**Note:** Installations can take from between 30 minutes and 2 hours, depending on the device, so you should schedule updates to occur when a block of 3-4 hours is available.
To schedule the automatic update, configure **Schedule Install Day**, **Schedule Install Time**, and **Schedule Install Week**.
Enable automatic restart at the scheduled time | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\Windows Components\\Windows Update\\Always automatically restart at the scheduled time**
Replace "blue screen" with blank screen for OS errors | Add the following registry key as DWORD (32-bit) type with a value of `1`:**HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\DisplayDisabled**
Put device in **Tablet mode**. | If you want users to be able to use the touch (on screen) keyboard, go to **Settings** > **System** > **Tablet mode** and choose **On.** Do not turn on this setting if users will not interact with the kiosk, such as for a digital sign.
-Hide **Ease of access** feature on the sign-in screen. | See [how to disable the Ease of Access button in the registry.](https://docs.microsoft.com/windows-hardware/customize/enterprise/complementary-features-to-custom-logon#welcome-screen)
+Hide **Ease of access** feature on the sign-in screen. | See [how to disable the Ease of Access button in the registry.](/windows-hardware/customize/enterprise/complementary-features-to-custom-logon#welcome-screen)
Disable the hardware power button. | Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**.
Remove the power button from the sign-in screen. | Go to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** >**Security Options** > **Shutdown: Allow system to be shut down without having to log on** and select **Disabled.**
Disable the camera. | Go to **Settings** > **Privacy** > **Camera**, and turn off **Let apps use my camera**.
@@ -52,7 +52,7 @@ Disable removable media. | Go to **Group Policy Editor** > **Computer Con
## Enable logging
-Logs can help you [troubleshoot issues](multi-app-kiosk-troubleshoot.md) kiosk issues. Logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default.
+Logs can help you [troubleshoot issues](./kiosk-troubleshoot.md) kiosk issues. Logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default.
@@ -72,7 +72,7 @@ In addition to the settings in the table, you may want to set up **automatic log
1. Open Registry Editor (regedit.exe).
> [!NOTE]
- > If you are not familiar with Registry Editor, [learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002).
+ > If you are not familiar with Registry Editor, [learn how to modify the Windows registry](/troubleshoot/windows-server/performance/windows-registry-advanced-users).
2. Go to
@@ -95,10 +95,10 @@ In addition to the settings in the table, you may want to set up **automatic log
4. Close Registry Editor. The next time the computer restarts, the account will sign in automatically.
> [!TIP]
-> You can also configure automatic sign-in [using the Autologon tool from Sysinternals](https://docs.microsoft.com/sysinternals/downloads/autologon).
+> You can also configure automatic sign-in [using the Autologon tool from Sysinternals](/sysinternals/downloads/autologon).
> [!NOTE]
-> If you are also using [Custom Logon](https://docs.microsoft.com/windows-hardware/customize/enterprise/custom-logon) with **HideAutoLogonUI** enabled, you might experience a black screen after a password expires. We recommend that you consider [setting the password to never expire](https://docs.microsoft.com/windows-hardware/customize/enterprise/troubleshooting-custom-logon#the-device-displays-a-black-screen-when-a-password-expiration-screen-is-displayed).
+> If you are also using [Custom Logon](/windows-hardware/customize/enterprise/custom-logon) with **HideAutoLogonUI** enabled, you might experience a black screen after a password expires. We recommend that you consider [setting the password to never expire](/windows-hardware/customize/enterprise/troubleshooting-custom-logon#the-device-displays-a-black-screen-when-a-password-expiration-screen-is-displayed).
## Interactions and interoperability
@@ -122,7 +122,7 @@ The following table describes some features that have interoperability issues we
+
@@ -261,4 +261,4 @@ When you connect to a VM configured as a single-app kiosk, you need a *basic* se
To connect to a VM in a basic session, do not select **Connect** in the connection dialog, as shown in the following image, but instead, select the **X** button in the upper-right corner to cancel the dialog.
-
+
\ No newline at end of file
diff --git a/windows/configuration/kiosk-shelllauncher.md b/windows/configuration/kiosk-shelllauncher.md
index 43317581df..6bbcf680f1 100644
--- a/windows/configuration/kiosk-shelllauncher.md
+++ b/windows/configuration/kiosk-shelllauncher.md
@@ -27,8 +27,8 @@ Using Shell Launcher, you can configure a device that runs an application as the
>
>Methods of controlling access to other desktop applications and system components can be used in addition to using the Shell Launcher. These methods include, but are not limited to:
>- [Group Policy](https://www.microsoft.com/download/details.aspx?id=25250) - example: Prevent access to registry editing tools
->- [AppLocker](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview) - Application control policies
->- [Mobile Device Management](https://docs.microsoft.com/windows/client-management/mdm) - Enterprise management of device security policies
+>- [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview) - Application control policies
+>- [Mobile Device Management](/windows/client-management/mdm) - Enterprise management of device security policies
You can apply a custom shell through Shell Launcher [by using PowerShell](#configure-a-custom-shell-using-powershell). In Windows 10, version 1803 and later, you can also [use mobile device management (MDM)](#configure-a-custom-shell-in-mdm) to apply a custom shell through Shell Launcher.
@@ -57,7 +57,7 @@ For sample XML configurations for the different app combinations, see [Samples f
- A Windows application that is installed for that account. The app can be your own company application or a common app like Internet Explorer.
-[See the technical reference for the shell launcher component.](https://docs.microsoft.com/windows-hardware/customize/enterprise/shell-launcher)
+[See the technical reference for the shell launcher component.](/windows-hardware/customize/enterprise/shell-launcher)
## Enable Shell Launcher feature
@@ -131,7 +131,7 @@ xmlns:v2="http://schemas.microsoft.com/ShellLauncher/2019/Configuration">
### Custom OMA-URI setting
-In your MDM service, you can create a [custom OMA-URI setting](https://docs.microsoft.com/intune/custom-settings-windows-10) to configure Shell Launcher v1 or v2. (The [XML](#xml-for-shell-launcher-configuration) that you use for your setting will determine whether you apply Shell Launcher v1 or v2.)
+In your MDM service, you can create a [custom OMA-URI setting](/intune/custom-settings-windows-10) to configure Shell Launcher v1 or v2. (The [XML](#xml-for-shell-launcher-configuration) that you use for your setting will determine whether you apply Shell Launcher v1 or v2.)
The OMA-URI path is `./Device/Vendor/MSFT/AssignedAccess/ShellLauncher`.
@@ -290,7 +290,7 @@ Value|Description
2|Shut down the device
3|Do nothing
-These action can be used as default action, or can be mapped to a specific exit code. Refer to [Shell Launcher](https://docs.microsoft.com/windows-hardware/customize/enterprise/wesl-usersettingsetcustomshell) to see how these codes with Shell Launcher WMI.
+These action can be used as default action, or can be mapped to a specific exit code. Refer to [Shell Launcher](/windows-hardware/customize/enterprise/wesl-usersettingsetcustomshell) to see how these codes with Shell Launcher WMI.
To configure these action with Shell Launcher CSP, use below syntax in the shell launcher configuration xml. You can specify at most 4 custom actions mapping to 4 exit codes, and one default action for all other exit codes. When app exits and if the exit code is not found in the custom action mapping, or there is no default action defined, it will be no-op, i.e. nothing happens. So it's recommeded to at least define DefaultAction. [Get XML examples for different Shell Launcher v2 configurations.](https://github.com/Microsoft/Windows-iotcore-samples/tree/develop/Samples/ShellLauncherV2)
``` xml
@@ -302,4 +302,4 @@ To configure these action with Shell Launcher CSP, use below syntax in the shell
-
When the kiosk account signs in, the app is launched automatically. The person using the kiosk cannot do anything on the device outside of the kiosk app. | 
>[!IMPORTANT]
->[User account control (UAC)](https://docs.microsoft.com/windows/security/identity-protection/user-account-control/user-account-control-overview) must be turned on to enable kiosk mode.
+>[User account control (UAC)](/windows/security/identity-protection/user-account-control/user-account-control-overview) must be turned on to enable kiosk mode.
>
>Kiosk mode is not supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk. Apps that run in kiosk mode cannot use copy and paste.
@@ -172,9 +172,9 @@ Set-AssignedAccess -AppName
-
-
diff --git a/windows/configuration/manage-tips-and-suggestions.md b/windows/configuration/manage-tips-and-suggestions.md
index 911ad4decc..24cf0cf610 100644
--- a/windows/configuration/manage-tips-and-suggestions.md
+++ b/windows/configuration/manage-tips-and-suggestions.md
@@ -56,14 +56,9 @@ Windows 10 provides organizations the ability to centrally manage the type of co
- [Manage Windows 10 Start layout](windows-10-start-layout-options-and-policies.md)
- [Cortana integration in your business or enterprise](cortana-at-work/cortana-at-work-overview.md)
- [Windows spotlight on the lock screen](windows-spotlight.md)
-- [Windows 10 editions for education customers](https://technet.microsoft.com/edu/windows/windows-editions-for-education-customers)
+- [Windows 10 editions for education customers](/education/windows/windows-editions-for-education-customers)
-
-
-
-
-
-
+
\ No newline at end of file
diff --git a/windows/configuration/manage-wifi-sense-in-enterprise.md b/windows/configuration/manage-wifi-sense-in-enterprise.md
index a6c43780bc..37e5e45d89 100644
--- a/windows/configuration/manage-wifi-sense-in-enterprise.md
+++ b/windows/configuration/manage-wifi-sense-in-enterprise.md
@@ -58,7 +58,7 @@ You can manage your Wi-Fi Sense settings by using registry keys and the Registry
1. Open your Registry Editor and go to `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config\`
2. Create and set a new **DWORD (32-bit) Value** named, **AutoConnectAllowedOEM**, with a **Value data** of **0 (zero)**.
- 
Enable device setup if you want to configure settings on this page.If enabled:Enter a name for the device.(Optional) Select a license file to upgrade Windows 10 to a different edition. See the permitted upgrades.Toggle Configure devices for shared use off. This setting optimizes Windows 10 for shared use scenarios and isn't necessary for a kiosk scenario.You can also select to remove pre-installed software from the device. 
Enable device setup if you want to configure settings on this page.If enabled:Enter a name for the device.(Optional) Select a license file to upgrade Windows 10 to a different edition. See the permitted upgrades.Toggle Configure devices for shared use off. This setting optimizes Windows 10 for shared use scenarios and isn't necessary for a kiosk scenario.You can also select to remove pre-installed software from the device. 
Enable network setup if you want to configure settings on this page.If enabled:Toggle On or Off for wireless network connectivity. If you select On, enter the SSID, the network type (Open or WPA2-Personal), and (if WPA2-Personal) the password for the wireless network.
Enable account management if you want to configure settings on this page. If enabled:You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the deviceTo enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, set up Azure AD join in your organization. The maximum number of devices per user setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 180 days from the date you get the token). Click Get bulk token. In the Let's get you signed in window, enter an account that has permissions to join a device to Azure AD, and then the password. Click Accept to give Windows Configuration Designer the necessary permissions.Warning: You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.To create a local administrator account, select that option and enter a user name and password. Important: If you create a local account in the provisioning package, you must change the password using the Settings app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. 
Enable account management if you want to configure settings on this page. If enabled:You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the deviceTo enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, set up Azure AD join in your organization. The maximum number of devices per user setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 180 days from the date you get the token). Click Get bulk token. In the Let's get you signed in window, enter an account that has permissions to join a device to Azure AD, and then the password. Click Accept to give Windows Configuration Designer the necessary permissions.Warning: You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.To create a local administrator account, select that option and enter a user name and password. Important: If you create a local account in the provisioning package, you must change the password using the Settings app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. 
You can provision the kiosk app in the Add applications step. You can install multiple applications, both Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see Provision PCs with appsWarning: If you click the plus button to add an application, you must specify an application for the provisioning package to validate. If you click the plus button in error, select any executable file in Installer Path, and then a Cancel button becomes available, allowing you to complete the provisioning package without an application. 
To provision the device with a certificate for the kiosk app, click Add a certificate. Enter a name for the certificate, and then browse to and select the certificate to be used.
You can create a local standard user account that will be used to run the kiosk app. If you toggle No, make sure that you have an existing user account to run the kiosk app.If you want to create an account, enter the user name and password, and then toggle Yes or No to automatically sign in the account when the device starts. (If you encounter issues with auto sign-in after you apply the provisioning package, check the Event Viewer logs for auto logon issues under Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational.)In Configure the kiosk mode app, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or filename (for a Windows desktop application) or the AUMID (for a Universal Windows app). For a Windows desktop application, you can use the filename if the path to the file is in the PATH environment variable, otherwise the full path is required.
-
HORM
+HORM
-
Unified Write Filter
+Unified Write Filter
-
Keyboard Filter
+Keyboard Filter
-
Shell Launcher
+Shell Launcher
-
Assigned Access
+Assigned Access
-
AppLocker
@@ -74,48 +74,47 @@ Many of the lockdown features available in Windows Embedded 8.1 Industry have be
-
Mobile device management (MDM) and Group Policy
-
Windows Imaging and Configuration Designer (ICD)
+Windows Imaging and Configuration Designer (ICD)
-
MDM and Group Policy
-
Assigned Access
+Assigned Access
-
MDM and Group Policy
-
-
Embedded Logon
+Embedded Logon
-
Unbranded Boot
+Unbranded Boot
@@ -88,4 +88,4 @@ You can apply a provisioning package to a device running Windows 10 Mobile by us
## Related topics
- [NFC-based device provisioning](provisioning-nfc.md)
-- [Use the package splitter tool](provisioning-package-splitter.md)
+- [Use the package splitter tool](provisioning-package-splitter.md)
\ No newline at end of file
diff --git a/windows/configuration/mobile-devices/provisioning-nfc.md b/windows/configuration/mobile-devices/provisioning-nfc.md
index 68b962d26f..d2a9b9c494 100644
--- a/windows/configuration/mobile-devices/provisioning-nfc.md
+++ b/windows/configuration/mobile-devices/provisioning-nfc.md
@@ -57,7 +57,7 @@ The protocol used for NFC-based device provisioning is similar to the one used f
NFC tags are suitable for very light applications where minimal provisioning is required. The size of NFC tags that contain provisioning packages is typically 4 KB to 10 KB.
-To write to an NFC tag, you will need to use an NFC Writer tool, or you can use the [ProximityDevice class API](https://msdn.microsoft.com/library/windows/apps/windows.networking.proximity.proximitydevice.aspx) to write your own custom tool to transfer your provisioning package file to your NFC tag. The tool must publish a binary message (write) a Chunk data type to your NFC tag.
+To write to an NFC tag, you will need to use an NFC Writer tool, or you can use the [ProximityDevice class API](/uwp/api/Windows.Networking.Proximity.ProximityDevice) to write your own custom tool to transfer your provisioning package file to your NFC tag. The tool must publish a binary message (write) a Chunk data type to your NFC tag.
The following table describes the information that is required when writing to an NFC tag.
@@ -125,7 +125,7 @@ The following example shows how to write to an NFC tag. This example assumes tha
Provisioning from an NFC-enabled source device allows for larger provisioning packages than can be transferred using an NFC tag. When provisioning from an NFC-enabled device, we recommend that the total file size not exceed 120 KB. Be aware that the larger the NFC file is, the longer it will take to transfer the provisioning file. Depending on your NFC hardware, the transfer time for a 120 KB file will vary between 2.5 seconds and 10 seconds.
-To provision from an NFC-enabled source device, use [ProximityDevice class API](https://msdn.microsoft.com/library/windows/apps/windows.networking.proximity.proximitydevice.aspx) to write your own custom tool that transfers your provisioning package in chunks to your target mobile device. The tool must publish binary messages (transmit) a Header message, followed by one or more Chunk messages. The Header specifies the total amount of data that will be transferred to the target device; the Chunks must contain binary raw data formatted provisioning data, as shown in the NFC tag components section.
+To provision from an NFC-enabled source device, use [ProximityDevice class API](/uwp/api/Windows.Networking.Proximity.ProximityDevice) to write your own custom tool that transfers your provisioning package in chunks to your target mobile device. The tool must publish binary messages (transmit) a Header message, followed by one or more Chunk messages. The Header specifies the total amount of data that will be transferred to the target device; the Chunks must contain binary raw data formatted provisioning data, as shown in the NFC tag components section.
For detailed information and code samples on how to implement an NFC-enabled device tag, see **ConvertToNfcMessageAsync** in [this GitHub NfcProvisioner Universal Windows app example](https://github.com/Microsoft/Windows-universal-samples/blob/master/Samples/NfcProvisioner/cs/Scenario1.xaml.cs). The sample app shows you how to host the provisioning package on a master device so that you can transfer it to the receiving device.
@@ -142,9 +142,3 @@ For detailed information and code samples on how to implement an NFC-enabled dev
- [Barcode provisioning and the package splitter tool](provisioning-package-splitter.md)
-
-
-
-
-
-
diff --git a/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md b/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md
index 15522142ec..09d3921057 100644
--- a/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md
+++ b/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md
@@ -42,7 +42,7 @@ Enterprise Assigned Access allows you to put your Windows 10 Mobile or Windows
In AssignedAccessXml, for Application, you enter the product ID for the app to run in kiosk mode. Find product IDs at [Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md).
-[See the technical reference for the Enterprise Assigned Access configuration service provider (CSP).](https://go.microsoft.com/fwlink/p/?LinkID=618601)
+[See the technical reference for the Enterprise Assigned Access configuration service provider (CSP).](/windows/client-management/mdm/enterpriseassignedaccess-csp)
### Set up assigned access using Windows Configuration Designer
@@ -51,7 +51,7 @@ In AssignedAccessXml, for Application, you enter the product ID for the app to r
#### Create the *AssignedAccess*.xml file
-1. Create an *AssignedAccess*.xml file that specifies the app the device will run. (You can name use any file name.) For instructions on AssignedAccessXml, see [EnterpriseAssignedAccess CSP](https://go.microsoft.com/fwlink/p/?LinkID=618601).
+1. Create an *AssignedAccess*.xml file that specifies the app the device will run. (You can name use any file name.) For instructions on AssignedAccessXml, see [EnterpriseAssignedAccess CSP](/windows/client-management/mdm/enterpriseassignedaccess-csp).
>[!NOTE]
>Do not escape the xml in *AssignedAccess*.xml file as Windows Configuration Designer will do that when building the package. Providing escaped xml in Windows ICD will cause building the package fail.
@@ -194,13 +194,9 @@ Apps Corner lets you set up a custom Start screen on your Windows 10 Mobile or
## Related topics
-[Set up a kiosk on Windows 10 Pro, Enterprise, or Education](../set-up-a-kiosk-for-windows-10-for-desktop-editions.md)
+[Set up a kiosk on Windows 10 Pro, Enterprise, or Education](../kiosk-single-app.md)
[Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md)
[Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md)
-
-
-
-
diff --git a/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md b/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md
index f1d9a178fc..76ae609c66 100644
--- a/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md
+++ b/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md
@@ -31,7 +31,7 @@ In earlier versions of Windows 10, you used the page name to define allowed sett
For example, in place of **SettingsPageDisplay**, you would use **ms-settings:display**.
-See the [ms-settings: URI scheme reference](https://docs.microsoft.com/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference) to find the URI for each Settings page.
+See the [ms-settings: URI scheme reference](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference) to find the URI for each Settings page.
## Settings lockdown in Windows 10, version 1607 and earlier
@@ -496,9 +496,4 @@ You can specify the quick actions as follows:
-
-
-
-
-
-
+
\ No newline at end of file
diff --git a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
index 5fe68ff0bd..ba75a5631c 100644
--- a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
+++ b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
@@ -21,12 +21,12 @@ ms.date: 07/27/2017
- Windows 10
- Windows 10 Mobile
-This article explains how IT pros and system administrators can take advantage of many settings available through configuration service providers (CSPs) to configure devices running Windows 10 and Windows 10 Mobile in their organizations. CSPs expose device configuration settings in Windows 10. The CSPs are used by mobile device management (MDM) service providers and are documented in the [Hardware Dev Center](https://go.microsoft.com/fwlink/p/?LinkId=717390).
+This article explains how IT pros and system administrators can take advantage of many settings available through configuration service providers (CSPs) to configure devices running Windows 10 and Windows 10 Mobile in their organizations. CSPs expose device configuration settings in Windows 10. The CSPs are used by mobile device management (MDM) service providers and are documented in the [Hardware Dev Center](/windows/client-management/mdm/configuration-service-provider-reference).
> [!NOTE]
> The information provided here about CSPs and CSP documentation also applies to Windows Mobile 5, Windows Mobile 6, Windows Phone 7, and Windows Phone 8, but links to current CSPs are for Windows 10 and Windows 10 Mobile.
- [See what's new for CSPs in Windows 10, version 1809.](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1809)
+ [See what's new for CSPs in Windows 10, version 1809.](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1809)
## What is a CSP?
@@ -34,9 +34,9 @@ In the client operating system, a CSP is the interface between configuration set
Starting with Windows Mobile 5.0, CSPs were used to manage Windows mobile devices. On the Windows 10 platform, the management approach for both desktop and mobile devices converges, taking advantage of the same CSPs to configure and manage all devices running Windows 10.
-Each CSP provides access to specific settings. For example, the [Wi-Fi CSP](https://go.microsoft.com/fwlink/p/?LinkId=717438) contains the settings to create a Wi-Fi profile.
+Each CSP provides access to specific settings. For example, the [Wi-Fi CSP](/windows/client-management/mdm/wifi-csp) contains the settings to create a Wi-Fi profile.
-CSPs are behind many of the management tasks and policies for Windows 10, both in Microsoft Intune and in non-Microsoft MDM service providers. For example, in Intune, the policy to allow search suggestions in the Microsoft Edge address bar uses **Browser/AllowSearchSuggestionsinAddressBar** in the [Policy CSP](https://go.microsoft.com/fwlink/p/?LinkID=623244).
+CSPs are behind many of the management tasks and policies for Windows 10, both in Microsoft Intune and in non-Microsoft MDM service providers. For example, in Intune, the policy to allow search suggestions in the Microsoft Edge address bar uses **Browser/AllowSearchSuggestionsinAddressBar** in the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider).
@@ -50,7 +50,7 @@ The Open Mobile Alliance Device Management (OMA-DM) protocol uses the XML-based
The WMI-to-CSP Bridge is a component allowing configuration of Windows 10 CSPs using scripts and traditional enterprise management software, such as Configuration Manager using WMI. The bridge is responsible for reading WMI commands and through a component called the common device configurator pass them to a CSP for application on the device.
-[Learn how to use the WMI Bridge Provider with PowerShell.](https://go.microsoft.com/fwlink/p/?LinkId=761090)
+[Learn how to use the WMI Bridge Provider with PowerShell.](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider)
## Why should you learn about CSPs?
@@ -58,11 +58,11 @@ Generally, enterprises rely on Group Policy or MDM to configure and manage devic
In addition, you may have unmanaged devices, or a large number of devices that you want to configure before enrolling them in management. You may also want to apply custom settings that aren't available through your MDM service. The [CSP documentation](#bkmk-csp-doc) can help you understand the settings that can be configured or queried.
-Some of the articles in the [Windows 10 and Windows 10 Mobile](/windows/windows-10) library on Technet include links to applicable CSP reference topics, such as [Cortana integration in your business or enterprise](../cortana-at-work/cortana-at-work-overview.md), which links to the [Policy CSP](https://go.microsoft.com/fwlink/p/?LinkID=623244). In the CSP topics, you can learn about all of the available configuration settings.
+Some of the articles in the [Windows 10 and Windows 10 Mobile](/windows/windows-10) library on Technet include links to applicable CSP reference topics, such as [Cortana integration in your business or enterprise](../cortana-at-work/cortana-at-work-overview.md), which links to the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). In the CSP topics, you can learn about all of the available configuration settings.
### CSPs in Windows Configuration Designer
-You can use Windows Configuration Designer to create [provisioning packages](https://go.microsoft.com/fwlink/p/?LinkId=717466) to apply settings to devices during the out-of-box-experience (OOBE), and after the devices are set up. You can also use provisioning packages to configure a device's connectivity and enroll the device in MDM. Many of the runtime settings in Windows Configuration Designer are based on CSPs.
+You can use Windows Configuration Designer to create [provisioning packages](./provisioning-packages.md) to apply settings to devices during the out-of-box-experience (OOBE), and after the devices are set up. You can also use provisioning packages to configure a device's connectivity and enroll the device in MDM. Many of the runtime settings in Windows Configuration Designer are based on CSPs.
Many settings in Windows Configuration Designer will display documentation for that setting in the center pane, and will include a reference to the CSP if the setting uses one, as shown in the following image.
@@ -72,19 +72,19 @@ Many settings in Windows Configuration Designer will display documentation for t
### CSPs in MDM
-Most, if not all, CSPs are surfaced through your MDM service. If you see a CSP that provides a capability that you want to make use of and cannot find that capability in your MDM service, contact your MDM provider for assistance. It might be named differently than you expected. You can see the CSPs supported by MDM in the [Configuration service provider reference](https://go.microsoft.com/fwlink/p/?LinkId=717390).
+Most, if not all, CSPs are surfaced through your MDM service. If you see a CSP that provides a capability that you want to make use of and cannot find that capability in your MDM service, contact your MDM provider for assistance. It might be named differently than you expected. You can see the CSPs supported by MDM in the [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference).
-When a CSP is available but is not explicitly included in your MDM solution, you may be able to make use of the CSP by using OMA-URI settings. In Intune, for example, you can use [custom policy settings](https://go.microsoft.com/fwlink/p/?LinkID=616316) to deploy settings. Intune documents [a partial list of settings](https://go.microsoft.com/fwlink/p/?LinkID=616317) that you can enter in the **OMA-URI Settings** section of a custom policy, if your MDM service provides that extension. You'll notice that the list doesn't explain the meanings of the allowed and default values, so use the [CSP reference documentation](https://go.microsoft.com/fwlink/p/?LinkId=717390) to locate that information.
+When a CSP is available but is not explicitly included in your MDM solution, you may be able to make use of the CSP by using OMA-URI settings. In Intune, for example, you can use [custom policy settings](https://go.microsoft.com/fwlink/p/?LinkID=616316) to deploy settings. Intune documents [a partial list of settings](https://go.microsoft.com/fwlink/p/?LinkID=616317) that you can enter in the **OMA-URI Settings** section of a custom policy, if your MDM service provides that extension. You'll notice that the list doesn't explain the meanings of the allowed and default values, so use the [CSP reference documentation](/windows/client-management/mdm/configuration-service-provider-reference) to locate that information.
### CSPs in Lockdown XML
-Lockdown XML can be used to configure devices running Windows 10 Mobile. You can manually author a [Lockdown XML file](../mobile-devices/lockdown-xml.md) to make use of the configuration settings available through the [EnterpriseAssignedAccess configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkID=618601). In Windows 10, version 1703, you can also use the new [Lockdown Designer app](../mobile-devices/mobile-lockdown-designer.md) to configure your Lockdown XML.
+Lockdown XML can be used to configure devices running Windows 10 Mobile. You can manually author a [Lockdown XML file](../mobile-devices/lockdown-xml.md) to make use of the configuration settings available through the [EnterpriseAssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/enterpriseassignedaccess-csp). In Windows 10, version 1703, you can also use the new [Lockdown Designer app](../mobile-devices/mobile-lockdown-designer.md) to configure your Lockdown XML.
## How do you use the CSP documentation?
-All CSPs in Windows 10 are documented in the [Configuration service provider reference](https://go.microsoft.com/fwlink/p/?LinkId=717390).
+All CSPs in Windows 10 are documented in the [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference).
-The [main CSP topic](https://go.microsoft.com/fwlink/p/?LinkId=717390) tells you which CSPs are supported on each edition of Windows 10, and links to the documentation for each individual CSP.
+The [main CSP topic](/windows/client-management/mdm/configuration-service-provider-reference) tells you which CSPs are supported on each edition of Windows 10, and links to the documentation for each individual CSP.
@@ -92,11 +92,11 @@ The documentation for each CSP follows the same structure. After an introduction
The full path to a specific configuration setting is represented by its Open Mobile Alliance - Uniform Resource Identifier (OMA-URI). The URI is relative to the devices’ root node (MSFT, for example). Features supported by a particular CSP can be set by addressing the complete OMA-URI path.
-The following example shows the diagram for the [AssignedAccess CSP](https://go.microsoft.com/fwlink/p/?LinkID=626608). The diagram maps to the XML for that CSP. Notice the different shapes in the diagram: rounded elements are nodes, and rectangular elements are settings or policies for which a value must be supplied.
+The following example shows the diagram for the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). The diagram maps to the XML for that CSP. Notice the different shapes in the diagram: rounded elements are nodes, and rectangular elements are settings or policies for which a value must be supplied.
-The element in the tree diagram after the root node tells you the name of the CSP. Knowing this structure, you would recognize in XML the parts of the URI path for that CSP and, if you saw it in XML, you would know which CSP reference to look up. For example, in the following OMS-URI path for the kiosk mode app settings, you can see that it uses the [AssignedAccess CSP](https://go.microsoft.com/fwlink/p/?LinkID=626608).
+The element in the tree diagram after the root node tells you the name of the CSP. Knowing this structure, you would recognize in XML the parts of the URI path for that CSP and, if you saw it in XML, you would know which CSP reference to look up. For example, in the following OMS-URI path for the kiosk mode app settings, you can see that it uses the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp).
```XML
./Vendor/MSFT/AssignedAccess/KioskModeApp
@@ -108,7 +108,7 @@ When an element in the diagram uses _italic_ font, it indicates a placeholder fo
After the diagram, the documentation describes each element. For each policy or setting, the valid values are listed.
-For example, in the [AssignedAccess CSP](https://go.microsoft.com/fwlink/p/?LinkID=626608), the setting is **KioskModeApp**. The documentation tells you that the value for **KioskModeApp** is a JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app.
+For example, in the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp), the setting is **KioskModeApp**. The documentation tells you that the value for **KioskModeApp** is a JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app.
The documentation for most CSPs will also include an XML example.
@@ -116,7 +116,7 @@ The documentation for most CSPs will also include an XML example.
CSPs provide access to a number of settings useful to enterprises. This section introduces the CSPs that an enterprise might find useful.
-- [EnterpriseAssignedAccess CSP](https://go.microsoft.com/fwlink/p/?LinkID=618601)
+- [EnterpriseAssignedAccess CSP](/windows/client-management/mdm/enterpriseassignedaccess-csp)
The EnterpriseAssignedAccess CSP lets IT administrators configure settings on a Windows 10 Mobile device. An enterprise can make use of this CSP to create single-use or limited-use mobile devices, such as a handheld device that only runs a price-checking app.
@@ -131,7 +131,7 @@ CSPs provide access to a number of settings useful to enterprises. This section
- Enabling or disabling tile manipulation.
- Creating role-specific configurations.
-- [Policy CSP](https://go.microsoft.com/fwlink/p/?LinkID=623244)
+- [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider)
The Policy CSP enables the enterprise to configure policies on Windows 10 and Windows 10 Mobile. Some of these policy settings can also be applied using Group Policy, and the CSP documentation lists the equivalent Group Policy settings.
@@ -155,60 +155,60 @@ CSPs provide access to a number of settings useful to enterprises. This section
Here is a list of CSPs supported on Windows 10 Enterprise, Windows 10 Mobile Enterprise, or both:
-- [ActiveSync CSP](https://go.microsoft.com/fwlink/p/?LinkId=723219)
-- [Application CSP](https://go.microsoft.com/fwlink/p/?LinkId=723220)
-- [AppLocker CSP](https://go.microsoft.com/fwlink/p/?LinkID=626609)
-- [AssignedAccess CSP](https://go.microsoft.com/fwlink/p/?LinkID=626608)
-- [Bootstrap CSP](https://go.microsoft.com/fwlink/p/?LinkId=723224)
-- [BrowserFavorite CSP](https://go.microsoft.com/fwlink/p/?LinkId=723428)
-- [CellularSettings CSP](https://go.microsoft.com/fwlink/p/?LinkId=723427)
-- [CertificateStore CSP](https://go.microsoft.com/fwlink/p/?LinkId=723225)
-- [ClientCertificateInstall CSP](https://go.microsoft.com/fwlink/p/?LinkId=723226)
-- [CM\_CellularEntries CSP](https://go.microsoft.com/fwlink/p/?LinkId=723426)
-- [CM\_ProxyEntries CSP](https://go.microsoft.com/fwlink/p/?LinkId=723425)
-- [CMPolicy CSP](https://go.microsoft.com/fwlink/p/?LinkId=723424)
-- [Defender CSP](https://go.microsoft.com/fwlink/p/?LinkId=723227)
-- [DevDetail CSP](https://go.microsoft.com/fwlink/p/?LinkId=723228)
-- [DeviceInstanceService CSP](https://go.microsoft.com/fwlink/p/?LinkId=723275)
-- [DeviceLock CSP](https://go.microsoft.com/fwlink/p/?LinkId=723370)
-- [DeviceStatus CSP](https://go.microsoft.com/fwlink/p/?LinkId=723229)
-- [DevInfo CSP](https://go.microsoft.com/fwlink/p/?LinkId=723230)
-- [DiagnosticLog CSP](https://go.microsoft.com/fwlink/p/?LinkId=723231)
-- [DMAcc CSP](https://go.microsoft.com/fwlink/p/?LinkId=723232)
-- [DMClient CSP](https://go.microsoft.com/fwlink/p/?LinkId=723233)
-- [Email2 CSP](https://go.microsoft.com/fwlink/p/?LinkId=723234)
-- [EnterpriseAPN CSP](https://go.microsoft.com/fwlink/p/?LinkId=723235)
-- [EnterpriseAppManagement CSP](https://go.microsoft.com/fwlink/p/?LinkId=723237)
-- [EnterpriseAssignedAccess CSP](https://go.microsoft.com/fwlink/p/?LinkID=618601)
-- [EnterpriseDesktopAppManagement CSP](https://go.microsoft.com/fwlink/p/?LinkId=723236)
-- [EnterpriseExt CSP](https://go.microsoft.com/fwlink/p/?LinkId=723423)
-- [EnterpriseExtFileSystem CSP](https://go.microsoft.com/fwlink/p/?LinkID=703716)
-- [EnterpriseModernAppManagement CSP](https://go.microsoft.com/fwlink/p/?LinkId=723257)
-- [FileSystem CSP](https://go.microsoft.com/fwlink/p/?LinkId=723422)
-- [HealthAttestation CSP](https://go.microsoft.com/fwlink/p/?LinkId=723258)
-- [HotSpot CSP](https://go.microsoft.com/fwlink/p/?LinkId=723421)
-- [Maps CSP](https://go.microsoft.com/fwlink/p/?LinkId=723420)
-- [NAP CSP](https://go.microsoft.com/fwlink/p/?LinkId=723419)
-- [NAPDEF CSP](https://go.microsoft.com/fwlink/p/?LinkId=723371)
+- [ActiveSync CSP](/windows/client-management/mdm/activesync-csp)
+- [Application CSP](/windows/client-management/mdm/application-csp)
+- [AppLocker CSP](/windows/client-management/mdm/applocker-csp)
+- [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp)
+- [Bootstrap CSP](/windows/client-management/mdm/bootstrap-csp)
+- [BrowserFavorite CSP](/windows/client-management/mdm/browserfavorite-csp)
+- [CellularSettings CSP](/windows/client-management/mdm/cellularsettings-csp)
+- [CertificateStore CSP](/windows/client-management/mdm/certificatestore-csp)
+- [ClientCertificateInstall CSP](/windows/client-management/mdm/clientcertificateinstall-csp)
+- [CM\_CellularEntries CSP](/windows/client-management/mdm/cm-cellularentries-csp)
+- [CM\_ProxyEntries CSP](/windows/client-management/mdm/cm-proxyentries-csp)
+- [CMPolicy CSP](/windows/client-management/mdm/cmpolicy-csp)
+- [Defender CSP](/windows/client-management/mdm/defender-csp)
+- [DevDetail CSP](/windows/client-management/mdm/devdetail-csp)
+- [DeviceInstanceService CSP](/windows/client-management/mdm/deviceinstanceservice-csp)
+- [DeviceLock CSP](/windows/client-management/mdm/devicelock-csp)
+- [DeviceStatus CSP](/windows/client-management/mdm/devicestatus-csp)
+- [DevInfo CSP](/windows/client-management/mdm/devinfo-csp)
+- [DiagnosticLog CSP](/windows/client-management/mdm/diagnosticlog-csp)
+- [DMAcc CSP](/windows/client-management/mdm/dmacc-csp)
+- [DMClient CSP](/windows/client-management/mdm/dmclient-csp)
+- [Email2 CSP](/windows/client-management/mdm/email2-csp)
+- [EnterpriseAPN CSP](/windows/client-management/mdm/enterpriseapn-csp)
+- [EnterpriseAppManagement CSP](/windows/client-management/mdm/enterpriseappmanagement-csp)
+- [EnterpriseAssignedAccess CSP](/windows/client-management/mdm/enterpriseassignedaccess-csp)
+- [EnterpriseDesktopAppManagement CSP](/windows/client-management/mdm/enterprisedesktopappmanagement-csp)
+- [EnterpriseExt CSP](/windows/client-management/mdm/enterpriseext-csp)
+- [EnterpriseExtFileSystem CSP](/windows/client-management/mdm/enterpriseextfilessystem-csp)
+- [EnterpriseModernAppManagement CSP](/windows/client-management/mdm/enterprisemodernappmanagement-csp)
+- [FileSystem CSP](/windows/client-management/mdm/filesystem-csp)
+- [HealthAttestation CSP](/windows/client-management/mdm/healthattestation-csp)
+- [HotSpot CSP](/windows/client-management/mdm/hotspot-csp)
+- [Maps CSP](/windows/client-management/mdm/maps-csp)
+- [NAP CSP](/windows/client-management/mdm/filesystem-csp)
+- [NAPDEF CSP](/windows/client-management/mdm/napdef-csp)
- [NodeCache CSP]( https://go.microsoft.com/fwlink/p/?LinkId=723265)
-- [PassportForWork CSP](https://go.microsoft.com/fwlink/p/?LinkID=692070)
-- [Policy CSP](https://go.microsoft.com/fwlink/p/?LinkID=623244)
+- [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp)
+- [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider)
- [PolicyManager CSP]( https://go.microsoft.com/fwlink/p/?LinkId=723418)
-- [Provisioning CSP](https://go.microsoft.com/fwlink/p/?LinkId=723266)
+- [Provisioning CSP](/windows/client-management/mdm/provisioning-csp)
- [Proxy CSP]( https://go.microsoft.com/fwlink/p/?LinkId=723372)
-- [PXLOGICAL CSP](https://go.microsoft.com/fwlink/p/?LinkId=723374)
-- [Registry CSP](https://go.microsoft.com/fwlink/p/?LinkId=723417)
-- [RemoteFind CSP](https://go.microsoft.com/fwlink/p/?LinkId=723267)
-- [RemoteWipe CSP](https://go.microsoft.com/fwlink/p/?LinkID=703714)
-- [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkId=723375)
-- [RootCATrustedCertificates CSP](https://go.microsoft.com/fwlink/p/?LinkId=723270)
-- [SecurityPolicy CSP](https://go.microsoft.com/fwlink/p/?LinkId=723376)
-- [Storage CSP](https://go.microsoft.com/fwlink/p/?LinkId=723377)
-- [SUPL CSP](https://go.microsoft.com/fwlink/p/?LinkId=723378)
-- [UnifiedWriteFilter CSP](https://go.microsoft.com/fwlink/p/?LinkId=723272)
-- [Update CSP](https://go.microsoft.com/fwlink/p/?LinkId=723271)
-- [VPN CSP](https://go.microsoft.com/fwlink/p/?LinkId=723416)
-- [VPNv2 CSP](https://go.microsoft.com/fwlink/p/?LinkID=617588)
-- [Wi-Fi CSP](https://go.microsoft.com/fwlink/p/?LinkID=71743)
-- [WindowsLicensing CSP](https://go.microsoft.com/fwlink/p/?LinkId=723274)
-- [WindowsSecurityAuditing CSP](https://go.microsoft.com/fwlink/p/?LinkId=723415)
+- [PXLOGICAL CSP](/windows/client-management/mdm/pxlogical-csp)
+- [Registry CSP](/windows/client-management/mdm/registry-csp)
+- [RemoteFind CSP](/windows/client-management/mdm/remotefind-csp)
+- [RemoteWipe CSP](/windows/client-management/mdm/remotewipe-csp)
+- [Reporting CSP](/windows/client-management/mdm/reporting-csp)
+- [RootCATrustedCertificates CSP](/windows/client-management/mdm/rootcacertificates-csp)
+- [SecurityPolicy CSP](/windows/client-management/mdm/securitypolicy-csp)
+- [Storage CSP](/windows/client-management/mdm/storage-csp)
+- [SUPL CSP](/windows/client-management/mdm/supl-csp)
+- [UnifiedWriteFilter CSP](/windows/client-management/mdm/unifiedwritefilter-csp)
+- [Update CSP](/windows/client-management/mdm/update-csp)
+- [VPN CSP](/windows/client-management/mdm/vpn-csp)
+- [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp)
+- [Wi-Fi CSP](/documentation/)
+- [WindowsLicensing CSP](/windows/client-management/mdm/windowslicensing-csp)
+- [WindowsSecurityAuditing CSP](/windows/client-management/mdm/windowssecurityauditing-csp)
\ No newline at end of file
diff --git a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
index b825b767ae..24171db2ae 100644
--- a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
@@ -81,9 +81,9 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
Enter a device name. Optionally, you can enter a product key to upgrade the device from Windows 10 Mobile to Windows 10 Mobile Enterprise. 
Toggle On or Off for wireless network connectivity. If you select On, enter the SSID, network type (Open or WPA2-Personal), and (if WPA2-Personal) the password for the wireless network.
Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, set up Azure AD join in your organization. The maximum number of devices per user setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. Set an expiration date for the token (maximum is 180 days from the date you get the token). Click Get bulk token. In the Let's get you signed in window, enter an account that has permissions to join a device to Azure AD, and then the password. Click Accept to give Windows Configuration Designer the necessary permissions.Warning: You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards. 
Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, set up Azure AD join in your organization. The maximum number of devices per user setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. Set an expiration date for the token (maximum is 180 days from the date you get the token). Click Get bulk token. In the Let's get you signed in window, enter an account that has permissions to join a device to Azure AD, and then the password. Click Accept to give Windows Configuration Designer the necessary permissions.Warning: You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards. 
You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.
-
-For details on each specific setting, see [Windows Provisioning settings reference](https://msdn.microsoft.com/library/windows/hardware/dn965990.aspx). The reference topic for a setting is also displayed in Windows Configuration Designer when you select the setting, as shown in the following image.
+For details on each specific setting, see [Windows Provisioning settings reference](../wcd/wcd.md). The reference topic for a setting is also displayed in Windows Configuration Designer when you select the setting, as shown in the following image.
@@ -150,7 +150,7 @@ For details on each specific setting, see [Windows Provisioning settings referen
- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922)
-- [How to bulk-enroll devices with On-premises Mobile Device Management in Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/mdm/deploy-use/bulk-enroll-devices-on-premises-mdm)
+- [How to bulk-enroll devices with On-premises Mobile Device Management in Microsoft Endpoint Configuration Manager](/configmgr/mdm/deploy-use/bulk-enroll-devices-on-premises-mdm)
## Related topics
@@ -163,4 +163,4 @@ For details on each specific setting, see [Windows Provisioning settings referen
- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md)
- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)
-- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
+- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
\ No newline at end of file
diff --git a/windows/configuration/provisioning-packages/provisioning-how-it-works.md b/windows/configuration/provisioning-packages/provisioning-how-it-works.md
index 8153ebaf57..46b7f1524f 100644
--- a/windows/configuration/provisioning-packages/provisioning-how-it-works.md
+++ b/windows/configuration/provisioning-packages/provisioning-how-it-works.md
@@ -65,7 +65,7 @@ Windows provisioning XML is the framework that allows Microsoft and OEM componen
Settings for each component can be declared within that component's package manifest file. These declarations are turned into settings schema that are used by Windows Configuration Designer to expose the potential settings to users to create customizations in the image or in provisioning packages. Windows Configuration Designer translates the user configuration, which is declared through Windows provisioning answer file(s), into the on-device provisioning format.
-When the provisioning engine selects a configuration, the Windows provisioning XML is contained within the selected provisioning data and is passed through the configuration manager and then to the [Windows provisioning CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/provisioning-csp). The Windows provisioning CSP then takes and applies the provisioning to the proper location for the actual component to use.
+When the provisioning engine selects a configuration, the Windows provisioning XML is contained within the selected provisioning data and is passed through the configuration manager and then to the [Windows provisioning CSP](/windows/client-management/mdm/provisioning-csp). The Windows provisioning CSP then takes and applies the provisioning to the proper location for the actual component to use.
## Provisioning engine
@@ -82,7 +82,7 @@ The provisioning engine provides the following functionality:
## Configuration manager
-The configuration manager provides the unified way of managing Windows 10 devices. Configuration is mainly done through the Open Mobile Alliance (OMA) Device Management (DM) and Client Provisioning (CP) protocols. The configuration manager handles and parses these protocol requests from different channels and passes them down to [Configuration Service Providers (CSPs)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/configuration-service-provider-reference) to perform the specific management requests and settings.
+The configuration manager provides the unified way of managing Windows 10 devices. Configuration is mainly done through the Open Mobile Alliance (OMA) Device Management (DM) and Client Provisioning (CP) protocols. The configuration manager handles and parses these protocol requests from different channels and passes them down to [Configuration Service Providers (CSPs)](/windows/client-management/mdm/configuration-service-provider-reference) to perform the specific management requests and settings.
The provisioning engine relies on configuration manager for all of the actual processing and application of a chosen configuration. The provisioning engine determines the stage of provisioning and, based on a set of keys, determines the set of configuration to send to the configuration manager. The configuration manager in turn parses and calls into the CSPs for the setting to be applied.
@@ -178,9 +178,4 @@ After a stand-alone provisioning package is applied to the device, the package i
-
-
-
-
-
-
+
\ No newline at end of file
diff --git a/windows/configuration/provisioning-packages/provisioning-multivariant.md b/windows/configuration/provisioning-packages/provisioning-multivariant.md
index bf0de14b73..6d642dc5a8 100644
--- a/windows/configuration/provisioning-packages/provisioning-multivariant.md
+++ b/windows/configuration/provisioning-packages/provisioning-multivariant.md
@@ -61,7 +61,7 @@ The following table shows the conditions supported in Windows 10 provisioning fo
| ProcessorType | P1 | Supported | Supported | String | Use to target settings based on the processor type. |
| ProcessorName | P1 | Supported | Supported | String | Use to target settings based on the processor name. |
| AoAc ("Always On, Always Connected") | P1 | Supported | Supported | Boolean | Set the value to **0** (false) or **1** (true). If this condition is TRUE, the system supports the S0 low power idle model. |
-| PowerPlatformRole | P1 | Supported | Supported | Enumeration | Indicates the preferred power management profile. Set the value based on the [POWER_PLATFORM_ROLE enumeration](https://msdn.microsoft.com/library/windows/desktop/aa373174.aspx). |
+| PowerPlatformRole | P1 | Supported | Supported | Enumeration | Indicates the preferred power management profile. Set the value based on the [POWER_PLATFORM_ROLE enumeration](/windows/win32/api/winnt/ne-winnt-power_platform_role). |
| Architecture | P1 | Supported | Supported | String | Matches the PROCESSOR_ARCHITECTURE environment variable. |
| Server | P1 | Supported | Supported | Boolean | Set the value to **0** (false) or **1** (true) to identify a server. |
| Region | P1 | Supported | Supported | Enumeration | Use to target settings based on country/region, using the 2-digit alpha ISO code per [ISO 3166-1 alpha-2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2). |
@@ -316,9 +316,3 @@ The following events trigger provisioning on Windows 10 devices:
- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md)
- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)
-
-
-
-
-
-
diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md
index b5816befcb..0542d32d99 100644
--- a/windows/configuration/provisioning-packages/provisioning-packages.md
+++ b/windows/configuration/provisioning-packages/provisioning-packages.md
@@ -79,7 +79,7 @@ The following table describes settings that you can configure using the wizards
Enter a name for the device.(Optional) Select a license file to upgrade Windows 10 to a different edition. See the permitted upgrades.Toggle Yes or No to Configure devices for shared use. This setting optimizes Windows 10 for shared use scenarios. Learn more about shared PC configuration.You can also select to remove pre-installed software from the device. 
Enter a name for the device.(Optional) Select a license file to upgrade Windows 10 to a different edition. See the permitted upgrades.Toggle Yes or No to Configure devices for shared use. This setting optimizes Windows 10 for shared use scenarios. Learn more about shared PC configuration.You can also select to remove pre-installed software from the device. 
Toggle On or Off for wireless network connectivity. If you select On, enter the SSID, the network type (Open or WPA2-Personal), and (if WPA2-Personal) the password for the wireless network.
Enable account management if you want to configure settings on this page. You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the deviceTo enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, set up Azure AD join in your organization. The maximum number of devices per user setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 180 days from the date you get the token). Click Get bulk token. In the Let's get you signed in window, enter an account that has permissions to join a device to Azure AD, and then the password. Click Accept to give Windows Configuration Designer the necessary permissions. To create a local administrator account, select that option and enter a user name and password. Important: If you create a local account in the provisioning package, you must change the password using the Settings app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. 
Enable account management if you want to configure settings on this page. You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the deviceTo enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, set up Azure AD join in your organization. The maximum number of devices per user setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 180 days from the date you get the token). Click Get bulk token. In the Let's get you signed in window, enter an account that has permissions to join a device to Azure AD, and then the password. Click Accept to give Windows Configuration Designer the necessary permissions. To create a local administrator account, select that option and enter a user name and password. Important: If you create a local account in the provisioning package, you must change the password using the Settings app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. 
You can install multiple applications, both Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see Provision PCs with apps. 
To provision the device with a certificate, click Add a certificate. Enter a name for the certificate, and then browse to and select the certificate to be used.
You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.
When the setting is configured, it is displayed in the Selected customizations pane.
Set up device Assign device name,enter product key to upgrade Windows,configure shared used,remove pre-installed software 
(Only device name and upgrade key)Set up network Connect to a Wi-Fi network Account management Enroll device in Active Directory,enroll device in Azure Active Directory,or create a local administrator account 
Bulk Enrollment in Azure AD Enroll device in Azure Active DirectoryBefore you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, set up Azure AD join in your organization. Bulk Enrollment in Azure AD Enroll device in Azure Active DirectoryBefore you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, set up Azure AD join in your organization. Add applications Install applications using the provisioning package. Add certificates Include a certificate file in the provisioning package. Configure kiosk account and app Create local account to run the kiosk mode app,specify the app to run in kiosk mode
- **Only guest** allows anyone to use the PC as a local standard (non-admin) account.
- **Domain-joined only** allows users to sign in with an Active Directory or Azure AD account.
- **Domain-joined and guest** allows users to sign in with an Active Directory, Azure AD, or local standard account. |
| AccountManagement: DeletionPolicy | - **Delete immediately** will delete the account on sign-out.
- **Delete at disk space threshold** will start deleting accounts when available disk space falls below the threshold you set for **DiskLevelDeletion**, and it will stop deleting accounts when the available disk space reaches the threshold you set for **DiskLevelCaching**. Accounts are deleted in order of oldest accessed to most recently accessed.
Example: The caching number is 50 and the deletion number is 25. Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) at a maintenance period, accounts will be deleted (oldest last used first) until the free disk space is above 50% (the caching number). Accounts will be deleted immediately at sign off of an account if free space is under the deletion threshold and disk space is very low, regardless if the PC is actively in use or not.
- **Delete at disk space threshold and inactive threshold** will apply the same disk space checks as noted above, but also delete accounts if they have not signed in within the number of days specified by **InactiveThreshold** |
| AccountManagement: DiskLevelCaching | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account caching. |
| AccountManagement: DiskLevelDeletion | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account deletion. |
| AccountManagement: InactiveThreshold | If you set **DeletionPolicy** to **Delete at disk space threshold and inactive threshold**, set the number of days after which an account that has not signed in will be deleted. |
| AccountManagement: EnableAccountManager | Set as **True** to enable automatic account management. If this is not set to true, no automatic account management will be done. |
-| AccountManagement: KioskModeAUMID | Set an Application User Model ID (AUMID) to enable the kiosk account on the sign-in screen. A new account will be created and will use assigned access to only run the app specified by the AUMID. Note that the app must be installed on the PC. Set the name of the account using **KioskModeUserTileDisplayText**, or a default name will be used. [Find the Application User Model ID of an installed app](https://msdn.microsoft.com/library/dn449300.aspx) |
+| AccountManagement: KioskModeAUMID | Set an Application User Model ID (AUMID) to enable the kiosk account on the sign-in screen. A new account will be created and will use assigned access to only run the app specified by the AUMID. Note that the app must be installed on the PC. Set the name of the account using **KioskModeUserTileDisplayText**, or a default name will be used. [Find the Application User Model ID of an installed app](/previous-versions/windows/embedded/dn449300(v=winembedded.82)) |
| AccountManagement: KioskModeUserTileDisplayText | Sets the display text on the kiosk account if **KioskModeAUMID** has been set. |
| Customization: MaintenanceStartTime | By default, the maintenance start time (which is when automatic maintenance tasks run, such as Windows Update) is midnight. You can adjust the start time in this setting by entering a new start time in minutes from midnight. For example, if you want maintenance to begin at 2 AM, enter `120` as the value. |
| Customization: MaxPageFileSizeMB | Adjusts the maximum page file size in MB. This can be used to fine-tune page file behavior, especially on low end PCs. |
-| Customization: RestrictLocalStorage | Set as **True** to restrict the user from saving or viewing local storage when using File Explorer. This setting controls this API: [ShouldAvoidLocalStorage](https://docs.microsoft.com/uwp/api/windows.system.profile.sharedmodesettings) |
-| Customization: SetEduPolicies | Set to **True** for PCs that will be used in a school. For more information, see [Windows 10 configuration recommendations for education customers](https://docs.microsoft.com/education/windows/configure-windows-for-education). This setting controls this API: [IsEducationEnvironment](https://docs.microsoft.com/uwp/api/windows.system.profile.educationsettings) |
+| Customization: RestrictLocalStorage | Set as **True** to restrict the user from saving or viewing local storage when using File Explorer. This setting controls this API: [ShouldAvoidLocalStorage](/uwp/api/windows.system.profile.sharedmodesettings) |
+| Customization: SetEduPolicies | Set to **True** for PCs that will be used in a school. For more information, see [Windows 10 configuration recommendations for education customers](/education/windows/configure-windows-for-education). This setting controls this API: [IsEducationEnvironment](/uwp/api/windows.system.profile.educationsettings) |
| Customization: SetPowerPolicies | When set as **True**:
- Prevents users from changing power settings
- Turns off hibernate
- Overrides all power state transitions to sleep (e.g. lid close) |
| Customization: SignInOnResume | This setting specifies if the user is required to sign in with a password when the PC wakes from sleep. |
| Customization: SleepTimeout | Specifies all timeouts for when the PC should sleep. Enter the amount of idle time in seconds. If you don't set sleep timeout, the default of 1 hour applies. |
@@ -83,7 +83,7 @@ Shared PC mode exposes a set of customizations to tailor the behavior to your re
You can configure Windows to be in shared PC mode in a couple different ways:
-- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/sharedpc-csp). To setup a shared device policy for Windows 10 in Intune, complete the following steps:
+- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](/windows/client-management/mdm/sharedpc-csp). To setup a shared device policy for Windows 10 in Intune, complete the following steps:
1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
@@ -112,11 +112,11 @@ You can configure Windows to be in shared PC mode in a couple different ways:
11. From this point on, you can configure any additional settings you’d like to be part of this policy, and then follow the rest of the set-up flow to its completion by selecting **Create** after **Step 6**.
-- A provisioning package created with the Windows Configuration Designer: You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows 10 PC that is already in use. The provisioning package is created in Windows Configuration Designer. Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/sharedpc-csp), exposed in Windows Configuration Designer as **SharedPC**.
+- A provisioning package created with the Windows Configuration Designer: You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows 10 PC that is already in use. The provisioning package is created in Windows Configuration Designer. Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](/windows/client-management/mdm/sharedpc-csp), exposed in Windows Configuration Designer as **SharedPC**.
-- WMI bridge: Environments that use Group Policy can use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx) to configure the [MDM_SharedPC class](https://msdn.microsoft.com/library/windows/desktop/mt779129.aspx). For all device settings, the WMI Bridge client must be executed under local system user; for more information, see [Using PowerShell scripting with the WMI Bridge Provider](https://docs.microsoft.com/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). For example, open PowerShell as an administrator and enter the following:
+- WMI bridge: Environments that use Group Policy can use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to configure the [MDM_SharedPC class](/windows/win32/dmwmibridgeprov/mdm-sharedpc). For all device settings, the WMI Bridge client must be executed under local system user; for more information, see [Using PowerShell scripting with the WMI Bridge Provider](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). For example, open PowerShell as an administrator and enter the following:
```powershell
$sharedPC = Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_SharedPC"
@@ -330,9 +330,3 @@ Shared PC mode sets local group policies to configure the device. Some of these
-
-
-
-
-
-
diff --git a/windows/configuration/setup-digital-signage.md b/windows/configuration/setup-digital-signage.md
index 7741d3ba98..ea28c23abd 100644
--- a/windows/configuration/setup-digital-signage.md
+++ b/windows/configuration/setup-digital-signage.md
@@ -24,7 +24,7 @@ ms.topic: article
Digital signage can be a useful and exciting business tool. Use digital signs to showcase your products and services, to display testimonials, or to advertise promotions and campaigns. A digital sign can be a static display, such as a building directory or menu, or it can be dynamic, such as repeating videos or a social media feed.
-For digital signage, simply select a digital sign player as your kiosk app. You can also use [Microsoft Edge in kiosk mode](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) or the Kiosk Browser app (a new Microsoft app for Windows 10, version 1803) and configure it to show your online content.
+For digital signage, simply select a digital sign player as your kiosk app. You can also use [Microsoft Edge in kiosk mode](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) or the Kiosk Browser app (a new Microsoft app for Windows 10, version 1803) and configure it to show your online content.
>[!TIP]
>Kiosk Browser can also be used in [single-app kiosks](kiosk-single-app.md) and [multi-app kiosk](lock-down-windows-10-to-specific-apps.md) as a web browser. For more information, see [Guidelines for web browsers](guidelines-for-assigned-access-app.md#guidelines-for-web-browsers).
@@ -32,13 +32,13 @@ For digital signage, simply select a digital sign player as your kiosk app. You
Kiosk Browser must be downloaded for offline licensing using Microsoft Store for Business. You can deploy Kiosk Browser to devices running Windows 10, version 1803.
>[!NOTE]
->If you haven't set up your Microsoft Store for Business yet, check out [the prerequisites](https://docs.microsoft.com/microsoft-store/prerequisites-microsoft-store-for-business) and then [sign up](https://docs.microsoft.com/microsoft-store/sign-up-microsoft-store-for-business).
+>If you haven't set up your Microsoft Store for Business yet, check out [the prerequisites](/microsoft-store/prerequisites-microsoft-store-for-business) and then [sign up](/microsoft-store/sign-up-microsoft-store-for-business).
This procedure explains how to configure digital signage using Kiosk Browser on a device running Windows 10, version 1803, that has already been set up (completed the first-run experience).
-1. [Get **Kiosk Browser** in Microsoft Store for Business with offline, unencoded license type.](https://docs.microsoft.com/microsoft-store/acquire-apps-microsoft-store-for-business#acquire-apps)
-2. [Download the **Kiosk Browser** package, license file, and all required frameworks.](https://docs.microsoft.com/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app)
+1. [Get **Kiosk Browser** in Microsoft Store for Business with offline, unencoded license type.](/microsoft-store/acquire-apps-microsoft-store-for-business#acquire-apps)
+2. [Download the **Kiosk Browser** package, license file, and all required frameworks.](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app)
2. [Install Windows Configuration Designer.](~/provisioning-packages/provisioning-install-icd.md)
3. Open Windows Configuration Designer and select **Provision kiosk devices**.
4. Enter a friendly name for the project, and select **Finish**.
@@ -92,4 +92,3 @@ This procedure explains how to configure digital signage using Kiosk Browser on
-
diff --git a/windows/configuration/start-layout-troubleshoot.md b/windows/configuration/start-layout-troubleshoot.md
index f373bc8c78..7e22c5ecb6 100644
--- a/windows/configuration/start-layout-troubleshoot.md
+++ b/windows/configuration/start-layout-troubleshoot.md
@@ -18,7 +18,7 @@ Start failures can be organized into these categories:
- **Deployment/Install issues** - Easiest to identify but difficult to recover. This failure is consistent and usually permanent. Reset, restore from backup, or rollback to recover.
- **Performance issues** - More common with older hardware, low-powered machines. Symptoms include: High CPU utilization, disk contention, memory resources. This makes Start very slow to respond. Behavior is intermittent depending on available resources.
-- **Crashes** - Also easy to identify. Crashes in Shell Experience Host or related can be found in System or Application event logs. This can be a code defect or related to missing or altered permissions to files or registry keys by a program or incorrect security tightening configurations. Determining permissions issues can be time consuming but a [SysInternals tool called Procmon](https://docs.microsoft.com/sysinternals/downloads/procmon) will show **Access Denied**. The other option is to get a dump of the process when it crashes and depending on comfort level, review the dump in the debugger, or have support review the data.
+- **Crashes** - Also easy to identify. Crashes in Shell Experience Host or related can be found in System or Application event logs. This can be a code defect or related to missing or altered permissions to files or registry keys by a program or incorrect security tightening configurations. Determining permissions issues can be time consuming but a [SysInternals tool called Procmon](/sysinternals/downloads/procmon) will show **Access Denied**. The other option is to get a dump of the process when it crashes and depending on comfort level, review the dump in the debugger, or have support review the data.
- **Hangs** - in Shell Experience host or related. These are the hardest issues to identify as there are few events logged, but behavior is typically intermittent or recovers with a reboot. If a background application or service hangs, Start will not have resources to respond in time. Clean boot may help identify if the issue is related to additional software. Procmon is also useful in this scenario.
- **Other issues** - Customization, domain policies, deployment issues.
@@ -324,17 +324,4 @@ If you have already encountered this issue, use one of the following two options
5. Select **Edit**, and then select **Add** to add the group.
-6. Test Start and other Apps.
-
-
-
-
-
-
-
-
-
-
-
-
-
+6. Test Start and other Apps.
\ No newline at end of file
diff --git a/windows/configuration/start-layout-xml-desktop.md b/windows/configuration/start-layout-xml-desktop.md
index 520de10950..e3704b03a6 100644
--- a/windows/configuration/start-layout-xml-desktop.md
+++ b/windows/configuration/start-layout-xml-desktop.md
@@ -33,7 +33,7 @@ On Windows 10 for desktop editions, the customized Start works by:
- No limit to the number of apps that can be pinned. There is a theoretical limit of 24 tiles per group (4 small tiles per medium square x 3 columns x 2 rows).
>[!NOTE]
->To use the layout modification XML to configure Start with roaming user profiles, see [Deploying Roaming User Profiles](https://docs.microsoft.com/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-7-optionally-specify-a-start-layout-for-windows-10-pcs).
+>To use the layout modification XML to configure Start with roaming user profiles, see [Deploying Roaming User Profiles](/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-7-optionally-specify-a-start-layout-for-windows-10-pcs).
@@ -84,7 +84,7 @@ start:Folder
Parent:
start:Group | Name (in Windows 10, version 1809 a
| TopMFUAppsParent:LayoutModificationTemplate | n/a | Use to add up to 3 default apps to the frequently used apps section in the system area.**Note**: Only applies to versions of Windows 10 earlier than version 1709. In Windows 10, version 1709, you can no longer pin apps to the Most Frequently Used apps list in Start. |
| TileParent:TopMFUApps | AppUserModelID | Use with the TopMFUApps tags to specify an app with a known AppUserModelID. **Note**: Only applies to versions of Windows 10 earlier than version 1709. In Windows 10, version 1709, you can no longer pin apps to the Most Frequently Used apps list in Start. |
| DesktopApplicationTileParent:TopMFUApps | LinkFilePath | Use with the TopMFUApps tags to specify an app without a known AppUserModelID.**Note**: Only applies to versions of Windows 10 earlier than version 1709. In Windows 10, version 1709, you can no longer pin apps to the Most Frequently Used apps list in Start. |
-| AppendOfficeSuiteParent:LayoutModificationTemplate | n/a | Use to add the in-box installed Office suite to Start. For more information, see [Customize the Office suite of tiles](https://docs.microsoft.com/windows-hardware/customize/desktop/customize-start-layout#customize-the-office-suite-of-tiles).Do not use this tag with AppendDownloadOfficeTile |
+| AppendOfficeSuiteParent:LayoutModificationTemplate | n/a | Use to add the in-box installed Office suite to Start. For more information, see [Customize the Office suite of tiles](/windows-hardware/customize/desktop/customize-start-layout#customize-the-office-suite-of-tiles).Do not use this tag with AppendDownloadOfficeTile |
| AppendDownloadOfficeTileParent:LayoutModificationTemplate | n/a | Use to add a specific **Download Office** tile to a specific location in StartDo not use this tag with AppendOfficeSuite |
### LayoutOptions
@@ -213,7 +213,7 @@ You can use the **start:DesktopApplicationTile** tag to pin a Windows desktop ap
- By using the application's application user model ID, if this is known. If the Windows desktop application doesn't have one, use the shortcut link option.
- You can use the [Get-StartApps cmdlet](https://technet.microsoft.com/library/dn283402.aspx) on a PC that has the application pinned to Start to obtain the app ID.
+ You can use the [Get-StartApps cmdlet](/powershell/module/startlayout/get-startapps) on a PC that has the application pinned to Start to obtain the app ID.
To pin a Windows desktop application through this method, you must set the **DesktopApplicationID** attribute to the application user model ID that's associated with the corresponding app.
@@ -341,9 +341,9 @@ This tag is added in Windows 10, version 1803. You have two options in this tag:
Use `Choice=DesktopBridgeSubscription` on devices running Windows 10, version 1803, that have Office 365 preinstalled. This will set the heading of the Office suite of tiles to **Office 365**, to highlight the Office 365 apps that you've made available on the device.
-Use `Choice=DesktopBridge` on devices running versions of Windows 10 earlier than version 1803, and on devices shipping with [perpetual licenses for Office](https://blogs.technet.microsoft.com/ausoemteam/2017/11/30/choosing-the-right-office-version-for-your-customers/). This will set the heading of the Office suite of tiles to **Create**.
+Use `Choice=DesktopBridge` on devices running versions of Windows 10 earlier than version 1803, and on devices shipping with [perpetual licenses for Office](/archive/blogs/ausoemteam/choosing-the-right-office-version-for-your-customers). This will set the heading of the Office suite of tiles to **Create**.
-For more information, see [Customize the Office suite of tiles](https://docs.microsoft.com/windows-hardware/customize/desktop/customize-start-layout#customize-the-office-suite-of-tiles).
+For more information, see [Customize the Office suite of tiles](/windows-hardware/customize/desktop/customize-start-layout#customize-the-office-suite-of-tiles).
#### AppendDownloadOfficeTile
@@ -442,7 +442,7 @@ The following sample LayoutModification.xml shows how you can configure the Star
## Use Windows Provisioning multivariant support
-The Windows Provisioning multivariant capability allows you to declare target conditions that, when met, supply specific customizations for each variant condition. For Start customization, you can create specific layouts for each variant that you have. To do this, you must create a separate LayoutModification.xml file for each variant that you want to support and then include these in your provisioning package. For more information on how to do this, see [Create a provisioning package with multivariant settings](https://msdn.microsoft.com/library/windows/hardware/dn916108.aspx).
+The Windows Provisioning multivariant capability allows you to declare target conditions that, when met, supply specific customizations for each variant condition. For Start customization, you can create specific layouts for each variant that you have. To do this, you must create a separate LayoutModification.xml file for each variant that you want to support and then include these in your provisioning package. For more information on how to do this, see [Create a provisioning package with multivariant settings](./provisioning-packages/provisioning-multivariant.md).
The provisioning engine chooses the right customization file based on the target conditions that were met, adds the file in the location that's specified for the setting, and then uses the specific file to customize Start. To differentiate between layouts, you can add modifiers to the LayoutModification.xml filename such as "LayoutCustomization1". Regardless of the modifier that you use, the provsioning engine will always output "LayoutCustomization.xml" so that the operating system has a consistent file name to query against.
@@ -548,9 +548,3 @@ Once you have created the LayoutModification.xml file and it is present in the d
-
-
-
-
-
-
diff --git a/windows/configuration/start-secondary-tiles.md b/windows/configuration/start-secondary-tiles.md
index 2064129dc1..57f5af4735 100644
--- a/windows/configuration/start-secondary-tiles.md
+++ b/windows/configuration/start-secondary-tiles.md
@@ -71,7 +71,7 @@ In Windows 10, version 1703, by using the PowerShell cmdlet `export-StartLayoutE
```
In the previous command, `-path` is a required parameter that specifies the path and file name for the export file. You can specify a local path or a UNC path (for example, \\\\FileServer01\\StartLayouts\\StartLayoutMarketing.xml).
- Use a file name of your choice—for example, StartLayoutMarketing.xml. Include the .xml file name extension. The [Export-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/export-startlayout?view=win10-ps) cmdlet does not append the file name extension, and the policy settings require the extension.
+ Use a file name of your choice—for example, StartLayoutMarketing.xml. Include the .xml file name extension. The [Export-StartLayout](/powershell/module/startlayout/export-startlayout?view=win10-ps) cmdlet does not append the file name extension, and the policy settings require the extension.
3. If you’d like to change the image for a secondary tile to your own custom image, open the layout.xml file, and look for the images that the tile references.
- For example, your layout.xml contains `Square150x150LogoUri="ms-appdata:///local/PinnedTiles/21581260870/hires.png" Wide310x150LogoUri="ms-appx:///"`
@@ -89,7 +89,7 @@ You can apply the customized Start layout with images for secondary tiles by usi
### Using MDM
-In Microsoft Intune, you create a device restrictions policy to apply to device group. For other MDM solutions, you may need to use an OMA-URI setting for Start layout, based on the [Policy configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkID=623244). The OMA-URI setting is `./User/Vendor/MSFT/Policy/Config/Start/StartLayout`.
+In Microsoft Intune, you create a device restrictions policy to apply to device group. For other MDM solutions, you may need to use an OMA-URI setting for Start layout, based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider). The OMA-URI setting is `./User/Vendor/MSFT/Policy/Config/Start/StartLayout`.
1. In the Microsoft Azure portal, search for **Intune** or go to **More services** > **Intune**.
@@ -103,10 +103,10 @@ In Microsoft Intune, you create a device restrictions policy to apply to device
9. In **Start menu layout**, browse to and select your Start layout XML file.
9. In **Pin websites to tiles in Start menu**, browse to and select your assets XML file.
10. Select **OK** twice, and then select **Create**.
-11. [Assign the profile to a group](https://docs.microsoft.com/intune/device-profile-assign).
+11. [Assign the profile to a group](/intune/device-profile-assign).
>[!NOTE]
->The device restrictions in Microsoft Intune include [other Start settings](https://docs.microsoft.com/intune/device-restrictions-windows-10#start) that you can also configure in your profile.
+>The device restrictions in Microsoft Intune include [other Start settings](/intune/device-restrictions-windows-10#start) that you can also configure in your profile.
### Using a provisioning package
@@ -211,4 +211,3 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
-
diff --git a/windows/configuration/stop-employees-from-using-microsoft-store.md b/windows/configuration/stop-employees-from-using-microsoft-store.md
index a6c45ca8c1..0807229078 100644
--- a/windows/configuration/stop-employees-from-using-microsoft-store.md
+++ b/windows/configuration/stop-employees-from-using-microsoft-store.md
@@ -69,12 +69,12 @@ Applies to: Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education
If you have Windows 10 devices in your organization that are managed using a mobile device management (MDM) system, such as Microsoft Intune, you can block access to Microsoft Store app using the following configuration service providers (CSPs):
-- [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider)
-- [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp)
+- [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider)
+- [AppLocker CSP](/windows/client-management/mdm/applocker-csp)
-For more information, see [Configure an MDM provider](https://docs.microsoft.com/microsoft-store/configure-mdm-provider-microsoft-store-for-business).
+For more information, see [Configure an MDM provider](/microsoft-store/configure-mdm-provider-microsoft-store-for-business).
-For more information on the rules available via AppLocker on the different supported operating systems, see [Operating system requirements](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker#operating-system-requirements).
+For more information on the rules available via AppLocker on the different supported operating systems, see [Operating system requirements](/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker#operating-system-requirements).
## Block Microsoft Store using Group Policy
@@ -109,9 +109,9 @@ If you have mobile devices in your organization that you upgraded from earlier v
When your MDM tool supports Microsoft Store for Business, the MDM can use these CSPs to block Microsoft Store app:
-- [Policy](https://go.microsoft.com/fwlink/p/?LinkId=717030)
+- [Policy](/windows/client-management/mdm/policy-configuration-service-provider)
-- [EnterpriseAssignedAccess](https://msdn.microsoft.com/library/windows/hardware/mt157024.aspx) (Windows 10 Mobile, only)
+- [EnterpriseAssignedAccess](/windows/client-management/mdm/enterpriseassignedaccess-csp) (Windows 10 Mobile, only)
For more information, see [Configure an MDM provider](/microsoft-store/configure-mdm-provider-windows-store-for-business).
@@ -139,9 +139,4 @@ If you're using Microsoft Store for Business and you want employees to only see
[Manage access to private store](/microsoft-store/manage-access-to-private-store)
-
-
-
-
-
-
+
\ No newline at end of file
diff --git a/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md
index 159d0b1376..1ac80eee49 100644
--- a/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md
+++ b/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md
@@ -21,7 +21,7 @@ ms.topic: article
User Experience Virtualization (UE-V) provides Windows PowerShell cmdlets to help administrators perform various UE-V tasks. The following sections provide more information about using Windows PowerShell in UE-V.
-> **Note** Administering UE-V with Windows PowerShell requires PowerShell 3.0 or higher. For a complete list of UE-V cmdlets, see [User Experience Virtualization in Windows PowerShell](https://technet.microsoft.com/library/mt772286.aspx).
+> **Note** Administering UE-V with Windows PowerShell requires PowerShell 3.0 or higher. For a complete list of UE-V cmdlets, see [User Experience Virtualization in Windows PowerShell](/powershell/module/uev/).
## Managing the UE-V service and packages by using Windows PowerShell and WMI
@@ -44,4 +44,4 @@ After you create and deploy UE-V settings location templates, you can manage tho
- [Administering UE-V](uev-administering-uev.md)
-- [User Experience Virtualization in Windows PowerShell](https://technet.microsoft.com/library/mt772286.aspx)
+- [User Experience Virtualization in Windows PowerShell](/powershell/module/uev/)
\ No newline at end of file
diff --git a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md
index a4d2addc34..3b63f09133 100644
--- a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md
+++ b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md
@@ -34,7 +34,7 @@ These tasks must remain enabled, because UE-V cannot function without them.
These scheduled tasks are not configurable with the UE-V tools. Administrators who want to change the scheduled task for these items can create a script that uses the Schtasks.exe command-line options.
-For more information about Schtasks.exe, see [Schtasks](https://technet.microsoft.com/library/cc725744(v=ws.11).aspx).
+For more information about Schtasks.exe, see [Schtasks](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc725744(v=ws.11)).
## UE-V Scheduled Tasks
@@ -251,4 +251,4 @@ The following additional information applies to UE-V scheduled tasks:
[Administering UE-V](uev-administering-uev.md)
-[Deploy UE-V for Custom Applications](uev-deploy-uev-for-custom-applications.md)
+[Deploy UE-V for Custom Applications](uev-deploy-uev-for-custom-applications.md)
\ No newline at end of file
diff --git a/windows/configuration/ue-v/uev-getting-started.md b/windows/configuration/ue-v/uev-getting-started.md
index 28a035aedc..debae0eb95 100644
--- a/windows/configuration/ue-v/uev-getting-started.md
+++ b/windows/configuration/ue-v/uev-getting-started.md
@@ -18,7 +18,7 @@ ms.author: dansimp
- Windows 10, version 1607
>[!NOTE]
->This documentation is for the most recent version of UE-V. If you're looking for information about UE-V 2.x, which was included in the Microsoft Desktop Optimization Pack (MDOP), see [Get Started with UE-V 2.x](https://docs.microsoft.com/microsoft-desktop-optimization-pack/uev-v2/get-started-with-ue-v-2x-new-uevv2).
+>This documentation is for the most recent version of UE-V. If you're looking for information about UE-V 2.x, which was included in the Microsoft Desktop Optimization Pack (MDOP), see [Get Started with UE-V 2.x](/microsoft-desktop-optimization-pack/uev-v2/get-started-with-ue-v-2x-new-uevv2).
Follow the steps in this topic to deploy User Experience Virtualization (UE-V) for the first time in a test environment. Evaluate UE-V to determine whether it’s the right solution to manage user settings across multiple devices within your enterprise.
@@ -170,4 +170,4 @@ For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.c
- [Troubleshooting UE-V](uev-troubleshooting.md)
-- [Technical Reference for UE-V](uev-technical-reference.md)
+- [Technical Reference for UE-V](uev-technical-reference.md)
\ No newline at end of file
diff --git a/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md
index d992e34fb6..07c7b40039 100644
--- a/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md
+++ b/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md
@@ -21,7 +21,7 @@ ms.topic: article
User Experience Virtualization (UE-V) uses XML settings location templates to define the settings that User Experience Virtualization captures and applies. UE-V includes a set of standard settings location templates. It also includes the UE-V template generator tool that enables you to create custom settings location templates. After you create and deploy settings location templates, you can manage those templates by using Windows PowerShell and the Windows Management Instrumentation (WMI).
-> **Note** For a complete list of UE-V cmdlets, see [User Experience Virtualization in Windows PowerShell](https://technet.microsoft.com/library/mt772286.aspx).
+> **Note** For a complete list of UE-V cmdlets, see [User Experience Virtualization in Windows PowerShell](/powershell/module/uev/).
## Manage UE-V settings location templates by using Windows PowerShell
@@ -344,4 +344,4 @@ Where a list of Package Family Names is called by the WMI command, the list must
[Administering UE-V](uev-administering-uev.md)
-[User Experience Virtualization in Windows PowerShell](https://technet.microsoft.com/library/mt772286.aspx)
+[User Experience Virtualization in Windows PowerShell](/powershell/module/uev/)
\ No newline at end of file
diff --git a/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md
index 3fe4ab887a..98b17b34e9 100644
--- a/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md
+++ b/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md
@@ -21,7 +21,7 @@ ms.topic: article
You can use Windows Management Instrumentation (WMI) and Windows PowerShell to manage User Experience Virtualization (UE-V) service configuration and synchronization behavior.
->**Note** For a complete list of UE-V cmdlets, see [User Experience Virtualization in Windows PowerShell](https://technet.microsoft.com/library/mt772286.aspx).
+>**Note** For a complete list of UE-V cmdlets, see [User Experience Virtualization in Windows PowerShell](/powershell/module/uev/).
## To configure the UE-V service with Windows PowerShell
@@ -357,4 +357,4 @@ When you are finished configuring the UE-V service with WMI and Windows PowerShe
[Administering UE-V](uev-administering-uev.md)
-[User Experience Virtualization in Windows PowerShell](https://technet.microsoft.com/library/mt772286.aspx)
+[User Experience Virtualization in Windows PowerShell](/powershell/module/uev/)
\ No newline at end of file
diff --git a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
index 32ed4968bb..f5e4f43205 100644
--- a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
+++ b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md
@@ -28,7 +28,7 @@ To synchronize Office applications settings, you can download Office templates f
UE-V includes settings location templates for Microsoft Office 2016, 2013, and 2010. In previous versions of UE-V, settings location templates for Office 2013 and Office 2010 were distributed and registered when you installed the UE-V agent. Now that UE-V is a feature in Windows 10, version 1607, settings location templates are installed when you install or upgrade to the new operating system.
-These templates help synchronize users’ Office experience between devices. Microsoft Office 2016 settings roamed by Office 365 experience are not included in these settings. For a list of Office 365-specific settings, see [Overview of user and roaming settings for Office](https://technet.microsoft.com/library/jj733593.aspx).
+These templates help synchronize users’ Office experience between devices. Microsoft Office 2016 settings roamed by Office 365 experience are not included in these settings. For a list of Office 365-specific settings, see [Overview of user and roaming settings for Office](/previous-versions/office/office-2013-resource-kit/jj733593(v=office.15)).
## Synchronized Office Settings
@@ -139,9 +139,4 @@ You can deploy UE-V settings location template with the following methods:
- **Registering template with Template Catalog Path**. If you use the Settings Template Catalog Path to manage templates on users’ computers, copy the Office template into the folder defined in the UE-V service. The next time the Template Auto Update (ApplySettingsCatalog.exe) scheduled task runs, the settings location template will be registered on the device. For more information, see [Deploy a settings template catalog](uev-deploy-uev-for-custom-applications.md).
-- **Registering template with Configuration Manager**. If you use Configuration Manager to manage your UE-V settings storage templates, recreate the Template Baseline CAB, import it into Configuration Manager, and then deploy the baseline to user devices. For more information, see the guidance provided in the documentation for the [System Center 2012 Configuration Pack for Microsoft User Experience Virtualization 2.0](https://www.microsoft.com/download/details.aspx?id=40913).
-
-
-
-
-
+- **Registering template with Configuration Manager**. If you use Configuration Manager to manage your UE-V settings storage templates, recreate the Template Baseline CAB, import it into Configuration Manager, and then deploy the baseline to user devices. For more information, see the guidance provided in the documentation for the [System Center 2012 Configuration Pack for Microsoft User Experience Virtualization 2.0](https://www.microsoft.com/download/details.aspx?id=40913).
\ No newline at end of file
diff --git a/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md b/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md
index d726744568..6090c8879e 100644
--- a/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md
+++ b/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md
@@ -35,7 +35,7 @@ If you’re already using UE-V 2.x and you’re planning to upgrade user devices
## Upgrade user devices to Windows 10, version 1607
-Performing an in-place upgrade on user devices automatically installs the UE-V service, updates the settings location path, and migrates users' UE-V settings. See the [Windows 10 documentation for IT Pros](https://technet.microsoft.com/itpro/windows/deploy/index) for information about upgrading user devices to Windows 10.
+Performing an in-place upgrade on user devices automatically installs the UE-V service, updates the settings location path, and migrates users' UE-V settings. See the [Windows 10 documentation for IT Pros](/windows/deployment/) for information about upgrading user devices to Windows 10.
## Verify that UE-V settings were migrated correctly
@@ -119,4 +119,4 @@ The UE-V template generator is included in the Windows Assessment and Deployment
- [Migrating settings packages](uev-migrating-settings-packages.md)
-- [Technical Reference for UE-V](uev-technical-reference.md)
+- [Technical Reference for UE-V](uev-technical-reference.md)
\ No newline at end of file
diff --git a/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md b/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md
index 09d5d2ace3..b9b1272e9a 100644
--- a/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md
+++ b/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md
@@ -60,7 +60,7 @@ Administrators can still define which user-customized application settings can s
With Windows 10, version 1607, users can synchronize Windows application settings and Windows operating system settings to Azure instead of to OneDrive. You can use the Windows 10 enterprise sync functionality together with UE-V for on-premises domain-joined devices only.
-In hybrid cloud environments, UE-V can roam Win32 applications on-premises while [Enterprise State Roaming](https://azure.microsoft.com/documentation/articles/active-directory-windows-enterprise-state-roaming-overview/) (ESR) can roam the rest, e.g., Windows and desktop settings, themes, colors, etc., to an Azure cloud installation.
+In hybrid cloud environments, UE-V can roam Win32 applications on-premises while [Enterprise State Roaming](/azure/active-directory/devices/enterprise-state-roaming-overview) (ESR) can roam the rest, e.g., Windows and desktop settings, themes, colors, etc., to an Azure cloud installation.
To configure UE-V to roam Windows desktop and application data only, change the following group policies:
@@ -68,7 +68,7 @@ To configure UE-V to roam Windows desktop and application data only, change the
- Enable “Do not synchronize Windows Apps” group policy
-For more information about using UE-V with Enterprise State Roaming, see [Settings and data roaming FAQ](https://azure.microsoft.com/documentation/articles/active-directory-windows-enterprise-state-roaming-faqs/#what-are-the-options-for-roaming-settings-for-existing-windows-desktop-applications).
+For more information about using UE-V with Enterprise State Roaming, see [Settings and data roaming FAQ](/azure/active-directory/devices/enterprise-state-roaming-faqs#what-are-the-options-for-roaming-settings-for-existing-windows-desktop-applications).
Additionally, to enable Windows 10 and UE-V to work together, configure these policy settings in the Microsoft User Experience Virtualization node:
@@ -107,7 +107,7 @@ UE-V for Windows 10, version 1607 includes the Microsoft Office 2016 settings lo
> **Note** An Outlook profile must be created on any device on which a user wants to synchronize their Outlook signature. If the profile is not already created, the user can create one and then restart Outlook on that device to enable signature synchronization.
-UE-V works with Office 365 to determine whether Office 2016 settings are roamed by Office 365. If settings are roamed by Office 365, they are not roamed by UE-V. See [Overview of user and roaming settings for Microsoft Office](https://technet.microsoft.com/library/jj733593.aspx) for more information.
+UE-V works with Office 365 to determine whether Office 2016 settings are roamed by Office 365. If settings are roamed by Office 365, they are not roamed by UE-V. See [Overview of user and roaming settings for Microsoft Office](/previous-versions/office/office-2013-resource-kit/jj733593(v=office.15)) for more information.
To enable settings synchronization using UE-V, do one of the following:
@@ -131,4 +131,4 @@ UE-V includes Office 2016, Office 2013, and Office 2010 templates. Office 2007 t
- [User Experience Virtualization (UE-V) Release Notes](uev-release-notes-1607.md) for Windows 10, version 1607
-- [Upgrade to UE-V for Windows 10](uev-upgrade-uev-from-previous-releases.md)
+- [Upgrade to UE-V for Windows 10](uev-upgrade-uev-from-previous-releases.md)
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-admxingestion.md b/windows/configuration/wcd/wcd-admxingestion.md
index 4f71f13ace..0e68a1d02b 100644
--- a/windows/configuration/wcd/wcd-admxingestion.md
+++ b/windows/configuration/wcd/wcd-admxingestion.md
@@ -15,7 +15,7 @@ manager: dansimp
# ADMXIngestion (Windows Configuration Designer reference)
-Starting in Windows 10, version 1703, you can import (*ingest*) select Group Policy administrative templates (ADMX files) and configure values for ADMX-backed policies in a provisioning package. To see which types of ADMX-backed policies can be applied, see [Win32 and Desktop Bridge app policy configuration overview](https://docs.microsoft.com/windows/client-management/mdm/win32-and-centennial-app-policy-configuration).
+Starting in Windows 10, version 1703, you can import (*ingest*) select Group Policy administrative templates (ADMX files) and configure values for ADMX-backed policies in a provisioning package. To see which types of ADMX-backed policies can be applied, see [Win32 and Desktop Bridge app policy configuration overview](/windows/client-management/mdm/win32-and-centennial-app-policy-configuration).
- The settings under [ConfigADMXInstalledPolicy](#configadmxinstalledpolicy) allow you to set values for policies in the imported ADMX file.
- The settings under [ConfigOperations](#configoperations) specify the ADMX file to be imported.
@@ -96,5 +96,5 @@ The next image highlights the specific policy.
## Related topics
-- [Policy configuration service provider (CSP): ADMX-backed policies](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-admx-backed)
-- [Understanding ADMX-backed policies](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/understanding-admx-backed-policies)
+- [Policy configuration service provider (CSP): ADMX-backed policies](/windows/client-management/mdm/policy-configuration-service-provider)
+- [Understanding ADMX-backed policies](/windows/client-management/mdm/understanding-admx-backed-policies)
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-assignedaccess.md b/windows/configuration/wcd/wcd-assignedaccess.md
index 0dd2768060..464b19a7ae 100644
--- a/windows/configuration/wcd/wcd-assignedaccess.md
+++ b/windows/configuration/wcd/wcd-assignedaccess.md
@@ -27,7 +27,7 @@ Use this setting to configure single use (kiosk) devices.
## AssignedAccessSettings
-Enter the account and the application you want to use for Assigned access, using [the AUMID](https://msdn.microsoft.com/windows/hardware/commercialize/customize/enterprise/find-the-application-user-model-id-of-an-installed-app). When that user account signs in on the device, only the specified app will run.
+Enter the account and the application you want to use for Assigned access, using [the AUMID](../find-the-application-user-model-id-of-an-installed-app.md). When that user account signs in on the device, only the specified app will run.
**Example**:
@@ -42,10 +42,10 @@ Enter the account and the application you want to use for Assigned access, using
Use this setting to configure a kiosk device that runs more than one app.
-1. Create an assigned access configuration XML file for multiple apps [(desktop](../lock-down-windows-10-to-specific-apps.md) or [HoloLens)](https://docs.microsoft.com/hololens/hololens-provisioning).
+1. Create an assigned access configuration XML file for multiple apps [(desktop](../lock-down-windows-10-to-specific-apps.md) or [HoloLens)](/hololens/hololens-provisioning).
2. In Windows Configuration Designer, select **MultiAppAssignedAccessSettings**.
3. Browse to and select the assigned access configuration XML file.
## Related topics
-- [AssignedAccess configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/assignedaccess-csp)
+- [AssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/assignedaccess-csp)
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-calling.md b/windows/configuration/wcd/wcd-calling.md
index ea77470ed5..d08b7dd512 100644
--- a/windows/configuration/wcd/wcd-calling.md
+++ b/windows/configuration/wcd/wcd-calling.md
@@ -29,17 +29,17 @@ Use to configure settings for Calling.
## Branding
-See [Branding for phone calls](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/branding-for-phone-calls).
+See [Branding for phone calls](/windows-hardware/customize/mobile/mcsf/branding-for-phone-calls).
## CallIDMatchOverrides
Enter a GEOID, select **Add**, and then enter the number of digits for matching caller ID.
-For a list of GEOID codes and default number of digits for each country/region, see [Overriding the OS default minimu number of digits for caller ID matching](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/caller-id-matching#a-href-idoverriding-os-default-min-number-digitsaoverriding-the-os-default-minimum-number-of-digits-for-caller-id-matching).
+For a list of GEOID codes and default number of digits for each country/region, see [Overriding the OS default minimu number of digits for caller ID matching](/windows-hardware/customize/mobile/mcsf/caller-id-matching#a-href-idoverriding-os-default-min-number-digitsaoverriding-the-os-default-minimum-number-of-digits-for-caller-id-matching).
## CauseCodeRegistrationTable
-See [Cause codes](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/cause-codes).
+See [Cause codes](/windows-hardware/customize/mobile/mcsf/cause-codes).
## CDMAHeuristics
@@ -53,7 +53,7 @@ Set **DisableCdmaHeuristics** to **True** to disable the built-in heuristics.
## PartnerAppSupport
-See [Dialer codes to launch diagnostic applications](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/dialer-codes-to-launch-diagnostic-applications).
+See [Dialer codes to launch diagnostic applications](/windows-hardware/customize/mobile/mcsf/dialer-codes-to-launch-diagnostic-applications).
## PerSimSettings
@@ -94,7 +94,7 @@ WiFiCallingOperatorName | Enter the operator name to be shown when the phone is
### HDAudio
-To customize call progress branding when a call is made using a specific audio codec, select the audio codec from the dropdown menu and select **Add**. Select the codec in **Available Customizations** and then enter a text string (up to 10 characters) to be used for call progress branding for calls using that codec. For more information, see [Use HD audio codec for call branding](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/use-hd-audio-codec-for-call-branding).
+To customize call progress branding when a call is made using a specific audio codec, select the audio codec from the dropdown menu and select **Add**. Select the codec in **Available Customizations** and then enter a text string (up to 10 characters) to be used for call progress branding for calls using that codec. For more information, see [Use HD audio codec for call branding](/windows-hardware/customize/mobile/mcsf/use-hd-audio-codec-for-call-branding).
### IMSSubscriptionUpdate
@@ -102,7 +102,7 @@ These are Verizon/Sprint-only settings to allow the operator to send an OMA-DM u
### RoamingNumberOverrides
-See [Dial string overrides when roaming](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/dial-string-overrides-when-roaming).
+See [Dial string overrides when roaming](/windows-hardware/customize/mobile/mcsf/dial-string-overrides-when-roaming).
## PhoneSettings
@@ -151,11 +151,11 @@ AppId | Enter the app ID for your phone call/SMS filter application.
## SupplementaryServiceCodeOverrides
-See [Dialer codes for supplementary services](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/dialer-codes-for-supplementary-services).
+See [Dialer codes for supplementary services](/windows-hardware/customize/mobile/mcsf/dialer-codes-for-supplementary-services).
## VoicemailRegistrationTable
-Configure these settings to customize visual voicemail in the Windows 10 Mobile UI. For settings and values, see [Visual voicemail](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/visual-voicemail).
+Configure these settings to customize visual voicemail in the Windows 10 Mobile UI. For settings and values, see [Visual voicemail](/windows-hardware/customize/mobile/mcsf/visual-voicemail).
## List of USSD codes
@@ -216,4 +216,3 @@ Codes | Description | DWORD Value
592 | MSP2 | 00000592
593 | MSP3 | 00000593
594 | MSP4 | 00000594
-
diff --git a/windows/configuration/wcd/wcd-cellcore.md b/windows/configuration/wcd/wcd-cellcore.md
index 5e739a99ce..c00e9a5180 100644
--- a/windows/configuration/wcd/wcd-cellcore.md
+++ b/windows/configuration/wcd/wcd-cellcore.md
@@ -165,7 +165,7 @@ ImageOnly > MTU > DormancyTimeout1 | Enter the number of milliseconds to wait af
ImageOnly > MTU > MTUDataSize | Customize the TCP maximum segment size (MSS) by setting the maximum transmission unit (MTU) data size if the MSS does not meet the requirements of the mobile operator network. For TCP, the default maximum transmission unit (MTU) is set to 1500 bytes, which makes the maximum segment size (MSS) 1460 bytes. In general, this value should not be changed, as the user experience will degrade if low values are set. However, if the MSS does not meet the requirements of the mobile operator network, OEMs can customize it by setting the MTU data size. This customization configures the MTU, so the size should be set to the required MSS size plus 40 bytes.
ImageOnly > MTU > RoamingMTUDataSize | Customize the TCP maximum segment size (MSS) for roaming by setting the maximum transmission unit (MTU) data size if the MSS does not meet the requirements of the mobile operator network. For TCP, the default maximum transmission unit (MTU) is set to 1500 bytes, which makes the maximum segment size (MSS) 1460 bytes. In general, this value should not be changed, as the user experience will degrade if low values are set. However, if the MSS does not meet the requirements of the mobile operator network, OEMs can customize it for roaming by setting the MTU data size. This customization configures the MTU, so the size should be set to the required MSS size plus 40 bytes.
ImageOnly > SuppressNwPSDetach | Configure whether to suppress reporting of network-initiated PS detach (appear attached to OS) until deregistered.
-SignalBarMapping Table | You can modify the percentage values used for the signal strength in the status bar per filter. For details, see [Custom percentages for signal strength bars](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/custom-percentages-for-signal-strength-bars).
+SignalBarMapping Table | You can modify the percentage values used for the signal strength in the status bar per filter. For details, see [Custom percentages for signal strength bars](/windows-hardware/customize/mobile/mcsf/custom-percentages-for-signal-strength-bars).
SRVCCAutoToggleWmRil | Configure whether to link SRVCC to VOLTE on/off.
@@ -187,7 +187,7 @@ DTMFOffTime | Sets the length of time, in milliseconds (between 64 and 1000 incl
DTMFOnTime | Sets the length of time, in milliseconds (between 64 and 1000 inclusive), to generate the DTMF tone when a key is pressed. For example, a value of 120 specifies 0.12 seconds.
EnableIMSWhenRoaming | Set to **Yes** to enable IMS when roaming.
ExcludedSystemTypesByDefault | Set the default value for **Highest connection speed** in the **Settings** > **Cellular & SIM** > **SIM** screen by specifying the bitmask for any combination of radio technology to be excluded from the default value. The connection speed that has not been excluded will show up as the highest connection speed. On dual SIM phones that only support up to 3G connection speeds, the **Highest connection speed** option is replaced by a 3G on/off toggle based on the per-device setting. Enter the binary setting to exclude 4G (`10000`) or 3G (`01000`).
-ExcludedSystemTypesPerOperator | Exclude specified system types from SIM cards that match the MCC:MNC pairs listed in **OperatorListForExcludedSystemTypes**. This setting is used only for China. Set the value to match the system type to be excluded. For more information about the RIL system types, see [RILSYSTEMTYPE](https://msdn.microsoft.com/library/windows/hardware/dn931143.aspx). For example, a value of 0x8 specifies RIL_SYSTEMTYPE_UMTS (3G) while 0x10 specifies RIL_SYSTEMTYPE_LTE (4G). To exclude more than one system type, perform a bitwise OR operation on the radio technologies you want to exclude. For example, a bitwise OR operation on RIL_SYSTEMTYPE_LTE (4G) and RIL_SYSTEMTYPE_UMTS (3G) results in the value 11000 (binary) or 0x18 (hexadecimal). In this case, the ExcludedSystemTypesPerOperator value must be set to 0x18 to limit the matching MCC:MNC pairs to 2G.
+ExcludedSystemTypesPerOperator | Exclude specified system types from SIM cards that match the MCC:MNC pairs listed in **OperatorListForExcludedSystemTypes**. This setting is used only for China. Set the value to match the system type to be excluded. For more information about the RIL system types, see [RILSYSTEMTYPE](/previous-versions/windows/hardware/cellular/dn931143(v=vs.85)). For example, a value of 0x8 specifies RIL_SYSTEMTYPE_UMTS (3G) while 0x10 specifies RIL_SYSTEMTYPE_LTE (4G). To exclude more than one system type, perform a bitwise OR operation on the radio technologies you want to exclude. For example, a bitwise OR operation on RIL_SYSTEMTYPE_LTE (4G) and RIL_SYSTEMTYPE_UMTS (3G) results in the value 11000 (binary) or 0x18 (hexadecimal). In this case, the ExcludedSystemTypesPerOperator value must be set to 0x18 to limit the matching MCC:MNC pairs to 2G.
LTEEnabled | Select **Yes** to enable LTE, and **No** to disable LTE.
LTEForced | Select **Yes** to force LTE.
ManualNetworkSelectionTimeout | Set the default network selection timeout value, in a range of 1-600 seconds. By default, the OS allows the phone to attempt registration on the manually selected network for 60 seconds (or 1 minute) before it switches back to automatic mode. This value is the amount of time that the OS will wait for the modem to register on the manually selected network. If the time lapses and the modem was not able to register on the network that was manually selected by the user, the OS will either switch back to the automatic network selection mode if Permanent automatic mode is enabled, and the user has manually selected a network or the modem was turned on, or display a dialog that notifies the user that the phone was unable to connect to the manually selected network after the phone was turned on or after airplane mode was turned off.
@@ -197,7 +197,7 @@ OperatorListForExcludedSystemTypes | Enter a comma-separated list of MCC and MNC
OperatorPreferredForFasterRadio | Set Issuer Identification Number (IIN) or partial ICCID of preferred operator for the faster radio. For mobile operators that require more control over the system types that their phones use to connect to the mobile operators' networks, OEMs can map a partial ICCID or an Industry Identification Number (IIN) to the faster radio regardless of which SIM card is chosen for data connectivity. This setting is used only for China. OEMs should not use this setting unless required by the mobile operator. To map a partial ICCID or an IIN to the faster radio regardless of which SIM card is chosen for data connectivity, set the value of OperatorPreferredForFasterRadio to match the IIN or the ICCID, up to 7 digits, of the preferred operator.
PreferredDataProviderList | OEMs can set a list of MCC/MNC pairs for the purchase order (PO) carrier or primary operator. For mobile operators that require it, OEMs can set a list of MCC/MNC pairs for the purchase order (PO) carrier or primary operator so that it can be set as the default data line for phones that have a dual SIM. When the PO SIM is inserted into the phone, the OS picks the PO SIM as the data line and shows a notification to the user that the SIM has been selected for Internet data. If two PO SIMs are inserted, the OS will choose the first PO SIM that was detected as the default data line and the mobile operator action required dialogue (ARD) is shown. If two non-PO SIMs are inserted, the user is prompted to choose the SIM to use as the default data line. Note OEMs should not set this customization unless required by the mobile operator. To enumerate the MCC/MNC value pairs to use for data connections, set the value for **PreferredDataProviderList**. The value must be a comma-separated list of preferred MCC:MNC values. For example, the value can be 301:026,310:030 and so on.
Slot2DisableAppsList | Disable specified apps from slot 2 on a C+G dual SIM phone. To disable a list of specified apps from Slot 2, set Slot2DisableAppsList to a comma-separated list of values representing the apps. For example, `4,6`.
-Slot2ExcludedSystemTypes | Exclude specified system types from SIM cards inserted in Slot 2. For mobile operators that require more control over the system types that their phones use to connect to the mobile operators' networks, OEMs can restrict the second slot in a dual-SIM phone regardless of what apps or executor mapping the second slot is associated with. Note This setting is used only for China. OEMs should not use this setting unless required by the mobile operator. To allow an operator to simply restrict the second slot in a dual SIM phone regardless of what apps or executor mapping the second slot is associated with, set the value of Slot2ExcludedSystemTypes to the system types to be excluded from the SIM cards inserted in Slot 2. For example, a value of 0x8 specifies RIL_SYSTEMTYPE_UMTS (3G) while 0x10 specifies RIL_SYSTEMTYPE_LTE (4G). To exclude more than one system type, perform a bitwise OR operation on the radio technologies you want to exclude. For example, a bitwise OR operation on RIL_SYSTEMTYPE_LTE (4G) and RIL_SYSTEMTYPE_UMTS (3G) results in the value 11000 (binary) or 0x18 (hexadecimal). In this case, any SIM inserted in Slot 2 will be limited to 2G. For more information about the RIL system types, see [RILSYSTEMTYPE](https://msdn.microsoft.com/library/windows/hardware/dn931143.aspx).
+Slot2ExcludedSystemTypes | Exclude specified system types from SIM cards inserted in Slot 2. For mobile operators that require more control over the system types that their phones use to connect to the mobile operators' networks, OEMs can restrict the second slot in a dual-SIM phone regardless of what apps or executor mapping the second slot is associated with. Note This setting is used only for China. OEMs should not use this setting unless required by the mobile operator. To allow an operator to simply restrict the second slot in a dual SIM phone regardless of what apps or executor mapping the second slot is associated with, set the value of Slot2ExcludedSystemTypes to the system types to be excluded from the SIM cards inserted in Slot 2. For example, a value of 0x8 specifies RIL_SYSTEMTYPE_UMTS (3G) while 0x10 specifies RIL_SYSTEMTYPE_LTE (4G). To exclude more than one system type, perform a bitwise OR operation on the radio technologies you want to exclude. For example, a bitwise OR operation on RIL_SYSTEMTYPE_LTE (4G) and RIL_SYSTEMTYPE_UMTS (3G) results in the value 11000 (binary) or 0x18 (hexadecimal). In this case, any SIM inserted in Slot 2 will be limited to 2G. For more information about the RIL system types, see [RILSYSTEMTYPE](/previous-versions/windows/hardware/cellular/dn931143(v=vs.85)).
SuggestDataRoamingARD | Use to show the data roaming suggestion dialog when roaming and the data roaming setting is set to no roaming.
SuggestGlobalModeARD | Define whether Global Mode is suggested on a C+G dual SIM phone.
SuggestGlobalModeTimeout | To specify the number of seconds to wait for network registration before suggesting global mode, set SuggestGlobalModeTimeout to a value between 1 and 600, inclusive. For example, to set the timeout to 60 seconds, set the value to 60 (decimal) or 0x3C (hexadecimal).
@@ -441,5 +441,4 @@ Yes|No|Yes|*MultivariantProvisionedSPN*1234 or *MultivariantProvisionedSPN*" "12
No|Yes|Yes|If SPN string >= 12: *SPN*1234If SPN string < 12: *SPN*" "1234
No|No|No|*SIM 1* or *SIM 2*
No|Yes|No|SPN (up to 16 characters)
-No|No|Yes|*SIM 1* or *SIM 2*
-
+No|No|Yes|*SIM 1* or *SIM 2*
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-cellular.md b/windows/configuration/wcd/wcd-cellular.md
index fbff60c5e4..ba1ec42b57 100644
--- a/windows/configuration/wcd/wcd-cellular.md
+++ b/windows/configuration/wcd/wcd-cellular.md
@@ -55,7 +55,7 @@ Enter the service provider name for the mobile operator.
### DataClassMappingTable
-Enter a customized string for the appropriate [data class](https://docs.microsoft.com/windows/desktop/api/mbnapi/ne-mbnapi-mbn_data_class).
+Enter a customized string for the appropriate [data class](/windows/desktop/api/mbnapi/ne-mbnapi-mbn_data_class).
### NetworkBlockList
@@ -79,4 +79,4 @@ Enter a comma-separated list of mobile country code (MCC) and mobile network cod
### UseBrandingNameOnRoaming
-Select an option for displaying the BrandingName when the device is roaming.
+Select an option for displaying the BrandingName when the device is roaming.
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-certificates.md b/windows/configuration/wcd/wcd-certificates.md
index 1ca02c30f0..78ce980355 100644
--- a/windows/configuration/wcd/wcd-certificates.md
+++ b/windows/configuration/wcd/wcd-certificates.md
@@ -71,4 +71,4 @@ Use to deploy Root Certificate Authority (CA) certificates to devices. The follo
## Related topics
-- [RootCATrustedCertficates configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/rootcacertificates-csp)
+- [RootCATrustedCertficates configuration service provider (CSP)](/windows/client-management/mdm/rootcacertificates-csp)
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-cleanpc.md b/windows/configuration/wcd/wcd-cleanpc.md
index 8befd7addc..9bc2d38599 100644
--- a/windows/configuration/wcd/wcd-cleanpc.md
+++ b/windows/configuration/wcd/wcd-cleanpc.md
@@ -28,4 +28,4 @@ For each setting, the options are **Enable** and **Not configured**.
## Related topics
-- [CleanPC configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cleanpc-csp)
+- [CleanPC configuration service provider (CSP)](/windows/client-management/mdm/cleanpc-csp)
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-connections.md b/windows/configuration/wcd/wcd-connections.md
index 110c6fa1b8..b8f745cbb4 100644
--- a/windows/configuration/wcd/wcd-connections.md
+++ b/windows/configuration/wcd/wcd-connections.md
@@ -30,12 +30,12 @@ For each setting group:
## Cellular
-See [CM_CellularEntries configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cm-cellularentries-csp) for settings and values.
+See [CM_CellularEntries configuration service provider (CSP)](/windows/client-management/mdm/cm-cellularentries-csp) for settings and values.
## EnterpriseAPN
-See [Configure cellular settings for tablets and PCs](https://docs.microsoft.com/windows/configuration/provisioning-apn) and
-[EnterpriseAPN CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseapn-csp) for settings and values.
+See [Configure cellular settings for tablets and PCs](../provisioning-apn.md) and
+[EnterpriseAPN CSP](/windows/client-management/mdm/enterpriseapn-csp) for settings and values.
## General
@@ -43,8 +43,8 @@ Use **General > DataRoam** to set the default value for the **Default roaming op
## Policies
-See [CMPolicy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cmpolicy-csp) for settings and values.
+See [CMPolicy CSP](/windows/client-management/mdm/cmpolicy-csp) for settings and values.
## Proxies
-See [CM_ProxyEntries CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cm-proxyentries-csp) for settings and values.
+See [CM_ProxyEntries CSP](/windows/client-management/mdm/cm-proxyentries-csp) for settings and values.
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-connectivityprofiles.md b/windows/configuration/wcd/wcd-connectivityprofiles.md
index b3c7b54807..54f87c6845 100644
--- a/windows/configuration/wcd/wcd-connectivityprofiles.md
+++ b/windows/configuration/wcd/wcd-connectivityprofiles.md
@@ -59,7 +59,7 @@ Specify an email account to be automatically set up on the device.
## Exchange
-Configure settings related to Exchange email server. These settings are related to the [ActiveSync configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/activesync-csp).
+Configure settings related to Exchange email server. These settings are related to the [ActiveSync configuration service provider (CSP)](/windows/client-management/mdm/activesync-csp).
1. In **Available customizations**, select **Exchange**, enter a name for the account, and then click **Add**. A globally unique identifier (GUID) is generated for the account.
@@ -132,7 +132,7 @@ When **ProfileType** is set to **Native**, the following additional settings are
Setting | Description
--- | ---
AuthenticationUserMethod | When you set **NativeProtocolType** to **IKEv2**, choose between **EAP** and **MSChapv2**.
-EAPConfiguration | When you set **AuthenticationUserMethod** to **EAP**, enter the HTML-encoded XML to configure EAP. For more information, see [EAP configuration](https://docs.microsoft.com/windows/client-management/mdm/eap-configuration).
+EAPConfiguration | When you set **AuthenticationUserMethod** to **EAP**, enter the HTML-encoded XML to configure EAP. For more information, see [EAP configuration](/windows/client-management/mdm/eap-configuration).
NativeProtocolType | Choose between **PPTP**, **L2TP**, **IKEv2**, and **Automatic**.
RoutingPolicyType | Choose between **SplitTunnel**, in which traffic can go over any interface as determined by the networking stack, and **ForceTunnel**, in which all IP traffic must go over the VPN interface.
Server | Enter the public or routable IP address or DNS name for the VPN gateway. It can point to the exteranl IP of a gateway or a virtual IP for a server farm.
@@ -188,7 +188,7 @@ Configure settings for wireless connectivity.
**To add a profile**
-1. Create [the wireless profile XML](https://msdn.microsoft.com/library/windows/desktop/aa369853.aspx).
+1. Create [the wireless profile XML](/windows/win32/nativewifi/wireless-profile-samples).
2. In **WLAN > Profiles**, browse to and select the profile XML file.
3. Click **Add**.
@@ -201,4 +201,4 @@ Enter a SSID, click **Add**, and then configure the following settings for the S
| ProxyServerPort | (Optional) Specify the configuration of the network proxy as **host:port**. A proxy server host and port can be specified per connection for Windows 10 for mobile devices. The host can be server name, FQDN, or SLN or IPv4 or IPv6 address. This proxy configuration is only supported in Windows 10 for mobile devices. Using this configuration in Windows 10 for desktop editions will result in failure. |
| AutoConnect | (Optional) Select **True** or **false** to specify whether to automatically connect to WLAN. |
| HiddenNetwork | (Optional) Select **True** or **false** to specify whether the network is hidden. |
-| SecurityType | Choose between **Open**, **WEP**, and **WPA2-Personal**. If you select **WEP** or **WPA2-Personal**, enter the **SecurityKey** required by the WLAN. |
+| SecurityType | Choose between **Open**, **WEP**, and **WPA2-Personal**. If you select **WEP** or **WPA2-Personal**, enter the **SecurityKey** required by the WLAN. |
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-developersetup.md b/windows/configuration/wcd/wcd-developersetup.md
index 02f177cf8f..29ec1d65bc 100644
--- a/windows/configuration/wcd/wcd-developersetup.md
+++ b/windows/configuration/wcd/wcd-developersetup.md
@@ -37,4 +37,4 @@ When AuthenticationMode is set to **Basic Auth**, enter a user name and password
## Related topics
-- [Device Portal for HoloLens](https://docs.microsoft.com/windows/uwp/debug-test-perf/device-portal-hololens)
+- [Device Portal for HoloLens](/windows/uwp/debug-test-perf/device-portal-hololens)
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-deviceinfo.md b/windows/configuration/wcd/wcd-deviceinfo.md
index 4b8f5b396e..b4080fa9b3 100644
--- a/windows/configuration/wcd/wcd-deviceinfo.md
+++ b/windows/configuration/wcd/wcd-deviceinfo.md
@@ -39,7 +39,7 @@ This string is not visible to the user.
This setting must not be changed over time even if the user switches SIMs or mobile operators, as updates are always targeted based on the first mobile operator associated with the phone.
-The [PhoneManufacturer](https://msdn.microsoft.com/library/windows/hardware/mt138328.aspx), [PhoneManufacturerModelName](https://msdn.microsoft.com/library/windows/hardware/mt138336.aspx), and PhoneMobileOperatorName should create a unique Phone-Operator-Pairing (POP).
+The [PhoneManufacturer](/previous-versions/windows/hardware/previsioning-framework/mt138328(v=vs.85)), [PhoneManufacturerModelName](/previous-versions/windows/hardware/previsioning-framework/mt138336(v=vs.85)), and PhoneMobileOperatorName should create a unique Phone-Operator-Pairing (POP).
@@ -63,5 +63,4 @@ This setting varies by OEM.
## PhoneSupportPhoneNumber
-Use to specify the OEM or mobile operator's support contact phone number. The country code is not required. This string is displayed in the About screen in Settings. This setting also corresponds to the Genuine Windows Phone Certificates (GWPC) support number.
-
+Use to specify the OEM or mobile operator's support contact phone number. The country code is not required. This string is displayed in the About screen in Settings. This setting also corresponds to the Genuine Windows Phone Certificates (GWPC) support number.
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-devicemanagement.md b/windows/configuration/wcd/wcd-devicemanagement.md
index 6ce7ce542c..4cfeffee0a 100644
--- a/windows/configuration/wcd/wcd-devicemanagement.md
+++ b/windows/configuration/wcd/wcd-devicemanagement.md
@@ -52,7 +52,7 @@ Use to configure device management settings.
| ProtocolVersion | Select between **1.1** and **1.2** for the OMA DM protocol version that the server supports |
| **Role** | Select between **Enterprise** and **Mobile Operator** for the role mask that the DM session runs with when it communicates with the server |
| **ServerID** | Enter the OMA DM server's unique identifier for the current OMA DM account |
-| SSLClientCertSearchCriteria | Specify the client certificate search criteria, by subject attribute and certificate stores. For details, see [DMAcc configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dmacc-csp). |
+| SSLClientCertSearchCriteria | Specify the client certificate search criteria, by subject attribute and certificate stores. For details, see [DMAcc configuration service provider (CSP)](/windows/client-management/mdm/dmacc-csp). |
| UseHardwareDeviceID | Specify whether to use the hardware ID for the ./DevInfo/DevID parameter in the DM account to identify the device |
| UseNonceResync | Specify whether the OMA DM client should use the nonce resynchronization procedure if the server trigger notification fails authentication |
@@ -91,5 +91,5 @@ In **PROVURL**, enter the URL for a Trusted Provisioning Server (TPS).
## Related topics
-- [DMAcc configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/dmacc-csp)
-- [PXLOGICAL CSP](https://docs.microsoft.com/windows/client-management/mdm/pxlogical-csp)
+- [DMAcc configuration service provider (CSP)](/windows/client-management/mdm/dmacc-csp)
+- [PXLOGICAL CSP](/windows/client-management/mdm/pxlogical-csp)
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-dmclient.md b/windows/configuration/wcd/wcd-dmclient.md
index 7946a9d44e..7dee09082c 100644
--- a/windows/configuration/wcd/wcd-dmclient.md
+++ b/windows/configuration/wcd/wcd-dmclient.md
@@ -27,4 +27,4 @@ For the **UpdateManagementServiceAddress** setting, enter a list of servers. The
## Related topics
-- [DMClient configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dmclient-csp)
+- [DMClient configuration service provider (CSP)](/windows/client-management/mdm/dmclient-csp)
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-editionupgrade.md b/windows/configuration/wcd/wcd-editionupgrade.md
index 0f21e3eb3c..5b8b8969a5 100644
--- a/windows/configuration/wcd/wcd-editionupgrade.md
+++ b/windows/configuration/wcd/wcd-editionupgrade.md
@@ -15,7 +15,7 @@ manager: dansimp
# EditionUpgrade (Windows Configuration Designer reference)
-Use to upgrade the edition of Windows 10 on the device. [Learn about Windows 10 edition upgrades.](https://docs.microsoft.com/windows/deployment/upgrade/windows-10-edition-upgrades)
+Use to upgrade the edition of Windows 10 on the device. [Learn about Windows 10 edition upgrades.](/windows/deployment/upgrade/windows-10-edition-upgrades)
## Applies to
@@ -46,4 +46,4 @@ After the device restarts, the edition upgrade process completes. The user will
## Related topics
-- [WindowsLicensing configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/windowslicensing-csp)
+- [WindowsLicensing configuration service provider (CSP)](/windows/client-management/mdm/windowslicensing-csp)
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-embeddedlockdownprofiles.md b/windows/configuration/wcd/wcd-embeddedlockdownprofiles.md
index 54b378fd72..5a1cbf3bd0 100644
--- a/windows/configuration/wcd/wcd-embeddedlockdownprofiles.md
+++ b/windows/configuration/wcd/wcd-embeddedlockdownprofiles.md
@@ -29,4 +29,4 @@ Use to apply an XML configuration to a mobile device that locks down the device,
## Related topics
-- [EnterpriseAssignedAccess configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseassignedaccess-csp)
+- [EnterpriseAssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/enterpriseassignedaccess-csp)
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-firstexperience.md b/windows/configuration/wcd/wcd-firstexperience.md
index c6e1b45f25..10aa317751 100644
--- a/windows/configuration/wcd/wcd-firstexperience.md
+++ b/windows/configuration/wcd/wcd-firstexperience.md
@@ -25,9 +25,8 @@ Use these settings to configure the out-of-box experience (OOBE) to set up HoloL
Setting | Description
--- | ---
-PreferredRegion | Enter the [geographical location identifier](https://msdn.microsoft.com/library/windows/desktop/dd374073.aspx) for the region.
-PreferredTimezone | Enter the timezone. [Microsoft Time Zone Index Values](https://msdn.microsoft.com/library/ms912391.aspx)
+PreferredRegion | Enter the [geographical location identifier](/windows/win32/intl/table-of-geographical-locations) for the region.
+PreferredTimezone | Enter the timezone. [Microsoft Time Zone Index Values](/previous-versions/windows/embedded/ms912391(v=winembedded.11))
SkipCalibration | Initial setup of HoloLens includes a calibration step. Set to **True** to skip calibration.
SkipTraining | Initial setup of HoloLens includes training on how to perform the gestures to operate HoloLens. Set to **True** to skip training.
-SkipWifi | Set to **True** to skip connecting to a Wi-Fi network.
**Note:** HoloLens [requires a Wi-Fi connection during setup to verify the account](https://docs.microsoft.com/hololens/hololens-setup). To skip the Wi-Fi connection page during setup, your provisioning package must provide the network configuration. You can configure the network configuration [in the HoloLens wizard](https://docs.microsoft.com/hololens/hololens-provisioning#create-a-provisioning-package-for-hololens-using-the-hololens-wizard) and then switch to the advanced editor to configure **FirstExperience** settings, or in advanced settings, configure a WLAN [connectivity profile](wcd-connectivityprofiles.md).
-
+SkipWifi | Set to **True** to skip connecting to a Wi-Fi network.
**Note:** HoloLens [requires a Wi-Fi connection during setup to verify the account](/hololens/hololens-setup). To skip the Wi-Fi connection page during setup, your provisioning package must provide the network configuration. You can configure the network configuration [in the HoloLens wizard](/hololens/hololens-provisioning#create-a-provisioning-package-for-hololens-using-the-hololens-wizard) and then switch to the advanced editor to configure **FirstExperience** settings, or in advanced settings, configure a WLAN [connectivity profile](wcd-connectivityprofiles.md).
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-hotspot.md b/windows/configuration/wcd/wcd-hotspot.md
index d18a727658..9f37adbdb3 100644
--- a/windows/configuration/wcd/wcd-hotspot.md
+++ b/windows/configuration/wcd/wcd-hotspot.md
@@ -15,4 +15,4 @@ manager: dansimp
# HotSpot (Windows Configuration Designer reference)
-Do not use. Enterprise admins who want to configure settings for mobile hotspots should use [Policies > Wifi](wcd-policies.md#wifi). Mobile operators should use the [Country and Operator Settings Asset (COSA) format](https://docs.microsoft.com/windows-hardware/drivers/mobilebroadband/cosa-overview).
\ No newline at end of file
+Do not use. Enterprise admins who want to configure settings for mobile hotspots should use [Policies > Wifi](wcd-policies.md#wifi). Mobile operators should use the [Country and Operator Settings Asset (COSA) format](/windows-hardware/drivers/mobilebroadband/cosa-overview).
\ No newline at end of file
diff --git a/windows/configuration/wcd/wcd-messaging.md b/windows/configuration/wcd/wcd-messaging.md
index f556155dc7..5db05285af 100644
--- a/windows/configuration/wcd/wcd-messaging.md
+++ b/windows/configuration/wcd/wcd-messaging.md
@@ -177,7 +177,7 @@ LimitRecipients | Set the maximum number of recipients to which a single SMS or
MaxRetryCount | You can specify the number of times that the phone can retry sending the failed MMS message and photo before the user receives a notification that the photo could not be sent. Specify MaxRetryCount to specify the number of times the MMS transport will attempt resending the MMS message. This value has a maximum limit of 3.
MMSLimitAttachments | You can specify the maximum number of attachments for MMS messages, from 1 to 20. The default is 5.
NIInfoEnabled | NIInfoEnabled
-ProxyAuthorizationToken | See [Proxy authorization for MMS.](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/proxy-authorization-for-mms)
+ProxyAuthorizationToken | See [Proxy authorization for MMS.](/windows-hardware/customize/mobile/mcsf/proxy-authorization-for-mms)
RetrySize | For MMS messages that have photo attachments and that fail to send, you can choose to automatically resize the photo and attempt to resend the message. Specify the maximum size to use to resize the photo in KB. Minimum is 0xA (10 KB).
SetCacheControlNoTransform | When set, proxies and transcoders are instructed not to change the HTTP header and the content should not be modified. A value of 1 or 0x1 adds support for the HTTP header Cache-Control No-Transform directive. When the SetCacheControlNoTransform``Value is set to 0 or 0x0 or when the setting is not set, the default HTTP header Cache-Control No-Cache directive is used.
ShowRequiredMonthlyTest | **True** enables devices to receive CMAS Required Monthly Test (RMT) messages and have these show up on the device. **False** disables devices from receiving CMAS RMT messages.
@@ -206,7 +206,7 @@ Set **ImsiAuthenticationToken** to the token used as the header for authenticati
### LatAlertOptions
-Enable `LatLocalAlertEnabled` to enable support for LAT-Alert Local Alerts for devices sold in Chile. For more information, see [Emergency notifications](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/emergency-notifications).
+Enable `LatLocalAlertEnabled` to enable support for LAT-Alert Local Alerts for devices sold in Chile. For more information, see [Emergency notifications](/windows-hardware/customize/mobile/mcsf/emergency-notifications).
### MaxRetryCount
@@ -229,7 +229,7 @@ ShowMmsGroupTextWarning | **True** shows the warning that alerts users of possib
### NIAlertOptions
-Enable `NI2AlertEnabled` to enable support for the Netherlands Announcements for devices sold in the Netherlands. For more information, see [Emergency notifications](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/emergency-notifications).
+Enable `NI2AlertEnabled` to enable support for the Netherlands Announcements for devices sold in the Netherlands. For more information, see [Emergency notifications](/windows-hardware/customize/mobile/mcsf/emergency-notifications).
### RcsOptions
@@ -284,7 +284,7 @@ Set TargetVideoFormat to one of the following values to configure the default tr
### TaiwanAlertOptions
-Set options for Taiwan Emergency Alerts system. For more information, see [Emergency notifications](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/emergency-notifications#taiwan-alerts).
+Set options for Taiwan Emergency Alerts system. For more information, see [Emergency notifications](/windows-hardware/customize/mobile/mcsf/emergency-notifications#taiwan-alerts).
Setting | Description
@@ -338,7 +338,7 @@ By default, this string has the format WindowsPhoneMMS/MicrosoftMMSVersionNumber
| APPID | Set to `w4`. |
| MS | (optional) Specify the maximum size of MMS, in KB. If the value is not a number, or is less than or equal to 10, it will be ignored and outgoing MMS will not be resized. |
| NAME | (optional) Enter user–readable application identity. This parameter is also used to define part of the registry path for the APPLICATION parameters. The possible values to configure the **NAME** parameter are:- Character string containing the name- no value specifiedIf no value is specified, the registry location will default to `
-[Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home)
-
-
-
+[Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deployment-center-home)
\ No newline at end of file
diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md
index 0cea204292..4707849d86 100644
--- a/windows/deployment/deploy-whats-new.md
+++ b/windows/deployment/deploy-whats-new.md
@@ -25,12 +25,12 @@ ms.custom: seo-marvel-apr2020
This topic provides an overview of new solutions and online content related to deploying Windows 10 in your organization.
-- For an all-up overview of new features in Windows 10, see [What's new in Windows 10](https://docs.microsoft.com/windows/whats-new/index).
+- For an all-up overview of new features in Windows 10, see [What's new in Windows 10](/windows/whats-new/index).
## Latest news
[SetupDiag](#setupdiag) is included with Windows 10, version 2004 and later.
-The [Windows ADK for Windows 10, version 2004](https://docs.microsoft.com/windows-hardware/get-started/adk-install) is available.
+The [Windows ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install) is available.
New capabilities are available for [Delivery Optimization](#delivery-optimization) and [Windows Update for Business](#windows-update-for-business).
VPN support is added to [Windows Autopilot](#windows-autopilot)
An in-place upgrade wizard is available in [Configuration Manager](#microsoft-endpoint-configuration-manager).
@@ -39,7 +39,7 @@ The Windows 10 deployment and update [landing page](index.yml) has been redesign
## The Modern Desktop Deployment Center
-The [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home) has launched with tons of content to help you with large-scale deployment of Windows 10 and Microsoft 365 Apps for enterprise.
+The [Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deployment-center-home) has launched with tons of content to help you with large-scale deployment of Windows 10 and Microsoft 365 Apps for enterprise.
## Microsoft 365
@@ -60,10 +60,10 @@ Windows PowerShell cmdlets for Delivery Optimization have been improved:
- **Get-DeliveryOptimizationLogAnalysis** is a new cmdlet that provides a summary of the activity in your DO log (# of downloads, downloads from peers, overall peer efficiency). Use the **-ListConnections** option to for in-depth look at peer-to-peer connections.
- **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to assist in troubleshooting.
-Additional improvements in [Delivery Optimization](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization) include:
-- Enterprise network [throttling is enhanced](https://docs.microsoft.com/windows-insider/archive/new-for-business#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling.
+Additional improvements in [Delivery Optimization](./update/waas-delivery-optimization.md) include:
+- Enterprise network [throttling is enhanced](/windows-insider/archive/new-for-business#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling.
- Automatic cloud-based congestion detection is available for PCs with cloud service support.
-- Improved peer efficiency for enterprises and educational institutions with complex networks is enabled with [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Microsoft 365 Apps for enterprise updates and Intune content, with Microsoft Endpoint Manager content coming soon!
+- Improved peer efficiency for enterprises and educational institutions with complex networks is enabled with [new policies](/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Microsoft 365 Apps for enterprise updates and Intune content, with Microsoft Endpoint Manager content coming soon!
The following Delivery Optimization policies are removed in the Windows 10, version 2004 release:
@@ -76,11 +76,11 @@ The following Delivery Optimization policies are removed in the Windows 10, vers
### Windows Update for Business
-[Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb) enhancements in this release include:
+[Windows Update for Business](./update/waas-manage-updates-wufb.md) enhancements in this release include:
- Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy.
- Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we have created a new policy that enables admins to opt devices out of the built-in safeguard holds.
-- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically log on as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed.
+- [**Automatic Restart Sign-on (ARSO)**](/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically log on as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed.
- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally.
- **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again.
@@ -104,19 +104,19 @@ For more information, see [Windows 10 Enterprise E3 in CSP](windows-10-enterpris
### Windows Autopilot
-[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) streamlines and automates the process of setting up and configuring new devices, with minimal interaction required from the end user. You can also use Windows Autopilot to reset, repurpose, and recover devices.
+[Windows Autopilot](/windows/deployment/windows-autopilot/windows-autopilot) streamlines and automates the process of setting up and configuring new devices, with minimal interaction required from the end user. You can also use Windows Autopilot to reset, repurpose, and recover devices.
-With the release of Windows 10, version 2004 you can configure [Windows Autopilot user-driven](https://docs.microsoft.com/windows/deployment/windows-autopilot/user-driven) Hybrid Azure Active Directory join with VPN support. This support is also backported to Windows 10, version 1909 and 1903.
+With the release of Windows 10, version 2004 you can configure [Windows Autopilot user-driven](/windows/deployment/windows-autopilot/user-driven) Hybrid Azure Active Directory join with VPN support. This support is also backported to Windows 10, version 1909 and 1903.
If you configure the language settings in the Autopilot profile and the device is connected to Ethernet, all scenarios will now skip the language, locale, and keyboard pages. In previous versions, this was only supported with self-deploying profiles.
The following Windows Autopilot features are available in Windows 10, version 1903 and later:
-- [Windows Autopilot for white glove deployment](https://docs.microsoft.com/windows/deployment/windows-autopilot/white-glove) is new in Windows 10, version 1903. "White glove" deployment enables partners or IT staff to pre-provision devices so they are fully configured and business ready for your users.
-- The Intune [enrollment status page](https://docs.microsoft.com/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions.
-- [Cortana voiceover](https://docs.microsoft.com/windows-hardware/customize/desktop/cortana-voice-support) and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs.
+- [Windows Autopilot for white glove deployment](/windows/deployment/windows-autopilot/white-glove) is new in Windows 10, version 1903. "White glove" deployment enables partners or IT staff to pre-provision devices so they are fully configured and business ready for your users.
+- The Intune [enrollment status page](/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions.
+- [Cortana voiceover](/windows-hardware/customize/desktop/cortana-voice-support) and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs.
- Windows Autopilot is self-updating during OOBE. Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE.
-- Windows Autopilot will set the [diagnostics data](https://docs.microsoft.com/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE.
+- Windows Autopilot will set the [diagnostics data](/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE.
### Microsoft Endpoint Configuration Manager
@@ -126,7 +126,7 @@ An in-place upgrade wizard is available in Configuration Manager. For more infor
Windows 10 Education support has been added to Windows 10 Subscription Activation.
-With Windows 10, version 1903, you can step-up from Windows 10 Pro Education to the enterprise-grade edition for educational institutions – Windows 10 Education. For more information, see [Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-subscription-activation).
+With Windows 10, version 1903, you can step-up from Windows 10 Pro Education to the enterprise-grade edition for educational institutions – Windows 10 Education. For more information, see [Windows 10 Subscription Activation](./windows-10-subscription-activation.md).
### SetupDiag
@@ -147,7 +147,7 @@ The development of Upgrade Readiness has been heavily influenced by input from t
For more information about Upgrade Readiness, see the following topics:
- [Windows Analytics blog](https://aka.ms/blog/WindowsAnalytics/)
-- [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md)
+- [Manage Windows upgrades with Upgrade Readiness](/mem/configmgr/desktop-analytics/overview)
### Update Compliance
@@ -160,7 +160,7 @@ For more information about Update Compliance, see [Monitor Windows Updates with
### Device Health
-Device Health is the newest Windows Analytics solution that complements the existing Upgrade Readiness and Update Compliance solutions by helping to identify devices crashes and the cause. Device drivers that are causing crashes are identified along with alternative drivers that might reduce the number of crashes. Windows Information Protection misconfigurations are also identified. For more information, see [Monitor the health of devices with Device Health](update/device-health-monitor.md)
+Device Health is the newest Windows Analytics solution that complements the existing Upgrade Readiness and Update Compliance solutions by helping to identify devices crashes and the cause. Device drivers that are causing crashes are identified along with alternative drivers that might reduce the number of crashes. Windows Information Protection misconfigurations are also identified. For more information, see [Monitor the health of devices with Device Health](/mem/configmgr/desktop-analytics/overview)
### MBR2GPT
@@ -174,15 +174,15 @@ For more information, see [MBR2GPT.EXE](mbr-to-gpt.md).
MDT version 8456 supports Windows 10, version 2004 and earlier operating systems, including Windows Server 2019. There is currently an issue that causes MDT to incorrectly detect that UEFI is present in Windows 10, version 2004. This issue is currently under investigation.
-For the latest information about MDT, see the [MDT release notes](https://docs.microsoft.com/mem/configmgr/mdt/release-notes).
+For the latest information about MDT, see the [MDT release notes](/mem/configmgr/mdt/release-notes).
### Windows Assessment and Deployment Kit (ADK)
The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows.
-Download the Windows ADK and Windows PE add-on for Windows 10, version 2004 [here](https://docs.microsoft.com/windows-hardware/get-started/adk-install).
+Download the Windows ADK and Windows PE add-on for Windows 10, version 2004 [here](/windows-hardware/get-started/adk-install).
-For information about what's new in the ADK, see [What's new in the Windows ADK for Windows 10, version 2004](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-2004).
+For information about what's new in the ADK, see [What's new in the Windows ADK for Windows 10, version 2004](/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-2004).
Also see [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md).
@@ -206,7 +206,7 @@ For more information, see the following guides:
[Overview of Windows as a service](update/waas-overview.md)
[Windows 10 deployment considerations](planning/windows-10-deployment-considerations.md)
-[Windows 10 release information](https://docs.microsoft.com/windows/windows-10/release-information)
+[Windows 10 release information](/windows/windows-10/release-information)
[Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/windows/windows-10-specifications)
[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md)
-[Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md)
+[Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md)
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-cm/TOC.md b/windows/deployment/deploy-windows-cm/TOC.md
deleted file mode 100644
index b26445c4ab..0000000000
--- a/windows/deployment/deploy-windows-cm/TOC.md
+++ /dev/null
@@ -1,15 +0,0 @@
-# Deploy Windows 10 with Microsoft Endpoint Configuration Manager
-## Prepare for Windows 10 deployment with Configuration Manager
-### [Prepare for Zero Touch Installation with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
-### [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
-### [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
-### [Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-### [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-### [Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md)
-### [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md)
-
-## Deploy Windows 10 with Configuration Manager
-### [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-### [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-### [Perform an in-place upgrade to Windows 10 using Configuration Manager](upgrade-to-windows-10-with-configuraton-manager.md)
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-cm/TOC.yml b/windows/deployment/deploy-windows-cm/TOC.yml
new file mode 100644
index 0000000000..06bf59500f
--- /dev/null
+++ b/windows/deployment/deploy-windows-cm/TOC.yml
@@ -0,0 +1,28 @@
+- name: Deploy Windows 10 with Microsoft Endpoint Configuration Manager
+ items:
+ - name: Prepare for Windows 10 deployment with Configuration Manager
+ items:
+ - name: Prepare for Zero Touch Installation with Configuration Manager
+ href: prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
+ - name: Create a custom Windows PE boot image with Configuration Manager
+ href: create-a-custom-windows-pe-boot-image-with-configuration-manager.md
+ - name: Add a Windows 10 operating system image using Configuration Manager
+ href: add-a-windows-10-operating-system-image-using-configuration-manager.md
+ - name: Create an application to deploy with Windows 10 using Configuration Manager
+ href: create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
+ - name: Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager
+ href: add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
+ - name: Create a task sequence with Configuration Manager and MDT
+ href: create-a-task-sequence-with-configuration-manager-and-mdt.md
+ - name: Finalize the operating system configuration for Windows 10 deployment with Configuration Manager
+ href: finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
+ - name: Deploy Windows 10 with Configuration Manager
+ items:
+ - name: Deploy Windows 10 using PXE and Configuration Manager
+ href: deploy-windows-10-using-pxe-and-configuration-manager.md
+ - name: Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager
+ href: refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
+ - name: Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager
+ href: replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
+ - name: Perform an in-place upgrade to Windows 10 using Configuration Manager
+ href: upgrade-to-windows-10-with-configuraton-manager.md
diff --git a/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md
index 5d44f0af26..d5890631a6 100644
--- a/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md
@@ -65,7 +65,7 @@ Next, see [Create an application to deploy with Windows 10 using Configuration M
[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+[Create a task sequence with Configuration Manager and MDT](./create-a-task-sequence-with-configuration-manager-and-mdt.md)
[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
index 85dcbc3828..3c4382a940 100644
--- a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
@@ -105,7 +105,7 @@ Next, see [Create a task sequence with Configuration Manager and MDT](create-a-t
[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+[Create a task sequence with Configuration Manager and MDT](./create-a-task-sequence-with-configuration-manager-and-mdt.md)
[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
index e4d235f852..1943afe9b2 100644
--- a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
@@ -95,7 +95,7 @@ Next, see [Add a Windows 10 operating system image using Configuration Manager](
[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+[Create a task sequence with Configuration Manager and MDT](./create-a-task-sequence-with-configuration-manager-and-mdt.md)
[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
index 4b0eb20dcf..90f2ec38e6 100644
--- a/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
@@ -80,7 +80,7 @@ Next, see [Add drivers to a Windows 10 deployment with Windows PE using Configur
[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+[Create a task sequence with Configuration Manager and MDT](./create-a-task-sequence-with-configuration-manager-and-mdt.md)
[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md
index ccb8ed6bb5..a36d3b0ba3 100644
--- a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md
@@ -97,6 +97,6 @@ Next, see [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Ma
[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+[Create a task sequence with Configuration Manager and MDT](./create-a-task-sequence-with-configuration-manager-and-mdt.md)
[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
index 87bed1dd16..2534b0e7da 100644
--- a/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
@@ -162,7 +162,7 @@ Next, see [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows
[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+[Create a task sequence with Configuration Manager and MDT](./create-a-task-sequence-with-configuration-manager-and-mdt.md)
[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
index 66c81b0a5b..dfb02baa06 100644
--- a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
@@ -29,14 +29,14 @@ This topic will walk you through the Zero Touch Installation process of Windows
In this topic, you will use [components](#components-of-configuration-manager-operating-system-deployment) of an existing Configuration Manager infrastructure to prepare for Windows 10 OSD. In addition to the base setup, the following configurations should be made in the Configuration Manager environment:
- Configuration Manager current branch + all security and critical updates are installed.
- - Note: Procedures in this guide use ConfigMgr 1910. For information about the version of Windows 10 supported by ConfigMgr, see [Support for Windows 10](https://docs.microsoft.com/configmgr/core/plan-design/configs/support-for-windows-10).
-- The [Active Directory Schema has been extended](https://docs.microsoft.com/configmgr/core/plan-design/network/extend-the-active-directory-schema) and System Management container created.
-- Active Directory Forest Discovery and Active Directory System Discovery are [enabled](https://docs.microsoft.com/configmgr/core/servers/deploy/configure/configure-discovery-methods).
-- IP range [boundaries and a boundary group](https://docs.microsoft.com/configmgr/core/servers/deploy/configure/define-site-boundaries-and-boundary-groups) for content and site assignment have been created.
-- The Configuration Manager [reporting services](https://docs.microsoft.com/configmgr/core/servers/manage/configuring-reporting) point role has been added and configured.
+ - Note: Procedures in this guide use ConfigMgr 1910. For information about the version of Windows 10 supported by ConfigMgr, see [Support for Windows 10](/configmgr/core/plan-design/configs/support-for-windows-10).
+- The [Active Directory Schema has been extended](/configmgr/core/plan-design/network/extend-the-active-directory-schema) and System Management container created.
+- Active Directory Forest Discovery and Active Directory System Discovery are [enabled](/configmgr/core/servers/deploy/configure/configure-discovery-methods).
+- IP range [boundaries and a boundary group](/configmgr/core/servers/deploy/configure/define-site-boundaries-and-boundary-groups) for content and site assignment have been created.
+- The Configuration Manager [reporting services](/configmgr/core/servers/manage/configuring-reporting) point role has been added and configured.
- A file system folder structure and Configuration Manager console folder structure for packages has been created. Steps to verify or create this folder structure are [provided below](#review-the-sources-folder-structure).
-- The [Windows ADK](https://docs.microsoft.com/windows-hardware/get-started/adk-install) (including USMT) version 1903, Windows PE add-on, WSIM 1903 update, [MDT](https://www.microsoft.com/download/details.aspx?id=54259) version 8456, and DaRT 10 (part of [MDOP 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015)) are installed.
-- The [CMTrace tool](https://docs.microsoft.com/configmgr/core/support/cmtrace) (cmtrace.exe) is installed on the distribution point.
+- The [Windows ADK](/windows-hardware/get-started/adk-install) (including USMT) version 1903, Windows PE add-on, WSIM 1903 update, [MDT](https://www.microsoft.com/download/details.aspx?id=54259) version 8456, and DaRT 10 (part of [MDOP 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015)) are installed.
+- The [CMTrace tool](/configmgr/core/support/cmtrace) (cmtrace.exe) is installed on the distribution point.
- Note: CMTrace is automatically installed with the current branch of Configuration Manager at **Program Files\Microsoft Configuration Manager\tools\cmtrace.exe**. In previous releases of ConfigMgr it was necessary to install the [Configuration Manager Toolkit](https://www.microsoft.com/download/details.aspx?id=50012) separately to get the CMTrace tool, but this is no longer needed. Configuraton Manager version 1910 installs version 5.0.8913.1000 of the CMTrace tool.
For the purposes of this guide, we will use three server computers: DC01, CM01 and HV01.
@@ -266,7 +266,7 @@ On **CM01**:
Configure the CM01 distribution point for PXE.
>[!NOTE]
- >If you select **Enable a PXE responder without Windows Deployment Service**, then WDS will not be installed, or if it is already installed it will be suspended, and the **ConfigMgr PXE Responder Service** (SccmPxe) will be used instead of WDS. The ConfigMgr PXE Responder does not support multicast. For more information, see [Install and configure distribution points](https://docs.microsoft.com/configmgr/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_config-pxe).
+ >If you select **Enable a PXE responder without Windows Deployment Service**, then WDS will not be installed, or if it is already installed it will be suspended, and the **ConfigMgr PXE Responder Service** (SccmPxe) will be used instead of WDS. The ConfigMgr PXE Responder does not support multicast. For more information, see [Install and configure distribution points](/configmgr/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_config-pxe).
4. Using the CMTrace tool, review the C:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Look for ConfigurePXE and CcmInstallPXE lines.
@@ -386,7 +386,7 @@ You can create reference images for Configuration Manager in Configuration Manag
[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+[Create a task sequence with Configuration Manager and MDT](./create-a-task-sequence-with-configuration-manager-and-mdt.md)
[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
index 7ff3078c04..b07364dbe5 100644
--- a/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
@@ -144,6 +144,6 @@ Next, see [Replace a Windows 7 SP1 client with Windows 10 using Configuration Ma
[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+[Create a task sequence with Configuration Manager and MDT](./create-a-task-sequence-with-configuration-manager-and-mdt.md)
[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
index 4c98f861cf..a30a182bb9 100644
--- a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
@@ -32,7 +32,7 @@ An existing Configuration Manager infrastructure that is integrated with MDT is
For the purposes of this article, we will use one server computer (CM01) and two client computers (PC0004, PC0006).
- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server.
- - Important: CM01 must include the **[State migration point](https://docs.microsoft.com/configmgr/osd/get-started/manage-user-state#BKMK_StateMigrationPoint)** role for the replace task sequence used in this article to work.
+ - Important: CM01 must include the **[State migration point](/configmgr/osd/get-started/manage-user-state#BKMK_StateMigrationPoint)** role for the replace task sequence used in this article to work.
- PC0004 is a domain member client computer running Windows 7 SP1, or a later version of Windows, with the Configuration Manager client installed, that will be replaced.
- PC0006 is a domain member client computer running Windows 10, with the Configuration Manager client installed, that will replace PC0004.
@@ -210,6 +210,6 @@ Next, see [Perform an in-place upgrade to Windows 10 using Configuration Manager
[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
-[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
+[Create a task sequence with Configuration Manager and MDT](./create-a-task-sequence-with-configuration-manager-and-mdt.md)
[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
-[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
+[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md
index 1c8551218d..2c3f12e36a 100644
--- a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md
+++ b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md
@@ -41,7 +41,7 @@ All server and client computers referenced in this guide are on the same subnet.
## Add an OS upgrade package
-Configuration Manager Current Branch includes a native in-place upgrade task. This task sequence differs from the MDT in-place upgrade task sequence in that it does not use a default OS image, but rather uses an [OS upgrade package](https://docs.microsoft.com/configmgr/osd/get-started/manage-operating-system-upgrade-packages).
+Configuration Manager Current Branch includes a native in-place upgrade task. This task sequence differs from the MDT in-place upgrade task sequence in that it does not use a default OS image, but rather uses an [OS upgrade package](/configmgr/osd/get-started/manage-operating-system-upgrade-packages).
On **CM01**:
@@ -140,4 +140,4 @@ In-place upgrade with Configuration Manager
## Related topics
[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
-[Configuration Manager Team blog](https://go.microsoft.com/fwlink/p/?LinkId=620109)
+[Configuration Manager Team blog](https://go.microsoft.com/fwlink/p/?LinkId=620109)
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-mdt/TOC.md b/windows/deployment/deploy-windows-mdt/TOC.md
deleted file mode 100644
index 7f51b8ca5b..0000000000
--- a/windows/deployment/deploy-windows-mdt/TOC.md
+++ /dev/null
@@ -1,22 +0,0 @@
-# Deploy Windows 10 with the Microsoft Deployment Toolkit (MDT)
-## [Get started with MDT](get-started-with-the-microsoft-deployment-toolkit.md)
-
-## Deploy Windows 10 with MDT
-### [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
-### [Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
-### [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
-### [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
-### [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
-### [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
-### [Perform an in-place upgrade to Windows 10 with MDT](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
-
-## Customize MDT
-### [Configure MDT settings](configure-mdt-settings.md)
-### [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
-### [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
-### [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
-### [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
-### [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
-### [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
-### [Use web services in MDT](use-web-services-in-mdt.md)
-### [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
diff --git a/windows/deployment/deploy-windows-mdt/TOC.yml b/windows/deployment/deploy-windows-mdt/TOC.yml
new file mode 100644
index 0000000000..51493a1083
--- /dev/null
+++ b/windows/deployment/deploy-windows-mdt/TOC.yml
@@ -0,0 +1,40 @@
+- name: Deploy Windows 10 with the Microsoft Deployment Toolkit (MDT)
+ items:
+ - name: Get started with MDT
+ href: get-started-with-the-microsoft-deployment-toolkit.md
+ - name: Deploy Windows 10 with MDT
+ items:
+ - name: Prepare for deployment with MDT
+ href: prepare-for-windows-deployment-with-mdt.md
+ - name: Create a Windows 10 reference image
+ href: create-a-windows-10-reference-image.md
+ - name: Deploy a Windows 10 image using MDT
+ href: deploy-a-windows-10-image-using-mdt.md
+ - name: Build a distributed environment for Windows 10 deployment
+ href: build-a-distributed-environment-for-windows-10-deployment.md
+ - name: Refresh a Windows 7 computer with Windows 10
+ href: refresh-a-windows-7-computer-with-windows-10.md
+ - name: Replace a Windows 7 computer with a Windows 10 computer
+ href: replace-a-windows-7-computer-with-a-windows-10-computer.md
+ - name: Perform an in-place upgrade to Windows 10 with MDT
+ href: upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
+ - name: Customize MDT
+ items:
+ - name: Configure MDT settings
+ href: configure-mdt-settings.md
+ - name: Set up MDT for BitLocker
+ href: set-up-mdt-for-bitlocker.md
+ - name: Configure MDT deployment share rules
+ href: configure-mdt-deployment-share-rules.md
+ - name: Configure MDT for UserExit scripts
+ href: configure-mdt-for-userexit-scripts.md
+ - name: Simulate a Windows 10 deployment in a test environment
+ href: simulate-a-windows-10-deployment-in-a-test-environment.md
+ - name: Use the MDT database to stage Windows 10 deployment information
+ href: use-the-mdt-database-to-stage-windows-10-deployment-information.md
+ - name: Assign applications using roles in MDT
+ href: assign-applications-using-roles-in-mdt.md
+ - name: Use web services in MDT
+ href: use-web-services-in-mdt.md
+ - name: Use Orchestrator runbooks with MDT
+ href: use-orchestrator-runbooks-with-mdt.md
diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
index 0eac636a76..9ec7f0adba 100644
--- a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
+++ b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
@@ -19,7 +19,7 @@ ms.topic: article
# Configure MDT settings
One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. In this topic, you learn about configuring customizations for your environment.
-For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 Standard server, and PC0001 is a Windows 10 Enterprise x64 client used for the MDT simulation environment. OR01 has Microsoft System Center 2012 R2 Orchestrator installed. MDT01, OR01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
+For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 Standard server, and PC0001 is a Windows 10 Enterprise x64 client used for the MDT simulation environment. OR01 has Microsoft System Center 2012 R2 Orchestrator installed. MDT01, OR01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](./prepare-for-windows-deployment-with-mdt.md).
@@ -43,4 +43,4 @@ The computers used in this topic.
[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
-[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
+[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
index f60f34e592..a7bf59ddef 100644
--- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
+++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
@@ -184,7 +184,7 @@ Download all three items in this list to the D:\\Downloads folder on MDT01.
>[!TIP]
>You can also use the web-based interface of the [Office Customization Tool](https://config.office.com/) to help you create your configuration.xml file.
- Also see [Configuration options for the Office Deployment Tool](https://docs.microsoft.com/deployoffice/configuration-options-for-the-office-2016-deployment-tool) and [Overview of the Office Deployment Tool](https://docs.microsoft.com/DeployOffice/overview-of-the-office-2016-deployment-tool) for more information.
+ Also see [Configuration options for the Office Deployment Tool](/deployoffice/configuration-options-for-the-office-2016-deployment-tool) and [Overview of the Office Deployment Tool](/DeployOffice/overview-of-the-office-2016-deployment-tool) for more information.
3. Ensure the configuration.xml file is in the D:\\Downloads\\Office365 folder. See the following example of the extracted files plus the configuration.xml file in the Downloads\\Office365 folder:
@@ -389,7 +389,7 @@ On **MDT01**:
2. In the **OS Info** tab, click **Edit Unattend.xml**. MDT now generates a catalog file. This will take a few minutes, and then Windows System Image Manager (Windows SIM) will start.
> [!IMPORTANT]
- > The ADK version 1903 has a [known issue](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-1903) generating a catalog file for Windows 10, version 1903 or 1909 X64 install.wim. You might see the error "Could not load file or assembly" in in the console output. To avoid this issue, [install the ADK, version 2004 or a later version](https://docs.microsoft.com/windows-hardware/get-started/adk-install). A workaround is also available for the ADK version 1903:
+ > The ADK version 1903 has a [known issue](/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-1903) generating a catalog file for Windows 10, version 1903 or 1909 X64 install.wim. You might see the error "Could not load file or assembly" in in the console output. To avoid this issue, [install the ADK, version 2004 or a later version](/windows-hardware/get-started/adk-install). A workaround is also available for the ADK version 1903:
> - Close the Deployment Workbench and install the [WSIM 1903 update](https://go.microsoft.com/fwlink/?linkid=2095334). This will update imagecat.exe and imgmgr.exe to version 10.0.18362.144.
> - Manually run imgmgr.exe (C:\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\WSIM\\imgmgr.exe).
> - Generate a catalog (Tools/Create Catalog) for the selected install.wim (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install.wim).
@@ -665,7 +665,7 @@ If you [enabled monitoring](#enable-monitoring), you can check the progress of t
-If there are problems with your task sequence, you can troubleshoot in Windows PE by pressing F8 to open a command prompt. There are several [MDT log files](https://docs.microsoft.com/configmgr/mdt/troubleshooting-reference#mdt-logs) created that can be helpful determining the origin of an error, such as BDD.log. From the command line in Windows PE you can copy these logs from the client to your MDT server for viewing with CMTrace. For example: copy BDD.log \\\\mdt01\\logs$.
+If there are problems with your task sequence, you can troubleshoot in Windows PE by pressing F8 to open a command prompt. There are several [MDT log files](/configmgr/mdt/troubleshooting-reference#mdt-logs) created that can be helpful determining the origin of an error, such as BDD.log. From the command line in Windows PE you can copy these logs from the client to your MDT server for viewing with CMTrace. For example: copy BDD.log \\\\mdt01\\logs$.
After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep, located in the D:\\MDTBuildLab\\Captures folder on your deployment server. The file name is REFW10X64-001.wim.
@@ -676,4 +676,4 @@ After some time, you will have a Windows 10 Enterprise x64 image that is fully
[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
-[Configure MDT settings](configure-mdt-settings.md)
+[Configure MDT settings](configure-mdt-settings.md)
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
index 5d5ff0215e..ebe98a9061 100644
--- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
@@ -236,7 +236,7 @@ Or, you can use this command in a normal command prompt:
wmic csproduct get name
```
-If you want a more standardized naming convention, try the **ModelAliasExit.vbs script** from the Deployment Guys blog post, entitled [Using and Extending Model Aliases for Hardware Specific Application Installation](https://go.microsoft.com/fwlink/p/?LinkId=619536).
+If you want a more standardized naming convention, try the **ModelAliasExit.vbs script** from the Deployment Guys blog post, entitled [Using and Extending Model Aliases for Hardware Specific Application Installation](/archive/blogs/deploymentguys/using-and-extending-model-aliases-for-hardware-specific-application-installation).
@@ -576,7 +576,7 @@ If you have licensing for MDOP and DaRT, you can add DaRT to the boot images usi
> [!NOTE]
-> DaRT 10 is part of [MDOP 2015](https://docs.microsoft.com/microsoft-desktop-optimization-pack/#how-to-get-mdop).
+> DaRT 10 is part of [MDOP 2015](/microsoft-desktop-optimization-pack/#how-to-get-mdop).
>
> MDOP might be available as a download from your [Visual Studio subscription](https://my.visualstudio.com/Downloads). When searching, be sure to look for **Desktop Optimization Pack**.
@@ -829,7 +829,7 @@ Follow these steps to create a bootable USB stick from the offline media content
## Unified Extensible Firmware Interface (UEFI)-based deployments
-As referenced in [Windows 10 deployment scenarios and tools](https://go.microsoft.com/fwlink/p/?LinkId=619546), Unified Extensible Firmware Interface (UEFI)-based deployments are becoming more common. In fact, when you create a generation 2 virtual machine in Hyper-V, you get a UEFI-based computer. During deployment, MDT automatically detects that you have an UEFI-based machine and creates the partitions UEFI requires. You do not need to update or change your task sequences in any way to accommodate UEFI.
+As referenced in [Windows 10 deployment scenarios and tools](../windows-deployment-scenarios-and-tools.md), Unified Extensible Firmware Interface (UEFI)-based deployments are becoming more common. In fact, when you create a generation 2 virtual machine in Hyper-V, you get a UEFI-based computer. During deployment, MDT automatically detects that you have an UEFI-based machine and creates the partitions UEFI requires. You do not need to update or change your task sequences in any way to accommodate UEFI.
@@ -842,4 +842,4 @@ The partitions when deploying an UEFI-based machine.
[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
-[Configure MDT settings](configure-mdt-settings.md)
+[Configure MDT settings](configure-mdt-settings.md)
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
index 00c0a446a3..03e9e01012 100644
--- a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
+++ b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
@@ -21,15 +21,15 @@ ms.topic: article
**Applies to**
- Windows 10
-This article provides an overview of the features, components, and capabilities of the [Microsoft Deployment Toolkit (MDT)](https://go.microsoft.com/fwlink/p/?LinkId=618117). When you have finished reviewing this information, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
+This article provides an overview of the features, components, and capabilities of the [Microsoft Deployment Toolkit (MDT)](/mem/configmgr/mdt/). When you have finished reviewing this information, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
## About MDT
MDT is a unified collection of tools, processes, and guidance for automating desktop and server deployment. You can use it to create reference images or as a complete deployment solution. MDT is one of the most important tools available to IT professionals today.
-In addition to reducing deployment time and standardizing desktop and server images, MDT enables you to more easily manage security and ongoing configurations. MDT builds on top of the core deployment tools in the [Windows Assessment and Deployment Kit](https://docs.microsoft.com/windows-hardware/get-started/adk-install) (Windows ADK) with additional guidance and features designed to reduce the complexity and time required for deployment in an enterprise environment.
+In addition to reducing deployment time and standardizing desktop and server images, MDT enables you to more easily manage security and ongoing configurations. MDT builds on top of the core deployment tools in the [Windows Assessment and Deployment Kit](/windows-hardware/get-started/adk-install) (Windows ADK) with additional guidance and features designed to reduce the complexity and time required for deployment in an enterprise environment.
-MDT supports the deployment of Windows 10, as well as Windows 7, Windows 8.1, and Windows Server. It also includes support for zero-touch installation (ZTI) with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/).
+MDT supports the deployment of Windows 10, as well as Windows 7, Windows 8.1, and Windows Server. It also includes support for zero-touch installation (ZTI) with [Microsoft Endpoint Configuration Manager](/configmgr/).
## Key features in MDT
@@ -68,7 +68,7 @@ MDT has many useful features, such as:
- **Support for Microsoft Office.** Provides added support for deploying Microsoft Office.
- **Support for Modern UI app package provisioning.** Provisions applications based on the new Windows app package standard, which is used in Windows 8 and later.
- **Extensibility.** Provides the capability to extend MDT far beyond the built-in features by adding custom scripts, web services, System Center Orchestrator runbooks, PowerShell scripts, and VBScripts.
-- **Upgrade task sequence.** Provides a new upgrade task sequence template that you can use to upgrade existing Windows 7, Windows 8, and Windows 8.1 systems directly to Windows 10, automatically preserving all data, settings, applications, and drivers. For more information about using this new upgrade task sequence, refer to the [Microsoft Deployment Toolkit resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117).
+- **Upgrade task sequence.** Provides a new upgrade task sequence template that you can use to upgrade existing Windows 7, Windows 8, and Windows 8.1 systems directly to Windows 10, automatically preserving all data, settings, applications, and drivers. For more information about using this new upgrade task sequence, refer to the [Microsoft Deployment Toolkit resource page](/mem/configmgr/mdt/).
## MDT Lite Touch components
@@ -91,7 +91,7 @@ The rules (CustomSettings.ini and Bootstrap.ini) make up the brain of MDT. The r
- Domain to join, and organizational unit (OU) in Active Directory to hold the computer object
- Whether to enable BitLocker
- Regional settings
-You can manage hundreds of settings in the rules. For more information, see the [Microsoft Deployment Toolkit resource center](https://go.microsoft.com/fwlink/p/?LinkId=618117).
+You can manage hundreds of settings in the rules. For more information, see the [Microsoft Deployment Toolkit resource center](/mem/configmgr/mdt/).
diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
index e2da8e687d..5f3c2aa9ad 100644
--- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
@@ -57,7 +57,7 @@ MDT01 and HV01 should have the ability to store up to 200 GB of files on a data
### Hyper-V requirements
-If you do not have access to a Hyper-V server, you can install Hyper-V on a Windows 10 or Windows 8.1 computer temporarily to use for building reference images. For instructions on how to enable Hyper-V on Windows 10, see the [Verify support and install Hyper-V](https://docs.microsoft.com/windows/deployment/windows-10-poc#verify-support-and-install-hyper-v) section in the Windows 10 deployment test lab guide. This guide is a proof-of-concept guide that has detailed instructions for installing Hyper-V.
+If you do not have access to a Hyper-V server, you can install Hyper-V on a Windows 10 or Windows 8.1 computer temporarily to use for building reference images. For instructions on how to enable Hyper-V on Windows 10, see the [Verify support and install Hyper-V](../windows-10-poc.md#verify-support-and-install-hyper-v) section in the Windows 10 deployment test lab guide. This guide is a proof-of-concept guide that has detailed instructions for installing Hyper-V.
### Network requirements
@@ -83,7 +83,7 @@ These steps assume that you have the MDT01 member server running and configured
On **MDT01**:
-Visit the [Download and install the Windows ADK](https://go.microsoft.com/fwlink/p/?LinkId=526803) page and download the following items to the **D:\\Downloads\\ADK** folder on MDT01 (you will need to create this folder):
+Visit the [Download and install the Windows ADK](/windows-hardware/get-started/adk-install) page and download the following items to the **D:\\Downloads\\ADK** folder on MDT01 (you will need to create this folder):
- [The Windows ADK for Windows 10](https://go.microsoft.com/fwlink/?linkid=2086042)
- [The Windows PE add-on for the ADK](https://go.microsoft.com/fwlink/?linkid=2087112)
- [The Windows System Image Manager (WSIM) 1903 update](https://go.microsoft.com/fwlink/?linkid=2095334)
@@ -121,7 +121,7 @@ To install WSUS on MDT01, enter the following at an elevated Windows PowerShell
cmd /c "C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=C:\WSUS
```
->To use the WSUS that you have installed on MDT01, you must also [configure Group Policy](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wsus#configure-automatic-updates-and-update-service-location) on DC01 and perform the neccessary post-installation configuration of WSUS on MDT01.
+>To use the WSUS that you have installed on MDT01, you must also [configure Group Policy](../update/waas-manage-updates-wsus.md#configure-automatic-updates-and-update-service-location) on DC01 and perform the neccessary post-installation configuration of WSUS on MDT01.
## Install MDT
@@ -133,7 +133,7 @@ To install WSUS on MDT01, enter the following at an elevated Windows PowerShell
On **MDT01**:
-1. Visit the [MDT resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117) and click **Download MDT**.
+1. Visit the [MDT resource page](/mem/configmgr/mdt/) and click **Download MDT**.
2. Save the **MicrosoftDeploymentToolkit_x64.msi** file to the D:\\Downloads\\MDT folder on MDT01.
- **Note**: As of the publishing date for this guide, the current version of MDT is 8456 (6.3.8456.1000), but a later version will also work.
3. Install **MDT** (D:\\Downloads\\MDT\\MicrosoftDeploymentToolkit_x64.exe) with the default settings.
@@ -237,7 +237,7 @@ See the following example:
## Use CMTrace to read log files (optional)
-The log files in MDT Lite Touch are formatted to be read by Configuration Manager Trace ([CMTrace](https://docs.microsoft.com/sccm/core/support/cmtrace)), which is available as part of the [Microsoft System 2012 R2 Center Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717). You should also download this tool.
+The log files in MDT Lite Touch are formatted to be read by Configuration Manager Trace ([CMTrace](/sccm/core/support/cmtrace)), which is available as part of the [Microsoft System 2012 R2 Center Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717). You should also download this tool.
You can use Notepad (example below):
@@ -257,6 +257,6 @@ When you have completed all the steps in this section to prepare for deployment,
**Sample files**
The following sample files are also available to help automate some MDT deployment tasks. This guide does not use these files, but they are made available here so you can see how some tasks can be automated with Windows PowerShell.
-- [Gather.ps1](https://go.microsoft.com/fwlink/p/?LinkId=619361). This sample Windows PowerShell script performs the MDT Gather process in a simulated MDT environment. This allows you to test the MDT gather process and check to see if it is working correctly without performing a full Windows deployment.
+- [Gather.ps1](/samples/browse/?redirectedfrom=TechNet-Gallery). This sample Windows PowerShell script performs the MDT Gather process in a simulated MDT environment. This allows you to test the MDT gather process and check to see if it is working correctly without performing a full Windows deployment.
- [Set-OUPermissions.ps1](https://go.microsoft.com/fwlink/p/?LinkId=619362). This sample Windows PowerShell script creates a domain account and then configures OU permissions to allow the account to join machines to the domain in the specified OU.
-- [MDTSample.zip](https://go.microsoft.com/fwlink/p/?LinkId=619363). This sample web service shows you how to configure a computer name dynamically using MDT.
+- [MDTSample.zip](https://go.microsoft.com/fwlink/p/?LinkId=619363). This sample web service shows you how to configure a computer name dynamically using MDT.
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md b/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
index c0f5f7d8a1..2bba58db5a 100644
--- a/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
+++ b/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
@@ -21,7 +21,7 @@ ms.topic: article
**Applies to**
- Windows 10
-This topic will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the online computer refresh process. The computer refresh scenario is a reinstallation of an updated operating system on the same computer. You can also use this procedure to reinstall the same OS version. In this article, the computer refresh will be done while the computer is online. MDT also supports an offline computer refresh. For more info on that scenario, see the USMTOfflineMigration property on the [MDT resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117).
+This topic will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the online computer refresh process. The computer refresh scenario is a reinstallation of an updated operating system on the same computer. You can also use this procedure to reinstall the same OS version. In this article, the computer refresh will be done while the computer is online. MDT also supports an offline computer refresh. For more info on that scenario, see the USMTOfflineMigration property on the [MDT resource page](/mem/configmgr/mdt/).
For the purposes of this topic, we will use three computers: DC01, MDT01, and PC0001.
- DC01 is a domain controller for the contoso.com domain.
@@ -62,7 +62,7 @@ For example, the following line configures USMT to migrate only domain user prof
### Support for additional settings
-In addition to the command-line switches that control which profiles to migrate, [XML templates](https://docs.microsoft.com/windows/deployment/usmt/understanding-migration-xml-files) control exactly what data is being migrated. You can control data within and outside the user profiles.
+In addition to the command-line switches that control which profiles to migrate, [XML templates](../usmt/understanding-migration-xml-files.md) control exactly what data is being migrated. You can control data within and outside the user profiles.
### Multicast
@@ -117,4 +117,4 @@ It is also assumed that you have a domain member client computer named PC0001 in
[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
-[Configure MDT settings](configure-mdt-settings.md)
+[Configure MDT settings](configure-mdt-settings.md)
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
index 231b73680a..1aaab1936a 100644
--- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
+++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
@@ -32,16 +32,16 @@ To configure your environment for BitLocker, you will need to do the following:
4. Configure the rules (CustomSettings.ini) for BitLocker.
> [!NOTE]
-> Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery password in Active Directory. For additional information about this feature, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://docs.microsoft.com/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds).
+> Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery password in Active Directory. For additional information about this feature, see [Backing Up BitLocker and TPM Recovery Information to AD DS](/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds).
If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker.
> [!NOTE]
> Backing up TPM to Active Directory was supported only on Windows 10 version 1507 and 1511.
>[!NOTE]
->Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. For additional information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-7/dd875529(v=ws.10)). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker.
+>Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. For additional information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](/previous-versions/windows/it-pro/windows-7/dd875529(v=ws.10)). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker.
-For the purposes of this topic, we will use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md).
+For the purposes of this topic, we will use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](./prepare-for-windows-deployment-with-mdt.md).
## Configure Active Directory for BitLocker
@@ -148,7 +148,7 @@ cscript.exe SetConfig.vbs SecurityChip Active
## Configure the Windows 10 task sequence to enable BitLocker
-When configuring a task sequence to run any BitLocker tool, either directly or using a custom script, it is helpful if you also add some logic to detect whether the BIOS is already configured on the machine. In the following task sequence, we are using a sample script (ZTICheckforTPM.wsf) from the Deployment Guys web page to check the status on the TPM chip. You can download this script from the Deployment Guys Blog post, [Check to see if the TPM is enabled](https://go.microsoft.com/fwlink/p/?LinkId=619549).
+When configuring a task sequence to run any BitLocker tool, either directly or using a custom script, it is helpful if you also add some logic to detect whether the BIOS is already configured on the machine. In the following task sequence, we are using a sample script (ZTICheckforTPM.wsf) from the Deployment Guys web page to check the status on the TPM chip. You can download this script from the Deployment Guys Blog post, [Check to see if the TPM is enabled](/archive/blogs/deploymentguys/check-to-see-if-the-tpm-is-enabled).
In the following task sequence, we added five actions:
@@ -170,4 +170,4 @@ In the following task sequence, we added five actions:
[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
[Use web services in MDT](use-web-services-in-mdt.md)
-[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
+[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md b/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md
index cb28eea313..e0c0bd23c1 100644
--- a/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md
+++ b/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md
@@ -33,7 +33,7 @@ This topic will walk you through the process of creating a simulated environment
On **PC0001**:
1. Sign as **contoso\\Administrator**.
-2. Download the [sample Gather.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619361) from the TechNet gallery and copy it to a directory named **C:\MDT** on PC0001.
+2. Download the [sample Gather.ps1 script](/samples/browse/?redirectedfrom=TechNet-Gallery) from the TechNet gallery and copy it to a directory named **C:\MDT** on PC0001.
3. Download and install the free [Microsoft System Center 2012 R2 Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717) on PC0001 so that you have access to the Configuration Manager Trace (cmtrace.exe) tool.
4. Using Local Users and Groups (lusrmgr.msc), add the **contoso\\MDT\_BA** user account to the local **Administrators** group.
5. Sign off, and then sign on to PC0001 as **contoso\\MDT\_BA**.
@@ -74,4 +74,4 @@ On **PC0001**:
[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
[Use web services in MDT](use-web-services-in-mdt.md)
-[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
+[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
index 38604acbf4..ad18311cbc 100644
--- a/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
+++ b/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
@@ -111,4 +111,4 @@ After the task sequence completes, the computer will be fully upgraded to Window
## Related topics
[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
-[Microsoft Deployment Toolkit downloads and resources](https://go.microsoft.com/fwlink/p/?LinkId=618117)
\ No newline at end of file
+[Microsoft Deployment Toolkit downloads and resources](/mem/configmgr/mdt/)
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md b/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md
index e7cabd8fec..f948eab51d 100644
--- a/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md
@@ -36,7 +36,7 @@ Before diving into the core details, here is a quick course in Orchestrator term
- **Integration packs.** These provide additional workflow activities you can import to integrate with other products or solutions, like the rest of Active Directory, other System Center 2012 R2 products, or Microsoft Exchange Server, to name a few.
**Note**
-To find and download additional integration packs, see [Integration Packs for System Center 2012 - Orchestrator](https://go.microsoft.com/fwlink/p/?LinkId=619554).
+To find and download additional integration packs, see [Integration Packs for System Center 2012 - Orchestrator](/previous-versions/system-center/packs/hh295851(v=technet.10)).
## Create a sample runbook
@@ -141,7 +141,7 @@ Figure 31. The ready-made task sequence.
Since this task sequence just starts a runbook, you can test this on the PC0001 client that you used for the MDT simulation environment.
**Note**
-Make sure the account you are using has permissions to run runbooks on the Orchestrator server. For more information about runbook permissions, see [Runbook Permissions](https://go.microsoft.com/fwlink/p/?LinkId=619555).
+Make sure the account you are using has permissions to run runbooks on the Orchestrator server. For more information about runbook permissions, see [Runbook Permissions](/previous-versions/system-center/system-center-2012-R2/hh403774(v=sc.12)).
1. On PC0001, log on as **CONTOSO\\MDT\_BA**.
2. Using an elevated command prompt (run as Administrator), type the following command:
@@ -175,4 +175,4 @@ Figure 32. The ready-made task sequence.
[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
-[Use web services in MDT](use-web-services-in-mdt.md)
+[Use web services in MDT](use-web-services-in-mdt.md)
\ No newline at end of file
diff --git a/windows/deployment/deploy-windows-to-go.md b/windows/deployment/deploy-windows-to-go.md
index 90d0dc48d1..aa9e0cf79b 100644
--- a/windows/deployment/deploy-windows-to-go.md
+++ b/windows/deployment/deploy-windows-to-go.md
@@ -39,7 +39,7 @@ The following is a list of items that you should be aware of before you start th
* When running a Windows To Go workspace, always shutdown the workspace before unplugging the drive.
-* System Center 2012 Configuration Manager SP1 and later includes support for user self-provisioning of Windows To Go drives. You can download Configuration Manager for evaluation from the [Microsoft TechNet Evaluation Center](https://go.microsoft.com/fwlink/p/?LinkId=618746). For more information on this deployment option, see [How to Provision Windows To Go in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=619148).
+* System Center 2012 Configuration Manager SP1 and later includes support for user self-provisioning of Windows To Go drives. You can download Configuration Manager for evaluation from the [Microsoft TechNet Evaluation Center](https://go.microsoft.com/fwlink/p/?LinkId=618746). For more information on this deployment option, see [How to Provision Windows To Go in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/jj651035(v=technet.10)).
* If you are planning on using a USB drive duplicator to duplicate Windows To Go drives, do not configure offline domain join or BitLocker on the drive.
@@ -47,14 +47,14 @@ The following is a list of items that you should be aware of before you start th
Unless you are using a customized operating system image, your initial Windows To Go workspace will not be domain joined and will not contain applications. This is exactly like a new installation of Windows on a desktop or laptop computer. When planning your deployment, you should develop methods to join Windows to Go drives to the domain and install the standard applications that users in your organization require. These methods probably will be similar to the ones used for setting up desktop and laptop computers with domain privileges and applications. This section describes the instructions for creating the correct disk layout on the USB drive, applying the operating system image and the core Windows To Go specific configurations to the drive. The following steps are used in both small-scale and large-scale Windows To Go deployment scenarios.
-Completing these steps will give you a generic Windows To Go drive that can be distributed to your users and then customized for their usage as needed. This drive is also appropriate for use with USB drive duplicators. Your specific deployment scenarios will involve more than just these basic steps but these additional deployment considerations are similar to traditional PC deployment and can be incorporated into your Windows To Go deployment plan. For additional information, see [Windows Deployment Options](https://go.microsoft.com/fwlink/p/?LinkId=619149).
+Completing these steps will give you a generic Windows To Go drive that can be distributed to your users and then customized for their usage as needed. This drive is also appropriate for use with USB drive duplicators. Your specific deployment scenarios will involve more than just these basic steps but these additional deployment considerations are similar to traditional PC deployment and can be incorporated into your Windows To Go deployment plan. For additional information, see [Windows Deployment Options](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825230(v=win.10)).
>[!WARNING]
>If you plan to use the generic Windows To Go drive as the master drive in a USB duplicator, the drive should not be booted. If the drive has been booted inadvertently it should be reprovisioned prior to duplication.
### Create the Windows To Go workspace
-In this step we are creating the operating system image that will be used on the Windows To Go drives. You can use the Windows To Go Creator Wizard or you can [do this manually](https://go.microsoft.com/fwlink/p/?LinkId=619174) using a combination of Windows PowerShell and command-line tools.
+In this step we are creating the operating system image that will be used on the Windows To Go drives. You can use the Windows To Go Creator Wizard or you can [do this manually](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) using a combination of Windows PowerShell and command-line tools.
>[!WARNING]
>The preferred method to create a single Windows To Go drive is to use the Windows To Go Creator Wizard included in Windows 10 Enterprise and Windows 10 Education.
@@ -68,7 +68,7 @@ In this step we are creating the operating system image that will be used on the
3. Verify that the .wim file location (which can be a network share, a DVD , or a USB drive) is accessible and that it contains a valid Windows 10 Enterprise or Windows 10 Education image that has been generalized using sysprep. Many environments can use the same image for both Windows To Go and desktop deployments.
>[!NOTE]
- >For more information about .wim files, see [Windows System Image Manager (Windows SIM) Technical Reference](https://go.microsoft.com/fwlink/p/?LinkId=619150). For more information about using sysprep, see [Sysprep Overview](https://go.microsoft.com/fwlink/p/?LinkId=619151).
+ >For more information about .wim files, see [Windows System Image Manager (Windows SIM) Technical Reference](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824929(v=win.10)). For more information about using sysprep, see [Sysprep Overview](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825209(v=win.10)).
4. Using Cortana, search for **Windows To Go** and then press **Enter**. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. The **Windows To Go Creator Wizard** opens.
@@ -76,7 +76,7 @@ In this step we are creating the operating system image that will be used on the
6. On the **Choose a Windows image** page, click **Add Search Location** and then navigate to the .wim file location and click select folder. The wizard will display the installable images present in the folder; select the Windows 10 Enterprise or Windows 10 Education image you wish to use and then click **Next**.
-7. (Optional) On the **Set a BitLocker password (optional)** page, you can select **Use BitLocker with my Windows To Go Workspace** to encrypt your Windows To Go drive. If you do not wish to encrypt the drive at this time, click **Skip**. If you decide you want to add BitLocker protection later, see [Enable BitLocker protection for your Windows To Go drive](https://go.microsoft.com/fwlink/p/?LinkId=619152) for instructions.
+7. (Optional) On the **Set a BitLocker password (optional)** page, you can select **Use BitLocker with my Windows To Go Workspace** to encrypt your Windows To Go drive. If you do not wish to encrypt the drive at this time, click **Skip**. If you decide you want to add BitLocker protection later, see [Enable BitLocker protection for your Windows To Go drive](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) for instructions.
r
>[!WARNING]
@@ -89,7 +89,7 @@ r
~~~
>[!IMPORTANT]
- >The BitLocker recovery password will be saved in the documents library of the computer used to create the workspace automatically. If your organization is using Active Directory Domain Services (AD DS) to store recovery passwords it will also be saved in AD DS under the computer account of the computer used to create the workspace. This password will be used only if you need to recover access to the drive because the BitLocker password specified in the previous step is not available, such as if a password is lost or forgotten. For more information about BitLocker and AD DS, see [Active Directory Domain Services considerations](https://go.microsoft.com/fwlink/p/?LinkId=619157).
+ >The BitLocker recovery password will be saved in the documents library of the computer used to create the workspace automatically. If your organization is using Active Directory Domain Services (AD DS) to store recovery passwords it will also be saved in AD DS under the computer account of the computer used to create the workspace. This password will be used only if you need to recover access to the drive because the BitLocker password specified in the previous step is not available, such as if a password is lost or forgotten. For more information about BitLocker and AD DS, see [Active Directory Domain Services considerations](/previous-versions/windows/it-pro/windows-8.1-and-8/jj592683(v=ws.11)).
~~~
8. Verify that the USB drive inserted is the one you want to provision for Windows To Go and then click **Create** to start the Windows To Go workspace creation process.
@@ -99,7 +99,7 @@ r
9. Wait for the creation process to complete, which can take 20 to 30 minutes. A completion page will be displayed that tells you when your Windows To Go workspace is ready to use. From the completion page you can configure the Windows To Go startup options to configure the current computer as a Windows To Go host computer.
-Your Windows To Go workspace is now ready to be started. You can now [prepare a host computer](https://go.microsoft.com/fwlink/p/?LinkId=619159) using the Windows To Go startup options and boot your Windows To Go drive.
+Your Windows To Go workspace is now ready to be started. You can now [prepare a host computer](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) using the Windows To Go startup options and boot your Windows To Go drive.
#### Windows PowerShell equivalent commands
@@ -143,7 +143,7 @@ The following Windows PowerShell cmdlet or cmdlets perform the same function as
Set-Partition -InputObject $OSPartition -NoDefaultDriveLetter $TRUE
```
-3. Next you need to apply the operating system image that you want to use with Windows To Go to the operating system partition you just created on the disk (this may take 30 minutes or longer, depending on the size of the image and the speed of your USB connection). The following command shows how this can be accomplished using the [Deployment Image Servicing and Management](https://go.microsoft.com/fwlink/p/?LinkId=619161) command-line tool (DISM):
+3. Next you need to apply the operating system image that you want to use with Windows To Go to the operating system partition you just created on the disk (this may take 30 minutes or longer, depending on the size of the image and the speed of your USB connection). The following command shows how this can be accomplished using the [Deployment Image Servicing and Management](/windows-hardware/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows) command-line tool (DISM):
>[!TIP]
>The index number must be set correctly to a valid Enterprise image in the .WIM file.
@@ -153,7 +153,7 @@ The following Windows PowerShell cmdlet or cmdlets perform the same function as
dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /index:1 /applydir:W:\
```
-4. Now use the [bcdboot](https://go.microsoft.com/fwlink/p/?LinkId=619163) command line tool to move the necessary boot components to the system partition on the disk. This helps ensure that the boot components, operating system versions, and architectures match. The `/f ALL` parameter indicates that boot components for UEFI and BIOS should be placed on the system partition of the disk. The following example illustrates this step:
+4. Now use the [bcdboot](/previous-versions/windows/it-pro/windows-8.1-and-8/hh824874(v=win.10)) command line tool to move the necessary boot components to the system partition on the disk. This helps ensure that the boot components, operating system versions, and architectures match. The `/f ALL` parameter indicates that boot components for UEFI and BIOS should be placed on the system partition of the disk. The following example illustrates this step:
~~~
@@ -234,7 +234,7 @@ W:\Windows\System32\bcdboot W:\Windows /f ALL /s S:
If you do not wish to boot your Windows To Go device on this computer and want to remove it to boot it on another PC, be sure to use the **Safely Remove Hardware and Eject Media** option to safely disconnect the drive before physically removing it from the PC.
-Your Windows To Go workspace is now ready to be started. You can now [prepare a host computer](https://go.microsoft.com/fwlink/p/?LinkId=619165) using the Windows To Go startup options to test your workspace configuration, [configure the workspace for offline domain join](https://go.microsoft.com/fwlink/p/?LinkId=619166), or [enable BitLocker protection for your Windows To Go drive](https://go.microsoft.com/fwlink/p/?LinkId=619167).
+Your Windows To Go workspace is now ready to be started. You can now [prepare a host computer](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) using the Windows To Go startup options to test your workspace configuration, [configure the workspace for offline domain join](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)), or [enable BitLocker protection for your Windows To Go drive](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)).
### To prepare a host computer
@@ -265,7 +265,7 @@ You can configure your organization's computers to automatically start from the
After this policy setting is enabled, automatic starting of a Windows To Go workspace will be attempted when a USB drive is connected to the computer when it is started. Users will not be able to use the Windows To Go Startup Options to change this behavior. If you disable this policy setting, booting to Windows To Go when a USB drive is connected will not occur unless a user configures the option manually in the firmware. If you do not configure this policy setting, users who are members of the Administrators group can enable or disable booting from a USB drive using the Windows To Go Startup Options.
-Your host computer is now ready to boot directly into Windows To Go workspace when it is inserted prior to starting the computer. Optionally you can perform [Configure Windows To Go workspace for offline domain join](https://go.microsoft.com/fwlink/p/?LinkId=619169) and [Enable BitLocker protection for your Windows To Go drive](https://go.microsoft.com/fwlink/p/?LinkId=619152).
+Your host computer is now ready to boot directly into Windows To Go workspace when it is inserted prior to starting the computer. Optionally you can perform [Configure Windows To Go workspace for offline domain join](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) and [Enable BitLocker protection for your Windows To Go drive](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)).
### Booting your Windows To Go workspace
@@ -296,7 +296,7 @@ Making sure that Windows To Go workspaces are effective when used off premises i
- A domain user account with rights to add computer accounts to the domain and is a member of the Administrator group on the Windows To Go host computer
-- [DirectAccess](https://go.microsoft.com/fwlink/p/?LinkId=619170) configured on the domain
+- [DirectAccess](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831539(v=ws.11)) configured on the domain
**To configure your Windows To Go workspace for remote access**
@@ -307,7 +307,7 @@ Making sure that Windows To Go workspaces are effective when used off premises i
```
>[!NOTE]
- >The **/certtemplate** parameter supports the use of certificate templates for distributing certificates for DirectAccess, if your organization is not using certificate templates you can omit this parameter. Additionally, if are using djoin.exe with Windows Server 2008-based Domain Controllers, append the /downlevel switch during provisioning. For more information see the [Offline Domain Join Step-by-Step guide](https://go.microsoft.com/fwlink/p/?LinkId=619171).
+ >The **/certtemplate** parameter supports the use of certificate templates for distributing certificates for DirectAccess, if your organization is not using certificate templates you can omit this parameter. Additionally, if are using djoin.exe with Windows Server 2008-based Domain Controllers, append the /downlevel switch during provisioning. For more information see the [Offline Domain Join Step-by-Step guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd392267(v=ws.10)).
2. Insert the Windows To Go drive.
@@ -349,7 +349,7 @@ Making sure that Windows To Go workspaces are effective when used off premises i
Set-Partition -InputObject $OSPartition -NoDefaultDriveLetter $TRUE
```
-5. Next you need to apply the operating system image that you want to use with Windows To Go to the operating system partition you just created on the disk (this may take 30 minutes or longer, depending on the size of the image and the speed of your USB connection). The following command shows how this can be accomplished using the [Deployment Image Servicing and Management](https://go.microsoft.com/fwlink/p/?LinkId=619161) command-line tool (DISM):
+5. Next you need to apply the operating system image that you want to use with Windows To Go to the operating system partition you just created on the disk (this may take 30 minutes or longer, depending on the size of the image and the speed of your USB connection). The following command shows how this can be accomplished using the [Deployment Image Servicing and Management](/windows-hardware/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows) command-line tool (DISM):
~~~
@@ -368,7 +368,7 @@ dism /apply-image /imagefile:n:\imagefolder\deploymentimages\mywtgimage.wim /ind
djoin /requestodj /loadfile C:\example\path\domainmetadatafile /windowspath W:\Windows
```
-7. Next, we will need to edit the unattend.xml file to configure the first run (OOBE) settings. In this example we are hiding the Microsoft Software License Terms (EULA) page, configuring automatic updates to install important and recommended updates automatically, and identifying this workspace as part of a private office network. You can use other OOBE settings that you have configured for your organization if desired. For more information about the OOBE settings, see [OOBE](https://go.microsoft.com/fwlink/p/?LinkId=619172):
+7. Next, we will need to edit the unattend.xml file to configure the first run (OOBE) settings. In this example we are hiding the Microsoft Software License Terms (EULA) page, configuring automatic updates to install important and recommended updates automatically, and identifying this workspace as part of a private office network. You can use other OOBE settings that you have configured for your organization if desired. For more information about the OOBE settings, see [OOBE](/previous-versions/windows/it-pro/windows-8.1-and-8/ff716016(v=win.10)):
```
@@ -439,7 +439,7 @@ You can choose to enable BitLocker protection on Windows To Go drives before dis
Enabling BitLocker during provisioning ensures that your operating system image is always protected by BitLocker. When enabling BitLocker during the provisioning process you can significantly reduce the time required for encrypting the drive by enabling BitLocker after configuring the disk and just prior to applying the image. If you use this method, you will need to give users their BitLocker password when you give then their Windows To Go workspace. Also, you should instruct your users to boot their workspace and change their BitLocker password as soon as possible (this can be done with standard user privileges).
-Enabling BitLocker after distribution requires that your users turn on BitLocker. This means that your Windows To Go workspaces are unprotected until the user enables BitLocker. Administrative rights on the Windows To Go workspace are required to enable BitLocker. For more information about BitLocker see the [BitLocker Overview](https://go.microsoft.com/fwlink/p/?LinkId=619173).
+Enabling BitLocker after distribution requires that your users turn on BitLocker. This means that your Windows To Go workspaces are unprotected until the user enables BitLocker. Administrative rights on the Windows To Go workspace are required to enable BitLocker. For more information about BitLocker see the [BitLocker Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831713(v=ws.11)).
#### BitLocker recovery keys
@@ -461,7 +461,7 @@ BitLocker recovery keys are the keys that can be used to unlock a BitLocker prot
4. Provision the Windows To Go drive using the following cmdlets:
>[!NOTE]
- >If you used the [manual method for creating a workspace](https://go.microsoft.com/fwlink/p/?LinkId=619174) you should have already provisioned the Windows To Go drive. If so, you can continue on to the next step.
+ >If you used the [manual method for creating a workspace](/previous-versions/windows/it-pro/windows-8.1-and-8/jj721578(v=ws.11)) you should have already provisioned the Windows To Go drive. If so, you can continue on to the next step.
```
# The following command will set $Disk to all USB drives with >20 GB of storage
@@ -497,7 +497,7 @@ BitLocker recovery keys are the keys that can be used to unlock a BitLocker prot
Set-Partition -InputObject $OSPartition -NoDefaultDriveLetter $TRUE
```
- Next you need to apply the operating system image that you want to use with Windows To Go to the operating system partition you just created on the disk (this may take 30 minutes or longer, depending on the size of the image and the speed of your USB connection). The following command shows how this can be accomplished using the [Deployment Image Servicing and Management](https://go.microsoft.com/fwlink/p/?LinkId=619161) command-line tool (DISM):
+ Next you need to apply the operating system image that you want to use with Windows To Go to the operating system partition you just created on the disk (this may take 30 minutes or longer, depending on the size of the image and the speed of your USB connection). The following command shows how this can be accomplished using the [Deployment Image Servicing and Management](/windows-hardware/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows) command-line tool (DISM):
>[!TIP]
>The index number must be set correctly to a valid Enterprise image in the .WIM file.
@@ -593,7 +593,7 @@ The sample script creates an unattend file that streamlines the deployment proce
Set-ExecutionPolicy RemoteSigned
```
- The RemoteSigned execution policy will prevent unsigned scripts from the internet from running on the computer, but will allow locally created scripts to run. For more information on execution policies, see [Set-ExecutionPolicy](https://go.microsoft.com/fwlink/p/?LinkId=619175).
+ The RemoteSigned execution policy will prevent unsigned scripts from the internet from running on the computer, but will allow locally created scripts to run. For more information on execution policies, see [Set-ExecutionPolicy](/powershell/module/microsoft.powershell.security/set-executionpolicy).
> [!TIP]
> To get online help for any Windows PowerShell cmdlet, whether or not it is installed locally type the following cmdlet, replacing <cmdlet-name> with the name of the cmdlet you want to see the help for:
@@ -1001,13 +1001,4 @@ In the PowerShell provisioning script, after the image has been applied, you can
[Security and data protection considerations for Windows To Go](planning/security-and-data-protection-considerations-for-windows-to-go.md)
-[BitLocker overview](https://go.microsoft.com/fwlink/p/?LinkId=619173)
-
-
-
-
-
-
-
-
-
+[BitLocker overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831713(v=ws.11))
\ No newline at end of file
diff --git a/windows/deployment/deploy.md b/windows/deployment/deploy.md
index bb85dc9972..1e3fbadce0 100644
--- a/windows/deployment/deploy.md
+++ b/windows/deployment/deploy.md
@@ -23,18 +23,18 @@ Windows 10 upgrade options are discussed and information is provided about plann
|Topic |Description |
|------|------------|
-|[Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md) |This topic provides an overview of Windows Autopilot deployment, a new zero-touch method for deploying Windows 10 in the enterprise. |
+|[Overview of Windows Autopilot](/mem/autopilot/windows-autopilot) |This topic provides an overview of Windows Autopilot deployment, a new zero-touch method for deploying Windows 10 in the enterprise. |
|[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) |This topic provides information about support for upgrading directly to Windows 10 from a previous operating system. |
|[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |This topic provides information about support for upgrading from one edition of Windows 10 to another. |
|[Windows 10 volume license media](windows-10-media.md) |This topic provides information about updates to volume licensing media in the current version of Windows 10. |
-|[Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. |
+|[Manage Windows upgrades with Upgrade Readiness](/mem/configmgr/desktop-analytics/overview) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. |
|[Windows 10 deployment test lab](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, additional guides are provided to deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md). |
|[Plan for Windows 10 deployment](planning/index.md) | This section describes Windows 10 deployment considerations and provides information to assist in Windows 10 deployment planning. |
-|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). |
+|[Deploy Windows 10 with the Microsoft Deployment Toolkit](./deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). |
|[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) |If you have Microsoft Endpoint Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. |
|[Windows 10 deployment tools](windows-10-deployment-tools-reference.md) |Learn about available tools to deploy Windows 10, such as the Windows ADK, DISM, USMT, WDS, MDT, Windows PE and more. |
|[How to install fonts that are missing after upgrading to Windows 10](windows-10-missing-fonts.md)|Windows 10 introduced changes to the fonts that are included in the image by default. Learn how to install additional fonts from **Optional features** after you install Windows 10 or upgrade from a previous version.|
## Related topics
-[Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home)
\ No newline at end of file
+[Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deployment-center-home)
\ No newline at end of file
diff --git a/windows/deployment/images/configmgr-assets.PNG b/windows/deployment/images/configmgr-assets.PNG
deleted file mode 100644
index ac315148c5..0000000000
Binary files a/windows/deployment/images/configmgr-assets.PNG and /dev/null differ
diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml
index dbd960b4a7..55641790b7 100644
--- a/windows/deployment/index.yml
+++ b/windows/deployment/index.yml
@@ -53,7 +53,7 @@ landingContent:
- linkListType: deploy
links:
- text: Deploy Windows 10 with Autopilot
- url: https://docs.microsoft.com/mem/autopilot
+ url: /mem/autopilot
- text: Assign devices to servicing channels
url: update/waas-servicing-channels-windows-10-updates.md
- text: Deploy Windows updates with Configuration Manager
@@ -71,7 +71,7 @@ landingContent:
- text: Basics of Windows updates, channels, and tools
url: update/get-started-updates-channels-tools.md
- text: Overview of Windows Autopilot
- url: https://docs.microsoft.com/mem/autopilot/windows-autopilot
+ url: /mem/autopilot/windows-autopilot
# Card
- title: Support remote work
@@ -81,11 +81,11 @@ landingContent:
- text: Deploy Windows 10 for a remote world
url: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/deploying-a-new-version-of-windows-10-in-a-remote-world/ba-p/1419846
- text: Empower remote workers with Microsoft 365
- url: https://docs.microsoft.com/microsoft-365/solutions/empower-people-to-work-remotely
+ url: /microsoft-365/solutions/empower-people-to-work-remotely
- text: Top 12 tasks for security teams to support working from home
- url: https://docs.microsoft.com/microsoft-365/security/top-security-tasks-for-remote-work
+ url: /microsoft-365/security/top-security-tasks-for-remote-work
- text: Support your remote workforce
- url: https://docs.microsoft.com/microsoftteams/faq-support-remote-workforce
+ url: /microsoftteams/faq-support-remote-workforce
# Card (optional)
- title: Microsoft Learn
@@ -93,8 +93,8 @@ landingContent:
- linkListType: learn
links:
- text: Plan to deploy updates for Windows 10 and Microsoft 365 Apps
- url: https://docs.microsoft.com/learn/modules/windows-plan
+ url: /learn/modules/windows-plan
- text: Prepare to deploy updates for Windows 10 and Microsoft 365 Apps
- url: https://docs.microsoft.com/learn/modules/windows-prepare/
+ url: /learn/modules/windows-prepare/
- text: Deploy updates for Windows 10 and Microsoft 365 Apps
- url: https://docs.microsoft.com/learn/modules/windows-deploy
+ url: /learn/modules/windows-deploy
\ No newline at end of file
diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md
index 7324318c18..496c96e73b 100644
--- a/windows/deployment/mbr-to-gpt.md
+++ b/windows/deployment/mbr-to-gpt.md
@@ -96,11 +96,11 @@ MBR2GPT: Validation completed successfully
In the following example:
1. Using DiskPart, the current disk partition layout is displayed prior to conversion - three partitions are present on the MBR disk (disk 0): a system reserved partition, a Windows partition, and a recovery partition. A DVD-ROM is also present as volume 0.
-2. The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition. The [MBR partition type](https://msdn.microsoft.com/library/windows/desktop/aa363990.aspx) is **07** corresponding to the installable file system (IFS) type.
+2. The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition. The [MBR partition type](/windows/win32/fileio/disk-partition-types) is **07** corresponding to the installable file system (IFS) type.
2. The MBR2GPT tool is used to convert disk 0.
3. The DiskPart tool displays that disk 0 is now using the GPT format.
4. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3).
-5. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](https://msdn.microsoft.com/library/windows/desktop/aa365449.aspx) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type.
+5. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type.
>As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition will boot properly.
@@ -266,8 +266,8 @@ In addition to applying the correct partition types, partitions of type PARTITIO
- GPT_BASIC_DATA_ATTRIBUTE_NO_DRIVE_LETTER (0x8000000000000000)
For more information about partition types, see:
-- [GPT partition types](https://msdn.microsoft.com/library/windows/desktop/aa365449.aspx)
-- [MBR partition types](https://msdn.microsoft.com/library/windows/desktop/aa363990.aspx)
+- [GPT partition types](/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt)
+- [MBR partition types](/windows/win32/fileio/disk-partition-types)
### Persisting drive letter assignments
@@ -420,7 +420,7 @@ This issue occurs because in Windows 10, version 1903 and later versions, MBR2GP
To fix this issue, mount the Windows PE image (WIM), copy the missing file from the [Windows 10, version 1903 Assessment and Development Kit (ADK)](https://go.microsoft.com/fwlink/?linkid=2086042) source, and then commit the changes to the WIM. To do this, follow these steps:
-1. Mount the Windows PE WIM to a path (for example, C:\WinPE_Mount). For more information about how to mount WIM files, see [Mount an image](https://docs.microsoft.com/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#mount-an-image).
+1. Mount the Windows PE WIM to a path (for example, C:\WinPE_Mount). For more information about how to mount WIM files, see [Mount an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#mount-an-image).
2. Copy the ReAgent files and the ReAgent localization files from the Window 10, version 1903 ADK source folder to the mounted WIM.
@@ -450,11 +450,11 @@ To fix this issue, mount the Windows PE image (WIM), copy the missing file from
> [!NOTE]
> If you aren't using an English version of Windows, replace "En-Us" in the path with the appropriate string that represents the system language.
-3. After you copy all the files, commit the changes and unmount the Windows PE WIM. MBR2GPT.exe now functions as expected in Windows PE. For information about how to unmount WIM files while committing changes, see [Unmounting an image](https://docs.microsoft.com/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#unmounting-an-image).
+3. After you copy all the files, commit the changes and unmount the Windows PE WIM. MBR2GPT.exe now functions as expected in Windows PE. For information about how to unmount WIM files while committing changes, see [Unmounting an image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#unmounting-an-image).
## Related topics
[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
[Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)
-
[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
+
[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
\ No newline at end of file
diff --git a/windows/deployment/planning/act-technical-reference.md b/windows/deployment/planning/act-technical-reference.md
index abb5e94fdb..0226ea23b4 100644
--- a/windows/deployment/planning/act-technical-reference.md
+++ b/windows/deployment/planning/act-technical-reference.md
@@ -21,7 +21,7 @@ ms.topic: article
- Windows 10, version 1607
>[!IMPORTANT]
->We've replaced the majority of functionality included in the Application Compatibility Toolkit (ACT) with [Windows Analytics](../update/windows-analytics-overview.md), a solution in the Microsoft Operations Management Suite. Windows Analytics gives enterprises the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With new Windows versions being released multiple times a year, ensuring application and driver compatibility on an ongoing basis is key to adopting new Windows versions as they are released.
+>We've replaced the majority of functionality included in the Application Compatibility Toolkit (ACT) with [Windows Analytics](/mem/configmgr/desktop-analytics/overview), a solution in the Microsoft Operations Management Suite. Windows Analytics gives enterprises the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With new Windows versions being released multiple times a year, ensuring application and driver compatibility on an ongoing basis is key to adopting new Windows versions as they are released.
Microsoft developed Windows Analytics in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Windows Analytics was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10.
@@ -46,4 +46,4 @@ At the same time, we've kept the Standard User Analyzer tool, which helps you te
|------|------------|
|[Standard User Analyzer (SUA) User's Guide](sua-users-guide.md) |The Standard User Analyzer (SUA) helps you test your applications and monitor API calls to detect compatibility issues related to the User Account Control (UAC) feature in Windows. |
|[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) |The Compatibility Administrator tool helps you resolve potential application-compatibility issues before deploying a new version of Windows to your organization. |
-|[Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md) |You can fix some compatibility issues that are due to the changes made between Windows operating system versions. These issues can include User Account Control (UAC) restrictions. |
+|[Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md) |You can fix some compatibility issues that are due to the changes made between Windows operating system versions. These issues can include User Account Control (UAC) restrictions. |
\ No newline at end of file
diff --git a/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md b/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md
index 504dc52a3c..eda58b00ab 100644
--- a/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md
+++ b/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md
@@ -84,7 +84,7 @@ The following table lists the known compatibility fixes for all Windows operatin
Software\MyCompany\Key1^Software\MyCompany\Key2.
-
[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
-[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md)
+[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md)
\ No newline at end of file
diff --git a/windows/deployment/planning/features-lifecycle.md b/windows/deployment/planning/features-lifecycle.md
index 2b515fbbd0..333be6284a 100644
--- a/windows/deployment/planning/features-lifecycle.md
+++ b/windows/deployment/planning/features-lifecycle.md
@@ -42,4 +42,4 @@ The following terms can be used to describe the status that might be assigned to
## Also see
-[Windows 10 release information](https://docs.microsoft.com/windows/release-health/release-information)
+[Windows 10 release information](/windows/release-health/release-information)
\ No newline at end of file
diff --git a/windows/deployment/planning/index.md b/windows/deployment/planning/index.md
index 76f55d16c6..518a1c29c4 100644
--- a/windows/deployment/planning/index.md
+++ b/windows/deployment/planning/index.md
@@ -27,9 +27,9 @@ Windows 10 provides new deployment capabilities, scenarios, and tools by buildi
## Related topics
- [Windows 10 servicing options for updates and upgrades](../update/index.md)
-- [Deploy Windows 10 with MDT](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
+- [Deploy Windows 10 with MDT](../deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md)
- [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
- [Upgrade to Windows 10 with MDT](../deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
-- [Upgrade to Windows 10 with Configuration Manager](../upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md)
-- [Windows Imaging and Configuration Designer](https://go.microsoft.com/fwlink/p/?LinkId=733911)
-
+- [Upgrade to Windows 10 with Configuration Manager](../deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md)
+- [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd)
+
\ No newline at end of file
diff --git a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md
index 99acb38299..53ac520c06 100644
--- a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md
+++ b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md
@@ -75,7 +75,7 @@ Because Windows To Go requires no additional software and minimal configuration,
Windows To Go uses volume activation. You can use either Active Directory-based activation or KMS activation with Windows To Go. The Windows To Go workspace counts as another installation when assessing compliance with application licensing agreements.
-Microsoft software, such as Microsoft Office, distributed to a Windows To Go workspace must also be activated. Office deployment is fully supported on Windows To Go. Please note, due to the retail subscription activation method associated with Microsoft 365 Apps for enterprise, Microsoft 365 Apps for enterprise subscribers are provided volume licensing activation rights for Office Professional Plus 2013 MSI for local installation on the Windows To Go drive. This is available to organizations who purchase Microsoft 365 Apps for enterprise or Office 365 Enterprise SKUs containing Microsoft 365 Apps for enterprise via volume licensing channels. For more information about activating Microsoft Office, see [Volume activation methods in Office 2013](https://go.microsoft.com/fwlink/p/?LinkId=618922).
+Microsoft software, such as Microsoft Office, distributed to a Windows To Go workspace must also be activated. Office deployment is fully supported on Windows To Go. Please note, due to the retail subscription activation method associated with Microsoft 365 Apps for enterprise, Microsoft 365 Apps for enterprise subscribers are provided volume licensing activation rights for Office Professional Plus 2013 MSI for local installation on the Windows To Go drive. This is available to organizations who purchase Microsoft 365 Apps for enterprise or Office 365 Enterprise SKUs containing Microsoft 365 Apps for enterprise via volume licensing channels. For more information about activating Microsoft Office, see [Volume activation methods in Office 2013](/DeployOffice/vlactivation/plan-volume-activation-of-office).
You should investigate other software manufacturer's licensing requirements to ensure they are compatible with roaming usage before deploying them to a Windows To Go workspace.
@@ -84,7 +84,7 @@ You should investigate other software manufacturer's licensing requirements to e
-See [Plan for Volume Activation](https://go.microsoft.com/fwlink/p/?LinkId=618923) for more information about these activation methods and how they can be used in your organization.
+See [Plan for Volume Activation](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj134042(v=ws.11)) for more information about these activation methods and how they can be used in your organization.
## Organizational unit structure and use of Group Policy Objects
@@ -103,14 +103,14 @@ If you configure Windows To Go drives for scenarios where drives may remain unus
## User account and data management
-People use computers to work with data and consume content - that is their core function. The data must be stored and retrievable for it to be useful. When users are working in a Windows To Go workspace, they need to have the ability to get to the data that they work with and to keep it accessible when the workspace is not being used. For this reason we recommend that you use folder redirection and offline files to redirect the path of local folders (such as the Documents folder) to a network location, while caching the contents locally for increased speed and availability. We also recommend that you use roaming user profiles to synchronize user specific settings so that users receive the same operating system and application settings when using their Windows To Go workspace and their desktop computer. When a user signs in using a domain account that is set up with a file share as the profile path, the user's profile is downloaded to the local computer and merged with the local profile (if present). When the user logs off the computer, the local copy of their profile, including any changes, is merged with the server copy of the profile. For more information, see [Folder Redirection, Offline Files, and Roaming User Profiles overview](https://go.microsoft.com/fwlink/p/?LinkId=618924).
+People use computers to work with data and consume content - that is their core function. The data must be stored and retrievable for it to be useful. When users are working in a Windows To Go workspace, they need to have the ability to get to the data that they work with and to keep it accessible when the workspace is not being used. For this reason we recommend that you use folder redirection and offline files to redirect the path of local folders (such as the Documents folder) to a network location, while caching the contents locally for increased speed and availability. We also recommend that you use roaming user profiles to synchronize user specific settings so that users receive the same operating system and application settings when using their Windows To Go workspace and their desktop computer. When a user signs in using a domain account that is set up with a file share as the profile path, the user's profile is downloaded to the local computer and merged with the local profile (if present). When the user logs off the computer, the local copy of their profile, including any changes, is merged with the server copy of the profile. For more information, see [Folder Redirection, Offline Files, and Roaming User Profiles overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)).
Windows To Go is fully integrated with your Microsoft account. Setting synchronization is accomplished by connecting a Microsoft account to a user account. Windows To Go devices fully support this feature and can be managed by Group Policy so that the customization and configurations you prefer will be applied to your Windows To Go workspace.
## Remote connectivity
-If you want Windows To Go to be able to connect back to organizational resources when it is being used off-premises a remote connectivity solution must be enabled. Windows Server 2012 DirectAccess can be used as can a virtual private network (VPN) solution. For more information about configuring a remote access solution, see the [Remote Access (DirectAccess, Routing and Remote Access) Overview](https://go.microsoft.com/fwlink/p/?LinkId=618925).
+If you want Windows To Go to be able to connect back to organizational resources when it is being used off-premises a remote connectivity solution must be enabled. Windows Server 2012 DirectAccess can be used as can a virtual private network (VPN) solution. For more information about configuring a remote access solution, see the [Remote Access (DirectAccess, Routing and Remote Access) Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn636119(v=ws.11)).
## Related topics
@@ -125,9 +125,3 @@ If you want Windows To Go to be able to connect back to organizational resources
-
-
-
-
-
-
diff --git a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md
index 952f743607..faa9cab6ed 100644
--- a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md
+++ b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md
@@ -30,9 +30,9 @@ One of the most important requirements to consider when you plan your Windows To
## Backup and restore
-As long as you are not saving data on the Windows To Go drive, there is no need for a backup and restore solution for Windows To Go. If you are saving data on the drive and are not using folder redirection and offline files, you should back up all of your data to a network location, such as cloud storage or a network share after each work session. Review the new and improved features described in [Supporting Information Workers with Reliable File Services and Storage](https://go.microsoft.com/fwlink/p/?LinkId=619102) for different solutions you could implement.
+As long as you are not saving data on the Windows To Go drive, there is no need for a backup and restore solution for Windows To Go. If you are saving data on the drive and are not using folder redirection and offline files, you should back up all of your data to a network location, such as cloud storage or a network share after each work session. Review the new and improved features described in [Supporting Information Workers with Reliable File Services and Storage](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831495(v=ws.11)) for different solutions you could implement.
-If the USB drive fails for any reason, the standard process to restore the drive to working condition is to reformat and re-provision the drive with Windows To Go, so all data and customization on the drive will be lost. This is another reason why using roaming user profiles, folder redirection and offline files with Windows To Go is strongly recommended. For more information, see [Folder Redirection, Offline Files, and Roaming User Profiles overview](https://go.microsoft.com/fwlink/p/?LinkId=618924).
+If the USB drive fails for any reason, the standard process to restore the drive to working condition is to reformat and re-provision the drive with Windows To Go, so all data and customization on the drive will be lost. This is another reason why using roaming user profiles, folder redirection and offline files with Windows To Go is strongly recommended. For more information, see [Folder Redirection, Offline Files, and Roaming User Profiles overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)).
## BitLocker
@@ -55,16 +55,16 @@ We recommend that you use the **NoDefaultDriveLetter** attribute when provisioni
To prevent accidental data leakage between Windows To Go and the host system Windows 8 has a new SAN policy—OFFLINE\_INTERNAL - “4” to prevent the operating system from automatically bringing online any internally connected disk. The default configuration for Windows To Go has this policy enabled. It is strongly recommended you do not change this policy to allow mounting of internal hard drives when booted into the Windows To Go workspace. If the internal drive contains a hibernated Windows 8 operating system, mounting the drive will lead to loss of hibernation state and, therefore, user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted.
-For more information, see [How to Configure Storage Area Network (SAN) Policy in Windows PE](https://go.microsoft.com/fwlink/p/?LinkId=619103).
+For more information, see [How to Configure Storage Area Network (SAN) Policy in Windows PE](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825063(v=win.10)).
## Security certifications for Windows To Go
Windows to Go is a core capability of Windows when it is deployed on the drive and is configured following the guidance for the applicable security certification. Solutions built using Windows To Go can be submitted for additional certifications by the solution provider that cover the solution provider’s specific hardware environment. For more details about Windows security certifications, see the following topics.
-- [Windows Platform Common Criteria Certification](https://go.microsoft.com/fwlink/p/?LinkId=619104)
+- [Windows Platform Common Criteria Certification](/windows/security/threat-protection/windows-platform-common-criteria)
-- [FIPS 140 Evaluation](https://go.microsoft.com/fwlink/p/?LinkId=619107)
+- [FIPS 140 Evaluation](/windows/security/threat-protection/fips-140-validation)
## Related topics
@@ -79,9 +79,3 @@ Windows to Go is a core capability of Windows when it is deployed on the drive a
-
-
-
-
-
-
diff --git a/windows/deployment/planning/windows-10-compatibility.md b/windows/deployment/planning/windows-10-compatibility.md
index 965ad4dad7..1689fef566 100644
--- a/windows/deployment/planning/windows-10-compatibility.md
+++ b/windows/deployment/planning/windows-10-compatibility.md
@@ -31,7 +31,7 @@ Existing desktop (Win32) application compatibility is also expected to be strong
Existing Windows Store (WinRT) apps created for Windows 8 and Windows 8.1 should also continue to work, because compatibility can be validated against all the apps that have been submitted to the Windows Store.
-For web apps and sites, modern HTML5-based sites should also have a high degree of compatibility and excellent performance through the new Microsoft Edge browser, while older web apps and sites can continue to use Internet Explorer 11 and the Enterprise Mode features that were first introduced in Windows 7 and Windows 8.1 and are still present in Windows 10. For more information about Internet Explorer and Enterprise Mode, see the [Internet Explorer 11 Deployment Guide for IT Pros.](https://go.microsoft.com/fwlink/p/?LinkId=734031)
+For web apps and sites, modern HTML5-based sites should also have a high degree of compatibility and excellent performance through the new Microsoft Edge browser, while older web apps and sites can continue to use Internet Explorer 11 and the Enterprise Mode features that were first introduced in Windows 7 and Windows 8.1 and are still present in Windows 10. For more information about Internet Explorer and Enterprise Mode, see the [Internet Explorer 11 Deployment Guide for IT Pros.](/internet-explorer/ie11-deploy-guide/)
## Recommended application testing process
@@ -53,9 +53,4 @@ Historically, organizations have performed extensive, and often exhaustive, test
-
-
-
-
-
-
+
\ No newline at end of file
diff --git a/windows/deployment/planning/windows-10-deployment-considerations.md b/windows/deployment/planning/windows-10-deployment-considerations.md
index acf11aa0ee..90d0c547cb 100644
--- a/windows/deployment/planning/windows-10-deployment-considerations.md
+++ b/windows/deployment/planning/windows-10-deployment-considerations.md
@@ -92,9 +92,9 @@ For organizations that did not take advantage of the free upgrade offer and are
For new computers acquired with Windows 10 preinstalled, you can leverage dynamic provisioning scenarios to transform the device from its initial state into a fully-configured organization PC. There are two primary dynamic provisioning scenarios you can use:
-- **User-driven, from the cloud.** By joining a device into Azure Active Directory and leveraging the automatic mobile device management (MDM) provisioning capabilities at the same time, an end user can initiate the provisioning process themselves just by entering the Azure Active Directory account and password (called their “work or school account” within Windows 10). The MDM service can then transform the device into a fully-configured organization PC. For more information, see [Azure Active Directory integration with MDM](https://go.microsoft.com/fwlink/p/?LinkId=625075).
+- **User-driven, from the cloud.** By joining a device into Azure Active Directory and leveraging the automatic mobile device management (MDM) provisioning capabilities at the same time, an end user can initiate the provisioning process themselves just by entering the Azure Active Directory account and password (called their “work or school account” within Windows 10). The MDM service can then transform the device into a fully-configured organization PC. For more information, see [Azure Active Directory integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm).
-- **IT admin-driven, using new tools.** Using the new Windows Imaging and Configuration Designer (ICD) tool, IT administrators can create provisioning packages that can be applied to a computer to transform it into a fully-configured organization PC. For more information, see [Windows Imaging and Configuration Designer](https://go.microsoft.com/fwlink/p/?LinkId=625076).
+- **IT admin-driven, using new tools.** Using the new Windows Imaging and Configuration Designer (ICD) tool, IT administrators can create provisioning packages that can be applied to a computer to transform it into a fully-configured organization PC. For more information, see [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd).
In either of these scenarios, you can make a variety of configuration changes to the PC:
@@ -124,9 +124,4 @@ The upgrade process is also optimized to reduce the overall time and network ban
-
-
-
-
-
-
+
\ No newline at end of file
diff --git a/windows/deployment/planning/windows-10-deprecated-features.md b/windows/deployment/planning/windows-10-deprecated-features.md
index 2012a23148..ccc51614a9 100644
--- a/windows/deployment/planning/windows-10-deprecated-features.md
+++ b/windows/deployment/planning/windows-10-deprecated-features.md
@@ -27,28 +27,28 @@ The features described below are no longer being actively developed, and might b
|Feature | Details and mitigation | Announced in version |
| ----------- | --------------------- | ---- |
| Microsoft Edge | The legacy version of Microsoft Edge is no longer being developed.| 2004 |
-| Companion Device Framework | The [Companion Device Framework](https://docs.microsoft.com/windows-hardware/design/device-experiences/windows-hello-companion-device-framework) is no longer under active development.| 2004 |
-| Dynamic Disks | The [Dynamic Disks](https://docs.microsoft.com/windows/win32/fileio/basic-and-dynamic-disks#dynamic-disks) feature is no longer being developed. This feature will be fully replaced by [Storage Spaces](https://docs.microsoft.com/windows-server/storage/storage-spaces/overview) in a future release.| 2004 |
+| Companion Device Framework | The [Companion Device Framework](/windows-hardware/design/device-experiences/windows-hello-companion-device-framework) is no longer under active development.| 2004 |
+| Dynamic Disks | The [Dynamic Disks](/windows/win32/fileio/basic-and-dynamic-disks#dynamic-disks) feature is no longer being developed. This feature will be fully replaced by [Storage Spaces](/windows-server/storage/storage-spaces/overview) in a future release.| 2004 |
| Language Community tab in Feedback Hub | The Language Community tab will be removed from the Feedback Hub. The standard feedback process: [Feedback Hub - Feedback](feedback-hub://?newFeedback=true&feedbackType=2) is the recommended way to provide translation feedback. | 1909 |
| My People / People in the Shell | My People is no longer being developed. It may be removed in a future update. | 1909 |
-| Package State Roaming (PSR) | PSR will be removed in a future update. PSR allows non-Microsoft developers to access roaming data on devices, enabling developers of UWP applications to write data to Windows and synchronize it to other instantiations of Windows for that user.
The recommended replacement for PSR is [Azure App Service](https://docs.microsoft.com/azure/app-service/). Azure App Service is widely supported, well documented, reliable, and supports cross-platform/cross-ecosystem scenarios such as iOS, Android and web. | 1909 |
+| Package State Roaming (PSR) | PSR will be removed in a future update. PSR allows non-Microsoft developers to access roaming data on devices, enabling developers of UWP applications to write data to Windows and synchronize it to other instantiations of Windows for that user.
The recommended replacement for PSR is [Azure App Service](/azure/app-service/). Azure App Service is widely supported, well documented, reliable, and supports cross-platform/cross-ecosystem scenarios such as iOS, Android and web. | 1909 |
| XDDM-based remote display driver | Starting with this release, the Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release. Independent Software Vendors that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information about implementing a remote indirect display driver, ISVs can reach out to [rdsdev@microsoft.com](mailto:rdsdev@microsoft.com). | 1903 |
| Taskbar settings roaming | Roaming of taskbar settings is no longer being developed and we plan to remove this capability in a future release. | 1903 |
| Wi-Fi WEP and TKIP | Since the 1903 release, a warning message has appeared when connecting to Wi-Fi networks secured with WEP or TKIP (which are not as secure as those using WPA2 or WPA3). In a future release, any connection to a Wi-Fi network using these old ciphers will be disallowed. Wi-Fi routers should be updated to use AES ciphers, available with WPA2 or WPA3. | 1903 |
| Windows To Go | Windows To Go is no longer being developed.
The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.| 1903 |
| Print 3D app | Going forward, 3D Builder is the recommended 3D printing app. To 3D print objects on new Windows devices, customers must first install 3D Builder from the Store.| 1903 |
-|Companion device dynamic lock APIS|The companion device framework (CDF) APIs enable wearables and other devices to unlock a PC. In Windows 10, version 1709, we introduced [Dynamic Lock](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features#dynamic-lock), including an inbox method using Bluetooth to detect whether a user is present and lock or unlock the PC. Because of this, and because non-Microsoft partners didn't adopt the CDF method, we're no longer developing CDF Dynamic Lock APIs.| 1809 |
+|Companion device dynamic lock APIS|The companion device framework (CDF) APIs enable wearables and other devices to unlock a PC. In Windows 10, version 1709, we introduced [Dynamic Lock](/windows/security/identity-protection/hello-for-business/hello-features#dynamic-lock), including an inbox method using Bluetooth to detect whether a user is present and lock or unlock the PC. Because of this, and because non-Microsoft partners didn't adopt the CDF method, we're no longer developing CDF Dynamic Lock APIs.| 1809 |
|OneSync service|The OneSync service synchronizes data for the Mail, Calendar, and People apps. We've added a sync engine to the Outlook app that provides the same synchronization.| 1809 |
|Snipping Tool|The Snipping Tool is an application included in Windows 10 that is used to capture screenshots, either the full screen or a smaller, custom "snip" of the screen. In Windows 10, version 1809, we're [introducing a new universal app, Snip & Sketch](https://blogs.windows.com/windowsexperience/2018/05/03/announcing-windows-10-insider-preview-build-17661/#8xbvP8vMO0lF20AM.97), that provides the same screen snipping abilities, as well as additional features. You can launch Snip & Sketch directly and start a snip from there, or just press WIN + Shift + S. Snip & Sketch can also be launched from the “Screen snip” button in the Action Center. We're no longer developing the Snipping Tool as a separate app but are instead consolidating its functionality into Snip & Sketch.| 1809 |
-|[Software Restriction Policies](https://docs.microsoft.com/windows-server/identity/software-restriction-policies/software-restriction-policies) in Group Policy|Instead of using the Software Restriction Policies through Group Policy, you can use [AppLocker](https://docs.microsoft.com/windows/security/threat-protection/applocker/applocker-overview) or [Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control) to control which apps users can access and what code can run in the kernel.| 1803 |
-|[Offline symbol packages](https://docs.microsoft.com/windows-hardware/drivers/debugger/debugger-download-symbols) (Debug symbol MSIs)|We're no longer making the symbol packages available as a downloadable MSI. Instead, the [Microsoft Symbol Server is moving to be an Azure-based symbol store](https://blogs.msdn.microsoft.com/windbg/2017/10/18/update-on-microsofts-symbol-server/). If you need the Windows symbols, connect to the Microsoft Symbol Server to cache your symbols locally or use a manifest file with SymChk.exe on a computer with internet access.| 1803 |
+|[Software Restriction Policies](/windows-server/identity/software-restriction-policies/software-restriction-policies) in Group Policy|Instead of using the Software Restriction Policies through Group Policy, you can use [AppLocker](/windows/security/threat-protection/applocker/applocker-overview) or [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control) to control which apps users can access and what code can run in the kernel.| 1803 |
+|[Offline symbol packages](/windows-hardware/drivers/debugger/debugger-download-symbols) (Debug symbol MSIs)|We're no longer making the symbol packages available as a downloadable MSI. Instead, the [Microsoft Symbol Server is moving to be an Azure-based symbol store](/archive/blogs/windbg/update-on-microsofts-symbol-server). If you need the Windows symbols, connect to the Microsoft Symbol Server to cache your symbols locally or use a manifest file with SymChk.exe on a computer with internet access.| 1803 |
|Windows Help Viewer (WinHlp32.exe)|All Windows help information is [available online](https://support.microsoft.com/products/windows?os=windows-10). The Windows Help Viewer is no longer supported in Windows 10. If for any reason you see an error message about "help not supported," possibly when using a non-Microsoft application, read [this support article](https://support.microsoft.com/help/917607/error-opening-help-in-windows-based-programs-feature-not-included-or-h) for additional information and any next steps.| 1803 |
-|MBAE service metadata|The MBAE app experience is replaced by an MO UWP app. For more information, see [Developer guide for creating service metadata](https://docs.microsoft.com/windows-hardware/drivers/mobilebroadband/developer-guide-for-creating-service-metadata) | 1803 |
-|Contacts feature in File Explorer|We're no longer developing the Contacts feature or the corresponding [Windows Contacts API](https://msdn.microsoft.com/library/ff800913.aspx). Instead, you can use the People app in Windows 10 to maintain your contacts.| 1803 |
+|MBAE service metadata|The MBAE app experience is replaced by an MO UWP app. For more information, see [Developer guide for creating service metadata](/windows-hardware/drivers/mobilebroadband/developer-guide-for-creating-service-metadata) | 1803 |
+|Contacts feature in File Explorer|We're no longer developing the Contacts feature or the corresponding [Windows Contacts API](/previous-versions/windows/desktop/wincontacts/-wincontacts-entry-point). Instead, you can use the People app in Windows 10 to maintain your contacts.| 1803 |
|Phone Companion|Use the **Phone** page in the Settings app. In Windows 10, version 1709, we added the new **Phone** page to help you sync your mobile phone with your PC. It includes all the Phone Companion features.| 1803 |
|IPv4/6 Transition Technologies (6to4, ISATAP, Teredo, and Direct Tunnels)|6to4 has been disabled by default since Windows 10, version 1607 (the Anniversary Update), ISATAP has been disabled by default since Windows 10, version 1703 (the Creators Update), Teredo has been disabled since Windows 10, version 1803, and Direct Tunnels has always been disabled by default. Please use native IPv6 support instead.| 1803 |
-|[Layered Service Providers](https://msdn.microsoft.com/library/windows/desktop/bb513664)|Layered Service Providers has not been developed since Windows 8 and Windows Server 2012. Use the [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510) instead. When you upgrade from an older version of Windows, any layered service providers you're using aren't migrated; you'll need to re-install them after upgrading.| 1803 |
-|Business Scanning| This feature is also called Distributed Scan Management (DSM) **(Added 05/03/2018)**
The [Scan Management functionality](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759124(v=ws.11)) was introduced in Windows 7 and enabled secure scanning and the management of scanners in an enterprise. We're no longer investing in this feature, and there are no devices available that support it.| 1803 |
+|[Layered Service Providers](/windows/win32/winsock/categorizing-layered-service-providers-and-applications)|Layered Service Providers has not been developed since Windows 8 and Windows Server 2012. Use the [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page) instead. When you upgrade from an older version of Windows, any layered service providers you're using aren't migrated; you'll need to re-install them after upgrading.| 1803 |
+|Business Scanning| This feature is also called Distributed Scan Management (DSM) **(Added 05/03/2018)**
The [Scan Management functionality](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759124(v=ws.11)) was introduced in Windows 7 and enabled secure scanning and the management of scanners in an enterprise. We're no longer investing in this feature, and there are no devices available that support it.| 1803 |
|IIS 6 Management Compatibility* | We recommend that users use alternative scripting tools and a newer management console. | 1709 |
|IIS Digest Authentication | We recommend that users use alternative authentication methods.| 1709 |
|RSA/AES Encryption for IIS | We recommend that users use CNG encryption provider. | 1709 |
@@ -62,8 +62,8 @@ The features described below are no longer being actively developed, and might b
|Windows Hello for Business deployment that uses Microsoft Endpoint Manager |Windows Server 2016 Active Directory Federation Services – Registration Authority (ADFS RA) deployment is simpler and provides a better user experience and a more deterministic certificate enrollment experience. | 1709 |
|Windows PowerShell 2.0 | Applications and components should be migrated to PowerShell 5.0+. | 1709 |
|Apndatabase.xml | Apndatabase.xml is being replaced by the COSA database. Therefore, some constructs will no longer function. This includes Hardware ID, incoming SMS messaging rules in mobile apps, a list of privileged apps in mobile apps, autoconnect order, APN parser, and CDMAProvider ID. | 1703 |
-|Tile Data Layer | The [Tile Data Layer](https://docs.microsoft.com/windows/configuration/start-layout-troubleshoot#symptom-start-menu-issues-with-tile-data-layer-corruption) database stopped development in Windows 10, version 1703. | 1703 |
-|TLS DHE_DSS ciphers DisabledByDefault| [TLS RC4 Ciphers](https://docs.microsoft.com/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server) will be disabled by default in this release. | 1703 |
-|TCPChimney | TCP Chimney Offload is no longer being developed. See [Performance Tuning Network Adapters](https://docs.microsoft.com/windows-server/networking/technologies/network-subsystem/net-sub-performance-tuning-nics). | 1703 |
-|IPsec Task Offload| [IPsec Task Offload](https://docs.microsoft.com/windows-hardware/drivers/network/task-offload) versions 1 and 2 are no longer being developed and should not be used. | 1703 |
-|wusa.exe /uninstall /kb:####### /quiet|The wusa usage to quietly uninstall an update has been deprecated. The uninstall command with /quiet switch fails with event ID 8 in the Setup event log. Uninstalling updates quietly could be a security risk because malicious software could quietly uninstall an update in the background without user intervention.|1507
Applies to Windows Server 2016 and Windows Server 2019 as well.|
+|Tile Data Layer | The [Tile Data Layer](/windows/configuration/start-layout-troubleshoot#symptom-start-menu-issues-with-tile-data-layer-corruption) database stopped development in Windows 10, version 1703. | 1703 |
+|TLS DHE_DSS ciphers DisabledByDefault| [TLS RC4 Ciphers](/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server) will be disabled by default in this release. | 1703 |
+|TCPChimney | TCP Chimney Offload is no longer being developed. See [Performance Tuning Network Adapters](/windows-server/networking/technologies/network-subsystem/net-sub-performance-tuning-nics). | 1703 |
+|IPsec Task Offload| [IPsec Task Offload](/windows-hardware/drivers/network/task-offload) versions 1 and 2 are no longer being developed and should not be used. | 1703 |
+|wusa.exe /uninstall /kb:####### /quiet|The wusa usage to quietly uninstall an update has been deprecated. The uninstall command with /quiet switch fails with event ID 8 in the Setup event log. Uninstalling updates quietly could be a security risk because malicious software could quietly uninstall an update in the background without user intervention.|1507
Applies to Windows Server 2016 and Windows Server 2019 as well.|
\ No newline at end of file
diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md
index b48649cf32..a70b3498c4 100644
--- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md
+++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md
@@ -52,11 +52,11 @@ For many devices, drivers will be automatically installed in Windows 10 and ther
### Where can I find out if an application or device is compatible with Windows 10?
-Many existing Win32 and Win64 applications already run reliably on Windows 10 without any changes. You can also expect strong compatibility and support for Web apps and devices. The [Ready for Windows](https://www.readyforwindows.com/) website lists software solutions that are supported and in use for Windows 10. You can find additional guidance to help with application compatibility at [Windows 10 application compatibility](https://technet.microsoft.com/windows/mt703793) on the Windows IT Center.
+Many existing Win32 and Win64 applications already run reliably on Windows 10 without any changes. You can also expect strong compatibility and support for Web apps and devices. The [Ready for Windows](https://www.readyforwindows.com/) website lists software solutions that are supported and in use for Windows 10. You can find additional guidance to help with application compatibility at [Windows 10 application compatibility](/windows/windows-10/) on the Windows IT Center.
### Is there an easy way to assess if my organization’s devices are ready to upgrade to Windows 10?
-[Windows Analytics Upgrade Readiness](https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics) (formerly known as Upgrade Analytics) provides powerful insights and recommendations about the computers, applications, and drivers in your organization, at no extra cost and without additional infrastructure requirements. This new service guides you through your upgrade and feature update projects using a workflow based on Microsoft recommended practices. Up-to-date inventory data allows you to balance cost and risk in your upgrade projects. You can find additional product information at [Windows Analytics](https://www.microsoft.com/WindowsForBusiness/Windows-Analytics).
+[Windows Analytics Upgrade Readiness](/mem/configmgr/desktop-analytics/overview) (formerly known as Upgrade Analytics) provides powerful insights and recommendations about the computers, applications, and drivers in your organization, at no extra cost and without additional infrastructure requirements. This new service guides you through your upgrade and feature update projects using a workflow based on Microsoft recommended practices. Up-to-date inventory data allows you to balance cost and risk in your upgrade projects. You can find additional product information at [Windows Analytics](https://www.microsoft.com/WindowsForBusiness/Windows-Analytics).
## Administration and deployment
@@ -69,7 +69,7 @@ Updated versions of Microsoft deployment tools, including MDT, Configuration Man
### Can I upgrade computers from Windows 7 or Windows 8.1 without deploying a new image?
-Computers running Windows 7 or Windows 8.1 can be upgraded directly to Windows 10 through the in-place upgrade process without a need to reimage the device using MDT and/or Configuration Manager. For more information, see [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager) or [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit).
+Computers running Windows 7 or Windows 8.1 can be upgraded directly to Windows 10 through the in-place upgrade process without a need to reimage the device using MDT and/or Configuration Manager. For more information, see [Upgrade to Windows 10 with Microsoft Endpoint Configuration Manager](../deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md) or [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md).
### Can I upgrade from Windows 7 Enterprise or Windows 8.1 Enterprise to Windows 10 Enterprise for free?
@@ -81,7 +81,7 @@ For devices that are licensed under a volume license agreement for Windows that
### What is Windows as a service?
-The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time. For more information, see [Overview of Windows as a service](https://technet.microsoft.com/itpro/windows/manage/waas-overview).
+The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time. For more information, see [Overview of Windows as a service](../update/waas-overview.md).
### How is servicing different with Windows as a service?
@@ -89,7 +89,7 @@ Traditional Windows servicing has included several release types: major revision
### What are the servicing channels?
-To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing channels to allow customers to designate how aggressively their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. With that in mind, Microsoft offers two servicing channels for Windows 10: Semi-Annual Channel, and Long-Term Servicing Channel (LTSC). For details about the versions in each servicing channel, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). For more information on each channel, see [servicing channels](/windows/deployment/update/waas-overview#servicing-channels).
+To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing channels to allow customers to designate how aggressively their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. With that in mind, Microsoft offers two servicing channels for Windows 10: Semi-Annual Channel, and Long-Term Servicing Channel (LTSC). For details about the versions in each servicing channel, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). For more information on each channel, see [servicing channels](../update/waas-overview.md#servicing-channels).
### What tools can I use to manage Windows as a service updates?
@@ -99,13 +99,13 @@ There are many tools are available. You can choose from these:
- Windows Server Update Services
- Microsoft Endpoint Configuration Manager
-For more information on pros and cons for these tools, see [Servicing Tools](/windows/deployment/update/waas-overview#servicing-tools).
+For more information on pros and cons for these tools, see [Servicing Tools](../update/waas-overview.md#servicing-tools).
## User experience
### Where can I find information about new features and changes in Windows 10 Enterprise?
-For an overview of the new enterprise features in Windows 10 Enterprise, see [What's new in Windows 10](https://technet.microsoft.com/itpro/windows/whats-new/index) and [What's new in Windows 10, version 1703](/windows/whats-new/whats-new-windows-10-version-1703) in the Docs library.
+For an overview of the new enterprise features in Windows 10 Enterprise, see [What's new in Windows 10](/windows/whats-new/) and [What's new in Windows 10, version 1703](/windows/whats-new/whats-new-windows-10-version-1703) in the Docs library.
Another place to track the latest information about new features of interest to IT professionals is the [Windows for IT Pros blog](https://blogs.technet.microsoft.com/windowsitpro/). Here you’ll find announcements of new features, information on updates to the Windows servicing model, and details about the latest resources to help you more easily deploy and manage Windows 10.
@@ -113,7 +113,7 @@ To find out which version of Windows 10 is right for your organization, you can
### How will people in my organization adjust to using Windows 10 Enterprise after upgrading from Windows 7 or Windows 8.1?
-Windows 10 combines the best aspects of the user experience from Windows 8.1 and Windows 7 to make using Windows simple and straightforward. Users of Windows 7 will find the Start menu in the same location as they always have. In the same place, users of Windows 8.1 will find the live tiles from their Start screen, accessible by the Start button in the same way as they were accessed in Windows 8.1. To help you make the transition a seamless one, download the [Windows 10 Adoption Planning Kit](https://info.microsoft.com/Windows10AdoptionPlanningKit) and see our [end user readiness](https://technet.microsoft.com/windows/dn621092) resources.
+Windows 10 combines the best aspects of the user experience from Windows 8.1 and Windows 7 to make using Windows simple and straightforward. Users of Windows 7 will find the Start menu in the same location as they always have. In the same place, users of Windows 8.1 will find the live tiles from their Start screen, accessible by the Start button in the same way as they were accessed in Windows 8.1. To help you make the transition a seamless one, download the [Windows 10 Adoption Planning Kit](https://info.microsoft.com/Windows10AdoptionPlanningKit) and see our [end user readiness](/windows/windows-10/) resources.
### How does Windows 10 help people work with applications and data across a variety of devices?
@@ -131,4 +131,4 @@ Use the following resources for additional information about Windows 10.
- If you are an IT professional or if you have a question about administering, managing, or deploying Windows 10 in your organization or business, visit the [Windows 10 IT Professional forums](https://social.technet.microsoft.com/forums/home?category=windows10itpro) on TechNet.
- If you are an end user or if you have a question about using Windows 10, visit the [Windows 10 forums on Microsoft Community](https://answers.microsoft.com/windows/forum/windows_10).
- If you are a developer or if you have a question about making apps for Windows 10, visit the [Windows Desktop Development forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsdesktopdev) or [Windows and Windows phone apps forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsapps) on MSDN.
-- If you have a question about Internet Explorer, visit the [Internet Explorer forums](https://social.technet.microsoft.com/forums/ie/en-us/home) on TechNet.
+- If you have a question about Internet Explorer, visit the [Internet Explorer forums](https://social.technet.microsoft.com/forums/ie/en-us/home) on TechNet.
\ No newline at end of file
diff --git a/windows/deployment/planning/windows-10-infrastructure-requirements.md b/windows/deployment/planning/windows-10-infrastructure-requirements.md
index ccc6b27193..cbb4f663b4 100644
--- a/windows/deployment/planning/windows-10-infrastructure-requirements.md
+++ b/windows/deployment/planning/windows-10-infrastructure-requirements.md
@@ -32,19 +32,19 @@ For persistent VDI environments, carefully consider the I/O impact from upgradin
## Deployment tools
-The latest version of the Windows Assessment and Deployment Toolkit (ADK) is available for download [here](https://docs.microsoft.com/windows-hardware/get-started/adk-install).
+The latest version of the Windows Assessment and Deployment Toolkit (ADK) is available for download [here](/windows-hardware/get-started/adk-install).
Significant enhancements in the ADK for Windows 10 include new runtime provisioning capabilities, which leverage the Windows Imaging and Configuration Designer (Windows ICD), as well as updated versions of existing deployment tools (DISM, USMT, Windows PE, and more).
-The latest version of the Microsoft Deployment Toolkit (MDT) is available for download [here](https://docs.microsoft.com/mem/configmgr/mdt/release-notes).
+The latest version of the Microsoft Deployment Toolkit (MDT) is available for download [here](/mem/configmgr/mdt/release-notes).
-For Configuration Manager, Windows 10 version specific support is offered with [various releases](https://docs.microsoft.com/mem/configmgr/core/plan-design/configs/support-for-windows-10).
+For Configuration Manager, Windows 10 version specific support is offered with [various releases](/mem/configmgr/core/plan-design/configs/support-for-windows-10).
For more details about Microsoft Endpoint Manager support for Windows 10, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
## Management tools
-In addition to Microsoft Endpoint Configuration Manager, Windows 10 also leverages other tools for management. For Windows Server and Active Directory, existing supported versions are fully supported for Windows 10. New Group Policy templates will be needed to configure new settings available in Windows 10; these templates are available in the Windows 10 media images, and are available as a separate download [here](https://go.microsoft.com/fwlink/p/?LinkId=625081). See [Group Policy settings reference](https://go.microsoft.com/fwlink/p/?LinkId=625082) for a list of the new and modified policy settings. If you are using a central policy store, follow the steps outlined [here](https://go.microsoft.com/fwlink/p/?LinkId=625083) to update the ADMX files stored in that central store.
+In addition to Microsoft Endpoint Configuration Manager, Windows 10 also leverages other tools for management. For Windows Server and Active Directory, existing supported versions are fully supported for Windows 10. New Group Policy templates will be needed to configure new settings available in Windows 10; these templates are available in the Windows 10 media images, and are available as a separate download [here](https://go.microsoft.com/fwlink/p/?LinkId=625081). See [Group Policy settings reference](https://go.microsoft.com/fwlink/p/?LinkId=625082) for a list of the new and modified policy settings. If you are using a central policy store, follow the steps outlined [here](/troubleshoot/windows-server/group-policy/create-central-store-domain-controller) to update the ADMX files stored in that central store.
No new Active Directory schema updates or specific functional levels are currently required for core Windows 10 product functionality, although subsequent upgrades could require these to support new features.
@@ -58,9 +58,9 @@ Microsoft Desktop Optimization Pack (MDOP) has been updated to support Windows
| Microsoft BitLocker Administration and Monitoring (MBAM) | MBAM 2.5 SP1 (2.5 is OK) |
| User Experience Virtualization (UE-V) | UE-V 2.1 SP1 |
-For more information, see the [MDOP TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=625090).
+For more information, see the [MDOP TechCenter](/microsoft-desktop-optimization-pack/).
-For devices you manage with mobile device management (MDM) solutions such as Microsoft Intune, existing capabilities (provided initially in Windows 8.1) are fully supported in Windows 10; new Windows 10 MDM settings and capabilities will require updates to the MDM services. See [Mobile device management](https://go.microsoft.com/fwlink/p/?LinkId=625084) for more information.
+For devices you manage with mobile device management (MDM) solutions such as Microsoft Intune, existing capabilities (provided initially in Windows 8.1) are fully supported in Windows 10; new Windows 10 MDM settings and capabilities will require updates to the MDM services. See [Mobile device management](/windows/client-management/mdm/) for more information.
Windows Server Update Services (WSUS) requires some additional configuration to receive updates for Windows 10. Use the Windows Server Update Services admin tool and follow these instructions:
@@ -72,7 +72,7 @@ Windows Server Update Services (WSUS) requires some additional configuration to
WSUS product list with Windows 10 choices
-Because Windows 10 updates are cumulative in nature, each month’s new update will supersede the previous month's. Consider leveraging “express installation” packages to reduce the size of the payload that needs to be sent to each PC each month; see [Express installation files](https://go.microsoft.com/fwlink/p/?LinkId=625086) for more information. (Note that this will increase the amount of disk storage needed by WSUS, and impacts all operating systems being managed with WSUS.)
+Because Windows 10 updates are cumulative in nature, each month’s new update will supersede the previous month's. Consider leveraging “express installation” packages to reduce the size of the payload that needs to be sent to each PC each month; see [Express installation files](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd939908(v=ws.10)) for more information. (Note that this will increase the amount of disk storage needed by WSUS, and impacts all operating systems being managed with WSUS.)
## Activation
@@ -85,7 +85,7 @@ Windows 10 volume license editions of Windows 10 will continue to support all
| Windows Server 2012 and Windows 8 | [https://support.microsoft.com/kb/3058168](https://go.microsoft.com/fwlink/p/?LinkId=625087) |
| Windows Server 2008 R2 and Windows 7 | [https://support.microsoft.com/kb/3079821](https://support.microsoft.com/kb/3079821) |
-Also see: [Windows Server 2016 Volume Activation Tips](https://blogs.technet.microsoft.com/askcore/2016/10/19/windows-server-2016-volume-activation-tips/)
+Also see: [Windows Server 2016 Volume Activation Tips](/archive/blogs/askcore/windows-server-2016-volume-activation-tips)
Additionally, new product keys will be needed for all types of volume license activation (KMS, MAK, and AD-based Activation); these keys are available on the Volume Licensing Service Center (VLSC) for customers with rights to the Windows 10 operating system. To find the needed keys:
@@ -103,9 +103,4 @@ Note that Windows 10 Enterprise and Windows 10 Enterprise LTSC installations u
-
-
-
-
-
-
+
\ No newline at end of file
diff --git a/windows/deployment/planning/windows-10-removed-features.md b/windows/deployment/planning/windows-10-removed-features.md
index 22163f17a9..e760025b65 100644
--- a/windows/deployment/planning/windows-10-removed-features.md
+++ b/windows/deployment/planning/windows-10-removed-features.md
@@ -28,28 +28,28 @@ The following features and functionalities have been removed from the installed
|Feature | Details and mitigation | Removed in version |
| ----------- | --------------------- | ------ |
-|Microsoft Edge|The legacy version of Microsoft Edge is no longer supported after March 9th, 2021. For more information, see [End of support reminder for Microsoft Edge Legacy](https://docs.microsoft.com/lifecycle/announcements/edge-legacy-eos-details). | 21H1 |
+|Microsoft Edge|The legacy version of Microsoft Edge is no longer supported after March 9th, 2021. For more information, see [End of support reminder for Microsoft Edge Legacy](/lifecycle/announcements/edge-legacy-eos-details). | 21H1 |
|MBAE service metadata|The MBAE app experience is replaced by an MO UWP app. Metadata for the MBAE service is removed. | 20H2 |
| Connect app | The **Connect** app for wireless projection using Miracast is no longer installed by default, but is available as an optional feature. To install the app, click on **Settings** > **Apps** > **Optional features** > **Add a feature** and then install the **Wireless Display** app. | 2004 |
| Rinna and Japanese Address suggestion | The Rinna and Japanese Address suggestion service for Microsoft Japanese Input Method Editor (IME) ended on August 13th, 2020. For more information, see [Rinna and Japanese Address suggestion will no longer be offered](https://support.microsoft.com/help/4576767/windows-10-rinna-and-japanese-address-suggestion) | 2004 |
-| Cortana | Cortana has been updated and enhanced in the Windows 10 May 2020 Update. With [these changes](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-2004#cortana), some previously available consumer skills such as music, connected home, and other non-Microsoft skills are no longer available. | 2004 |
+| Cortana | Cortana has been updated and enhanced in the Windows 10 May 2020 Update. With [these changes](/windows/whats-new/whats-new-windows-10-version-2004#cortana), some previously available consumer skills such as music, connected home, and other non-Microsoft skills are no longer available. | 2004 |
| Windows To Go | Windows To Go was announced as deprecated in Windows 10, version 1903 and is removed in this release. | 2004 |
| Mobile Plans and Messaging apps | Both apps are still supported, but are now distributed in a different way. OEMs can now include these apps in Windows images for cellular enabled devices. The apps are removed for non-cellular devices.| 2004 |
| PNRP APIs| The Peer Name Resolution Protocol (PNRP) cloud service was removed in Windows 10, version 1809. We are planning to complete the removal process by removing the corresponding APIs. | 1909 |
| Taskbar settings roaming | Roaming of taskbar settings is removed in this release. This feature was announced as no longer being developed in Windows 10, version 1903. | 1909 |
| Desktop messaging app doesn't offer messages sync | The messaging app on Desktop has a sync feature that can be used to sync SMS text messages received from Windows Mobile and keep a copy of them on the Desktop. The sync feature has been removed from all devices. Due to this change, you will only be able to access messages from the device that received the message. | 1903 |
|Business Scanning, also called Distributed Scan Management (DSM)|We're removing this secure scanning and scanner management capability - there are no devices that support this feature.| 1809 |
-|[FontSmoothing setting](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-visualeffects-fontsmoothing) in unattend.xml|The FontSmoothing setting let you specify the font antialiasing strategy to use across the system. We've changed Windows 10 to use [ClearType](https://docs.microsoft.com/typography/cleartype/) by default, so we're removing this setting as it is no longer necessary. If you include this setting in the unattend.xml file, it'll be ignored.| 1809 |
+|[FontSmoothing setting](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-visualeffects-fontsmoothing) in unattend.xml|The FontSmoothing setting let you specify the font antialiasing strategy to use across the system. We've changed Windows 10 to use [ClearType](/typography/cleartype/) by default, so we're removing this setting as it is no longer necessary. If you include this setting in the unattend.xml file, it'll be ignored.| 1809 |
|Hologram app|We've replaced the Hologram app with the [Mixed Reality Viewer](https://support.microsoft.com/help/4041156/windows-10-mixed-reality-help). If you would like to create 3D word art, you can still do that in Paint 3D and view your art in VR or Hololens with the Mixed Reality Viewer.| 1809 |
|limpet.exe|We're releasing the limpet.exe tool, used to access TPM for Azure connectivity, as open source.| 1809 |
|Phone Companion|When you update to Windows 10, version 1809, the Phone Companion app will be removed from your PC. Use the **Phone** page in the Settings app to sync your mobile phone with your PC. It includes all the Phone Companion features.| 1809 |
-|Future updates through [Windows Embedded Developer Update](https://docs.microsoft.com/previous-versions/windows/embedded/ff770079\(v=winembedded.60\)) for Windows Embedded Standard 7-SP1 (WES7-SP1) and Windows Embedded Standard 8 (WES8)|We’re no longer publishing new updates to the WEDU server. Instead, you may secure any new updates from the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx). [Learn how](https://techcommunity.microsoft.com/t5/Windows-Embedded/Change-to-the-Windows-Embedded-Developer-Update/ba-p/285704) to get updates from the catalog.| 1809 |
+|Future updates through [Windows Embedded Developer Update](/previous-versions/windows/embedded/ff770079(v=winembedded.60)) for Windows Embedded Standard 7-SP1 (WES7-SP1) and Windows Embedded Standard 8 (WES8)|We’re no longer publishing new updates to the WEDU server. Instead, you may secure any new updates from the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx). [Learn how](https://techcommunity.microsoft.com/t5/Windows-Embedded/Change-to-the-Windows-Embedded-Developer-Update/ba-p/285704) to get updates from the catalog.| 1809 |
|Groove Music Pass|[We ended the Groove streaming music service and music track sales through the Microsoft Store in 2017](https://support.microsoft.com/help/4046109/groove-music-and-spotify-faq). The Groove app is being updated to reflect this change. You can still use Groove Music to play the music on your PC. You can use Spotify or other music services to stream music on Windows 10, or to buy music to own.| 1803 |
|People - Suggestions will no longer include unsaved contacts for non-Microsoft accounts|Manually save the contact details for people you send mail to or get mail from.| 1803 |
|Language control in the Control Panel| Use the Settings app to change your language settings.| 1803 |
|HomeGroup|We are removing [HomeGroup](https://support.microsoft.com/help/17145) but not your ability to share printers, files, and folders.
When you update to Windows 10, version 1803, you won't see HomeGroup in File Explorer, the Control Panel, or Troubleshoot (**Settings > Update & Security > Troubleshoot**). Any printers, files, and folders that you shared using HomeGroup **will continue to be shared**.
Instead of using HomeGroup, you can now share printers, files and folders by using features that are built into Windows 10:
- [Share your network printer](https://www.bing.com/search?q=share+printer+windows+10)
- [Share files in File Explorer](https://support.microsoft.com/help/4027674/windows-10-share-files-in-file-explorer) | 1803 |
|**Connect to suggested open hotspots** option in Wi-Fi settings |We previously [disabled the **Connect to suggested open hotspots** option](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) and are now removing it from the Wi-Fi settings page. You can manually connect to free wireless hotspots with **Network & Internet** settings, from the taskbar or Control Panel, or by using Wi-Fi Settings (for mobile devices).| 1803 |
-|XPS Viewer|We're changing the way you get XPS Viewer. In Windows 10, version 1709 and earlier versions, the app is included in the installation image. If you have XPS Viewer and you update to Windows 10, version 1803, there's no action required. You'll still have XPS Viewer.
However, if you install Windows 10, version 1803, on a new device (or as a clean installation), you may need to [install XPS Viewer from **Apps and Features** in the Settings app](https://docs.microsoft.com/windows/application-management/add-apps-and-features) or through [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). If you had XPS Viewer in Windows 10, version 1709, but manually removed it before updating, you'll need to manually reinstall it.| 1803 |
+|XPS Viewer|We're changing the way you get XPS Viewer. In Windows 10, version 1709 and earlier versions, the app is included in the installation image. If you have XPS Viewer and you update to Windows 10, version 1803, there's no action required. You'll still have XPS Viewer.
However, if you install Windows 10, version 1803, on a new device (or as a clean installation), you may need to [install XPS Viewer from **Apps and Features** in the Settings app](/windows/application-management/add-apps-and-features) or through [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). If you had XPS Viewer in Windows 10, version 1709, but manually removed it before updating, you'll need to manually reinstall it.| 1803 |
|3D Builder app | No longer installed by default. Consider using Print 3D and Paint 3D in its place. However, 3D Builder is still available for download from the Windows Store.| 1709 |
|Apndatabase.xml | For more information about the replacement database, see the following Hardware Dev Center articles:
[MO Process to update COSA](/windows-hardware/drivers/mobilebroadband/planning-your-apn-database-submission)
[COSA FAQ](/windows-hardware/drivers/mobilebroadband/cosa---faq) | 1709 |
|Enhanced Mitigation Experience Toolkit (EMET) |Use of this feature will be blocked. Consider using [Exploit Protection](https://blogs.windows.com/windowsexperience/2017/06/28/) as a replacement. | 1709 |
@@ -63,8 +63,8 @@ The following features and functionalities have been removed from the installed
|Resilient File System (ReFS) (added: August 17, 2017)| Creation ability will be available in the following editions only: Windows 10 Enterprise and Windows 10 Pro for Workstations. Creation ability will be removed from all other editions. All other editions will have Read and Write ability. | 1709 |
|Apps Corner| This Windows 10 mobile application is removed in the version 1703 release. | 1703 |
|By default, Flash autorun in Edge is turned off. | Use the Click-to-Run (C2R) option instead. (This setting can be changed by the user.) | 1703 |
-|Interactive Service Detection Service| See [Interactive Services](https://docs.microsoft.com/windows/win32/services/interactive-services?redirectedfrom=MSDN) for guidance on how to keep software up to date. | 1703 |
+|Interactive Service Detection Service| See [Interactive Services](/windows/win32/services/interactive-services) for guidance on how to keep software up to date. | 1703 |
|Microsoft Paint | This application will not be available for languages that are not on the [full localization list](https://www.microsoft.com/windows/windows-10-specifications#Windows-10-localization). | 1703 |
|NPN support in TLS | This feature is superseded by Application-Layer Protocol Negotiation (ALPN). | 1703 |
|Windows Information Protection "AllowUserDecryption" policy | Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported. | 1703 |
-|WSUS for Windows Mobile | Updates are being transitioned to the new Unified Update Platform (UUP) | 1703 |
+|WSUS for Windows Mobile | Updates are being transitioned to the new Unified Update Platform (UUP) | 1703 |
\ No newline at end of file
diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.md b/windows/deployment/planning/windows-to-go-frequently-asked-questions.md
index f0c41844f7..0d77876b13 100644
--- a/windows/deployment/planning/windows-to-go-frequently-asked-questions.md
+++ b/windows/deployment/planning/windows-to-go-frequently-asked-questions.md
@@ -320,7 +320,7 @@ The size constraints are the same as full Windows. To ensure that you have enoug
## Do I need to activate Windows To Go every time I roam?
-No, Windows To Go requires volume activation; either using the [Key Management Service](https://go.microsoft.com/fwlink/p/?LinkId=619051) (KMS) server in your organization or using [Active Directory](https://go.microsoft.com/fwlink/p/?LinkId=619053) based volume activation. The Windows To Go workspace will not need to be reactivated every time you roam. KMS activates Windows on a local network, eliminating the need for individual computers to connect to Microsoft. To remain activated, KMS client computers must renew their activation by connecting to the KMS host on periodic basis. This typically occurs as soon as the user has access to the corporate network (either through a direct connection on-premises or a through remote connection using DirectAccess or a virtual private network connection), once activated the machine will not need to be activated again until the activation validity interval has passed. In a KMS configuration the activation validity interval is 180 days.
+No, Windows To Go requires volume activation; either using the [Key Management Service](/previous-versions/tn-archive/ff793434(v=technet.10)) (KMS) server in your organization or using [Active Directory](/previous-versions/windows/hh852637(v=win.10)) based volume activation. The Windows To Go workspace will not need to be reactivated every time you roam. KMS activates Windows on a local network, eliminating the need for individual computers to connect to Microsoft. To remain activated, KMS client computers must renew their activation by connecting to the KMS host on periodic basis. This typically occurs as soon as the user has access to the corporate network (either through a direct connection on-premises or a through remote connection using DirectAccess or a virtual private network connection), once activated the machine will not need to be activated again until the activation validity interval has passed. In a KMS configuration the activation validity interval is 180 days.
## Can I use all Windows features on Windows To Go?
@@ -354,7 +354,7 @@ Yes. You can use a combination of identifiers to determine if the currently runn
Next, check if the **OperatingSystemSKU** property is equal to **4** (for Windows 10 Enterprise) or **121** (for Windows 10 Education). The combination of those two properties represents a Windows To Go workspace environment.
-For more information, see the MSDN article on the [Win32\_OperatingSystem class](https://go.microsoft.com/fwlink/p/?LinkId=619059).
+For more information, see the MSDN article on the [Win32\_OperatingSystem class](/windows/win32/cimwin32prov/win32-operatingsystem).
## How is Windows To Go licensed?
@@ -418,7 +418,7 @@ Reformatting the drive erases the data on the drive, but doesn't reconfigure the
-2. Start the [diskpart](https://go.microsoft.com/fwlink/p/?LinkId=619070) command interpreter, by typing `diskpart` at the command prompt.
+2. Start the [diskpart](/windows-server/administration/windows-commands/diskpart) command interpreter, by typing `diskpart` at the command prompt.
3. Use the `select disk` command to identify the drive. If you do not know the drive number, use the `list` command to display the list of disks available.
@@ -455,9 +455,3 @@ There is no support in Windows for upgrading a Windows To Go drive. Deployed Win
-
-
-
-
-
-
diff --git a/windows/deployment/planning/windows-to-go-overview.md b/windows/deployment/planning/windows-to-go-overview.md
index c978295e6e..d5e3248369 100644
--- a/windows/deployment/planning/windows-to-go-overview.md
+++ b/windows/deployment/planning/windows-to-go-overview.md
@@ -27,7 +27,7 @@ ms.topic: article
Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that enables the creation of a Windows To Go workspace that can be booted from a USB-connected external drive on PCs.
-PCs that meet the Windows 7 or later [certification requirements](https://go.microsoft.com/fwlink/p/?LinkId=618711) can run Windows 10 in a Windows To Go workspace, regardless of the operating system running on the PC. Windows To Go workspaces can use the same image enterprises use for their desktops and laptops and can be managed the same way. Windows To Go is not intended to replace desktops, laptops or supplant other mobility offerings. Rather, it provides support for efficient use of resources for alternative workplace scenarios. There are some additional considerations that you should keep in mind before you start to use Windows To Go:
+PCs that meet the Windows 7 or later [certification requirements](/previous-versions/windows/hardware/cert-program/) can run Windows 10 in a Windows To Go workspace, regardless of the operating system running on the PC. Windows To Go workspaces can use the same image enterprises use for their desktops and laptops and can be managed the same way. Windows To Go is not intended to replace desktops, laptops or supplant other mobility offerings. Rather, it provides support for efficient use of resources for alternative workplace scenarios. There are some additional considerations that you should keep in mind before you start to use Windows To Go:
- [Differences between Windows To Go and a typical installation of Windows](#bkmk-wtgdif)
- [Roaming with Windows To Go](#bkmk-wtgroam)
@@ -58,7 +58,7 @@ The applications that you want to use from the Windows To Go workspace should be
Enterprises install Windows on a large group of computers either by using configuration management software (such as Microsoft Endpoint Configuration Manager), or by using standard Windows deployment tools such as DiskPart and the Deployment Image Servicing and Management (DISM) tool.
-These same tools can be used to provision Windows To Go drive, just as you would if you were planning for provisioning a new class of mobile PCs. You can use the [Windows Assessment and Deployment Kit](https://go.microsoft.com/fwlink/p/?LinkId=526803) to review deployment tools available.
+These same tools can be used to provision Windows To Go drive, just as you would if you were planning for provisioning a new class of mobile PCs. You can use the [Windows Assessment and Deployment Kit](/windows-hardware/get-started/adk-install) to review deployment tools available.
> [!IMPORTANT]
> Make sure you use the versions of the deployment tools provided for the version of Windows you are deploying. There have been many enhancements made to support Windows To Go. Using versions of the deployment tools released for earlier versions of Windows to provision a Windows To Go drive is not supported.
@@ -231,9 +231,9 @@ In addition to the USB boot support in the BIOS, the Windows 10 image on your Wi
## Related topics
-[Deploy Windows To Go in your organization](https://go.microsoft.com/fwlink/p/?LinkId=619975)
+[Deploy Windows To Go in your organization](../deploy-windows-to-go.md)
[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md)
[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
-[Best practice recommendations for Windows To Go](best-practice-recommendations-for-windows-to-go.md)
+[Best practice recommendations for Windows To Go](best-practice-recommendations-for-windows-to-go.md)
\ No newline at end of file
diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md
index ea76222dde..9878ff1124 100644
--- a/windows/deployment/s-mode.md
+++ b/windows/deployment/s-mode.md
@@ -35,27 +35,27 @@ Start-ups are quick, and S mode is built to keep them that way. With Microsoft E
**Choice and flexibility**
-Save your files to your favorite cloud, like OneDrive or Dropbox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps, and if you don’t find exactly what you want, you can easily [switch out of S mode](https://docs.microsoft.com/windows/deployment/windows-10-pro-in-s-mode) to Windows 10 Home, Pro, or Enterprise editions at any time and search the web for more choices, as shown below.
+Save your files to your favorite cloud, like OneDrive or Dropbox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps, and if you don’t find exactly what you want, you can easily [switch out of S mode](./windows-10-pro-in-s-mode.md) to Windows 10 Home, Pro, or Enterprise editions at any time and search the web for more choices, as shown below.
## Deployment
-Windows 10 in S mode is built for [modern management](https://docs.microsoft.com/windows/client-management/manage-windows-10-in-your-organization-modern-management) which means using [Windows Autopilot](windows-autopilot/windows-autopilot.md). Windows Autopilot lets you deploy the device directly to a user without IT having to touch the physical device. Instead of manually deploying a custom image, Windows Autopilot will start with a generic PC that can only be used to join the company domain; policies are then deployed automatically through mobile device management to customize the device to the user and the desired environment. Devices are shipped in S mode; you can either keep them in S mode or use Windows Autopilot to switch the device out of S mode during the first run process or later using mobile device management, if desired.
+Windows 10 in S mode is built for [modern management](/windows/client-management/manage-windows-10-in-your-organization-modern-management) which means using [Windows Autopilot](/mem/autopilot/windows-autopilot). Windows Autopilot lets you deploy the device directly to a user without IT having to touch the physical device. Instead of manually deploying a custom image, Windows Autopilot will start with a generic PC that can only be used to join the company domain; policies are then deployed automatically through mobile device management to customize the device to the user and the desired environment. Devices are shipped in S mode; you can either keep them in S mode or use Windows Autopilot to switch the device out of S mode during the first run process or later using mobile device management, if desired.
## Keep line of business apps functioning with Desktop Bridge
-Worried about your line of business apps not working in S mode? [Desktop Bridge](https://docs.microsoft.com/windows/uwp/porting/desktop-to-uwp-root) enables you to convert your line of business apps to a packaged app with UWP manifest. After testing and validating you can distribute the app through the Microsoft Store, making it ideal for Windows 10 in S mode.
+Worried about your line of business apps not working in S mode? [Desktop Bridge](/windows/uwp/porting/desktop-to-uwp-root) enables you to convert your line of business apps to a packaged app with UWP manifest. After testing and validating you can distribute the app through the Microsoft Store, making it ideal for Windows 10 in S mode.
## Repackage Win32 apps into the MSIX format
-The [MSIX Packaging Tool](https://docs.microsoft.com/windows/application-management/msix-app-packaging-tool), available from the Microsoft Store, enables you to repackage existing Win32 applications to the MSIX format. You can run your desktop installers through this tool interactively and obtain an MSIX package that you can install on your device and upload to the Microsoft Store. This is another way to get your apps ready to run on Windows 10 in S mode.
+The [MSIX Packaging Tool](/windows/application-management/msix-app-packaging-tool), available from the Microsoft Store, enables you to repackage existing Win32 applications to the MSIX format. You can run your desktop installers through this tool interactively and obtain an MSIX package that you can install on your device and upload to the Microsoft Store. This is another way to get your apps ready to run on Windows 10 in S mode.
## Related links
- [Consumer applications for S mode](https://www.microsoft.com/windows/s-mode)
- [S mode devices](https://www.microsoft.com/en-us/windows/view-all-devices)
-- [Windows Defender Application Control deployment guide](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide)
-- [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp)
+- [Windows Defender Application Control deployment guide](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide)
+- [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp)
\ No newline at end of file
diff --git a/windows/deployment/update/WIP4Biz-intro.md b/windows/deployment/update/WIP4Biz-intro.md
index 4a1087d274..72ed75e2d8 100644
--- a/windows/deployment/update/WIP4Biz-intro.md
+++ b/windows/deployment/update/WIP4Biz-intro.md
@@ -51,7 +51,7 @@ Windows 10 Insider Preview builds offer organizations a valuable and exciting op
|Feedback | - Provide feedback via [Feedback Hub app](insiderhub://home/). This helps us make adjustments to features as quickly as possible.
- Encourage users to sign into the Feedback Hub using their AAD work accounts. This enables both you and Microsoft to track feedback submitted by users within your specific organization. (Note: This tracking is only visible to Microsoft and registered Insiders within your organization’s domain.)
- [Learn how to provide effective feedback in the Feedback Hub](https://insider.windows.com/how-to-feedback/) |
## Validate Insider Preview builds
-Along with exploring new features, you also have the option to validate your apps and infrastructure on Insider Preview builds. This activity can play an important role in your [Windows 10 deployment strategy](https://docs.microsoft.com/windows/deployment/update/waas-windows-insider-for-business). Early validation has several benefits:
+Along with exploring new features, you also have the option to validate your apps and infrastructure on Insider Preview builds. This activity can play an important role in your [Windows 10 deployment strategy](/windows/deployment/update/waas-windows-insider-for-business). Early validation has several benefits:
- Get a head start on your Windows validation process
- Identify issues sooner to accelerate your Windows deployment
@@ -65,4 +65,4 @@ Along with exploring new features, you also have the option to validate your app
|Users | Application and infrastructure validation: In addition to Insiders who might have participated in feature exploration, we also recommend including a small group of application users from each business department to ensure a representative sample.|
|Tasks | Application and infrastructure validation: Before running an Insider Preview build, check our [Windows Insider blog](https://blogs.windows.com/windowsexperience/tag/windows-insider-program/#k3WWwxKCTWHCO82H.97) and [Windows Insider Tech Community](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/bd-p/WindowsInsiderProgram) pages for updates on current issues and fixes. |
|Feedback | Application and infrastructure validation:Provide feedback in the Feedback Hub app and also inform app vendors of any significant issues. |
-|Guidance | Application and infrastructure validation:
- [Use Upgrade Readiness to create an app inventory and identify mission-critical apps](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-identify-apps)
- [Use Device Health to identify problem devices and device drivers](https://docs.microsoft.com/windows/deployment/update/device-health-monitor)
- [Windows 10 application compatibility](https://technet.microsoft.com/windows/mt703793)|
\ No newline at end of file
+|Guidance | Application and infrastructure validation:
- [Use Upgrade Readiness to create an app inventory and identify mission-critical apps](/mem/configmgr/desktop-analytics/overview)
- [Use Device Health to identify problem devices and device drivers](/windows/deployment/update/device-health-monitor)
- [Windows 10 application compatibility](/windows/windows-10/)|
\ No newline at end of file
diff --git a/windows/deployment/update/change-history-for-update-windows-10.md b/windows/deployment/update/change-history-for-update-windows-10.md
index fc8013e00c..e2ea19dc8e 100644
--- a/windows/deployment/update/change-history-for-update-windows-10.md
+++ b/windows/deployment/update/change-history-for-update-windows-10.md
@@ -13,7 +13,7 @@ ms.topic: article
# Change history for Update Windows 10
-This topic lists new and updated topics in the [Update Windows 10](index.md) documentation for [Deploy and Update Windows 10](https://docs.microsoft.com/windows/deployment).
+This topic lists new and updated topics in the [Update Windows 10](index.md) documentation for [Deploy and Update Windows 10](/windows/deployment).
>If you're looking for **update history** for Windows 10, see [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/help/12387/windows-10-update-history).
@@ -47,5 +47,5 @@ All topics were updated to reflect the new [naming changes](waas-overview.md#nam
## RELEASE: Windows 10, version 1703
The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The following new topics have been added:
-* [Windows Insider Program for Business](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-get-started)
-* [Windows Insider Program for Business](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-register)
+* [Windows Insider Program for Business](/windows-insider/at-work-pro/wip-4-biz-get-started)
+* [Windows Insider Program for Business](/windows-insider/at-work-pro/wip-4-biz-register)
\ No newline at end of file
diff --git a/windows/deployment/update/check-release-health.md b/windows/deployment/update/check-release-health.md
new file mode 100644
index 0000000000..842ab74dbd
--- /dev/null
+++ b/windows/deployment/update/check-release-health.md
@@ -0,0 +1,151 @@
+---
+title: "How to check Windows release health"
+ms.author: v-nishmi
+author: DocsPreview
+manager: jren
+audience: Admin
+ms.topic: article
+ms.prod: w10
+localization_priority: Normal
+f1.keywords:
+- CSH
+ms.custom:
+- Adm_O365
+- 'O365P_ServiceHealthModern'
+- 'O365M_ServiceHealthModern'
+- 'O365E_ViewStatusServices'
+- 'O365E_ServiceHealthModern'
+- 'seo-marvel-apr2020'
+ms.collection:
+- Ent_O365
+- M365-subscription-management
+search.appverid:
+- MET150
+- MOE150
+- BCS160
+- IWA160
+ms.assetid: 932ad3ad-533c-418a-b938-6e44e8bc33b0
+description: "Check the release health status of Microsoft 365 services before you call support to see if there is an active service interruption."
+feedback_system: none
+---
+
+# How to check Windows release health
+
+The Windows release health page in the Microsoft 365 admin center enables you to view the latest information on known issues for Windows monthly and feature updates. A known issue is an issue that has been identified in a Windows monthly update or feature update that impacts Windows devices. The Windows release health page is designed to inform you about known issues so you can troubleshoot issues your users may be experiencing and/or to determine when, and at what scale, to deploy an update in your organization.
+
+If you are unable to sign in to the Microsoft 365 admin portal, check the [Microsoft 365 service health](https://status.office365.com) status page to check for known issues preventing you from logging into your tenant.
+
+To be informed about the latest updates and releases, follow us on Twitter [@WindowsUpdate](https://twitter.com/windowsupdate).
+
+## How to review Windows release health information
+
+1. Go to the Microsoft 365 admin center at [https://admin.microsoft.com](https://go.microsoft.com/fwlink/p/?linkid=2024339), and sign in with an administrator account.
+
+ > [!NOTE]
+ > By default, the Windows release health page is available to individuals who have been assigned the global admin or service administrator role for their tenant. To allow Exchange, SharePoint, and Skype for Business admins to view the Windows release health page, you must first assign them to a Service admin role. For more information about roles that can view service health, see [About admin roles](https://docs.microsoft.com/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide&preserve-view=true#roles-available-in-the-microsoft-365-admin-center).
+
+2. To view Windows release health in the Microsoft 365 Admin Center, go to **Health > Windows release health**.
+
+3. On the **Windows release health** page, you will have access to known issue information for all supported versions of the Windows operating system.
+
+ The **All versions** tab (the default view) shows all Windows products with access to their posted known issues.
+
+ 
+
+ A known issue is an issue that has been identified in a Windows monthly update or feature update that impacts Windows devices. The **Active and recently resolved** column provides a link to the **Known issues** tab filtered to the version selected. Selecting the **Known issues** tab will show known issues that are active or resolved within the last 30 days.
+
+ 
+
+ The **History** tab shows the history of known issues that have been resolved for up to 6 months.
+
+ 
+
+ The known issue summary provides the following information:
+
+ - **Title** - A summary of the problem.
+ - **Version** - The name of the affected Windows product version.
+ - **Status** - The current status of the issue.
+ - **Originating KB** - The KB number where the issue was first identified.
+ - **Originating build** - The build number for the KB.
+
+ Select the **Issue title** to access more information, including a link to the history of all status updates posted while we work on a solution. Here is an example:
+
+ 
+
+## Status definitions
+
+In the **Windows release health** experience, every known issue is assigned as status. Those statuses are defined as follows:
+
+
+| Status | Definition |
+|:-----|:-----|
+|**Reported** | An issue has been brought to the attention of the Windows teams. At this stage, there is no confirmation that users are affected. |
+|**Investigating** | The issue is believed to affect users and efforts are underway to gather more information about the issue’s scope of impact, mitigation steps, and root cause. |
+|**Confirmed** | After close review, Microsoft teams have determined the issue is affecting Windows users, and progress is being made on mitigation steps and root cause. |
+|**Mitigated** | A workaround is available and communicated to Windows customers for a known issue. A known issue will stay in this state until a KB article is released by Microsoft to resolve the known issue. |
+|**Mitigated: External** | A workaround is available and communicated to Windows customers for a known issue that was caused by a software or driver from a third-party software or device manufacturer. A known issue will stay in this state until the issue is resolved by Microsoft or the third-party. |
+|**Resolved** | A solution has been released by Microsoft and has been documented in a KB article that will resolve the known issue once it’s deployed in the customer’s environment. |
+|**Resolved: External** | A solution has been released by a Microsoft or a third-party that will resolve the known issue once it’s deployed in the customer’s environment. |
+
+## Known issue history
+
+The Windows release health page lets you view the history of all status updates posted for a specific known issue. To view all past updates posted for a given issue, select **View history** on the issue detail page.
+
+
+
+A list of all status updates posted in the selected timeframe will be displayed, as shown below. You can expand any row to view the specific information provided in that status update.
+
+
+
+## Frequently asked questions
+
+### Windows release health coverage
+
+- **What is Windows release health?**
+ Windows release health is a Microsoft informational service created to keep licensed Windows customers aware of identified known issues and important announcements.
+
+- **Microsoft 365 service health content is specific to my tenants and services. Is the content in Windows release health specific to my Windows environment?**
+ Windows release health does not monitor user environments or collect customer environment information. In Windows release health, all known issue content across all supported Windows versions is published to all subscribed customers. Future iterations of the solution may target content based on customer location, industry, or Windows version.
+
+- **Where do I find Windows release health?**
+ After logging into Microsoft 365 admin center, expand the left-hand menu using **…Show All**, click **Health** and you’ll see **Windows release health**.
+
+- **Is the Windows release health content published to Microsoft 365 admin center the same as the content on Windows release health on Docs.microsoft.com?**
+ No. While the content is similar, you may see more issues and more technical details published to Windows release health on Microsoft 365 admin center to better support the IT admin. For example, you’ll find details to help you diagnose issues in your environment, steps to mitigate issues, and root cause analysis.
+
+- **How often will content be updated?**
+ In an effort to ensure Windows customers have important information as soon as possible, all major known issues will be shared with Windows customers on both Docs.microsoft.com and the Microsoft 365 admin center. We may also update the details available for Windows release health in the Microsoft 365 admin center when we have additional details on workarounds, root cause, or other information to help you plan for updates and handle issues in your environment.
+
+- **Can I share this content publicly or with other Windows customers?**
+ Windows release health is provided to you as a licensed Windows customer and is not to be shared publicly.
+
+- **Is the content redundant? How is the content organized in the different tabs?**
+ Windows release health provides three tabs. The landing **All versions** tab allows you to click into a specific version of Windows. The Known issues tab shows the list of issues that are active or resolved in the past 30 days. The History tab shows a six-month history of known issues that have been resolved.
+
+- **How do I find information for the versions of Windows I’m managing?**
+ On the **All versions** tab, you can select any Windows version. This will take you to the Known issues tab filtered for the version you selected. The known issues tab provides the list of active known issues and those resolved in the last 30 days. This selection persists throughout your session until changed. From the History tab you can view the list of resolved issues for that version. To change versions, use the filter in the tab.
+
+### Microsoft 365 Admin Center functions
+
+- **How do I best search for issues impacting my environment?**
+ You can search Microsoft 365 admin center pages using keywords. For Windows release health, go to the desired product page and search using KB numbers, build numbers, or keywords.
+
+- **How do I add other Windows admins?**
+ Using the left-hand menu, go to Users, then select the Active Users tab and follow the prompts to add a new user, or assign an existing user, to the role of “Service Support admin.”
+
+- **Why can’t I click to the KB article from the Known issues or History tabs?**
+ Within the issue description, you’ll find links to the KB articles. In the Known issue and History tabs, the entire row is a clickable entry to the issue’s Details pane.
+
+- **Microsoft 365 admin center has a mobile app but I don’t see Windows release health under the Health menu. Is this an open issue?**
+ We are working to build the Windows release health experience on mobile devices in a future release.
+
+### Help and support
+
+- **What should I do if I have an issue with Windows that is not reported in Windows release health?**
+ Seek assistance through Premier support, the [Microsoft Support website](https://support.microsoft.com), or connect with your normal channels for Windows support.
+
+- **When reaching out to Support, they asked me for an advisory ID. What is this and where can it?**
+ The advisory ID can be found in the upper left-hand corner of the known issue Details pane. To find it, select the Known issue you’re seeking help on, click the Details pane and you’ll find the ID under the issue title. It will be the letters WI followed by a number, similar to “WI123456”.
+
+- **How can I learn more about expanding my use of Microsoft 365 admin center?**
+ To learn more, see the [Microsoft 365 admin center documentation](https://docs.microsoft.com/microsoft-365/admin/admin-overview/about-the-admin-center).
diff --git a/windows/deployment/update/create-deployment-plan.md b/windows/deployment/update/create-deployment-plan.md
index a1ce6bbe19..2d806516c6 100644
--- a/windows/deployment/update/create-deployment-plan.md
+++ b/windows/deployment/update/create-deployment-plan.md
@@ -113,7 +113,7 @@ During the broad deployment phase, you should focus on the following activities:
Previously, we have provided methods for analyzing your deployments, but these have been standalone tools to assess, manage and execute deployments. In other words, you would generate an analysis, make a deployment strategy, and then move to your console for implementation, repeating these steps for each deployment. We have combined many of these tasks, and more, into a single interface with Desktop Analytics.
-[Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/overview) is a cloud-based service and a key tool in [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/configmgr/core/understand/microsoft-endpoint-manager-faq). Using artificial intelligence and machine learning, Desktop Analytics is a powerful tool to give you insights and intelligence to
+[Desktop Analytics](/mem/configmgr/desktop-analytics/overview) is a cloud-based service and a key tool in [Microsoft Endpoint Manager](/mem/configmgr/core/understand/microsoft-endpoint-manager-faq). Using artificial intelligence and machine learning, Desktop Analytics is a powerful tool to give you insights and intelligence to
make informed decisions about the readiness of your Windows devices.
In Windows 10 deployments, we have seen compatibility issues on < 0.5% of apps when using Desktop Analytics. Using Desktop Analytics with Microsoft Endpoint Manager can help you assess app compatibility with the latest
@@ -126,13 +126,12 @@ feature update and create groups that represent the broadest number of hardware
There are two ways to implement a ring deployment plan, depending on how you manage your devices:
-- If you are using Configuration Manager: Desktop Analytics provides end-to-end deployment plan integration so that you can also kick off phased deployments within a ring. Learn more about [deployment plans in Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/about-deployment-plans).
-- If you are using Microsoft Intune, see [Create deployment plans directly in Intune](https://docs.microsoft.com/mem/intune/fundamentals/planning-guide).
+- If you are using Configuration Manager: Desktop Analytics provides end-to-end deployment plan integration so that you can also kick off phased deployments within a ring. Learn more about [deployment plans in Desktop Analytics](/mem/configmgr/desktop-analytics/about-deployment-plans).
+- If you are using Microsoft Intune, see [Create deployment plans directly in Intune](/mem/intune/fundamentals/planning-guide).
For more about Desktop Analytics, see these articles:
-- [How to set up Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/set-up)
-- [Tutorial: Deploy Windows 10 to Pilot](https://docs.microsoft.com/mem/configmgr/desktop-analytics/tutorial-windows10)
-- [Desktop Analytics documentation](https://docs.microsoft.com/mem/configmgr/desktop-analytics/overview)
-- [Intune deployment planning, design, and implementation guide](https://docs.microsoft.com/mem/intune/fundamentals/planning-guide)
-
+- [How to set up Desktop Analytics](/mem/configmgr/desktop-analytics/set-up)
+- [Tutorial: Deploy Windows 10 to Pilot](/mem/configmgr/desktop-analytics/tutorial-windows10)
+- [Desktop Analytics documentation](/mem/configmgr/desktop-analytics/overview)
+- [Intune deployment planning, design, and implementation guide](/mem/intune/fundamentals/planning-guide)
\ No newline at end of file
diff --git a/windows/deployment/update/delivery-optimization-proxy.md b/windows/deployment/update/delivery-optimization-proxy.md
index 21e355ea15..5e3fa30528 100644
--- a/windows/deployment/update/delivery-optimization-proxy.md
+++ b/windows/deployment/update/delivery-optimization-proxy.md
@@ -60,7 +60,7 @@ With NetworkService (if unable to obtain a user token from a signed-in user):
## Setting a device-wide Internet Explorer proxy
-You can set a device-wide proxy that will apply to all users including an interactive user, LocalSystem, and NetworkService by using the [Network Proxy CSP](https://docs.microsoft.com/windows/client-management/mdm/networkproxy-csp).
+You can set a device-wide proxy that will apply to all users including an interactive user, LocalSystem, and NetworkService by using the [Network Proxy CSP](/windows/client-management/mdm/networkproxy-csp).
Or, if you use Group Policy, you can apply proxy settings to all users of the same device by enabling the **Computer Configuration\ Administrative Templates\ Windows Components\ Internet Explorer\ Make proxy settings per-machine (rather than per-user)** policy.
@@ -70,10 +70,10 @@ This policy is meant to ensure that proxy settings apply uniformly to the same c
Starting with Windows 10, version 2004, you can use Connected Cache behind a proxy. In older versions, when you set Delivery Optimization to download from Connected Cache, it will bypass the proxy and try to connect directly to the Connected Cache server. This can cause failure to download.
-However, you can set the Connected Cache server to use an unauthenticated proxy. For more information, see [Microsoft Connected Cache in Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/plan-design/hierarchy/microsoft-connected-cache#prerequisites-and-limitations).
+However, you can set the Connected Cache server to use an unauthenticated proxy. For more information, see [Microsoft Connected Cache in Configuration Manager](/mem/configmgr/core/plan-design/hierarchy/microsoft-connected-cache#prerequisites-and-limitations).
## Related articles
-- [How can I configure Proxy AutoConfigURL Setting using Group Policy Preference (GPP)?](https://docs.microsoft.com/archive/blogs/askie/how-can-i-configure-proxy-autoconfigurl-setting-using-group-policy-preference-gpp)
-- [How to use GPP Registry to uncheck automatically detect settings? ](https://docs.microsoft.com/archive/blogs/askie/how-to-use-gpp-registry-to-uncheck-automatically-detect-settings)
-- [How to configure a proxy server URL and Port using GPP Registry?](https://docs.microsoft.com/archive/blogs/askie/how-to-configure-a-proxy-server-url-and-port-using-gpp-registry)
+- [How can I configure Proxy AutoConfigURL Setting using Group Policy Preference (GPP)?](/archive/blogs/askie/how-can-i-configure-proxy-autoconfigurl-setting-using-group-policy-preference-gpp)
+- [How to use GPP Registry to uncheck automatically detect settings? ](/archive/blogs/askie/how-to-use-gpp-registry-to-uncheck-automatically-detect-settings)
+- [How to configure a proxy server URL and Port using GPP Registry?](/archive/blogs/askie/how-to-configure-a-proxy-server-url-and-port-using-gpp-registry)
\ No newline at end of file
diff --git a/windows/deployment/update/deploy-updates-configmgr.md b/windows/deployment/update/deploy-updates-configmgr.md
index 1706180e52..c62f135de1 100644
--- a/windows/deployment/update/deploy-updates-configmgr.md
+++ b/windows/deployment/update/deploy-updates-configmgr.md
@@ -17,4 +17,4 @@ ms.topic: article
- Windows 10
-See the Microsoft Endpoint Manager [documentation](https://docs.microsoft.com/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) for details about using Configuration Manager to deploy and manage Windows 10 updates.
\ No newline at end of file
+See the Microsoft Endpoint Manager [documentation](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) for details about using Configuration Manager to deploy and manage Windows 10 updates.
\ No newline at end of file
diff --git a/windows/deployment/update/deploy-updates-intune.md b/windows/deployment/update/deploy-updates-intune.md
index 8737d452c6..5079d8a8f7 100644
--- a/windows/deployment/update/deploy-updates-intune.md
+++ b/windows/deployment/update/deploy-updates-intune.md
@@ -17,4 +17,4 @@ ms.topic: article
- Windows 10
-See the Microsoft Intune [documentation](https://docs.microsoft.com/mem/intune/protect/windows-update-for-business-configure#windows-10-feature-updates) for details about using Intune to deploy and manage Windows 10 updates.
\ No newline at end of file
+See the Microsoft Intune [documentation](/mem/intune/protect/windows-update-for-business-configure#windows-10-feature-updates) for details about using Intune to deploy and manage Windows 10 updates.
\ No newline at end of file
diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md
index c586284056..e3accdee77 100644
--- a/windows/deployment/update/feature-update-maintenance-window.md
+++ b/windows/deployment/update/feature-update-maintenance-window.md
@@ -47,7 +47,7 @@ For example, by default, 90 minutes will be honored before the system is reboote
Use **Peer Cache** to help manage deployment of content to clients in remote locations. Peer Cache is a built-in Configuration Manager solution that enables clients to share content with other clients directly from their local cache.
-[Enable Configuration Manager client in full OS to share content](https://docs.microsoft.com/sccm/core/clients/deploy/about-client-settings#enable-configuration-manager-client-in-full-os-to-share-content) if you have clients in remote locations that would benefit from downloading feature update content from a peer instead of downloading it from a distribution point (or Microsoft Update).
+[Enable Configuration Manager client in full OS to share content](/sccm/core/clients/deploy/about-client-settings#enable-configuration-manager-client-in-full-os-to-share-content) if you have clients in remote locations that would benefit from downloading feature update content from a peer instead of downloading it from a distribution point (or Microsoft Update).
### Step 4: Override the default Windows setup priority (Windows 10, version 1709 and later)
@@ -60,7 +60,7 @@ If you're deploying **Feature update to Windows 10, version 1709** or later, by
Priority=Normal
```
-You can use the new [Run Scripts](https://docs.microsoft.com/sccm/apps/deploy-use/create-deploy-scripts) feature to run a PowerShell script like the sample below to create the SetupConfig.ini on target devices.
+You can use the new [Run Scripts](/sccm/apps/deploy-use/create-deploy-scripts) feature to run a PowerShell script like the sample below to create the SetupConfig.ini on target devices.
```
#Parameters
@@ -103,7 +103,7 @@ or documentation, even if Microsoft has been advised of the possibility of such
```
>[!NOTE]
->If you elect not to override the default setup priority, you will need to increase the [maximum run time](https://docs.microsoft.com/sccm/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value.
+>If you elect not to override the default setup priority, you will need to increase the [maximum run time](/sccm/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value.
## Manually deploy feature updates
@@ -143,20 +143,20 @@ Before you deploy the feature updates, you can download the content as a separat
>You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location.
Click **Next**.
-4. On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then click **Next**. For more information about distribution points, see [Distribution point configurations](https://docs.microsoft.com/sccm/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs).
+4. On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then click **Next**. For more information about distribution points, see [Distribution point configurations](/sccm/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs).
>[!NOTE]
>The Distribution Points page is available only when you create a new software update deployment package.
5. On the **Distribution Settings** page, specify the following settings:
- **Distribution priority**: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Deployment packages are sent in priority order: High, Medium, or Low. Packages with identical priorities are sent in the order in which they were created. If there is no backlog, the package will process immediately regardless of its priority. By default, packages are sent using Medium priority.
- - **Enable for on-demand distribution**: Use this setting to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content is not available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see [Content source location scenarios](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/content-source-location-scenarios).
+ - **Enable for on-demand distribution**: Use this setting to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content is not available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see [Content source location scenarios](/sccm/core/plan-design/hierarchy/content-source-location-scenarios).
- **Prestaged distribution point settings**: Use this setting to specify how you want to distribute content to prestaged distribution points. Choose one of the following options:
- **Automatically download content when packages are assigned to distribution points**: Use this setting to ignore the prestage settings and distribute content to the distribution point.
- **Download only content changes to the distribution point**: Use this setting to prestage the initial content to the distribution point, and then distribute content changes to the distribution point.
- **Manually copy the content in this package to the distribution point**: Use this setting to always prestage content on the distribution point. This is the default setting.
- For more information about prestaging content to distribution points, see [Use Prestaged content](https://docs.microsoft.com/sccm/core/servers/deploy/configure/deploy-and-manage-content#bkmk_prestage).
+ For more information about prestaging content to distribution points, see [Use Prestaged content](/sccm/core/servers/deploy/configure/deploy-and-manage-content#bkmk_prestage).
Click **Next**.
6. On the **Download Location** page, specify location that Configuration Manager will use to download the software update source files. As needed, use the following options:
@@ -224,10 +224,10 @@ After you determine which feature updates you intend to deploy, you can manually
- **Specific time**: Select this setting to automatically install the software updates in the deployment at a specific date and time. Set the date and time value to correspond with your defined maintenance window for the target collection. Allow sufficient time for clients to download the content in advance of the deadline. Adjust accordingly if clients in your environment will need additional download time. E.g., slow or unreliable network links.
>[!NOTE]
- >The actual installation deadline time is the specific time that you configure plus a random amount of time up to 2 hours. This reduces the potential impact of all client computers in the destination collection installing the software updates in the deployment at the same time. Configure the Computer Agent client setting, Disable deadline randomization to disable the installation randomization delay for the required software updates to allow a greater chance for the installation to start and complete within your defined maintenance window. For more information, see [Computer Agent](https://docs.microsoft.com/sccm/core/clients/deploy/about-client-settings#computer-agent).
+ >The actual installation deadline time is the specific time that you configure plus a random amount of time up to 2 hours. This reduces the potential impact of all client computers in the destination collection installing the software updates in the deployment at the same time. Configure the Computer Agent client setting, Disable deadline randomization to disable the installation randomization delay for the required software updates to allow a greater chance for the installation to start and complete within your defined maintenance window. For more information, see [Computer Agent](/sccm/core/clients/deploy/about-client-settings#computer-agent).
7. On the User Experience page, configure the following settings:
- **User notifications**: Specify whether to display notification of the software updates in Software Center on the client computer at the configured **Software available time** and whether to display user notifications on the client computers. When **Type of deployment** is set to **Available** on the Deployment Settings page, you cannot select **Hide in Software Center and all notifications**.
- - **Deadline behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify the behavior that is to occur when the deadline is reached for the software update deployment. Specify whether to install the software updates in the deployment. Also specify whether to perform a system restart after software update installation regardless of a configured maintenance window. For more information about maintenance windows, see [How to use maintenance windows](https://docs.microsoft.com/sccm/core/clients/manage/collections/use-maintenance-windows).
+ - **Deadline behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify the behavior that is to occur when the deadline is reached for the software update deployment. Specify whether to install the software updates in the deployment. Also specify whether to perform a system restart after software update installation regardless of a configured maintenance window. For more information about maintenance windows, see [How to use maintenance windows](/sccm/core/clients/manage/collections/use-maintenance-windows).
- **Device restart behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify whether to suppress a system restart on servers and workstations after software updates are installed and a system restart is required to complete the installation.
>[!IMPORTANT]
@@ -244,12 +244,12 @@ After you determine which feature updates you intend to deploy, you can manually
9. On the Download Settings page, configure the following settings:
- Specify whether the client will download and install the software updates when a client is connected to a slow network or is using a fallback content location.
- Specify whether to have the client download and install the software updates from a fallback distribution point when the content for the software updates is not available on a preferred distribution point.
- - **Allow clients to share content with other clients on the same subnet**: Specify whether to enable the use of BranchCache for content downloads. For more information about BranchCache, see [Fundamental concepts for content management](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/fundamental-concepts-for-content-management#branchcache).
+ - **Allow clients to share content with other clients on the same subnet**: Specify whether to enable the use of BranchCache for content downloads. For more information about BranchCache, see [Fundamental concepts for content management](/sccm/core/plan-design/hierarchy/fundamental-concepts-for-content-management#branchcache).
- **If software updates are not available on distribution point in current, neighbor or site groups, download content from Microsoft Updates**: Select this setting to have clients that are connected to the intranet download software updates from Microsoft Update if software updates are not available on distribution points. Internet-based clients can always go to Microsoft Update for software updates content.
- Specify whether to allow clients to download after an installation deadline when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection.
>[!NOTE]
- >Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content source location scenarios](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/content-source-location-scenarios).
+ >Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content source location scenarios](/sccm/core/plan-design/hierarchy/content-source-location-scenarios).
10. On the Summary page, review the settings. To save the settings to a deployment template, click **Save As Template**, enter a name and select the settings that you want to include in the template, and then click **Save**. To change a configured setting, click the associated wizard page and change the setting.
11. Click **Next** to deploy the feature update(s).
@@ -258,4 +258,4 @@ After you deploy the feature update(s), you can monitor the deployment status. U
1. In the Configuration Manager console, navigate to **Monitoring > Overview > Deployments**.
2. Click the software update group or software update for which you want to monitor the deployment status.
-3. On the **Home** tab, in the **Deployment** group, click **View Status**.
+3. On the **Home** tab, in the **Deployment** group, click **View Status**.
\ No newline at end of file
diff --git a/windows/deployment/update/feature-update-mission-critical.md b/windows/deployment/update/feature-update-mission-critical.md
index 5c4c8987f1..052bebb7c1 100644
--- a/windows/deployment/update/feature-update-mission-critical.md
+++ b/windows/deployment/update/feature-update-mission-critical.md
@@ -21,7 +21,7 @@ ms.custom: seo-marvel-apr2020
Managing an environment with devices that provide mission critical services 24 hours a day, 7 days a week, can present challenges in keeping these devices current with Windows 10 feature updates. The processes that you use to keep regular devices current with Windows 10 feature updates, often aren't the most effective to service mission critical devices. This whitepaper will focus on the recommended approach of using the Microsoft Endpoint Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates.
-For simplicity, we will outline the steps to deploy a feature update manually. If you prefer an automated approach, see [Manage Windows as a service using Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/manage-windows-as-a-service).
+For simplicity, we will outline the steps to deploy a feature update manually. If you prefer an automated approach, see [Manage Windows as a service using Configuration Manager](/configmgr/osd/deploy-use/manage-windows-as-a-service).
Devices and shared workstations that are online and available 24 hours a day, 7 days a week, can be serviced via one of two primary methods:
@@ -34,11 +34,11 @@ You can use Configuration Manager to deploy feature updates to Windows 10 device
- **Additional required tasks.** When deploying a feature update requires additional steps (for example, suspending disk encryption, updating applications), you can use task sequences to orchestrate the additional steps. Software updates do not have the ability to add steps to their deployments.
- **Language pack installations.** When deploying a feature update requires the installation of additional language packs, you can use task sequences to orchestrate the installation. Software updates do not have the ability to natively install language packs.
-If you need to use a task sequence to deploy feature updates, see [Manage Windows as a service using Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/manage-windows-as-a-service) for more information. If you find that your requirement for a task sequence is based solely on the need to run additional tasks performed pre-install or pre-commit, see the new [run custom actions](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) functionality first introduced with Windows 10, version 1803. You might find this option useful in deploying software updates.
+If you need to use a task sequence to deploy feature updates, see [Manage Windows as a service using Configuration Manager](/configmgr/osd/deploy-use/manage-windows-as-a-service) for more information. If you find that your requirement for a task sequence is based solely on the need to run additional tasks performed pre-install or pre-commit, see the new [run custom actions](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) functionality first introduced with Windows 10, version 1803. You might find this option useful in deploying software updates.
Use the following information:
- [Deploy feature updates during maintenance windows](feature-update-maintenance-window.md)
- [Deploy feature updates for user-initiated installations](feature-update-user-install.md)
-- [Conclusion](feature-update-conclusion.md)
+- [Conclusion](feature-update-conclusion.md)
\ No newline at end of file
diff --git a/windows/deployment/update/feature-update-user-install.md b/windows/deployment/update/feature-update-user-install.md
index 70dcc6a516..b9b2bef0fc 100644
--- a/windows/deployment/update/feature-update-user-install.md
+++ b/windows/deployment/update/feature-update-user-install.md
@@ -26,7 +26,7 @@ Use the following steps to deploy a feature update for a user-initiated installa
### Step 1: Enable Peer Cache
Use **Peer Cache** to help manage deployment of content to clients in remote locations. Peer Cache is a built-in Configuration Manager solution that enables clients to share content with other clients directly from their local cache.
-[Enable Configuration Manager client in full OS to share content](https://docs.microsoft.com/sccm/core/clients/deploy/about-client-settings#enable-configuration-manager-client-in-full-os-to-share-content) if you have clients in remote locations that would benefit from downloading feature update content from a peer instead of downloading it from a distribution point (or Microsoft Update).
+[Enable Configuration Manager client in full OS to share content](/sccm/core/clients/deploy/about-client-settings#enable-configuration-manager-client-in-full-os-to-share-content) if you have clients in remote locations that would benefit from downloading feature update content from a peer instead of downloading it from a distribution point (or Microsoft Update).
### Step 2: Override the default Windows setup priority (Windows 10, version 1709 and later)
@@ -39,7 +39,7 @@ If you're deploying **Feature update to Windows 10, version 1709** or later, by
Priority=Normal
```
-You can use the new [Run Scripts](https://docs.microsoft.com/sccm/apps/deploy-use/create-deploy-scripts) feature to run a PowerShell script like the sample below to create the SetupConfig.ini on target devices.
+You can use the new [Run Scripts](/sccm/apps/deploy-use/create-deploy-scripts) feature to run a PowerShell script like the sample below to create the SetupConfig.ini on target devices.
```
#Parameters
@@ -84,7 +84,7 @@ or documentation, even if Microsoft has been advised of the possibility of such
```
>[!NOTE]
->If you elect not to override the default setup priority, you will need to increase the [maximum run time](https://docs.microsoft.com/sccm/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value.
+>If you elect not to override the default setup priority, you will need to increase the [maximum run time](/sccm/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value.
## Manually deploy feature updates in a user-initiated installation
@@ -124,20 +124,20 @@ Before you deploy the feature updates, you can download the content as a separat
>You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location.
Click **Next**.
-4. On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then click **Next**. For more information about distribution points, see [Distribution point configurations](https://docs.microsoft.com/sccm/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs).
+4. On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then click **Next**. For more information about distribution points, see [Distribution point configurations](/sccm/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs).
>[!NOTE]
>The Distribution Points page is available only when you create a new software update deployment package.
5. On the **Distribution Settings** page, specify the following settings:
- **Distribution priority**: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Deployment packages are sent in priority order: **High**, **Medium**, or **Low**. Packages with identical priorities are sent in the order in which they were created. If there is no backlog, the package will process immediately regardless of its priority. By default, packages are sent using Medium priority.
- - **Enable for on-demand distribution**: Use this setting to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content is not available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see [Content source location scenarios](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/content-source-location-scenarios).
+ - **Enable for on-demand distribution**: Use this setting to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content is not available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see [Content source location scenarios](/sccm/core/plan-design/hierarchy/content-source-location-scenarios).
- **Prestaged distribution point settings**: Use this setting to specify how you want to distribute content to prestaged distribution points. Choose one of the following options:
- **Automatically download content when packages are assigned to distribution points**: Use this setting to ignore the prestage settings and distribute content to the distribution point.
- **Download only content changes to the distribution point**: Use this setting to prestage the initial content to the distribution point, and then distribute content changes to the distribution point.
- **Manually copy the content in this package to the distribution point**: Use this setting to always prestage content on the distribution point. This is the default setting.
- For more information about prestaging content to distribution points, see [Use Prestaged content](https://docs.microsoft.com/sccm/core/servers/deploy/configure/deploy-and-manage-content#bkmk_prestage).
+ For more information about prestaging content to distribution points, see [Use Prestaged content](/sccm/core/servers/deploy/configure/deploy-and-manage-content#bkmk_prestage).
Click **Next**.
6. On the **Download Location** page, specify location that Configuration Manager will use to download the software update source files. As needed, use the following options:
@@ -225,12 +225,12 @@ After you determine which feature updates you intend to deploy, you can manually
9. On the Download Settings page, configure the following settings:
- Specify whether the client will download and install the software updates when a client is connected to a slow network or is using a fallback content location.
- Specify whether to have the client download and install the software updates from a fallback distribution point when the content for the software updates is not available on a preferred distribution point.
- - **Allow clients to share content with other clients on the same subnet**: Specify whether to enable the use of BranchCache for content downloads. For more information about BranchCache, see [Fundamental concepts for content management](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/fundamental-concepts-for-content-management#branchcache).
+ - **Allow clients to share content with other clients on the same subnet**: Specify whether to enable the use of BranchCache for content downloads. For more information about BranchCache, see [Fundamental concepts for content management](/sccm/core/plan-design/hierarchy/fundamental-concepts-for-content-management#branchcache).
- **If software updates are not available on distribution point in current, neighbor or site groups, download content from Microsoft Updates**: Select this setting to have clients that are connected to the intranet download software updates from Microsoft Update if software updates are not available on distribution points. Internet-based clients can always go to Microsoft Update for software updates content.
- Specify whether to allow clients to download after an installation deadline when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection.
>[!NOTE]
- >Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content source location scenarios](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/content-source-location-scenarios).
+ >Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content source location scenarios](/sccm/core/plan-design/hierarchy/content-source-location-scenarios).
10. On the Summary page, review the settings. To save the settings to a deployment template, click **Save As Template**, enter a name and select the settings that you want to include in the template, and then click **Save**. To change a configured setting, click the associated wizard page and change the setting.
11. Click **Next** to deploy the feature update(s).
@@ -239,4 +239,4 @@ After you deploy the feature update(s), you can monitor the deployment status. U
1. In the Configuration Manager console, navigate to **Monitoring > Overview > Deployments**.
2. Click the software update group or software update for which you want to monitor the deployment status.
-3. On the **Home** tab, in the **Deployment** group, click **View Status**.
+3. On the **Home** tab, in the **Deployment** group, click **View Status**.
\ No newline at end of file
diff --git a/windows/deployment/update/fod-and-lang-packs.md b/windows/deployment/update/fod-and-lang-packs.md
index 98579c7905..1ae3f99648 100644
--- a/windows/deployment/update/fod-and-lang-packs.md
+++ b/windows/deployment/update/fod-and-lang-packs.md
@@ -18,7 +18,7 @@ ms.custom: seo-marvel-apr2020
> Applies to: Windows 10
-As of Windows 10 version 1709, you can't use Windows Server Update Services (WSUS) to host [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) (FODs) locally. Starting with Windows 10 version 1803, language packs can no longer be hosted on WSUS.
+As of Windows 10 version 1709, you can't use Windows Server Update Services (WSUS) to host [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) (FODs) locally. Starting with Windows 10 version 1803, language packs can no longer be hosted on WSUS.
The **Specify settings for optional component installation and component repair** policy, located under `Computer Configuration\Administrative Templates\System` in the Group Policy Editor, can be used to specify alternate ways to acquire FOD packages, language packages, and content for corruption repair. However, it's important to note this policy only allows specifying one alternate location and behaves differently across OS versions.
@@ -28,4 +28,4 @@ In Windows 10 version 1809 and beyond, changing the **Specify settings for optio
For all OS versions, changing the **Specify settings for optional component installation and component repair** policy does not affect how OS updates are distributed. They continue to come from WSUS, Configuration Manager, or other sources as you have scheduled them, even while optional content is sourced from Windows Update or a network location.
-Learn about other client management options, including using Group Policy and administrative templates, in [Manage clients in Windows 10](https://docs.microsoft.com/windows/client-management/).
+Learn about other client management options, including using Group Policy and administrative templates, in [Manage clients in Windows 10](/windows/client-management/).
\ No newline at end of file
diff --git a/windows/deployment/update/get-started-updates-channels-tools.md b/windows/deployment/update/get-started-updates-channels-tools.md
index 4816c7e26e..a647e33fd6 100644
--- a/windows/deployment/update/get-started-updates-channels-tools.md
+++ b/windows/deployment/update/get-started-updates-channels-tools.md
@@ -91,7 +91,7 @@ You can set up, control, and manage the server and update process with several t
- [Configuration Manager](deploy-updates-configmgr.md)
- Non-Microsoft tools
-For more information, see [Windows Server Update Services (WSUS)](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus).
+For more information, see [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus).
### Tools for cloud-based update delivery
@@ -103,4 +103,4 @@ Your individual devices connect to Microsoft endpoints directly to get the updat
### Hybrid scenarios
-It is also possible to combine WSUS-based on-premises update distribution with cloud-based update delivery.
+It is also possible to combine WSUS-based on-premises update distribution with cloud-based update delivery.
\ No newline at end of file
diff --git a/windows/deployment/update/images/WRH-history-20H2.png b/windows/deployment/update/images/WRH-history-20H2.png
new file mode 100644
index 0000000000..c00e041b69
Binary files /dev/null and b/windows/deployment/update/images/WRH-history-20H2.png differ
diff --git a/windows/deployment/update/images/WRH-known-issue-detail.png b/windows/deployment/update/images/WRH-known-issue-detail.png
new file mode 100644
index 0000000000..6f875d245c
Binary files /dev/null and b/windows/deployment/update/images/WRH-known-issue-detail.png differ
diff --git a/windows/deployment/update/images/WRH-known-issues-20H2.png b/windows/deployment/update/images/WRH-known-issues-20H2.png
new file mode 100644
index 0000000000..4b982604fd
Binary files /dev/null and b/windows/deployment/update/images/WRH-known-issues-20H2.png differ
diff --git a/windows/deployment/update/images/WRH-menu.png b/windows/deployment/update/images/WRH-menu.png
new file mode 100644
index 0000000000..b117413d64
Binary files /dev/null and b/windows/deployment/update/images/WRH-menu.png differ
diff --git a/windows/deployment/update/images/WRH-message-history-example-padded.png b/windows/deployment/update/images/WRH-message-history-example-padded.png
new file mode 100644
index 0000000000..f4701a7fa4
Binary files /dev/null and b/windows/deployment/update/images/WRH-message-history-example-padded.png differ
diff --git a/windows/deployment/update/images/WRH-message-history-example.png b/windows/deployment/update/images/WRH-message-history-example.png
new file mode 100644
index 0000000000..1aa35aca9b
Binary files /dev/null and b/windows/deployment/update/images/WRH-message-history-example.png differ
diff --git a/windows/deployment/update/images/WRH-view-message-history-padded.png b/windows/deployment/update/images/WRH-view-message-history-padded.png
new file mode 100644
index 0000000000..5dd7b7d942
Binary files /dev/null and b/windows/deployment/update/images/WRH-view-message-history-padded.png differ
diff --git a/windows/deployment/update/images/WRH-view-message-history.png b/windows/deployment/update/images/WRH-view-message-history.png
new file mode 100644
index 0000000000..20b85e33c0
Binary files /dev/null and b/windows/deployment/update/images/WRH-view-message-history.png differ
diff --git a/windows/deployment/update/index.md b/windows/deployment/update/index.md
index 8a080c9bcd..f0fb882c47 100644
--- a/windows/deployment/update/index.md
+++ b/windows/deployment/update/index.md
@@ -35,17 +35,16 @@ Windows as a service provides a new way to think about building, deploying, and
| [Overview of Windows as a service](waas-overview.md) | Explains the differences in building, deploying, and servicing Windows 10; introduces feature updates, quality updates, and the different servicing branches; compares servicing tools. |
| [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) | Explains the decisions you need to make in your servicing strategy. |
| [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | Explains how to make use of servicing branches and update deferrals to manage Windows 10 updates. |
-| [Assign devices to servicing branches for Windows 10 updates](https://docs.microsoft.com/windows/deployment/update/waas-servicing-channels-windows-10-updates) | Explains how to assign devices to the Semi-Annual Channel for feature and quality updates, and how to enroll devices in Windows Insider. |
+| [Assign devices to servicing branches for Windows 10 updates](./waas-servicing-channels-windows-10-updates.md) | Explains how to assign devices to the Semi-Annual Channel for feature and quality updates, and how to enroll devices in Windows Insider. |
| [Monitor Windows Updates with Update Compliance](update-compliance-monitor.md) | Explains how to use Update Compliance to monitor and manage Windows Updates on devices in your organization. |
| [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | Explains the benefits of using Delivery Optimization or BranchCache for update distribution. |
| [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) | Explains how to use Windows Update for Business to manage when devices receive updates directly from Windows Update. Includes walkthroughs for configuring Windows Update for Business using Group Policy and Microsoft Intune. |
| [Deploy Windows 10 updates using Windows Server Update Services (WSUS)](waas-manage-updates-wsus.md) | Explains how to use WSUS to manage Windows 10 updates. |
-| [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) | Explains how to use Configuration Manager to manage Windows 10 updates. |
+| [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) | Explains how to use Configuration Manager to manage Windows 10 updates. |
| [Manage device restarts after updates](waas-restart.md) | Explains how to manage update related device restarts. |
| [Manage additional Windows Update settings](waas-wu-settings.md) | Provides details about settings available to control and configure Windows Update |
-| [Windows Insider Program for Business](waas-windows-insider-for-business.md) | Explains how the Windows Insider Program for Business works and how to become an insider. |
+| [Windows Insider Program for Business](/windows-insider/at-work-pro/wip-4-biz-get-started) | Explains how the Windows Insider Program for Business works and how to become an insider. |
>[!TIP]
>Windows servicing is changing, but for disaster recovery scenarios and bare-metal deployments of Windows 10, you still can use traditional imaging software such as Microsoft Endpoint Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows 10 images is similar to deploying previous versions of Windows.
->With each release of a new feature update for CB, Microsoft makes available new .iso files for use in updating your custom images. Each Windows 10 build has a finite servicing lifetime, so it’s important that images stay up to date with the latest build. For detailed information about how to deploy Windows 10 to bare-metal machines or to upgrade to Windows 10 from previous builds of Windows, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). Additionally, Windows 10 clients can move from any supported version of Windows 10 (i.e. Version 1511) to the latest version directly (i.e 1709).
-
+>With each release of a new feature update for CB, Microsoft makes available new .iso files for use in updating your custom images. Each Windows 10 build has a finite servicing lifetime, so it’s important that images stay up to date with the latest build. For detailed information about how to deploy Windows 10 to bare-metal machines or to upgrade to Windows 10 from previous builds of Windows, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). Additionally, Windows 10 clients can move from any supported version of Windows 10 (i.e. Version 1511) to the latest version directly (i.e 1709).
\ No newline at end of file
diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md
index 1f7465c2ff..34ef7cc00f 100644
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@@ -82,7 +82,7 @@ This table shows the correct sequence for applying the various tasks to the file
|Export image | 8 | 17 | 25 |
> [!NOTE]
-> Starting in February 2021, the latest cumulative update and servicing stack update will be combined and distributed in the Microsoft Update Catalog as a new combined cumulative update. For Steps 1, 9, and 18 that require the servicing stack update for updating the installation media, you should use the combined cumulative update. For more information on the combined cumulative update, see [Servicing stack updates](https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates).
+> Starting in February 2021, the latest cumulative update and servicing stack update will be combined and distributed in the Microsoft Update Catalog as a new combined cumulative update. For Steps 1, 9, and 18 that require the servicing stack update for updating the installation media, you should use the combined cumulative update. For more information on the combined cumulative update, see [Servicing stack updates](./servicing-stack-updates.md).
### Multiple Windows editions
@@ -349,7 +349,7 @@ Move-Item -Path $WORKING_PATH"\boot2.wim" -Destination $MEDIA_NEW_PATH"\sources\
### Update the main operating system
-For this next phase, there is no need to mount the main operating system, since it was already mounted in the previous scripts. This script starts by applying the servicing stack Dynamic Update. Then, it adds Japanese language support and then the Japanese language features. Unlike the Dynamic Update packages, it leverages `Add-WindowsCapability` to add these features. For a full list of such features, and their associated capability name, see [Available Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod).
+For this next phase, there is no need to mount the main operating system, since it was already mounted in the previous scripts. This script starts by applying the servicing stack Dynamic Update. Then, it adds Japanese language support and then the Japanese language features. Unlike the Dynamic Update packages, it leverages `Add-WindowsCapability` to add these features. For a full list of such features, and their associated capability name, see [Available Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod).
Now is the time to enable other Optional Components or add other Features on Demand. If such a feature has an associated cumulative update (for example, .NET), this is the time to apply those. The script then proceeds with applying the latest cumulative update. Finally, the script cleans and exports the image.
@@ -456,4 +456,4 @@ Dismount-DiskImage -ImagePath $LP_ISO_PATH -ErrorAction stop | Out-Null
Dismount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Out-Null
Write-Output "$(Get-TS): Media refresh completed!"
-```
+```
\ No newline at end of file
diff --git a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md
index 8997b5e4f9..e232d88043 100644
--- a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md
+++ b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md
@@ -51,7 +51,7 @@ Choose one of the following two enrollment options:
### Set up an Azure Active Directory-REGISTERED Windows 10 device
-This is the Bring Your Own Device (BYOD) method--your device will receive Olympia policies and features, but a new account will not be created. See [Set up Azure Active Directory registered Windows 10 devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-registered-devices-windows10-setup) for additional information.
+This is the Bring Your Own Device (BYOD) method--your device will receive Olympia policies and features, but a new account will not be created. See [Set up Azure Active Directory registered Windows 10 devices](/azure/active-directory/device-management-azuread-registered-devices-windows10-setup) for additional information.
1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your device (see [local administrator](https://support.microsoft.com/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)).
@@ -87,10 +87,10 @@ This is the Bring Your Own Device (BYOD) method--your device will receive Olympi
### Set up Azure Active Directory-JOINED Windows 10 device
-- This method will upgrade your Windows 10 Pro license to Enterprise and create a new account. See [Set up Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-joined-devices-setup) for more information.
+- This method will upgrade your Windows 10 Pro license to Enterprise and create a new account. See [Set up Azure Active Directory joined devices](/azure/active-directory/device-management-azuread-joined-devices-setup) for more information.
> [!NOTE]
- > Make sure that you save your Pro license key before upgrading to the Enterprise edition. If the device gets disconnected from Olympia, you can use the Pro key to reactivate the license manually in the unlikely event that the license fails to downgrade back to Pro automatically. To reactivate manually, see [Upgrade by manually entering a product key](https://docs.microsoft.com/windows/deployment/upgrade/windows-10-edition-upgrades#upgrade-by-manually-entering-a-product-key).
+ > Make sure that you save your Pro license key before upgrading to the Enterprise edition. If the device gets disconnected from Olympia, you can use the Pro key to reactivate the license manually in the unlikely event that the license fails to downgrade back to Pro automatically. To reactivate manually, see [Upgrade by manually entering a product key](../../upgrade/windows-10-edition-upgrades.md#upgrade-by-manually-entering-a-product-key).
1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your device (see [local administrator](https://support.microsoft.com/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)).
@@ -133,5 +133,4 @@ This is the Bring Your Own Device (BYOD) method--your device will receive Olympi
13. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**.
>[!NOTE]
-> Your Windows 10 Enterprise license will not be renewed if your device is not connected to Olympia.
-
+> Your Windows 10 Enterprise license will not be renewed if your device is not connected to Olympia.
\ No newline at end of file
diff --git a/windows/deployment/update/optional-content.md b/windows/deployment/update/optional-content.md
index 607c9114e4..addb9d4952 100644
--- a/windows/deployment/update/optional-content.md
+++ b/windows/deployment/update/optional-content.md
@@ -84,7 +84,7 @@ If you’re not ready to move to Windows Update, another option is to enable Dyn
- Latest cumulative update: Installs the latest cumulative quality update.
- Driver updates: Latest version of applicable drivers that have already been published by manufacturers into Windows Update and meant specifically for Dynamic Update.
-In addition to these updates for the new operating system, Dynamic Update will acquire optional content during the update process to ensure that the device has this content present when the update completes. So, although the device is not connected to Windows Update, it will fetch content from a nearby Microsoft content download network (CDN). This addresses the first pain point with optional content, but not user-initiated acquisition. By default, [Dynamic Update](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#dynamicupdate) is enabled by Windows 10 Setup. You can enable or disable Dynamic Update by using the /DynamicUpdate option in Windows Setup. If you use the servicing-based approach, you can set this with setupconfig.ini. See [Windows Setup Automation Overview](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-automation-overview) for details.
+In addition to these updates for the new operating system, Dynamic Update will acquire optional content during the update process to ensure that the device has this content present when the update completes. So, although the device is not connected to Windows Update, it will fetch content from a nearby Microsoft content download network (CDN). This addresses the first pain point with optional content, but not user-initiated acquisition. By default, [Dynamic Update](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#dynamicupdate) is enabled by Windows 10 Setup. You can enable or disable Dynamic Update by using the /DynamicUpdate option in Windows Setup. If you use the servicing-based approach, you can set this with setupconfig.ini. See [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) for details.
Starting in Windows 10, version 2004, Dynamic Update can be configured with additional options. For example, you might want to have the benefits of optional content migration without automatically acquiring the latest quality update. You can do that with the /DynamicUpdate NoLCU option of Windows Setup. Afterward, you would separately follow your existing process for testing and approving monthly updates. The downside of this approach is the device will go through an additional reboot for the latest cumulative update since it was not available during the feature update.
@@ -109,7 +109,7 @@ The benefit of this option is that the Windows image can include those additiona
### Option 4: Install language features during deployment
-A partial solution to address the first pain point of failing to migrate optional content during upgrade is to inject a subset of optional content during the upgrade process. This approach uses the Windows 10 Setup option [/InstallLangPacks](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#installlangpacks) to add Language Packs and language capabilities such as text-to-speech recognition from a folder that contains the packages. This approach lets an IT pro take a subset of optional content and stage them within their network. If you use the servicing-based approach, you can configure InstallLangPacks using setupconfig.ini. See [Windows Setup Automation Overview](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-automation-overview) for details.
+A partial solution to address the first pain point of failing to migrate optional content during upgrade is to inject a subset of optional content during the upgrade process. This approach uses the Windows 10 Setup option [/InstallLangPacks](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#installlangpacks) to add Language Packs and language capabilities such as text-to-speech recognition from a folder that contains the packages. This approach lets an IT pro take a subset of optional content and stage them within their network. If you use the servicing-based approach, you can configure InstallLangPacks using setupconfig.ini. See [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) for details.
When Setup runs, it will inject these packages into the new operating system during installation. This means it can be an alternative to enabling Dynamic Update or customizing the operating system image before deployment. You must take care with this approach, because the packages cannot be renamed. Further, the content is coming from two separate release media ISOs. The key is to copy both the FOD packages and the FOD metadata .cab from the FOD ISO into the folder, as well as the architecture-specific Language Pack .cabs from the LPLIP ISO. Also, starting with Windows 10, version 1903, the behavior changed. In Windows 10, version 1809 and earlier, failure to install the packages wasn’t a fatal error. Starting with Windows 10, version 1903, we treat InstallLangPacks failures as fatal, and roll back the entire upgrade. The idea is to not leave the user in a bad state since media-based upgrades don’t migrate FOD and languages (unless Dynamic Update is enabled).
@@ -117,7 +117,7 @@ This approach has some interesting benefits. The original Windows image doesn’
### Option 5: Install optional content after deployment
-This option is like Option 3 in that you customize the operating system image with additional optional content after it’s deployed. IT pros can extend the behavior of Windows Setup by running their own custom action scripts during and after a feature update. See [Run custom actions during feature update](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) for details. With this approach, you can create a device-specific migration of optional content by capturing the optional content that is installed in the operating system, and then saving this list to install the same optional content in the new operating system. Like Option 4, you would internally host a network share that contains the source of the optional content packages. Then, during the execution of Setup on the device, capture the list of installed optional content from the source operating system and save. Later, after Setup completes, you use the list to install the optional content, which leaves the user’s device without loss of functionality.
+This option is like Option 3 in that you customize the operating system image with additional optional content after it’s deployed. IT pros can extend the behavior of Windows Setup by running their own custom action scripts during and after a feature update. See [Run custom actions during feature update](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) for details. With this approach, you can create a device-specific migration of optional content by capturing the optional content that is installed in the operating system, and then saving this list to install the same optional content in the new operating system. Like Option 4, you would internally host a network share that contains the source of the optional content packages. Then, during the execution of Setup on the device, capture the list of installed optional content from the source operating system and save. Later, after Setup completes, you use the list to install the optional content, which leaves the user’s device without loss of functionality.
### Option 6: Configure an alternative source for optional content
@@ -127,22 +127,22 @@ Several of the options address ways to address optional content migration issues
- This setting does not support installing language packs from Alternate source file path, only Features on Demand. If the policy is configured to acquire content from Windows Update, language packs will be acquired.
- If this setting is not configured or disabled, files will be downloaded from the default Windows Update location, for example Windows Update for Business or WSUS).
-See [Configure a Windows Repair Source](https://docs.microsoft.com/windows-hardware/manufacture/desktop/configure-a-windows-repair-source) for more information.
+See [Configure a Windows Repair Source](/windows-hardware/manufacture/desktop/configure-a-windows-repair-source) for more information.
## Learn more
For more information about the Unified Update Platform and the approaches outlined in this article, see the following resources:
-- [/InstallLangPacks](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#installlangpacks)
-- [/DynamicUpdate](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#dynamicupdate)
-- [Configure a Windows Repair Source](https://docs.microsoft.com/windows-hardware/manufacture/desktop/configure-a-windows-repair-source)
+- [/InstallLangPacks](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#installlangpacks)
+- [/DynamicUpdate](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#dynamicupdate)
+- [Configure a Windows Repair Source](/windows-hardware/manufacture/desktop/configure-a-windows-repair-source)
- [Ignite 2019 theater session THR3073](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR3073)
- [Ignite 2019 theater session THR4002](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR4002)
-- [Run custom actions during feature update](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions)
+- [Run custom actions during feature update](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions)
- [Unified Update Platform](https://blogs.windows.com/windowsexperience/2016/11/03/introducing-unified-update-platform-uup/)
- [Updating Windows 10 media with Dynamic Update packages](media-dynamic-update.md)
-- [Windows Setup Automation Overview](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-automation-overview)
+- [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview)
## Sample scripts
diff --git a/windows/deployment/update/plan-determine-app-readiness.md b/windows/deployment/update/plan-determine-app-readiness.md
index 82ecea00a3..0bb65d7087 100644
--- a/windows/deployment/update/plan-determine-app-readiness.md
+++ b/windows/deployment/update/plan-determine-app-readiness.md
@@ -72,4 +72,4 @@ Desktop Analytics can make all of the tasks discussed in this article significan
- Automatically apply your app classifications (critical, important, not important)
- Automatically identify application compatibility risks and provide recommendations for reducing those risks
-For more information, see [What is Desktop Analytics?](https://docs.microsoft.com/mem/configmgr/desktop-analytics/overview)
+For more information, see [What is Desktop Analytics?](/mem/configmgr/desktop-analytics/overview)
\ No newline at end of file
diff --git a/windows/deployment/update/prepare-deploy-windows.md b/windows/deployment/update/prepare-deploy-windows.md
index 19c0a83aa5..4da49340aa 100644
--- a/windows/deployment/update/prepare-deploy-windows.md
+++ b/windows/deployment/update/prepare-deploy-windows.md
@@ -114,7 +114,7 @@ Ensure that devices can reach necessary Windows Update endpoints through the fir
> [!NOTE]
> Be sure not to use HTTPS for those endpoints that specify HTTP, and vice versa. The connection will fail.
-The specific endpoints can vary between Windows 10 versions. See, for example, [Windows 10 2004 Enterprise connection endpoints](https://docs.microsoft.com/windows/privacy/manage-windows-2004-endpoints). Similar articles for other Windows 10 versions are available in the table of contents nearby.
+The specific endpoints can vary between Windows 10 versions. See, for example, [Windows 10 2004 Enterprise connection endpoints](/windows/privacy/manage-windows-2004-endpoints). Similar articles for other Windows 10 versions are available in the table of contents nearby.
### Optimize download bandwidth
@@ -139,9 +139,9 @@ You can also create and run scripts to perform additional cleanup actions on dev
- Compact the operating system by running **Compact.exe /CompactOS:always**.
-- Remove Windows Features on Demand that the user doesn't need. See [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) for more guidance.
+- Remove Windows Features on Demand that the user doesn't need. See [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) for more guidance.
-- Move Windows Known Folders to OneDrive. See [Use Group Policy to control OneDrive sync settings](https://docs.microsoft.com/onedrive/use-group-policy) for more information.
+- Move Windows Known Folders to OneDrive. See [Use Group Policy to control OneDrive sync settings](/onedrive/use-group-policy) for more information.
- Clean up the Software Distribution folder. Try deploying these commands as a batch file to run on devices to reset the download state of Windows Updates:
@@ -182,6 +182,4 @@ You can employ a variety of measures to achieve this goal, for example:
- Send personalized emails to users about the update with specific details.
- Set an opt-out deadline for employees that need to remain on the current version for a bit longer, due to a business need.
- Provide the ability to voluntarily update at users’ convenience.
-- Inform users of a mandatory installation date when the update will be installed on all devices.
-
-
+- Inform users of a mandatory installation date when the update will be installed on all devices.
\ No newline at end of file
diff --git a/windows/deployment/update/safeguard-holds.md b/windows/deployment/update/safeguard-holds.md
index 003834c35c..ee1853ad2f 100644
--- a/windows/deployment/update/safeguard-holds.md
+++ b/windows/deployment/update/safeguard-holds.md
@@ -25,7 +25,7 @@ Safeguard holds only affect devices that use the Window Update service for updat
IT admins can use [Update Compliance](update-compliance-feature-update-status.md#safeguard-holds) to monitor various update health metrics for devices in their organization, including ones affected by a safeguard hold that prevents them from updating to a newer operating system version.
-Queries identify Safeguard IDs for each affected device, giving IT admins a detailed view into the various protections extended to devices. Safeguard IDs for publicly discussed known issues are also included in the [Windows release health](https://aka.ms/windowsreleasehealth) dashboard, where you can easily find information related to publicly available safeguards.
+Queries identify Safeguard IDs for each affected device, giving IT admins a detailed view into the various protections extended to devices. Safeguard IDs for publicly discussed known issues are also included in the [Windows release health](/windows/release-health/) dashboard, where you can easily find information related to publicly available safeguards.
On devices that use Windows Update (but not Windows Update for Business), the **Windows Update** page in the Settings app displays a message stating that an update is on its way, but not ready for the device. Instead of the option to download and install the update, users will see this message:
@@ -41,4 +41,4 @@ We recommend that you do not attempt to manually update until issues have been r
> [!CAUTION]
> Opting out of a safeguard hold can put devices at risk from known performance issues. We strongly recommend that you complete robust testing to ensure the impact is acceptable before opting out.
-With that in mind, IT admins who stay informed with [Update Compliance](update-compliance-feature-update-status.md#safeguard-holds) and the [Windows release health](https://aka.ms/windowsreleasehealth) dashboard can choose to temporarily [opt-out of the protection of all safeguard holds](safeguard-opt-out.md) and allow an update to proceed. We recommend opting out only in an IT environment and for validation purposes. If you do opt out of a hold, this condition is temporary. Once an update is complete, the protection of safeguard holds is reinstated automatically.
+With that in mind, IT admins who stay informed with [Update Compliance](update-compliance-feature-update-status.md#safeguard-holds) and the [Windows release health](/windows/release-health/) dashboard can choose to temporarily [opt-out of the protection of all safeguard holds](safeguard-opt-out.md) and allow an update to proceed. We recommend opting out only in an IT environment and for validation purposes. If you do opt out of a hold, this condition is temporary. Once an update is complete, the protection of safeguard holds is reinstated automatically.
\ No newline at end of file
diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md
index b22ca9e870..6b9563437a 100644
--- a/windows/deployment/update/servicing-stack-updates.md
+++ b/windows/deployment/update/servicing-stack-updates.md
@@ -53,7 +53,7 @@ Typically, the improvements are reliability and performance improvements that do
* Servicing stack updates contain the full servicing stack; as a result, typically administrators only need to install the latest servicing stack update for the operating system.
* Installing servicing stack update does not require restarting the device, so installation should not be disruptive.
* Servicing stack update releases are specific to the operating system version (build number), much like quality updates.
-* Search to install latest available [Servicing stack update for Windows 10](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001).
+* Servicing stack updates can be delivered with Windows Update, or you can perform a search to install the latest available at [Servicing stack update for Windows 10](https://portal.msrc.microsoft.com/security-guidance/advisory/ADV990001).
* Once a servicing stack update is installed, it cannot be removed or uninstalled from the machine.
## Simplifying on-premises deployment of servicing stack updates
diff --git a/windows/deployment/update/update-compliance-configuration-manual.md b/windows/deployment/update/update-compliance-configuration-manual.md
index b96d2edfd6..8618bd7116 100644
--- a/windows/deployment/update/update-compliance-configuration-manual.md
+++ b/windows/deployment/update/update-compliance-configuration-manual.md
@@ -31,7 +31,7 @@ The requirements are separated into different categories:
> [!NOTE]
> Windows 10 MDM and Group Policies are backed by registry keys. It is not recommended you set these registry keys directly for configuration as it can lead to unexpected behavior, so the exact registry key locations are not provided, though they are referenced for troubleshooting configuration issues with the [Update Compliance Configuration Script](update-compliance-configuration-script.md).
-Update Compliance has a number of policies that must be appropriately configured in order for devices to be processed by Microsoft and visible in Update Compliance. They are enumerated below, separated by whether the policies will be configured via [Mobile Device Management](https://docs.microsoft.com/windows/client-management/mdm/) (MDM) or Group Policy. For both tables:
+Update Compliance has a number of policies that must be appropriately configured in order for devices to be processed by Microsoft and visible in Update Compliance. They are enumerated below, separated by whether the policies will be configured via [Mobile Device Management](/windows/client-management/mdm/) (MDM) or Group Policy. For both tables:
- **Policy** corresponds to the location and name of the policy.
- **Value** Indicates what value the policy must be set to. Update Compliance requires *at least* Basic (or Required) diagnostic data, but can function off Enhanced or Full (or Optional).
@@ -43,13 +43,13 @@ Each MDM Policy links to its documentation in the CSP hierarchy, providing its e
| Policy | Value | Function |
|---------------------------|-|------------------------------------------------------------|
-|**Provider/*ProviderID*/**[**CommercialID**](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp#provider-providerid-commercialid) |[Your CommercialID](update-compliance-get-started.md#get-your-commercialid) |Identifies the device as belonging to your organization. |
-|**System/**[**AllowTelemetry**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) | 1- Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. For more information, see the following policy. |
-|**System/**[**ConfigureTelemetryOptInSettingsUx**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) | 1 - Disable Telemetry opt-in Settings | (in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy or the effective diagnostic data level on devices might not be sufficient. |
-|**System/**[**AllowDeviceNameInDiagnosticData**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) | 1 - Allowed | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or set to 0 (Disabled), Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. |
+|**Provider/*ProviderID*/**[**CommercialID**](/windows/client-management/mdm/dmclient-csp#provider-providerid-commercialid) |[Your CommercialID](update-compliance-get-started.md#get-your-commercialid) |Identifies the device as belonging to your organization. |
+|**System/**[**AllowTelemetry**](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) | 1- Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. For more information, see the following policy. |
+|**System/**[**ConfigureTelemetryOptInSettingsUx**](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) | 1 - Disable Telemetry opt-in Settings | (in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy or the effective diagnostic data level on devices might not be sufficient. |
+|**System/**[**AllowDeviceNameInDiagnosticData**](/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) | 1 - Allowed | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or set to 0 (Disabled), Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. |
> [!NOTE]
-> If you use Microsoft Intune, set the **ProviderID** to *MS DM Server*. If you use another MDM product, check with its vendor. See also [DMClient CSP](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp).
+> If you use Microsoft Intune, set the **ProviderID** to *MS DM Server*. If you use another MDM product, check with its vendor. See also [DMClient CSP](/windows/client-management/mdm/dmclient-csp).
### Group Policies
@@ -89,4 +89,4 @@ A full Census sync adds a new registry value to Census's path. When this registr
1. For every device you are manually configuring for Update Compliance, add or modify the registry key located at **HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Census** to include a new **DWORD value** named **FullSync** and set to **1**.
2. Run Devicecensus.exe with administrator privileges on every device. Devicecensus.exe is in the System32 folder. No additional run parameters are required.
-3. After Devicecensus.exe has run, the **FullSync** registry value can be removed or set to **0**.
+3. After Devicecensus.exe has run, the **FullSync** registry value can be removed or set to **0**.
\ No newline at end of file
diff --git a/windows/deployment/update/update-compliance-configuration-script.md b/windows/deployment/update/update-compliance-configuration-script.md
index f5f19921c9..c64828cc34 100644
--- a/windows/deployment/update/update-compliance-configuration-script.md
+++ b/windows/deployment/update/update-compliance-configuration-script.md
@@ -40,7 +40,7 @@ The script is organized into two folders **Pilot** and **Deployment**. Both fold
> If you encounter an issue with Update Compliance, the first step should be to run the script in Pilot mode on a device you are encountering issues with, and save these Logs for reference with Support.
> [!IMPORTANT]
-> The script must be run in the System context. To do this, use the PsExec tool included in the file. For more about PsExec, see [PsExec](https://docs.microsoft.com/sysinternals/downloads/psexec).
+> The script must be run in the System context. To do this, use the PsExec tool included in the file. For more about PsExec, see [PsExec](/sysinternals/downloads/psexec).
When using the script in the context of troubleshooting, use `Pilot`. Enter `RunConfig.bat`, and configure it as follows:
@@ -104,4 +104,4 @@ After verifying on a set of devices in a specific environment that everything is
| 51 | Unexpected exception when attempting to run Census.exe|
| 34 | Unexpected exception when attempting to check Proxy settings.|
| 30 | Unable to disable Enterprise Auth Proxy. This registry value must be 0 for UTC to operate in an authenticated proxy environment.|
-| 35 | Unexpected exception when checking User Proxy.|
+| 35 | Unexpected exception when checking User Proxy.|
\ No newline at end of file
diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md
index 32cf41ab89..9bd21c5fd2 100644
--- a/windows/deployment/update/update-compliance-get-started.md
+++ b/windows/deployment/update/update-compliance-get-started.md
@@ -21,7 +21,7 @@ This topic introduces the high-level steps required to enroll to the Update Comp
1. Ensure you can [meet the requirements](#update-compliance-prerequisites) to use Update Compliance.
2. [Add Update Compliance](#add-update-compliance-to-your-azure-subscription) to your Azure subscription.
-3. [Configure devices](#enroll-devices-in-update-compliance) to send data to Update Compliance.
+3. [Configure devices](#enroll-devices-in-update-compliance) to send data to Update Compliance.
After adding the solution to Azure and configuring devices, there will be a waiting period of up to 72 hours before you can begin to see devices in the solution. Before or as devices appear, you can learn how to [Use Update Compliance](update-compliance-using.md) to monitor Windows Updates and Delivery Optimization.
@@ -29,7 +29,7 @@ After adding the solution to Azure and configuring devices, there will be a wait
Before you begin the process to add Update Compliance to your Azure subscription, first ensure you can meet the prerequisites:
-1. **Compatible Operating Systems and Editions**: Update Compliance works only with Windows 10 Professional, Education, and Enterprise editions. Update Compliance supports both the typical Windows 10 Enterprise edition, as well as [Windows 10 Enterprise multi-session](https://docs.microsoft.com/azure/virtual-desktop/windows-10-multisession-faq). Update Compliance only provides data for the standard Desktop Windows 10 version and is not currently compatible with Windows Server, Surface Hub, IoT, etc.
+1. **Compatible Operating Systems and Editions**: Update Compliance works only with Windows 10 Professional, Education, and Enterprise editions. Update Compliance supports both the typical Windows 10 Enterprise edition, as well as [Windows 10 Enterprise multi-session](/azure/virtual-desktop/windows-10-multisession-faq). Update Compliance only provides data for the standard Desktop Windows 10 version and is not currently compatible with Windows Server, Surface Hub, IoT, etc.
2. **Compatible Windows 10 Servicing Channels**: Update Compliance supports Windows 10 devices on the Semi-Annual Channel (SAC) and the Long-term Servicing Channel (LTSC). Update Compliance *counts* Windows Insider Preview (WIP) devices, but does not currently provide detailed deployment insights for them.
3. **Diagnostic data requirements**: Update Compliance requires devices be configured to send diagnostic data at *Required* level (previously *Basic*). To learn more about what's included in different diagnostic levels, see [Diagnostics, feedback, and privacy in Windows 10](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy).
4. **Data transmission requirements**: Devices must be able to contact specific endpoints required to authenticate and send diagnostic data. These are enumerated in detail at [Configuring Devices for Update Compliance manually](update-compliance-configuration-manual.md).
@@ -37,17 +37,47 @@ Before you begin the process to add Update Compliance to your Azure subscription
## Add Update Compliance to your Azure subscription
-Update Compliance is offered as an Azure Marketplace application which is linked to a new or existing [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal) workspace within your Azure subscription. To configure this, follow these steps:
+Update Compliance is offered as an Azure Marketplace application which is linked to a new or existing [Azure Log Analytics](/azure/log-analytics/query-language/get-started-analytics-portal) workspace within your Azure subscription. To configure this, follow these steps:
1. Go to the [Update Compliance page in the Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/Microsoft.WaaSUpdateInsights?tab=Overview). You may need to login to your Azure subscription to access this.
2. Select **Get it now**.
-3. Choose an existing or configure a new Log Analytics Workspace. While an Azure subscription is required, you will not be charged for ingestion of Update Compliance data.
- - [Desktop Analytics](https://docs.microsoft.com/sccm/desktop-analytics/overview) customers are advised to use the same workspace for Update Compliance.
- - [Azure Update Management](https://docs.microsoft.com/azure/automation/automation-update-management) customers are advised to use the same workspace for Update Compliance.
-4. After your workspace is configured and selected, select **Create**. You will receive a notification when the solution has been successfully created.
+3. Choose an existing or configure a new Log Analytics Workspace, ensuring it is in a **Compatible Log Analytics region** from the following table. Although an Azure subscription is required, you won't be charged for ingestion of Update Compliance data.
+ - [Desktop Analytics](/sccm/desktop-analytics/overview) users should use the same workspace for Update Compliance.
+ - [Azure Update Management](/azure/automation/automation-intro#update-management) users should use the same workspace for Update Compliance.
+4. After your workspace is configured and selected, select **Create**. You'll receive a notification when the solution has been successfully created.
+
+|Compatible Log Analytics regions |
+| ------------------------------- |
+|Australia Central |
+|Australia East |
+|Australia Southeast |
+|Brazil South |
+|Canada Central |
+|Central India |
+|Central US |
+|East Asia |
+|East US |
+|East US 2 |
+|Eastus2euap(canary) |
+|France Central |
+|Japan East |
+|Korea Central |
+|North Central US |
+|North Europe |
+|South Africa North |
+|South Central US |
+|Southeast Asia |
+|Switzerland North |
+|Switzerland West |
+|UK West |
+|UK south |
+|West Central US |
+|West Europe |
+|West US |
+|West US 2 |
> [!NOTE]
-> It is not currently supported to programmatically enroll to Update Compliance via the [Azure CLI](https://docs.microsoft.com/cli/azure) or otherwise. You must manually add Update Compliance to your Azure subscription.
+> It is not currently supported to programmatically enroll to Update Compliance via the [Azure CLI](/cli/azure) or otherwise. You must manually add Update Compliance to your Azure subscription.
### Get your CommercialID
@@ -67,7 +97,7 @@ To find your CommercialID within Azure:
Once you've added Update Compliance to a workspace in your Azure subscription, you'll need to configure any devices you want to monitor. There are two ways to configure devices to use Update Compliance. After you configure devices, it can take up to 72 hours before devices are visible in the solution. Until then, Update Compliance will indicate it is still assessing devices.
> [!NOTE]
-> If you use or plan to use [Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/overview), follow the steps in [Enroll devices in Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/enroll-devices) to also enroll devices in Update Compliance. You should be aware that the Commercial ID and Log Analytics workspace must be the same for both Desktop Analytics and Update Compliance.
+> If you use or plan to use [Desktop Analytics](/mem/configmgr/desktop-analytics/overview), follow the steps in [Enroll devices in Desktop Analytics](/mem/configmgr/desktop-analytics/enroll-devices) to also enroll devices in Update Compliance. You should be aware that the Commercial ID and Log Analytics workspace must be the same for both Desktop Analytics and Update Compliance.
### Configure devices using the Update Compliance Configuration Script
diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md
index 14008cd234..f3b292274c 100644
--- a/windows/deployment/update/update-compliance-monitor.md
+++ b/windows/deployment/update/update-compliance-monitor.md
@@ -28,7 +28,7 @@ Update Compliance enables organizations to:
Update Compliance is offered through the Azure portal, and is included as part of Windows 10 licenses listed in the [prerequisites](update-compliance-get-started.md#update-compliance-prerequisites). Azure Log Analytics ingestion and retention charges are not incurred on your Azure subscription for Update Compliance data.
-Update Compliance uses Windows 10 diagnostic data for all of its reporting. It collects system data including update deployment progress, [Windows Update for Business](waas-manage-updates-wufb.md) configuration data, and Delivery Optimization usage data, and then sends this data to a customer-owned [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal) workspace to power the experience.
+Update Compliance uses Windows 10 diagnostic data for all of its reporting. It collects system data including update deployment progress, [Windows Update for Business](waas-manage-updates-wufb.md) configuration data, and Delivery Optimization usage data, and then sends this data to a customer-owned [Azure Log Analytics](/azure/log-analytics/query-language/get-started-analytics-portal) workspace to power the experience.
See the following topics in this guide for detailed information about configuring and using the Update Compliance solution:
@@ -39,4 +39,4 @@ See the following topics in this guide for detailed information about configurin
* [Get started with Update Compliance](update-compliance-get-started.md)
* [Use Update Compliance to monitor Windows Updates](update-compliance-using.md)
-* [Update Compliance Schema Reference](update-compliance-schema.md)
+* [Update Compliance Schema Reference](update-compliance-schema.md)
\ No newline at end of file
diff --git a/windows/deployment/update/update-compliance-need-attention.md b/windows/deployment/update/update-compliance-need-attention.md
index 6a441b08d7..514d07419f 100644
--- a/windows/deployment/update/update-compliance-need-attention.md
+++ b/windows/deployment/update/update-compliance-need-attention.md
@@ -36,11 +36,11 @@ The different issues are broken down by Device Issues and Update Issues:
* **Uninstalled**: This issue occurs when a feature update is uninstalled from a device by a user or an administrator. Note that this might not be a problem if the uninstallation was intentional, but is highlighted as it might need attention.
* **Progress stalled:** This issue occurs when an update is in progress, but has not completed over a period of 7 days.
-Selecting any of the issues will take you to a [Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal) view with all devices that have the given issue.
+Selecting any of the issues will take you to a [Log Analytics](/azure/log-analytics/query-language/get-started-analytics-portal) view with all devices that have the given issue.
> [!NOTE]
-> This blade also has a link to the [Setup Diagnostic Tool](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag), a standalone tool you can use to obtain details about why a Windows 10 feature update was unsuccessful.
+> This blade also has a link to the [Setup Diagnostic Tool](../upgrade/setupdiag.md), a standalone tool you can use to obtain details about why a Windows 10 feature update was unsuccessful.
## List of Queries
-The **List of Queries** blade is in the **Needs Attention** section of Update Compliance. This blade contains a list of queries with a description and a link to the query. These queries contain important meta-information that did not fit within any specific section or were listed to serve as a good starting point for modification into custom queries.
+The **List of Queries** blade is in the **Needs Attention** section of Update Compliance. This blade contains a list of queries with a description and a link to the query. These queries contain important meta-information that did not fit within any specific section or were listed to serve as a good starting point for modification into custom queries.
\ No newline at end of file
diff --git a/windows/deployment/update/update-compliance-privacy.md b/windows/deployment/update/update-compliance-privacy.md
index a455261f8c..e76bb6ad6e 100644
--- a/windows/deployment/update/update-compliance-privacy.md
+++ b/windows/deployment/update/update-compliance-privacy.md
@@ -18,7 +18,7 @@ ms.topic: article
Update Compliance is fully committed to privacy, centering on these tenets:
-- **Transparency:** Windows 10 diagnostic data events that are required for Update Compliance's operation are fully documented (see the links for additional information) so you can review them with your company's security and compliance teams. The Diagnostic Data Viewer lets you see diagnostic data sent from a given device (see [Diagnostic Data Viewer Overview](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview) for details).
+- **Transparency:** Windows 10 diagnostic data events that are required for Update Compliance's operation are fully documented (see the links for additional information) so you can review them with your company's security and compliance teams. The Diagnostic Data Viewer lets you see diagnostic data sent from a given device (see [Diagnostic Data Viewer Overview](/windows/configuration/diagnostic-data-viewer-overview) for details).
- **Control:** You ultimately control the level of diagnostic data you wish to share. In Windows 10, version 1709 we added a new policy to Limit enhanced diagnostic data to the minimum required by Windows Analytics.
- **Security:** Your data is protected with strong security and encryption.
- **Trust:** Update Compliance supports the Online Services Terms.
@@ -47,9 +47,9 @@ Yes for Azure Log Analytics, but no for the Microsoft Data Management Service (w
See related topics for additional background information on privacy and treatment of diagnostic data:
-- [Windows 10 and the GDPR for IT Decision Makers](https://docs.microsoft.com/windows/privacy/gdpr-it-guidance)
-- [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization)
-- [Diagnostic Data Viewer Overview](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview)
+- [Windows 10 and the GDPR for IT Decision Makers](/windows/privacy/gdpr-it-guidance)
+- [Configure Windows diagnostic data in your organization](/windows/configuration/configure-windows-diagnostic-data-in-your-organization)
+- [Diagnostic Data Viewer Overview](/windows/configuration/diagnostic-data-viewer-overview)
- [Licensing Terms and Documentation](https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=31)
- [Confidence in the trusted cloud](https://azure.microsoft.com/support/trust-center/)
-- [Trust Center](https://www.microsoft.com/trustcenter)
+- [Trust Center](https://www.microsoft.com/trustcenter)
\ No newline at end of file
diff --git a/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md b/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md
index b5fe054a3e..9f0ddd10ef 100644
--- a/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md
+++ b/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md
@@ -16,31 +16,31 @@ ms.topic: article
# WaaSDeploymentStatus
-WaaSDeploymentStatus records track a specific update's installation progress on a specific device. Multiple WaaSDeploymentStatus records can exist simultaneously for a given device, as each record is specific to a given update and its type. For example, a device can have both a WaaSDeploymentStatus tracking a Windows Feature Update, as well as one tracking a Windows Quality Update, at the same time.
+WaaSDeploymentStatus records track a specific update's installation progress on a specific device. Multiple WaaSDeploymentStatus records can exist simultaneously for a given device, as each record is specific to a given update and its type. For example, a device can have both a WaaSDeploymentStatus tracking a Windows Feature Update, and one tracking a Windows Quality Update, at the same time.
|Field |Type |Example |Description |
|-|-|-----|------------------------|
-|**Computer** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`JohnPC-Contoso` |User or Organization-provided device name. If this appears as '#', then Device Name may not be sent through telemetry. To enable Device Name to be sent with telemetry, see [Enabling Device Name in Telemetry](https://docs.microsoft.com/windows/deployment/update/update-compliance-get-started#allow-device-name-in-telemetry-with-group-policy). |
-|**ComputerID** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`g:6755412281299915` |Microsoft Global Device Identifier. This is an internal identifier used by Microsoft. A connection to the end-user Managed Service Account (MSA) service is required for this identifier to be populated; no device data will be present in Update Compliance without this identifier. |
-|**DeferralDays** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`0` |The deferral policy for this content type or `UpdateCategory` (Windows `Feature` or `Quality`). |
-|**DeploymentError** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Disk Error` |A readable string describing the error, if any. If empty, there is either no string matching the error or there is no error. |
-|**DeploymentErrorCode** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`8003001E` |Microsoft internal error code for the error, if any. If empty, there is either no error or there is *no error code*, meaning that the issue raised does not correspond to an error, but some inferred issue. |
-|**DeploymentStatus** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Failed` |The high level status of installing this update on this device. Possible values are:
- **<0**: A value below 0 indicates the policy is disabled.
- **0**: A value of 0 indicates the policy is enabled, but the deferral period is 0 days.
- **1+**: A value of 1 and above indicates the deferral setting, in days. |
-|**FeaturePauseDays** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`0` |*Deprecated* This provides the count of days left in a pause |
-|**FeaturePauseState** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`NotConfigured` |The on-client Windows Update for Business Pause state. Reflects whether or not a device has paused Feature Updates.
- **<0**: A value below 0 indicates the policy is disabled.
- **0**: A value of 0 indicates the policy is enabled, but the deferral period is zero days.
- **1+**: A value of 1 and above indicates the deferral setting, in days. |
+|**FeaturePauseDays** |[int](/azure/kusto/query/scalar-data-types/int) |`0` |*Deprecated* This provides the count of days left in a pause |
+|**FeaturePauseState** |[int](/azure/kusto/query/scalar-data-types/int) |`NotConfigured` |The on-client Windows Update for Business Pause state. Reflects whether or not a device has paused Feature Updates.
-[Windows 10 volume license media](https://docs.microsoft.com/windows/deployment/windows-10-media)
-[Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation)
+[Windows 10 upgrade paths](./windows-10-upgrade-paths.md)
+[Windows 10 volume license media](../windows-10-media.md)
+[Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation)
\ No newline at end of file
diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md
index ca70223a2c..57994ce79b 100644
--- a/windows/deployment/upgrade/windows-10-upgrade-paths.md
+++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md
@@ -28,9 +28,9 @@ If you are also migrating to a different edition of Windows, see [Windows 10 edi
> **Windows 10 version upgrade**: You can directly upgrade any semi-annual channel version of Windows 10 to a newer, supported semi-annual channel version of Windows 10, even if it involves skipping versions. Work with your account representative if your current version of Windows is out of support. See the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet) for availability and service information.
>
-> **Windows 10 LTSC/LTSB**: Due to [naming changes](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions.
+> **Windows 10 LTSC/LTSB**: Due to [naming changes](../update/waas-overview.md#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions.
>
-> In-place upgrade from Windows 7, Windows 8.1, or [Windows 10 semi-annual channel](https://docs.microsoft.com/windows/release-health/release-information) to Windows 10 LTSC is not supported. **Note**: Windows 10 LTSC 2015 did not block this upgrade path. This was corrected in the Windows 10 LTSC 2016 release, which will now only allow data-only and clean install options. You can upgrade from Windows 10 LTSC to Windows 10 semi-annual channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup). You will need to use the Product Key switch if you want to keep your apps. If you don't use the switch the option 'Keep personal files and apps' will be grayed out. The command line would be **setup.exe /pkey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx**, using your relevant Windows 10 SAC product key. For example, if using a KMS, the command line would be **setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43**.
+> In-place upgrade from Windows 7, Windows 8.1, or [Windows 10 semi-annual channel](/windows/release-health/release-information) to Windows 10 LTSC is not supported. **Note**: Windows 10 LTSC 2015 did not block this upgrade path. This was corrected in the Windows 10 LTSC 2016 release, which will now only allow data-only and clean install options. You can upgrade from Windows 10 LTSC to Windows 10 semi-annual channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup). You will need to use the Product Key switch if you want to keep your apps. If you don't use the switch the option 'Keep personal files and apps' will be grayed out. The command line would be **setup.exe /pkey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx**, using your relevant Windows 10 SAC product key. For example, if using a KMS, the command line would be **setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43**.
>
> **Windows N/KN**: Windows "N" and "KN" SKUs (editions without media-related functionality) follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process.
>
@@ -278,9 +278,4 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
[Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
[Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md)
-[Windows 10 edition upgrade](windows-10-edition-upgrades.md)
-
-
-
-
-
+[Windows 10 edition upgrade](windows-10-edition-upgrades.md)
\ No newline at end of file
diff --git a/windows/deployment/upgrade/windows-error-reporting.md b/windows/deployment/upgrade/windows-error-reporting.md
index 562773ef21..b032bc97ff 100644
--- a/windows/deployment/upgrade/windows-error-reporting.md
+++ b/windows/deployment/upgrade/windows-error-reporting.md
@@ -67,8 +67,8 @@ The event will also contain links to log files that can be used to perform a det
## Related topics
-[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx)
+[Windows 10 FAQ for IT professionals](../planning/windows-10-enterprise-faq-itpro.md)
[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
[Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)
[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
-[Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)
+[Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)
\ No newline at end of file
diff --git a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
index 080018fb21..783c1f9bac 100644
--- a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
+++ b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
@@ -22,7 +22,7 @@ You can upgrade from an earlier version of Windows, which means you can install
## Migrate files and settings
Migration tools are available to transfer settings from one computer that is running Windows to another. These tools transfer only the program settings, not the programs themselves.
-For more information about application compatibility, see the [Application Compatibility Toolkit (ACT)](https://go.microsoft.com/fwlink/p/?LinkId=131349).
+For more information about application compatibility, see the [Application Compatibility Toolkit (ACT)](/previous-versions/windows/server/cc722055(v=ws.10)).
The User State Migration Tool (USMT) 10.0 is an application intended for administrators who are performing large-scale automated deployments. For deployment to a small number of computers or for individually customized deployments, you can use Windows Easy Transfer.
@@ -41,7 +41,7 @@ You can use USMT to automate migration during large deployments of the Windows o
Whether you are upgrading or migrating to a new version of Windows, you must be aware of the following issues and considerations:
### Application compatibility
-For more information about application compatibility in Windows, see [Use Upgrade Readiness to manage Windows upgrades](https://docs.microsoft.com/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades).
+For more information about application compatibility in Windows, see [Use Upgrade Readiness to manage Windows upgrades](/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades).
### Multilingual Windows image upgrades
When performing multilingual Windows upgrades, cross-language upgrades are not supported by USMT. If you are upgrading or migrating an operating system with multiple language packs installed, you can upgrade or migrate only to the system default user interface (UI) language. For example, if English is the default but you have a Spanish language pack installed, you can upgrade or migrate only to English.
@@ -72,9 +72,4 @@ This feature is disabled if this registry key value exists and is configured to
-
-
-
-
-
-
+
\ No newline at end of file
diff --git a/windows/deployment/usmt/migrate-application-settings.md b/windows/deployment/usmt/migrate-application-settings.md
index 0a5069eff9..21a5526eb4 100644
--- a/windows/deployment/usmt/migrate-application-settings.md
+++ b/windows/deployment/usmt/migrate-application-settings.md
@@ -69,7 +69,7 @@ Next, you should go through the user interface and make a list of all of the ava
**How To Determine Where Each Setting is Stored**
-1. Download a file and registry monitoring tool, such as the Regmon and Filemon tools, from the [Windows Sysinternals Web site](https://go.microsoft.com/fwlink/p/?linkid=36109).
+1. Download a file and registry monitoring tool, such as the Regmon and Filemon tools, from the [Windows Sysinternals Web site](/sysinternals/).
2. Shut down as many applications as possible to limit the registry and file system activity on the computer.
@@ -165,9 +165,3 @@ To speed up the time it takes to collect and migrate the data, you can migrate o
-
-
-
-
-
-
diff --git a/windows/deployment/usmt/offline-migration-reference.md b/windows/deployment/usmt/offline-migration-reference.md
index d029f8d029..be0c340cac 100644
--- a/windows/deployment/usmt/offline-migration-reference.md
+++ b/windows/deployment/usmt/offline-migration-reference.md
@@ -96,7 +96,7 @@ The following table defines the supported combination of online and offline oper
**Note**
-It is possible to run the ScanState tool while the drive remains encrypted by suspending Windows BitLocker Drive Encryption before booting into WinPE. For more information, see [this Microsoft site](https://go.microsoft.com/fwlink/p/?LinkId=190314).
+It is possible to run the ScanState tool while the drive remains encrypted by suspending Windows BitLocker Drive Encryption before booting into WinPE. For more information, see [this Microsoft site](/previous-versions/windows/it-pro/windows-7/ee424315(v=ws.10)).
@@ -261,9 +261,3 @@ The following XML example illustrates some of the elements discussed earlier in
-
-
-
-
-
-
diff --git a/windows/deployment/usmt/usmt-best-practices.md b/windows/deployment/usmt/usmt-best-practices.md
index acf803b701..12e28aaad6 100644
--- a/windows/deployment/usmt/usmt-best-practices.md
+++ b/windows/deployment/usmt/usmt-best-practices.md
@@ -49,7 +49,7 @@ This topic discusses general and security-related best practices when using User
- **Chkdsk.exe**
- We recommend that you run Chkdsk.exe before running the ScanState and LoadState tools. Chkdsk.exe creates a status report for a hard disk drive and lists and corrects common errors. For more information about the Chkdsk.exe tool, see [Chkdsk](https://go.microsoft.com/fwlink/p/?LinkId=140244).
+ We recommend that you run Chkdsk.exe before running the ScanState and LoadState tools. Chkdsk.exe creates a status report for a hard disk drive and lists and corrects common errors. For more information about the Chkdsk.exe tool, see [Chkdsk](/previous-versions/windows/it-pro/windows-xp/bb490876(v=technet.10)).
- **Migrate in groups**
@@ -152,9 +152,3 @@ As the authorized administrator, it is your responsibility to protect the privac
-
-
-
-
-
-
diff --git a/windows/deployment/usmt/usmt-common-issues.md b/windows/deployment/usmt/usmt-common-issues.md
index 44a264cb28..73a37999d2 100644
--- a/windows/deployment/usmt/usmt-common-issues.md
+++ b/windows/deployment/usmt/usmt-common-issues.md
@@ -281,7 +281,7 @@ Scanstate /ui:S1-5-21-124525095-708259637-1543119021*
The wild card (\*) at the end of the SID will migrate the *SID*\_Classes key as well.
-You can also use patterns for SIDs that identify generic users or groups. For example, you can use the */ue:\*-500* option to exclude the local administrator accounts. For more information about Windows SIDs, see [this Microsoft Web site](https://go.microsoft.com/fwlink/p/?LinkId=190277).
+You can also use patterns for SIDs that identify generic users or groups. For example, you can use the */ue:\*-500* option to exclude the local administrator accounts. For more information about Windows SIDs, see [this Microsoft Web site](/troubleshoot/windows-server/identity/security-identifiers-in-windows).
### My script to wipe the disk fails after running the ScanState tool on a 64-bit system.
@@ -333,9 +333,3 @@ You should also reboot the machine.
-
-
-
-
-
-
diff --git a/windows/deployment/usmt/usmt-hard-link-migration-store.md b/windows/deployment/usmt/usmt-hard-link-migration-store.md
index 8c39400821..45c699be37 100644
--- a/windows/deployment/usmt/usmt-hard-link-migration-store.md
+++ b/windows/deployment/usmt/usmt-hard-link-migration-store.md
@@ -73,7 +73,7 @@ A hard link can only be created for a file on the same volume. If you copy a har
-For more information about hard links, please see [Hard Links and Junctions](https://go.microsoft.com/fwlink/p/?LinkId=132934)
+For more information about hard links, please see [Hard Links and Junctions](/windows/win32/fileio/hard-links-and-junctions)
In most aspects, a hard-link migration store is identical to an uncompressed migration store. It is located where specified by the Scanstate command-line tool and you can view the contents of the store by using Windows® Explorer. Once created, it can be deleted or copied to another location without changing user state. Restoring a hard-link migration store is similar to restoring any other migration store; however, as with creating the store, the same hard-link functionality is used to keep files in-place.
@@ -231,8 +231,3 @@ The following XML sample specifies that files locked by an application under the
-
-
-
-
-
diff --git a/windows/deployment/usmt/usmt-requirements.md b/windows/deployment/usmt/usmt-requirements.md
index 525801e93b..1bb916cf7a 100644
--- a/windows/deployment/usmt/usmt-requirements.md
+++ b/windows/deployment/usmt/usmt-requirements.md
@@ -91,11 +91,11 @@ You can migrate a 32-bit operating system to a 64-bit operating system. However,
USMT does not support any of the Windows Server® operating systems, Windows 2000, Windows XP, or any of the starter editions for Windows Vista or Windows 7.
USMT for Windows 10 should not be used for migrating from Windows 7 to Windows 8.1. It is meant to migrate to Windows 10.
-For more information about previous releases of the USMT tools, see [User State Migration Tool (USMT) 4.0 User’s Guide](https://go.microsoft.com/fwlink/p/?LinkId=246564).
+For more information about previous releases of the USMT tools, see [User State Migration Tool (USMT) 4.0 User’s Guide](/previous-versions/windows/server/dd560801(v=ws.10)).
## Windows PE
-- **Must use latest version of Window PE.** For example, to migrate to Windows 10, you'll need Windows PE 5.1. For more info, see [What's New in Windows PE](https://msdn.microsoft.com/library/windows/hardware/dn938350.aspx).
+- **Must use latest version of Window PE.** For example, to migrate to Windows 10, you'll need Windows PE 5.1. For more info, see [What's New in Windows PE](/windows-hardware/manufacture/desktop/whats-new-in-windows-pe-s14).
## Credentials
@@ -154,9 +154,3 @@ This documentation assumes that IT professionals using USMT understand command-l
-
-
-
-
-
-
diff --git a/windows/deployment/usmt/usmt-resources.md b/windows/deployment/usmt/usmt-resources.md
index 4866b61aaf..e76eb8f6b7 100644
--- a/windows/deployment/usmt/usmt-resources.md
+++ b/windows/deployment/usmt/usmt-resources.md
@@ -20,7 +20,7 @@ ms.topic: article
## USMT Online Resources
-- [ADK Release Notes](https://msdn.microsoft.com/library/windows/hardware/dn927348.aspx)
+- [ADK Release Notes](/windows-hardware/get-started/what-s-new-in-kits-and-tools)
- Microsoft Visual Studio
@@ -43,9 +43,4 @@ ms.topic: article
-
-
-
-
-
-
+
\ No newline at end of file
diff --git a/windows/deployment/usmt/usmt-return-codes.md b/windows/deployment/usmt/usmt-return-codes.md
index ba8e6da7c1..44089d6d19 100644
--- a/windows/deployment/usmt/usmt-return-codes.md
+++ b/windows/deployment/usmt/usmt-return-codes.md
@@ -54,7 +54,7 @@ As a best practice, we recommend that you set verbosity level to 5, **/v**:5
Error messages provide more detailed information about the migration problem than the associated return code. For example, the **ScanState**, **LoadState**, or **USMTUtils** tool might return a code of "11” (for “USMT\_INVALID\_PARAMETERS") and a related error message that reads "/key and /keyfile both specified". The error message is displayed at the command prompt and is identified in the **ScanState**, **LoadState**, or **USMTUtils** log files to help you determine why the return code was received.
-You can obtain more information about any listed Windows application programming interface (API) system error codes by typing **net helpmsg** on the command line and, then typing the error code number. For more information about System Error Codes, see [this Microsoft Web site](https://go.microsoft.com/fwlink/p/?LinkId=147060).
+You can obtain more information about any listed Windows application programming interface (API) system error codes by typing **net helpmsg** on the command line and, then typing the error code number. For more information about System Error Codes, see [this Microsoft Web site](/windows/win32/debug/system-error-codes--0-499-).
## Troubleshooting Return Codes and Error Messages
@@ -779,9 +779,3 @@ The following table lists each return code by numeric value, along with the asso
-
-
-
-
-
-
diff --git a/windows/deployment/usmt/usmt-technical-reference.md b/windows/deployment/usmt/usmt-technical-reference.md
index 3c31b7bf4b..df6b881969 100644
--- a/windows/deployment/usmt/usmt-technical-reference.md
+++ b/windows/deployment/usmt/usmt-technical-reference.md
@@ -18,7 +18,7 @@ ms.custom: seo-marvel-apr2020
# User State Migration Tool (USMT) Technical Reference
The User State Migration Tool (USMT) is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals.
-Download the Windows ADK [from this website](https://go.microsoft.com/fwlink/p/?LinkID=526803).
+Download the Windows ADK [from this website](/windows-hardware/get-started/adk-install).
**USMT support for Microsoft Office**
>USMT in the Windows ADK for Windows 10, version 1511 (10.1.10586.0) supports migration of user settings for installations of Microsoft Office 2003, 2007, 2010, and 2013.
@@ -38,7 +38,7 @@ USMT also includes a set of three modifiable .xml files:
Additionally, you can create custom .xml files to support your migration needs. You can also create a Config.xml file to specify files or settings to exclude from the migration.
-USMT tools can be used on several versions of Windows operating systems, for more information, see [USMT Requirements](usmt-requirements.md). For more information about previous releases of the USMT tools, see [User State Migration Tool (USMT) 4.0 User's Guide](https://go.microsoft.com/fwlink/p/?LinkId=246564).
+USMT tools can be used on several versions of Windows operating systems, for more information, see [USMT Requirements](usmt-requirements.md). For more information about previous releases of the USMT tools, see [User State Migration Tool (USMT) 4.0 User's Guide](/previous-versions/windows/server/dd560801(v=ws.10)).
## In this section
|Topic |Description|
@@ -49,13 +49,8 @@ USMT tools can be used on several versions of Windows operating systems, for mor
|[User State Migration Toolkit (USMT) Reference](usmt-reference.md)|Includes reference information for migration planning, migration best practices, command-line syntax, using XML, and requirements for using USMT.|
## Related topics
-- [Windows Assessment and Deployment Kit](https://msdn.microsoft.com/library/windows/hardware/dn247001.aspx)
+- [Windows Assessment and Deployment Kit](/previous-versions/windows/it-pro/windows-8.1-and-8/dn247001(v=win.10))
-
-
-
-
-
-
+
\ No newline at end of file
diff --git a/windows/deployment/usmt/usmt-test-your-migration.md b/windows/deployment/usmt/usmt-test-your-migration.md
index b3ec645a60..6581385a86 100644
--- a/windows/deployment/usmt/usmt-test-your-migration.md
+++ b/windows/deployment/usmt/usmt-test-your-migration.md
@@ -30,7 +30,7 @@ Running the ScanState and LoadState tools with the **/v**:5 option crea
-After you have determined that the pilot migration successfully migrated the specified files and settings, you are ready to add USMT to the server that is running Microsoft Endpoint Configuration Manager, or a non-Microsoft management technology. For more information, see [Manage user state in Configuration Manager](https://docs.microsoft.com/configmgr/osd/get-started/manage-user-state).
+After you have determined that the pilot migration successfully migrated the specified files and settings, you are ready to add USMT to the server that is running Microsoft Endpoint Configuration Manager, or a non-Microsoft management technology. For more information, see [Manage user state in Configuration Manager](/configmgr/osd/get-started/manage-user-state).
**Note**
For testing purposes, you can create an uncompressed store using the **/hardlink /nocompress** option. When compression is disabled, the ScanState tool saves the files and settings to a hidden folder named "File" at *StorePath*\\USMT. You can use the uncompressed store to view what USMT has stored or to troubleshoot a problem, or you can run an antivirus utility against the files. Additionally, you can also use the **/listfiles** command-line option and the diagnostic log to list the files that were gathered and to troubleshoot problems with your migration.
@@ -42,4 +42,4 @@ For testing purposes, you can create an uncompressed store using the **/hardlink
[Plan Your Migration](usmt-plan-your-migration.md)
-[Log Files](usmt-log-files.md)
+[Log Files](usmt-log-files.md)
\ No newline at end of file
diff --git a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
index 2152530861..c9c2d3cd28 100644
--- a/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
+++ b/windows/deployment/usmt/usmt-what-does-usmt-migrate.md
@@ -59,7 +59,7 @@ This section describes the user data that USMT migrates by default, using the Mi
My Documents, My Video, My Music, My Pictures, desktop files, Start menu, Quick Launch settings, and Favorites.
>[!IMPORTANT]
- >Starting in Windows 10, version 1607 the USMT does not migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](https://docs.microsoft.com/windows/deployment/usmt/usmt-common-issues#usmt-does-not-migrate-the-start-layout).
+ >Starting in Windows 10, version 1607 the USMT does not migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](./usmt-common-issues.md#usmt-does-not-migrate-the-start-layout).
- **Folders from the All Users and Public profiles.** When you specify the MigUser.xml file, USMT also migrates the following from the **All Users** profile in Windows® XP, or the **Public** profile in Windows Vista, Windows 7, or Windows 8:
@@ -413,7 +413,7 @@ You should also note the following:
### Start menu layout
-Starting in Windows 10, version 1607 the USMT does not migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](https://docs.microsoft.com/windows/deployment/usmt/usmt-common-issues#usmt-does-not-migrate-the-start-layout).
+Starting in Windows 10, version 1607 the USMT does not migrate the Start menu layout. To migrate a user's Start menu, you must export and then import settings using the Windows PowerShell cmdlets **Export-StartLayout** and **Import-StartLayout**. For more information, see [USMT common issues](./usmt-common-issues.md#usmt-does-not-migrate-the-start-layout).
## Related topics
@@ -422,9 +422,3 @@ Starting in Windows 10, version 1607 the USMT does not migrate the Start menu la
-
-
-
-
-
-
diff --git a/windows/deployment/usmt/usmt-xml-elements-library.md b/windows/deployment/usmt/usmt-xml-elements-library.md
index 2399213435..9f2a90a4f5 100644
--- a/windows/deployment/usmt/usmt-xml-elements-library.md
+++ b/windows/deployment/usmt/usmt-xml-elements-library.md
@@ -3082,7 +3082,7 @@ Syntax:
[Recommended settings for VDI desktops](https://docs.microsoft.com/windows-server/remote/remote-desktop-services/rds-vdi-recommendations)
-
[Licensing the Windows Desktop for VDI Environments](https://download.microsoft.com/download/1/1/4/114A45DD-A1F7-4910-81FD-6CAF401077D0/Microsoft%20VDI%20and%20VDA%20FAQ%20v3%200.pdf)
-
+
[Recommended settings for VDI desktops](/windows-server/remote/remote-desktop-services/rds-vdi-recommendations)
+
[Licensing the Windows Desktop for VDI Environments](https://download.microsoft.com/download/1/1/4/114A45DD-A1F7-4910-81FD-6CAF401077D0/Microsoft%20VDI%20and%20VDA%20FAQ%20v3%200.pdf)
\ No newline at end of file
diff --git a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
index 79c1279f78..f32ee0d61e 100644
--- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
+++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
@@ -134,9 +134,9 @@ To verify your Active Directory-based activation configuration, complete the fol
> [!NOTE]
> If you are using both KMS and Active Directory-based activation, it may be difficult to see whether a client has been activated by KMS or by Active Directory-based activation. Consider disabling KMS during the test, or make sure that you are using a client computer that has not already been activated by KMS. The **slmgr.vbs /dlv** command also indicates whether KMS has been used.
>
- > To manage individual activations or apply multiple (mass) activations, please consider using the [VAMT](https://docs.microsoft.com/windows/deployment/volume-activation/volume-activation-management-tool).
+ > To manage individual activations or apply multiple (mass) activations, please consider using the [VAMT](./volume-activation-management-tool.md).
## See also
-- [Volume Activation for Windows 10](volume-activation-windows-10.md)
+- [Volume Activation for Windows 10](volume-activation-windows-10.md)
\ No newline at end of file
diff --git a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
index c1068fe146..f9cfcf33ac 100644
--- a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
+++ b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
@@ -40,7 +40,7 @@ There are three possible scenarios for volume activation of Windows 10 or Windo
- Host KMS on a computer running Windows Server 2012 R2
- Host KMS on a computer running an earlier version of Windows
-Check out [Windows 10 Volume Activation Tips](https://blogs.technet.microsoft.com/askcore/2015/09/15/windows-10-volume-activation-tips/).
+Check out [Windows 10 Volume Activation Tips](/archive/blogs/askcore/windows-10-volume-activation-tips).
## Key Management Service in Windows 10
@@ -60,7 +60,7 @@ To activate, use the slmgr.vbs command. Open an elevated command prompt and run
3. Follow the voice prompts and write down the responded 48-digit confirmation ID for OS activation.
4. Run `slmgr.vbs /atp \
|
+| Additional Requirements |
|
## Related topics
-- [Install and Configure VAMT](install-configure-vamt.md)
+- [Install and Configure VAMT](install-configure-vamt.md)
\ No newline at end of file
diff --git a/windows/deployment/volume-activation/volume-activation-windows-10.md b/windows/deployment/volume-activation/volume-activation-windows-10.md
index a820b9e25b..5bbee80b37 100644
--- a/windows/deployment/volume-activation/volume-activation-windows-10.md
+++ b/windows/deployment/volume-activation/volume-activation-windows-10.md
@@ -45,9 +45,9 @@ This guide provides information and step-by-step guidance to help you choose a v
Because most organizations will not immediately switch all computers to Windows 10, practical volume activation strategies must also take in to account how to work with the Windows 8.1, Windows 7, Windows Server 2012, and Windows Server 2008 R2 operating systems. This guide discusses how the new volume activation tools can support earlier operating systems, but it does not discuss the tools that are provided with earlier operating system versions.
-Volume activation -and the need for activation itself- is not new, and this guide does not review all of its concepts and history. You can find additional background in the appendices of this guide. For more information, see [Volume Activation Overview](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831612(v=ws.11)).
+Volume activation -and the need for activation itself- is not new, and this guide does not review all of its concepts and history. You can find additional background in the appendices of this guide. For more information, see [Volume Activation Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831612(v=ws.11)).
-If you would like additional information about planning a volume activation deployment specifically for Windows 7 and Windows Server 2008 R2, please see the [Volume Activation Planning Guide for Windows 7](https://go.microsoft.com/fwlink/p/?LinkId=618210).
+If you would like additional information about planning a volume activation deployment specifically for Windows 7 and Windows Server 2008 R2, please see the [Volume Activation Planning Guide for Windows 7](/previous-versions/tn-archive/dd878528(v=technet.10)).
To successfully plan and implement a volume activation strategy, you must:
@@ -69,4 +69,4 @@ Keep in mind that the method of activation does not change an organization’s r
- [Activate clients running Windows 10](activate-windows-10-clients-vamt.md)
- [Monitor activation](monitor-activation-client.md)
- [Use the Volume Activation Management Tool](use-the-volume-activation-management-tool-client.md)
-- [Appendix: Information sent to Microsoft during activation](appendix-information-sent-to-microsoft-during-activation-client.md)
+- [Appendix: Information sent to Microsoft during activation](appendix-information-sent-to-microsoft-during-activation-client.md)
\ No newline at end of file
diff --git a/windows/deployment/windows-10-deployment-posters.md b/windows/deployment/windows-10-deployment-posters.md
index 1a47bd0cf9..3bda096ca5 100644
--- a/windows/deployment/windows-10-deployment-posters.md
+++ b/windows/deployment/windows-10-deployment-posters.md
@@ -36,5 +36,5 @@ The Configuration Manager poster is one page in landscape mode (17x11). Click th
## See also
-[Overview of Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot)
-[Scenarios to deploy enterprise operating systems with Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems)
\ No newline at end of file
+[Overview of Windows Autopilot](/windows/deployment/windows-autopilot/windows-autopilot)
+[Scenarios to deploy enterprise operating systems with Configuration Manager](/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems)
\ No newline at end of file
diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md
index 2146d2fb9f..6bba5bcd04 100644
--- a/windows/deployment/windows-10-deployment-scenarios.md
+++ b/windows/deployment/windows-10-deployment-scenarios.md
@@ -24,7 +24,7 @@ ms.topic: article
To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task.
The following table summarizes various Windows 10 deployment scenarios. The scenarios are each assigned to one of three categories.
-- Modern deployment methods are recommended unless you have a specific need to use a different procedure. These methods are supported with existing tools such as Microsoft Deployment Toolkit (MDT) and Microsoft Endpoint Configuration Manager. These methods are discussed in detail on the [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home).
+- Modern deployment methods are recommended unless you have a specific need to use a different procedure. These methods are supported with existing tools such as Microsoft Deployment Toolkit (MDT) and Microsoft Endpoint Configuration Manager. These methods are discussed in detail on the [Modern Desktop Deployment Center](/microsoft-365/enterprise/desktop-deployment-center-home).
- Note: Once you have deployed Windows 10 in your organization, it is important to stay up to date by [creating a deployment plan](update/create-deployment-plan.md) for Windows 10 feature updates.
- Dynamic deployment methods enable you to configure applications and settings for specific use cases.
- Traditional deployment methods use existing tools to deploy operating system images.
@@ -42,7 +42,7 @@ The following table summarizes various Windows 10 deployment scenarios. The scen
Customize the out-of-box-experience (OOBE) for your organization, and deploy a new system with apps and settings already configured.
-Overview of Windows Autopilot
+Overview of Windows Autopilot
@@ -55,7 +55,7 @@ The following table summarizes various Windows 10 deployment scenarios. The scen
Use Windows Setup to update your OS and migrate apps and settings. Rollback data is saved in Windows.old.
-Perform an in-place upgrade to Windows 10 with MDT
Perform an in-place upgrade to Windows 10 using Configuration Manager
+Perform an in-place upgrade to Windows 10 with MDT
Perform an in-place upgrade to Windows 10 using Configuration Manager
@@ -70,7 +70,7 @@ The following table summarizes various Windows 10 deployment scenarios. The scen
Switch from Windows 10 Pro to Enterprise when a subscribed user signs in.
-Windows 10 Subscription Activation
+Windows 10 Subscription Activation
@@ -82,7 +82,7 @@ The following table summarizes various Windows 10 deployment scenarios. The scen
The device is automatically joined to AAD and configured by MDM.
-Azure Active Directory integration with MDM
+Azure Active Directory integration with MDM
@@ -94,7 +94,7 @@ The following table summarizes various Windows 10 deployment scenarios. The scen
Using the Windows Imaging and Configuration Designer tool, create provisioning packages that can be applied to devices.
-Configure devices without MDM
+Configure devices without MDM
@@ -109,7 +109,7 @@ The following table summarizes various Windows 10 deployment scenarios. The scen
Deploy a new device, or wipe an existing device and deploy with a fresh image.
- Deploy a Windows 10 image using MDT
Deploy Windows 10 using PXE and Configuration Manager
+ Deploy a Windows 10 image using MDT
Deploy Windows 10 using PXE and Configuration Manager
@@ -121,7 +121,7 @@ The following table summarizes various Windows 10 deployment scenarios. The scen
Also called wipe and load. Redeploy a device by saving the user state, wiping the disk, then restoring the user state.
- Refresh a Windows 7 computer with Windows 10
Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager
+ Refresh a Windows 7 computer with Windows 10
Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager
@@ -133,7 +133,7 @@ The following table summarizes various Windows 10 deployment scenarios. The scen
Replace an existing device with a new one by saving the user state on the old device and then restoring it to the new device.
- Replace a Windows 7 computer with a Windows 10 computer
Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager
+ Replace a Windows 7 computer with a Windows 10 computer
Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager
@@ -100,17 +100,17 @@ Windows 10 Enterprise edition has a number of features that are unavailable in
For more information on these settings, see [Customize Windows 10 Start and taskbar with Group Policy](https://technet.microsoft.com/itpro/windows/manage/customize-windows-10-start-screens-by-using-group-policy). |
-| Unbranded boot | You can suppress Windows elements that appear when Windows starts or resumes and can suppress the crash screen when Windows encounters an error from which it cannot recover.
For more information on these settings, see [Unbranded Boot](https://msdn.microsoft.com/library/windows/hardware/mt571997(v=vs.85).aspx). |
-| Custom logon | You can use the Custom Logon feature to suppress Windows 10 UI elements that relate to the Welcome screen and shutdown screen. For example, you can suppress all elements of the Welcome screen UI and provide a custom logon UI. You can also suppress the Blocked Shutdown Resolver (BSDR) screen and automatically end applications while the OS waits for applications to close before a shutdown.
For more information on these settings, see [Custom Logon](https://msdn.microsoft.com/library/windows/hardware/mt571990(v=vs.85).aspx). |
-| Shell launcher | Enables Assigned Access to run only a classic Windows app via Shell Launcher to replace the shell.
For more information on these settings, see [Shell Launcher](https://msdn.microsoft.com/library/windows/hardware/mt571994(v=vs.85).aspx). |
-| Keyboard filter | You can use Keyboard Filter to suppress undesirable key presses or key combinations. Normally, users can use certain Windows key combinations like Ctrl+Alt+Delete or Ctrl+Shift+Tab to control a device by locking the screen or using Task Manager to close a running application. This is not desirable on devices intended for a dedicated purpose.
For more information on these settings, see [Keyboard Filter](https://msdn.microsoft.com/library/windows/hardware/mt587088(v=vs.85).aspx). |
-| Unified write filter | You can use Unified Write Filter (UWF) on your device to help protect your physical storage media, including most standard writable storage types that are supported by Windows, such as physical hard disks, solid-state drives, internal USB devices, external SATA devices, and so on. You can also use UWF to make read-only media appear to the OS as a writable volume.
For more information on these settings, see [Unified Write Filter](https://msdn.microsoft.com/library/windows/hardware/mt572001(v=vs.85).aspx). |
+| Start layout customization | You can deploy a customized Start layout to users in a domain. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead.
For more information on these settings, see [Customize Windows 10 Start and taskbar with Group Policy](/windows/configuration/customize-windows-10-start-screens-by-using-group-policy). |
+| Unbranded boot | You can suppress Windows elements that appear when Windows starts or resumes and can suppress the crash screen when Windows encounters an error from which it cannot recover.
For more information on these settings, see [Unbranded Boot](/windows-hardware/customize/enterprise/unbranded-boot). |
+| Custom logon | You can use the Custom Logon feature to suppress Windows 10 UI elements that relate to the Welcome screen and shutdown screen. For example, you can suppress all elements of the Welcome screen UI and provide a custom logon UI. You can also suppress the Blocked Shutdown Resolver (BSDR) screen and automatically end applications while the OS waits for applications to close before a shutdown.
For more information on these settings, see [Custom Logon](/windows-hardware/customize/enterprise/custom-logon). |
+| Shell launcher | Enables Assigned Access to run only a classic Windows app via Shell Launcher to replace the shell.
For more information on these settings, see [Shell Launcher](/windows-hardware/customize/enterprise/shell-launcher). |
+| Keyboard filter | You can use Keyboard Filter to suppress undesirable key presses or key combinations. Normally, users can use certain Windows key combinations like Ctrl+Alt+Delete or Ctrl+Shift+Tab to control a device by locking the screen or using Task Manager to close a running application. This is not desirable on devices intended for a dedicated purpose.
For more information on these settings, see [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter). |
+| Unified write filter | You can use Unified Write Filter (UWF) on your device to help protect your physical storage media, including most standard writable storage types that are supported by Windows, such as physical hard disks, solid-state drives, internal USB devices, external SATA devices, and so on. You can also use UWF to make read-only media appear to the OS as a writable volume.
For more information on these settings, see [Unified Write Filter](/windows-hardware/customize/enterprise/unified-write-filter). |
## Related topics
[Windows 10 Enterprise Subscription Activation](windows-10-subscription-activation.md)
-
[Connect domain-joined devices to Azure AD for Windows 10 experiences](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-devices-group-policy/)
+
[Connect domain-joined devices to Azure AD for Windows 10 experiences](/azure/active-directory/devices/hybrid-azuread-join-plan)
[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)
-
[Windows for business](https://www.microsoft.com/windowsforbusiness/default.aspx)
+
[Windows for business](https://www.microsoft.com/windowsforbusiness/default.aspx)
\ No newline at end of file
diff --git a/windows/deployment/windows-10-media.md b/windows/deployment/windows-10-media.md
index 38a56db227..a90baefd20 100644
--- a/windows/deployment/windows-10-media.md
+++ b/windows/deployment/windows-10-media.md
@@ -59,7 +59,7 @@ For packages published to Windows Server Update Services (WSUS), you’ll also n
When you approve one of these packages, it applies to all of the editions.
-This Semi-Annual Channel release of Windows 10 continues the Windows as a service methodology. For more information about implementing Windows as a service in your organization in order to stay up to date with Windows, see [Update Windows 10 in the enterprise](https://aka.ms/waas).
+This Semi-Annual Channel release of Windows 10 continues the Windows as a service methodology. For more information about implementing Windows as a service in your organization in order to stay up to date with Windows, see [Update Windows 10 in the enterprise](./update/index.md).
### Language packs
@@ -73,7 +73,7 @@ See the following example for Windows 10, version 1709:
### Features on demand
-[Features on demand](https://blogs.technet.microsoft.com/mniehaus/2015/08/31/adding-features-including-net-3-5-to-windows-10/) can be downloaded by searching for "**Windows 10 Enterprise Features on Demand**" and then following the same download process that is described above.
+[Features on demand](/archive/blogs/mniehaus/adding-features-including-net-3-5-to-windows-10) can be downloaded by searching for "**Windows 10 Enterprise Features on Demand**" and then following the same download process that is described above.
Features on demand is a method for adding features to your Windows 10 image that aren’t included in the base operating system image.
@@ -81,17 +81,12 @@ Features on demand is a method for adding features to your Windows 10 image that
## Related topics
[Microsoft Volume Licensing Service Center (VLSC) User Guide](https://www.microsoft.com/download/details.aspx?id=10585)
-
[Volume Activation for Windows 10](https://docs.microsoft.com/windows/deployment/volume-activation/volume-activation-windows-10)
-
[Plan for volume activation](https://docs.microsoft.com/windows/deployment/volume-activation/plan-for-volume-activation-client)
+
[Volume Activation for Windows 10](./volume-activation/volume-activation-windows-10.md)
+
[Plan for volume activation](./volume-activation/plan-for-volume-activation-client.md)
[VLSC downloads FAQ](https://www.microsoft.com/Licensing/servicecenter/Help/FAQDetails.aspx?id=150)
[Download and burn an ISO file on the volume licensing site (VLSC)](https://support.microsoft.com/help/2472143/download-and-burn-an-iso-file-on-the-volume-licensing-site-vlsc)
-
-
-
-
-
-
+
\ No newline at end of file
diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md
index 8e1f84c95e..7e6d238721 100644
--- a/windows/deployment/windows-10-poc-mdt.md
+++ b/windows/deployment/windows-10-poc-mdt.md
@@ -36,7 +36,7 @@ The PoC environment is a virtual network running on Hyper-V with three virtual m
- **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network.
- **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been shadow-copied from a physical computer on your corporate network.
->This guide uses the Hyper-V server role. If you do not complete all steps in a single session, consider using [checkpoints](https://technet.microsoft.com/library/dn818483.aspx) and [saved states](https://technet.microsoft.com/library/ee247418.aspx) to pause, resume, or restart your work.
+>This guide uses the Hyper-V server role. If you do not complete all steps in a single session, consider using [checkpoints](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn818483(v=ws.11)) and [saved states](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee247418(v=ws.10)) to pause, resume, or restart your work.
## In this guide
@@ -130,7 +130,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi
- Progress: wait for files to be copied
- Confirmation: click **Finish**
- >For purposes of this test lab, we will only add the prerequisite .NET Framework feature. Commerical applications (ex: Microsoft Office) will not be added to the deployment share. For information about adding applications, see the [Add applications](https://technet.microsoft.com/itpro/windows/deploy/create-a-windows-10-reference-image#sec03) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) topic in the TechNet library.
+ >For purposes of this test lab, we will only add the prerequisite .NET Framework feature. Commerical applications (ex: Microsoft Office) will not be added to the deployment share. For information about adding applications, see the [Add applications](./deploy-windows-mdt/create-a-windows-10-reference-image.md) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) topic in the TechNet library.
11. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
- Task sequence ID: **REFW10X64-001**
@@ -367,7 +367,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
ScanStateArgs=/all
```
- For more information, see [ScanState Syntax](https://technet.microsoft.com/library/cc749015.aspx).
+ For more information, see [ScanState Syntax](/previous-versions/windows/it-pro/windows-vista/cc749015(v=ws.10)).
4. Click **Edit Bootstap.ini** and replace text in the file with the following text:
@@ -398,7 +398,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
2. On the **Monitoring** tab, select the **Enable monitoring for this deployment share** checkbox, and then click **OK**.
-3. Verify the monitoring service is working as expected by opening the following link on SRV1 in Internet Explorer: [http://localhost:9800/MDTMonitorEvent/](http://localhost:9800/MDTMonitorEvent/). If you do not see "**You have created a service**" at the top of the page, see [Troubleshooting MDT 2012 Monitoring](https://blogs.technet.microsoft.com/mniehaus/2012/05/10/troubleshooting-mdt-2012-monitoring/).
+3. Verify the monitoring service is working as expected by opening the following link on SRV1 in Internet Explorer: [http://localhost:9800/MDTMonitorEvent/](http://localhost:9800/MDTMonitorEvent/). If you do not see "**You have created a service**" at the top of the page, see [Troubleshooting MDT 2012 Monitoring](/archive/blogs/mniehaus/troubleshooting-mdt-2012-monitoring).
4. Close Internet Explorer.
@@ -491,7 +491,7 @@ This section will demonstrate how to export user data from an existing client co
cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs
```
- **Note**: For more information on tools for viewing log files and to assist with troubleshooting, see [Configuration Manager Tools](https://docs.microsoft.com/configmgr/core/support/tools).
+ **Note**: For more information on tools for viewing log files and to assist with troubleshooting, see [Configuration Manager Tools](/configmgr/core/support/tools).
5. Choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**.
@@ -647,12 +647,6 @@ Also see [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-
## Related Topics
-[Microsoft Deployment Toolkit](https://technet.microsoft.com/windows/dn475741)
+[Microsoft Deployment Toolkit](/mem/configmgr/mdt/)
[Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md)
-
-
-
-
-
-
diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md
index 180f2dd30b..3e6aea0068 100644
--- a/windows/deployment/windows-10-poc-sc-config-mgr.md
+++ b/windows/deployment/windows-10-poc-sc-config-mgr.md
@@ -36,7 +36,7 @@ The PoC environment is a virtual network running on Hyper-V with three virtual m
- **SRV1**: A dual-homed contoso.com domain member server, DNS server, and default gateway providing NAT service for the PoC network.
- **PC1**: A contoso.com member computer running Windows 7, Windows 8, or Windows 8.1 that has been cloned from a physical computer on your corporate network for testing purposes.
->This guide leverages the Hyper-V server role to perform procedures. If you do not complete all steps in a single session, consider using [checkpoints](https://technet.microsoft.com/library/dn818483.aspx) and [saved states](https://technet.microsoft.com/library/ee247418.aspx) to pause, resume, or restart your work.
+>This guide leverages the Hyper-V server role to perform procedures. If you do not complete all steps in a single session, consider using [checkpoints](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn818483(v=ws.11)) and [saved states](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee247418(v=ws.10)) to pause, resume, or restart your work.
>Multiple features and services are installed on SRV1 in this guide. This is not a typical installation, and is only done to set up a lab environment with a bare minimum of resources. However, if less than 4 GB of RAM is allocated to SRV1 in the Hyper-V console, some procedures will be extremely slow to complete. If resources are limited on the Hyper-V host, consider reducing RAM allocation on DC1 and PC1, and then increasing the RAM allocation on SRV1. You can adjust RAM allocation for a VM by right-clicking the VM in the Hyper-V Manager console, clicking **Settings**, clicking **Memory**, and modifying the value next to **Maximum RAM**.
@@ -116,7 +116,7 @@ Topics and procedures in this guide are summarized in the following table. An es
New-NetFirewallRule -DisplayName "SQL Debugger/RPC" -Direction Inbound –Protocol TCP –LocalPort 135 -Action allow
```
-6. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](https://docs.microsoft.com/windows-hardware/get-started/adk-install) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 2004. Installation might require several minutes to acquire all components.
+6. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](/windows-hardware/get-started/adk-install) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 2004. Installation might require several minutes to acquire all components.
## Install Microsoft Endpoint Configuration Manager
@@ -218,7 +218,7 @@ Topics and procedures in this guide are summarized in the following table. An es
> [!IMPORTANT]
> This step requires an MSDN subscription or volume licence agreement. For more information, see [Ready for Windows 10: MDOP 2015 and more tools are now available](https://blogs.technet.microsoft.com/windowsitpro/2015/08/17/ready-for-windows-10-mdop-2015-and-more-tools-are-now-available/).
-> If your organization qualifies and does not already have an MSDN subscription, you can obtain a [free MSDN subscription with BizSpark](https://docs.microsoft.com/archive/blogs/zainnab/bizspark-free-msdn-subscription-for-start-up-companies/).
+> If your organization qualifies and does not already have an MSDN subscription, you can obtain a [free MSDN subscription with BizSpark](/archive/blogs/zainnab/bizspark-free-msdn-subscription-for-start-up-companies/).
1. Download the [Microsoft Desktop Optimization Pack 2015](https://msdn.microsoft.com/subscriptions/downloads/#ProductFamilyId=597) to the Hyper-V host using an MSDN subscription. Download the .ISO file (mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso, 2.79 GB) to the C:\VHD directory on the Hyper-V host.
@@ -867,7 +867,7 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
"\\SRV1\c$\Program Files\Microsoft Configuration Manager\Client\CCMSetup.exe" /Uninstall
```
- >If PC1 still has Configuration Manager registry settings that were applied by Group Policy, startup scripts, or other policies in its previous domain, these might not all be removed by CCMSetup /Uninstall and can cause problems with installation or registration of the client in its new environment. It might be necessary to manually remove these settings if they are present. For more information, see [Manual removal of the Configuration Manager client](https://blogs.technet.microsoft.com/michaelgriswold/2013/01/02/manual-removal-of-the-sccm-client/).
+ >If PC1 still has Configuration Manager registry settings that were applied by Group Policy, startup scripts, or other policies in its previous domain, these might not all be removed by CCMSetup /Uninstall and can cause problems with installation or registration of the client in its new environment. It might be necessary to manually remove these settings if they are present. For more information, see [Manual removal of the Configuration Manager client](/archive/blogs/michaelgriswold/manual-removal-of-the-sccm-client).
9. On PC1, temporarily stop Windows Update from queuing items for download and clear all BITS jobs from the queue. From an elevated command prompt, type:
@@ -1080,4 +1080,4 @@ In the Configuration Manager console, in the Software Library workspace under Op
## Related Topics
-[System Center 2012 Configuration Manager Survival Guide](https://social.technet.microsoft.com/wiki/contents/articles/7075.system-center-2012-configuration-manager-survival-guide.aspx#Step-by-Step_Guides)
+[System Center 2012 Configuration Manager Survival Guide](https://social.technet.microsoft.com/wiki/contents/articles/7075.system-center-2012-configuration-manager-survival-guide.aspx#Step-by-Step_Guides)
\ No newline at end of file
diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md
index 86d6e33e83..319121950d 100644
--- a/windows/deployment/windows-10-poc.md
+++ b/windows/deployment/windows-10-poc.md
@@ -193,7 +193,7 @@ Starting with Windows 8, the host computer’s microprocessor must support secon
If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings.
- You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/library/cc731397.aspx) tool, or you can download the [coreinfo](https://technet.microsoft.com/sysinternals/cc835722) utility and run it, as shown in the following example:
+ You can also identify Hyper-V support using [tools](/archive/blogs/taylorb/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v) provided by the processor manufacturer, the [msinfo32](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731397(v=ws.11)) tool, or you can download the [coreinfo](/sysinternals/downloads/coreinfo) utility and run it, as shown in the following example:
C:\>coreinfo -v
@@ -441,7 +441,7 @@ Notes:
#### Prepare a generation 1 VM
-1. Download the [Disk2vhd utility](https://technet.microsoft.com/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert.
+1. Download the [Disk2vhd utility](/sysinternals/downloads/disk2vhd), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert.
>You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive.
@@ -465,7 +465,7 @@ Notes:
#### Prepare a generation 2 VM
-1. Download the [Disk2vhd utility](https://technet.microsoft.com/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert.
+1. Download the [Disk2vhd utility](/sysinternals/downloads/disk2vhd), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert.
>You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive.
@@ -498,7 +498,7 @@ Notes:
#### Prepare a generation 1 VM from a GPT disk
-1. Download the [Disk2vhd utility](https://technet.microsoft.com/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert.
+1. Download the [Disk2vhd utility](/sysinternals/downloads/disk2vhd), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert.
>You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive.
@@ -527,7 +527,7 @@ Notes:
Enhanced session mode
-**Important**: Before proceeding, verify that you can take advantage of [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) when completing instructions in this guide. Enhanced session mode enables you to copy and paste the commands from the Hyper-V host to VMs, between VMs, and between RDP sessions. After copying some text, you can paste into a Windows PowerShell window by simply right-clicking. Before right-clicking, do not left click other locations as this can empty the clipboard. You can also copy and paste files directly from one computer to another by right-clicking and selecting copy on one computer, then right-clicking and selecting paste on another computer.
+**Important**: Before proceeding, verify that you can take advantage of [enhanced session mode](/windows-server/virtualization/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) when completing instructions in this guide. Enhanced session mode enables you to copy and paste the commands from the Hyper-V host to VMs, between VMs, and between RDP sessions. After copying some text, you can paste into a Windows PowerShell window by simply right-clicking. Before right-clicking, do not left click other locations as this can empty the clipboard. You can also copy and paste files directly from one computer to another by right-clicking and selecting copy on one computer, then right-clicking and selecting paste on another computer.
To ensure that enhanced session mode is enabled on the Hyper-V host, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
@@ -707,7 +707,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
2. Click **Next** to accept the default settings, read the license terms and click **I accept**, provide an administrator password of pass@word1, and click **Finish**.
3. Click **Ctrl+Alt+Del** in the upper left corner of the virtual machine connection window, and then sign in to DC1 using the Administrator account.
-4. Right-click **Start**, point to **Shut down or sign out**, and click **Sign out**. The VM connection will reset and a new connection dialog box will appear enabling you to choose a custom display configuration. Select a desktop size, click **Connect** and sign in again with the local Administrator account. Note: Signing in this way ensures that [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) is enabled. It is only necessary to do this the first time you sign in to a new VM.
+4. Right-click **Start**, point to **Shut down or sign out**, and click **Sign out**. The VM connection will reset and a new connection dialog box will appear enabling you to choose a custom display configuration. Select a desktop size, click **Connect** and sign in again with the local Administrator account. Note: Signing in this way ensures that [enhanced session mode](/windows-server/virtualization/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) is enabled. It is only necessary to do this the first time you sign in to a new VM.
5. If DC1 is configured as described in this guide, it will currently be assigned an APIPA address, have a randomly generated hostname, and a single network adapter named "Ethernet." Open an elevated Windows PowerShell prompt on DC1 and type or paste the following commands to provide a new hostname and configure a static IP address and gateway:
@@ -1107,9 +1107,3 @@ Use the following procedures to verify that the PoC environment is configured pr
[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
-
-
-
-
-
-
diff --git a/windows/deployment/windows-10-pro-in-s-mode.md b/windows/deployment/windows-10-pro-in-s-mode.md
index bd8b4b1db5..b9533e33af 100644
--- a/windows/deployment/windows-10-pro-in-s-mode.md
+++ b/windows/deployment/windows-10-pro-in-s-mode.md
@@ -46,7 +46,7 @@ A number of other transformations are possible depending on which version and ed
Use the following information to switch to Windows 10 Pro through the Microsoft Store.
> [!IMPORTANT]
-> While it’s free to switch to Windows 10 Pro, it’s not reversible. The only way to rollback this kind of switch is through a [bare-metal recovery (BMR)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) reset. This restores a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset.
+> While it’s free to switch to Windows 10 Pro, it’s not reversible. The only way to rollback this kind of switch is through a [bare-metal recovery (BMR)](/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) reset. This restores a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset.
## Switch one device through the Microsoft Store
Use the following information to switch to Windows 10 Pro through the Microsoft Store or by navigating to **Settings** and then **Activation** on the device.
@@ -80,12 +80,12 @@ To set this, go to **Device configuration > Profiles > Windows 10 and later > Ed
## S mode management with CSPs
-In addition to using Microsoft Intune or another modern device management tool to manage S mode, you can also use the [WindowsLicensing](https://docs.microsoft.com/windows/client-management/mdm/windowslicensing-csp) configuration service provider (CSP). In Windows 10, version 1809, we added S mode functionality that lets you switch devices, block devices from switching, and check the status (whether a device is in S mode).
+In addition to using Microsoft Intune or another modern device management tool to manage S mode, you can also use the [WindowsLicensing](/windows/client-management/mdm/windowslicensing-csp) configuration service provider (CSP). In Windows 10, version 1809, we added S mode functionality that lets you switch devices, block devices from switching, and check the status (whether a device is in S mode).
## Related topics
[FAQs](https://support.microsoft.com/help/4020089/windows-10-in-s-mode-faq)
```
-The command causes the OS to change to Windows 10 Enterprise and then seek out the KMS server to reactivate. This key comes from [Appendix A: KMS Client Setup Keys](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj612867(v=ws.11)) in the Volume Activation guide. It is also possible to inject the Windows 10 Pro key from this article if you wish to step back down from Enterprise to Pro.
+The command causes the OS to change to Windows 10 Enterprise and then seek out the KMS server to reactivate. This key comes from [Appendix A: KMS Client Setup Keys](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj612867(v=ws.11)) in the Volume Activation guide. It is also possible to inject the Windows 10 Pro key from this article if you wish to step back down from Enterprise to Pro.
#### Scenario #3
@@ -215,12 +215,12 @@ If you’re running Windows 7, it can be more work. A wipe-and-load approach w
The following policies apply to acquisition and renewal of licenses on devices:
- Devices that have been upgraded will attempt to renew licenses about every 30 days, and must be connected to the Internet to successfully acquire or renew a license.
- If a device is disconnected from the Internet until its current subscription expires, the operating system will revert to Windows 10 Pro or Windows 10 Pro Education. As soon as the device is connected to the Internet again, the license will automatically renew.
-- Up to five devices can be upgraded for each user license.
+- Up to five devices can be upgraded for each user license. If the user license is used for a sixth device, the operating system on the computer to which a user has not logged in the longest will revert to Windows 10 Pro or Windows 10 Pro Education.
- If a device meets the requirements and a licensed user signs in on that device, it will be upgraded.
Licenses can be reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs.
-When you have the required Azure AD subscription, group-based licensing is the preferred method to assign Enterprise E3 and E5 licenses to users. For more information, see [Group-based licensing basics in Azure AD](https://docs.microsoft.com/azure/active-directory/active-directory-licensing-whatis-azure-portal).
+When you have the required Azure AD subscription, group-based licensing is the preferred method to assign Enterprise E3 and E5 licenses to users. For more information, see [Group-based licensing basics in Azure AD](/azure/active-directory/active-directory-licensing-whatis-azure-portal).
### Existing Enterprise deployments
@@ -252,7 +252,7 @@ changepk.exe /ProductKey %ProductKey%
Enterprise Agreement/Software Assurance (EA/SA):
-- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Azure AD (ideally to groups using the new Azure AD Premium feature for group assignment). For more information, see [Enabling Subscription Activation with an existing EA](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses#enabling-subscription-activation-with-an-existing-ea).
+- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Azure AD (ideally to groups using the new Azure AD Premium feature for group assignment). For more information, see [Enabling Subscription Activation with an existing EA](./deploy-enterprise-licenses.md#enabling-subscription-activation-with-an-existing-ea).
- The license administrator can assign seats to Azure AD users with the same process that is used for O365.
@@ -278,6 +278,6 @@ Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscr
## Related topics
-[Connect domain-joined devices to Azure AD for Windows 10 experiences](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-devices-group-policy/)
[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)
-[Windows 10 Pro Education](https://docs.microsoft.com/education/windows/test-windows10s-for-edu)
-[Introduction to Microsoft Intune in the Azure portal](https://docs.microsoft.com/intune/what-is-intune)
+[Windows 10 Pro Education](/education/windows/test-windows10s-for-edu)
+[Introduction to Microsoft Intune in the Azure portal](/intune/what-is-intune)
\ No newline at end of file
diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md
index e974dc183f..32f6f138c1 100644
--- a/windows/deployment/windows-10-subscription-activation.md
+++ b/windows/deployment/windows-10-subscription-activation.md
@@ -34,7 +34,7 @@ With Windows 10, version 1703 both Windows 10 Enterprise E3 and Windows 10 Enter
- Devices with a current Windows 10 Pro license can be seamlessly upgraded to Windows 10 Enterprise.
- Product key-based Windows 10 Enterprise software licenses can be transitioned to Windows 10 Enterprise subscriptions.
-Organizations that have an Enterprise agreement can also benefit from the new service, using traditional Active Directory-joined devices. In this scenario, the Active Directory user that signs in on their device must be synchronized with Azure AD using [Azure AD Connect Sync](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-whatis).
+Organizations that have an Enterprise agreement can also benefit from the new service, using traditional Active Directory-joined devices. In this scenario, the Active Directory user that signs in on their device must be synchronized with Azure AD using [Azure AD Connect Sync](/azure/active-directory/connect/active-directory-aadconnectsync-whatis).
## Subscription Activation for Windows 10 Education
@@ -61,7 +61,7 @@ To support Inherited Activation, both the host computer and the VM must be runni
## The evolution of deployment
-> The original version of this section can be found at [Changing between Windows SKUs](https://blogs.technet.microsoft.com/mniehaus/2017/10/09/changing-between-windows-skus/).
+> The original version of this section can be found at [Changing between Windows SKUs](/archive/blogs/mniehaus/changing-between-windows-skus).
The following figure illustrates how deploying Windows 10 has evolved with each release. With this release, deployment is automatic.
@@ -88,10 +88,10 @@ The following figure illustrates how deploying Windows 10 has evolved with each
### Windows 10 Enterprise requirements
> [!NOTE]
-> The following requirements do not apply to general Windows 10 activation on Azure. Azure activation requires a connection to Azure KMS only, and supports workgroup, Hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure Virtual Machines](https://docs.microsoft.com/azure/virtual-machines/troubleshooting/troubleshoot-activation-problems#understanding-azure-kms-endpoints-for-windows-product-activation-of-azure-virtual-machines).
+> The following requirements do not apply to general Windows 10 activation on Azure. Azure activation requires a connection to Azure KMS only, and supports workgroup, Hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure Virtual Machines](/azure/virtual-machines/troubleshooting/troubleshoot-activation-problems#understanding-azure-kms-endpoints-for-windows-product-activation-of-azure-virtual-machines).
> [!NOTE]
-> Currently, Subscription Activation is only available on commercial tenants and is not currently available on US GCC or GCC High tenants.
+> Currently, Subscription Activation is only available on commercial tenants and is currently not available on US GCC, GCC High, or DoD tenants.
For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following:
@@ -105,7 +105,7 @@ If devices are running Windows 7 or Windows 8.1, see [New Windows 10 upgrade ben
#### Multi-factor authentication
-An issue has been identified with Hybrid Azure AD joined devices that have enabled [multi-factor authentication](https://docs.microsoft.com/azure/active-directory/authentication/howto-mfa-getstarted) (MFA). If a user signs into a device using their Active Directory account and MFA is enabled, the device will not successfully upgrade to their Windows Enterprise subscription.
+An issue has been identified with Hybrid Azure AD joined devices that have enabled [multi-factor authentication](/azure/active-directory/authentication/howto-mfa-getstarted) (MFA). If a user signs into a device using their Active Directory account and MFA is enabled, the device will not successfully upgrade to their Windows Enterprise subscription.
To resolve this issue:
@@ -134,7 +134,7 @@ If the device is running Windows 10, version 1809 or later:
- Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported.
> [!IMPORTANT]
-> If Windows 10 Pro is converted to Windows 10 Pro Education by [using benefits available in Store for Education](https://docs.microsoft.com/education/windows/change-to-pro-education#change-using-microsoft-store-for-education), then the feature will not work. You will need to re-image the device using a Windows 10 Pro Education edition.
+> If Windows 10 Pro is converted to Windows 10 Pro Education by [using benefits available in Store for Education](/education/windows/change-to-pro-education#change-using-microsoft-store-for-education), then the feature will not work. You will need to re-image the device using a Windows 10 Pro Education edition.
## Benefits
@@ -200,7 +200,7 @@ To change all of your Windows 10 Pro devices to Windows 10 Enterprise, run the f
cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43
+[Connect domain-joined devices to Azure AD for Windows 10 experiences](/azure/active-directory/devices/hybrid-azuread-join-plan)
[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)
-[Windows for business](https://www.microsoft.com/windowsforbusiness/default.aspx)
+[Windows for business](https://www.microsoft.com/windowsforbusiness/default.aspx)
\ No newline at end of file
diff --git a/windows/deployment/windows-adk-scenarios-for-it-pros.md b/windows/deployment/windows-adk-scenarios-for-it-pros.md
index d8d6f47273..13b1ae3cea 100644
--- a/windows/deployment/windows-adk-scenarios-for-it-pros.md
+++ b/windows/deployment/windows-adk-scenarios-for-it-pros.md
@@ -18,67 +18,67 @@ ms.topic: article
# Windows ADK for Windows 10 scenarios for IT Pros
-The [Windows Assessment and Deployment Kit](https://go.microsoft.com/fwlink/p/?LinkId=526803) (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. For an overview of what's new in the Windows ADK for Windows 10, see [What's new in kits and tools](https://msdn.microsoft.com/library/windows/hardware/dn927348.aspx).
+The [Windows Assessment and Deployment Kit](/windows-hardware/get-started/adk-install) (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. For an overview of what's new in the Windows ADK for Windows 10, see [What's new in kits and tools](/windows-hardware/get-started/what-s-new-in-kits-and-tools).
-In previous releases of Windows, the Windows ADK docs were published on both TechNet and the MSDN Hardware Dev Center. Starting with the Windows 10 release, Windows ADK documentation is available on the MSDN Hardware Dev Center. For the Windows 10 ADK reference content, see [Desktop manufacturing](https://msdn.microsoft.com/library/windows/hardware/dn938361.aspx).
+In previous releases of Windows, the Windows ADK docs were published on both TechNet and the MSDN Hardware Dev Center. Starting with the Windows 10 release, Windows ADK documentation is available on the MSDN Hardware Dev Center. For the Windows 10 ADK reference content, see [Desktop manufacturing](/windows-hardware/manufacture/desktop/).
Here are some key scenarios that will help you find the content on the MSDN Hardware Dev Center.
### Create a Windows image using command-line tools
-[DISM](https://msdn.microsoft.com/library/windows/hardware/dn898558.aspx) is used to mount and service Windows images.
+[DISM](/windows-hardware/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows) is used to mount and service Windows images.
Here are some things you can do with DISM:
-- [Mount an offline image](https://msdn.microsoft.com/library/windows/hardware/dn938321.aspx)
-- [Add drivers to an offline image](https://msdn.microsoft.com/library/windows/hardware/dn898469.aspx)
-- [Enable or disable Windows features](https://msdn.microsoft.com/library/windows/hardware/dn898567.aspx)
-- [Add or remove packages](https://msdn.microsoft.com/library/windows/hardware/dn898481.aspx)
-- [Add language packs](https://msdn.microsoft.com/library/windows/hardware/dn898470.aspx)
-- [Add Universal Windows apps](https://msdn.microsoft.com/library/windows/hardware/dn898600.aspx)
-- [Upgrade the Windows edition](https://msdn.microsoft.com/library/windows/hardware/dn898500.aspx)
+- [Mount an offline image](/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism)
+- [Add drivers to an offline image](/windows-hardware/manufacture/desktop/add-and-remove-drivers-to-an-offline-windows-image)
+- [Enable or disable Windows features](/windows-hardware/manufacture/desktop/enable-or-disable-windows-features-using-dism)
+- [Add or remove packages](/windows-hardware/manufacture/desktop/add-or-remove-packages-offline-using-dism)
+- [Add language packs](/windows-hardware/manufacture/desktop/add-language-packs-to-windows)
+- [Add Universal Windows apps](/windows-hardware/manufacture/desktop/preinstall-apps-using-dism)
+- [Upgrade the Windows edition](/windows-hardware/manufacture/desktop/change-the-windows-image-to-a-higher-edition-using-dism)
-[Sysprep](https://msdn.microsoft.com/library/windows/hardware/dn938335.aspx) prepares a Windows installation for imaging and allows you to capture a customized installation.
+[Sysprep](/windows-hardware/manufacture/desktop/sysprep--system-preparation--overview) prepares a Windows installation for imaging and allows you to capture a customized installation.
Here are some things you can do with Sysprep:
-- [Generalize a Windows installation](https://msdn.microsoft.com/library/windows/hardware/dn938334.aspx)
-- [Customize the default user profile](https://msdn.microsoft.com/library/windows/hardware/dn898521.aspx)
-- [Use answer files](https://msdn.microsoft.com/library/windows/hardware/dn938346.aspx)
+- [Generalize a Windows installation](/windows-hardware/manufacture/desktop/sysprep--generalize--a-windows-installation)
+- [Customize the default user profile](/windows-hardware/manufacture/desktop/customize-the-default-user-profile-by-using-copyprofile)
+- [Use answer files](/windows-hardware/manufacture/desktop/use-answer-files-with-sysprep)
-[Windows PE (WinPE)](https://msdn.microsoft.com/library/windows/hardware/dn938389.aspx) is a small operating system used to boot a computer that does not have an operating system. You can boot to Windows PE and then install a new operating system, recover data, or repair an existing operating system.
+[Windows PE (WinPE)](/windows-hardware/manufacture/desktop/winpe-intro) is a small operating system used to boot a computer that does not have an operating system. You can boot to Windows PE and then install a new operating system, recover data, or repair an existing operating system.
Here are ways you can create a WinPE image:
-- [Create a bootable USB drive](https://msdn.microsoft.com/library/windows/hardware/dn938386.aspx)
-- [Create a Boot CD, DVD, ISO, or VHD](https://msdn.microsoft.com/library/windows/hardware/dn938385.aspx)
+- [Create a bootable USB drive](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive)
+- [Create a Boot CD, DVD, ISO, or VHD](/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive)
-[Windows Recovery Environment (Windows RE)](https://msdn.microsoft.com/library/windows/hardware/dn938364.aspx) is a recovery environment that can repair common operating system problems.
+[Windows Recovery Environment (Windows RE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) is a recovery environment that can repair common operating system problems.
Here are some things you can do with Windows RE:
-- [Customize Windows RE](https://msdn.microsoft.com/library/windows/hardware/dn898523.aspx)
-- [Push-button reset](https://msdn.microsoft.com/library/windows/hardware/dn938307.aspx)
+- [Customize Windows RE](/windows-hardware/manufacture/desktop/customize-windows-re)
+- [Push-button reset](/windows-hardware/manufacture/desktop/push-button-reset-overview)
-[Windows System Image Manager (Windows SIM)](https://msdn.microsoft.com/library/windows/hardware/dn922445.aspx) helps you create answer files that change Windows settings and run scripts during installation.
+[Windows System Image Manager (Windows SIM)](/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference) helps you create answer files that change Windows settings and run scripts during installation.
Here are some things you can do with Windows SIM:
-- [Create answer file](https://msdn.microsoft.com/library/windows/hardware/dn915085.aspx)
-- [Add a driver path to an answer file](https://msdn.microsoft.com/library/windows/hardware/dn915062.aspx)
-- [Add a package to an answer file](https://msdn.microsoft.com/library/windows/hardware/dn915066.aspx)
-- [Add a custom command to an answer file](https://msdn.microsoft.com/library/windows/hardware/dn915058.aspx)
+- [Create answer file](/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file)
+- [Add a driver path to an answer file](/windows-hardware/customize/desktop/wsim/add-a-device-driver-path-to-an-answer-file)
+- [Add a package to an answer file](/windows-hardware/customize/desktop/wsim/add-a-package-to-an-answer-file)
+- [Add a custom command to an answer file](/windows-hardware/customize/desktop/wsim/add-a-custom-command-to-an-answer-file)
-For a list of settings you can change, see [Unattended Windows Setup Reference](https://msdn.microsoft.com/library/windows/hardware/dn923277.aspx) on the MSDN Hardware Dev Center.
+For a list of settings you can change, see [Unattended Windows Setup Reference](/windows-hardware/customize/desktop/unattend/) on the MSDN Hardware Dev Center.
### Create a Windows image using Windows ICD
-Introduced in Windows 10, [Windows Imaging and Configuration Designer (ICD)](https://msdn.microsoft.com/library/windows/hardware/dn916113.aspx) streamlines the customizing and provisioning of a Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), Windows 10 Mobile, or Windows 10 IoT Core (IoT Core) image.
+Introduced in Windows 10, [Windows Imaging and Configuration Designer (ICD)](/windows/configuration/provisioning-packages/provisioning-install-icd) streamlines the customizing and provisioning of a Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), Windows 10 Mobile, or Windows 10 IoT Core (IoT Core) image.
Here are some things you can do with Windows ICD:
-- [Build and apply a provisioning package](https://msdn.microsoft.com/library/windows/hardware/dn916107.aspx)
-- [Export a provisioning package](https://msdn.microsoft.com/library/windows/hardware/dn916110.aspx)
+- [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package)
+- [Export a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package)
- [Build and deploy an image for Windows 10 for desktop editions](https://msdn.microsoft.com/library/windows/hardware/dn916105.aspx)
### IT Pro Windows deployment tools
@@ -90,9 +90,4 @@ There are also a few tools included in the Windows ADK that are specific to IT P
-
-
-
-
-
-
+
\ No newline at end of file
diff --git a/windows/deployment/windows-autopilot/TOC.md b/windows/deployment/windows-autopilot/TOC.md
deleted file mode 100644
index b2e8164e4c..0000000000
--- a/windows/deployment/windows-autopilot/TOC.md
+++ /dev/null
@@ -1,2 +0,0 @@
-# [Windows Autopilot deployment](index.yml)
-## [Get started](demonstrate-deployment-on-vm.md)
\ No newline at end of file
diff --git a/windows/deployment/windows-autopilot/TOC.yml b/windows/deployment/windows-autopilot/TOC.yml
new file mode 100644
index 0000000000..0881334396
--- /dev/null
+++ b/windows/deployment/windows-autopilot/TOC.yml
@@ -0,0 +1,5 @@
+- name: Windows Autopilot deployment
+ href: index.yml
+ items:
+ - name: Get started
+ href: demonstrate-deployment-on-vm.md
diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
index 8a07ad9b20..d132aa99a6 100644
--- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
+++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
@@ -30,8 +30,8 @@ To get started with Windows Autopilot, you should try it out with a virtual mach
In this topic you'll learn how to set-up a Windows Autopilot deployment for a VM using Hyper-V.
> [!NOTE]
-> Although there are [multiple platforms](add-devices.md#registering-devices) available to enable Autopilot, this lab primarily uses Intune.
-
+> Although there are [multiple platforms](/mem/autopilot/add-devices#registering-devices) available to enable Autopilot, this lab primarily uses Intune.
+>
> Hyper-V and a VM are not required for this lab. You can also use a physical device. However, the instructions assume that you are using a VM. To use a physical device, skip the instructions to install Hyper-V and create a VM. All references to 'device' in the guide refer to the client device, either physical or virtual.
The following video provides an overview of the process:
@@ -45,15 +45,15 @@ The following video provides an overview of the process:
These are the things you'll need to complete this lab:
+Windows 10 installation media Windows 10 Professional or Enterprise (ISO file) for a supported version of Windows 10, semi-annual channel. If you do not already have an ISO to use, a link is provided to download an evaluation version of Windows 10 Enterprise. Internet access If you are behind a firewall, see the detailed networking requirements. Otherwise, just ensure that you have a connection to the Internet. Internet access If you are behind a firewall, see the detailed networking requirements. Otherwise, just ensure that you have a connection to the Internet. Hyper-V or a physical device running Windows 10 The guide assumes that you will use a Hyper-V VM, and provides instructions to install and configure Hyper-V if needed. To use a physical device, skip the steps to install and configure Hyper-V. A Premium Intune account This guide will describe how to obtain a free 30-day trial premium account that can be used to complete the lab. An account with Azure AD Premium license This guide will describe how to obtain a free 30-day trial Azure AD Premium subscription that can be used to complete the lab.
[Enable Hyper-V](#enable-hyper-v)
@@ -113,7 +113,7 @@ Install-WindowsFeature -Name Hyper-V -IncludeManagementTools
When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once.
-> Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below:
+Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below:
@@ -123,30 +123,36 @@ When you are prompted to restart the computer, choose **Yes**. The computer migh
After installation is complete, open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt, or by typing **Hyper-V** in the Start menu search box.
-To read more about Hyper-V, see [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/virtualization/hyper-v-on-windows/about/) and [Hyper-V on Windows Server](https://docs.microsoft.com/windows-server/virtualization/hyper-v/hyper-v-on-windows-server).
+To read more about Hyper-V, see [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/) and [Hyper-V on Windows Server](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server).
## Create a demo VM
-Now that Hyper-V is enabled, we need to create a VM running Windows 10. We can [create a VM](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/create-virtual-machine) and [virtual network](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/connect-to-network) using Hyper-V Manager, but it is simpler to use Windows PowerShell.
+Now that Hyper-V is enabled, we need to create a VM running Windows 10. We can [create a VM](/virtualization/hyper-v-on-windows/quick-start/create-virtual-machine) and [virtual network](/virtualization/hyper-v-on-windows/quick-start/connect-to-network) using Hyper-V Manager, but it is simpler to use Windows PowerShell.
To use Windows PowerShell, we just need to know two things:
1. The location of the Windows 10 ISO file.
- - In the example, we assume the location is **c:\iso\win10-eval.iso**.
+
+ In the example, we assume the location is **c:\iso\win10-eval.iso**.
+
2. The name of the network interface that connects to the Internet.
- - In the example, we use a Windows PowerShell command to determine this automatically.
+
+ In the example, we use a Windows PowerShell command to determine this automatically.
After we have set the ISO file location and determined the name of the appropriate network interface, we can install Windows 10.
### Set ISO file location
-You can download an ISO file for an evaluation version of the latest release of Windows 10 Enterprise [here](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise).
-- When asked to select a platform, choose **64 bit**.
+You can download an ISO file for an evaluation version of the latest release of Windows 10 Enterprise from [Evaluation Center](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise).
+
+When asked to select a platform, choose **64 bit**.
After you download this file, the name will be extremely long (ex: 19042.508.200927-1902.20h2_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso).
1. So that it is easier to type and remember, rename the file to **win10-eval.iso**.
+
2. Create a directory on your computer named **c:\iso** and move the **win10-eval.iso** file there, so the path to the file is **c:\iso\win10-eval.iso**.
+
3. If you wish to use a different name and location for the file, you must modify the Windows PowerShell commands below to use your custom name and directory.
### Determine network adapter name
@@ -239,7 +245,8 @@ After the VM restarts, during OOBE, it's fine to select **Set up for personal us
Once the installation is complete, sign in and verify that you are at the Windows 10 desktop, then create your first Hyper-V checkpoint. Checkpoints are used to restore the VM to a previous state.
- 
+ > [!div class="mx-imgBorder"]
+ > 
To create a checkpoint, open an elevated Windows PowerShell prompt on the computer running Hyper-V (not on the VM) and run the following:
@@ -252,9 +259,9 @@ Click on the **WindowsAutopilot** VM in Hyper-V Manager and verify that you see
## Capture the hardware ID
> [!NOTE]
-> Normally, the Device ID is captured by the OEM as they run the OA3 Tool on each device in the factory. The OEM then submits the 4K HH created by the OA3 Tool to Microsoft by submitting it with a Computer Build Report (CBR). For purposes of this lab, you are acting as the OEM (capturing the 4K HH), but you're not going to use the OA3 Tool to capture the full 4K HH for various reasons (you'd have to install the OA3 tool, your device couldn't have a volume license version of Windows, it's a more complicated process than using a PS script, etc.). Instead, you'll simulate running the OA3 tool by running a PowerShell script, which captures the device 4K HH just like the OA3 tool.
+> Normally, the Device ID is captured by the OEM as they run the OA3 Tool on each device in the factory. The OEM then submits the 4K HH created by the OA3 Tool to Microsoft by submitting it with a Computer Build Report (CBR). For purposes of this lab, you are acting as the OEM (capturing the 4K HH), but you're not going to use the OA3 Tool to capture the full 4K HH for various reasons (you'd have to install the OA3 tool, your device couldn't have a volume license version of Windows, it's a more complicated process than using a PowerShell script, etc.). Instead, you'll simulate running the OA3 tool by running a PowerShell script, which captures the device 4K HH just like the OA3 tool.
-Follow these steps to run the PS script:
+Follow these steps to run the PowerShell script:
1. **On the client VM**: Open an elevated Windows PowerShell prompt and run the following commands. These commands are the same regardless of whether you are using a VM or a physical device:
@@ -267,62 +274,62 @@ Follow these steps to run the PS script:
Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
```
-When you are prompted to install the NuGet package, choose **Yes**.
+1. When you are prompted to install the NuGet package, choose **Yes**.
-See the sample output below. A 'dir' command is issued at the end to show the file that was created.
+ See the sample output below. A **dir** command is issued at the end to show the file that was created.
-
-PS C:\> md c:\HWID
+ ```console
+ PS C:\> md c:\HWID
+
+ Directory: C:\
+
+
+ Mode LastWriteTime Length Name
+ ---- ------------- ------ ----
+ d----- 11/13/2020 3:00 PM HWID
+
+
+ PS C:\Windows\system32> Set-Location c:\HWID
+ PS C:\HWID> Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
+ PS C:\HWID> Install-Script -Name Get-WindowsAutopilotInfo -Force
+
+ NuGet provider is required to continue
+ PowerShellGet requires NuGet provider version '2.8.5.201' or newer to interact with NuGet-based repositories. The NuGet
+ provider must be available in 'C:\Program Files\PackageManagement\ProviderAssemblies' or
+ 'C:\Users\user1\AppData\Local\PackageManagement\ProviderAssemblies'. You can also install the NuGet provider by running
+ 'Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force'. Do you want PowerShellGet to install and
+ import the NuGet provider now?
+ [Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y
+ PS C:\HWID> $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
+ PS C:\HWID> Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
+ Gathered details for device with serial number: 1804-7078-6805-7405-0796-0675-17
+ PS C:\HWID> dir
+
+
+ Directory: C:\HWID
+
+
+ Mode LastWriteTime Length Name
+ ---- ------------- ------ ----
+ -a---- 11/13/2020 3:01 PM 8184 AutopilotHWID.csv
+
+
+ PS C:\HWID>
+ ```
+
+1. Verify that there is an **AutopilotHWID.csv** file in the **c:\HWID** directory that is about 8 KB in size. This file contains the complete 4K HH.
- Directory: C:\
+ > [!NOTE]
+ > Although the .csv extension might be associated with Microsoft Excel, you cannot view the file properly by double-clicking it. To correctly parse the comma delimiters and view the file in Excel, you must use the **Data** > **From Text/CSV** function in Excel to import the appropriate data columns. You don't need to view the file in Excel unless you are curious. The file format will be validated when it is imported into Autopilot. An example of the data in this file is shown below.
+ 
-Mode LastWriteTime Length Name
----- ------------- ------ ----
-d----- 11/13/2020 3:00 PM HWID
+ You will need to upload this data into Intune to register your device for Autopilot, so the next step is to transfer this file to the computer you will use to access the Azure portal. If you are using a physical device instead of a VM, you can copy the file to a USB stick. If you’re using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM).
+ If you have trouble copying and pasting the file, just view the contents in Notepad on the VM and copy the text into Notepad outside the VM. Do not use another text editor to do this.
-PS C:\Windows\system32> Set-Location c:\HWID
-PS C:\HWID> Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
-PS C:\HWID> Install-Script -Name Get-WindowsAutopilotInfo -Force
-
-NuGet provider is required to continue
-PowerShellGet requires NuGet provider version '2.8.5.201' or newer to interact with NuGet-based repositories. The NuGet
- provider must be available in 'C:\Program Files\PackageManagement\ProviderAssemblies' or
-'C:\Users\user1\AppData\Local\PackageManagement\ProviderAssemblies'. You can also install the NuGet provider by running
- 'Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force'. Do you want PowerShellGet to install and
-import the NuGet provider now?
-[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y
-PS C:\HWID> $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
-PS C:\HWID> Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
-Gathered details for device with serial number: 1804-7078-6805-7405-0796-0675-17
-PS C:\HWID> dir
-
-
- Directory: C:\HWID
-
-
-Mode LastWriteTime Length Name
----- ------------- ------ ----
--a---- 11/13/2020 3:01 PM 8184 AutopilotHWID.csv
-
-
-PS C:\HWID>
-
-
-Verify that there is an **AutopilotHWID.csv** file in the **c:\HWID** directory that is about 8 KB in size. This file contains the complete 4K HH.
-
-> [!NOTE]
-> Although the .csv extension might be associated with Microsoft Excel, you cannot view the file properly by double-clicking it. To correctly parse the comma delimiters and view the file in Excel, you must use the **Data** > **From Text/CSV** function in Excel to import the appropriate data columns. You don't need to view the file in Excel unless you are curious. The file format will be validated when it is imported into Autopilot. An example of the data in this file is shown below.
-
-
-
-You will need to upload this data into Intune to register your device for Autopilot, so the next step is to transfer this file to the computer you will use to access the Azure portal. If you are using a physical device instead of a VM, you can copy the file to a USB stick. If you’re using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM).
-
-If you have trouble copying and pasting the file, just view the contents in Notepad on the VM and copy the text into Notepad outside the VM. Do not use another text editor to do this.
-
-> [!NOTE]
-> When copying and pasting to or from VMs, avoid clicking other things with your mouse cursor between the copy and paste process as this can empty or overwrite the clipboard and require that you start over. Go directly from copy to paste.
+ > [!NOTE]
+ > When copying and pasting to or from VMs, avoid clicking other things with your mouse cursor between the copy and paste process as this can empty or overwrite the clipboard and require that you start over. Go directly from copy to paste.
## Reset the VM back to Out-Of-Box-Experience (OOBE)
@@ -413,7 +420,7 @@ Optional: see the following video for an overview of the process.
> [!video https://www.youtube.com/embed/IpLIZU_j7Z0]
-First, you need a MSfB account. You can use the same one you created above for Intune, or follow [these instructions](https://docs.microsoft.com/microsoft-store/windows-store-for-business-overview) to create a new one.
+First, you need a MSfB account. You can use the same one you created above for Intune, or follow [these instructions](/microsoft-store/windows-store-for-business-overview) to create a new one.
Next, sign in to [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/store) using your test account by clicking **Sign in** on the upper-right-corner of the main page.
@@ -446,14 +453,17 @@ Pick one:
The Autopilot deployment profile wizard will ask for a device group, so we must create one first. To create a device group:
1. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Groups** > **New group**.
+
2. In the **Group** blade:
1. For **Group type**, choose **Security**.
2. Type a **Group name** and **Group description** (ex: Autopilot Lab).
3. Azure AD roles can be assigned to the group: **No**
4. For **Membership type**, choose **Assigned**.
+
3. Click **Members** and add the Autopilot VM to the group. See the following example:
- 
+ > [!div class="mx-imgBorder"]
+ > 
4. Click **Create**.
@@ -461,11 +471,13 @@ The Autopilot deployment profile wizard will ask for a device group, so we must
To create a Windows Autopilot profile, scroll back to the left hand pane and click **Devices**, then under **Enroll devices | Windows enrollment** select **Deployment Profiles**.
-
+> [!div class="mx-imgBorder"]
+> 
Click on **Create profile** and then select **Windows PC**.
-
+> [!div class="mx-imgBorder"]
+> 
On the **Create profile** blade, use the following values:
@@ -481,7 +493,7 @@ Click **Next** to continue with the **Out-of-box experience (OOBE)** settings:
|---|---|
| Deployment mode | User-driven |
| Join to Azure AD as | Azure AD joined |
-| Microsoft Sofware License Terms | Hide |
+| Microsoft Software License Terms | Hide |
| Privacy Settings | Hide |
| Hide change account options | Hide |
| User account type | Standard |
@@ -504,6 +516,7 @@ Click **Next** to continue with the **Assignments** settings:
Click on **OK** and then click on **Create**.
+> [!NOTE]
> If you want to add an app to your profile via Intune, the OPTIONAL steps for doing so can be found in [Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile).
### Create a Windows Autopilot deployment profile using MSfB
@@ -524,15 +537,18 @@ To CREATE the profile:
Select your device from the **Devices** list:
-
+> [!div class="mx-imgBorder"]
+> 
On the Autopilot deployment dropdown menu, select **Create new profile**:
-
+> [!div class="mx-imgBorder"]
+> 
Name the profile, choose your desired settings, and then click **Create**:
-
+> [!div class="mx-imgBorder"]
+> 
The new profile is added to the Autopilot deployment list.
@@ -540,11 +556,13 @@ To ASSIGN the profile:
To assign (or reassign) the profile to a device, select the checkboxes next to the device you registered for this lab, then select the profile you want to assign from the **Autopilot deployment** dropdown menu as shown:
-
+> [!div class="mx-imgBorder"]
+> 
Confirm the profile was successfully assigned to the intended device by checking the contents of the **Profile** column:
-
+> [!div class="mx-imgBorder"]
+> 
> [!IMPORTANT]
> The new profile will only be applied if the device has not been started, and gone through OOBE. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device.
@@ -553,7 +571,8 @@ Confirm the profile was successfully assigned to the intended device by checking
If you shut down your VM after the last reset, it's time to start it back up again, so it can progress through the Autopilot OOBE experience but do not attempt to start your device again until the **PROFILE STATUS** for your device in Intune has changed from **Not assigned** to **Assigning** and finally **Assigned**:
-
+> [!div class="mx-imgBorder"]
+> 
Also, make sure to wait at least 30 minutes from the time you've [configured company branding](#configure-company-branding), otherwise these changes might not show up.
@@ -568,35 +587,38 @@ Also, make sure to wait at least 30 minutes from the time you've [configured com
Soon after reaching the desktop, the device should show up in Intune as an **enabled** Autopilot device. Go into the Intune Azure portal, and select **Devices > All devices**, then **Refresh** the data to verify that your device has changed from disabled to enabled, and the name of the device is updated.
-
+> [!div class="mx-imgBorder"]
+> 
Once you select a language and a keyboard layout, your company branded sign-in screen should appear. Provide your Azure Active Directory credentials and you're all done.
> [!TIP]
-> If you receive a message that "Something went wrong" and it "Looks like we can't connect to the URL for your organization's MDM terms of use", verify that you have correctly [assigned licenses](https://docs.microsoft.com/mem/intune/fundamentals/licenses-assign) to the current user.
+> If you receive a message that "Something went wrong" and it "Looks like we can't connect to the URL for your organization's MDM terms of use", verify that you have correctly [assigned licenses](/mem/intune/fundamentals/licenses-assign) to the current user.
Windows Autopilot will now take over to automatically join your device into Azure Active Directory and enroll it to Microsoft Intune. Use the checkpoint you've created to go through this process again with different settings.
## Remove devices from Autopilot
-To use the device (or VM) for other purposes after completion of this lab, you will need to remove (deregister) it from Autopilot via either Intune or MSfB, and then reset it. Instructions for deregistering devices can be found at [Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Remove devices by using wipe, retire, or manually unenrolling the device](https://docs.microsoft.com/intune/devices-wipe#delete-devices-from-the-azure-active-directory-portal) and below.
+To use the device (or VM) for other purposes after completion of this lab, you will need to remove (deregister) it from Autopilot via either Intune or MSfB, and then reset it. Instructions for deregistering devices can be found at [Enroll Windows devices in Intune by using Windows Autopilot](/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Remove devices by using wipe, retire, or manually unenrolling the device](/intune/devices-wipe#delete-devices-from-the-azure-active-directory-portal) and below.
### Delete (deregister) Autopilot device
You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure Active Directory), log into the MEM admin center, then navigate to **Intune > Devices > All Devices**. Select the device you want to delete, then click the Delete button along the top menu.
-
+> [!div class="mx-imgBorder"]
+> 
This will remove the device from Intune management, and it will disappear from **Intune > Devices > All devices**. But this does not yet deregister the device from Autopilot, so the device should still appear under **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices**.
The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices** list mean different things and are two completely separate datastores. The former (All devices) is the list of devices currently enrolled into Intune.
> [!NOTE]
-> A device will only appear in the All devices list once it has booted. The latter (Windows Autopilot Deployment Program > Devices) is the list of devices currently registered from that Intune account into the Autopilot program - which may or may not be enrolled to Intune.
+> A device will only appear in the All devices list once it has booted. The latter (**Windows Autopilot Deployment Program** > **Devices**) is the list of devices currently registered from that Intune account into the Autopilot program - which may or may not be enrolled to Intune.
To remove the device from the Autopilot program, select the device and click **Delete**. You will get a popup dialog box to confirm deletion.
-
+> [!div class="mx-imgBorder"]
+> 
At this point, your device has been unenrolled from Intune and also deregistered from Autopilot. After several minutes, click the **Sync** button, followed by the **Refresh** button to confirm the device is no longer listed in the Autopilot program:
@@ -610,7 +632,7 @@ Starting with Windows 8, the host computer's microprocessor must support second
To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, scroll down, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example:
-
+```console
C:>systeminfo
...
@@ -618,15 +640,16 @@ Hyper-V Requirements: VM Monitor Mode Extensions: Yes
Virtualization Enabled In Firmware: Yes
Second Level Address Translation: Yes
Data Execution Prevention Available: Yes
-
+```
In this example, the computer supports SLAT and Hyper-V.
+> [!NOTE]
> If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings.
-You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/library/cc731397.aspx) tool, or you can download the [Coreinfo](https://technet.microsoft.com/sysinternals/cc835722) utility and run it, as shown in the following example:
+You can also identify Hyper-V support using [tools](/archive/blogs/taylorb/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v) provided by the processor manufacturer, the [msinfo32](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731397(v=ws.11)) tool, or you can download the [Coreinfo](/sysinternals/downloads/coreinfo) utility and run it, as shown in the following example:
-
+```console
C:>coreinfo -v
Coreinfo v3.31 - Dump information on system CPU and memory topology
@@ -639,7 +662,7 @@ Microcode signature: 0000001B
HYPERVISOR - Hypervisor is present
VMX * Supports Intel hardware-assisted virtualization
EPT * Supports Intel extended page tables (SLAT)
-
+```
> [!NOTE]
> A 64-bit operating system is required to run Hyper-V.
@@ -662,7 +685,8 @@ Download the Notepad++ msi package [here](https://www.hass.de/content/notepad-ms
Run the IntuneWinAppUtil tool, supplying answers to the three questions, for example:
-
+> [!div class="mx-imgBorder"]
+> 
After the tool finishes running, you should have an .intunewin file in the Output folder, which you can now upload into Intune using the following steps.
@@ -680,7 +704,8 @@ Under **App Type**, select **Windows app (Win32)**:
On the **App package file** blade, browse to the **npp.7.6.3.installer.x64.intunewin** file in your output folder, open it, then click **OK**:
-
+> [!div class="mx-imgBorder"]
+> 
On the **App Information Configure** blade, provide a friendly name, description, and publisher, such as:
@@ -688,8 +713,10 @@ On the **App Information Configure** blade, provide a friendly name, description
On the **Program Configuration** blade, supply the install and uninstall commands:
+```console
Install: msiexec /i "npp.7.6.3.installer.x64.msi" /q
Uninstall: msiexec /x "{F188A506-C3C6-4411-BE3A-DA5BF1EA6737}" /q
+```
> [!NOTE]
> Likely, you do not have to write the install and uninstall commands yourself because the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool) automatically generated them when it converted the .msi file into a .intunewin file.
@@ -702,11 +729,13 @@ Click **OK** to save your input and activate the **Requirements** blade.
On the **Requirements Configuration** blade, specify the **OS architecture** and the **Minimum OS version**:
-
+> [!div class="mx-imgBorder"]
+> 
Next, configure the **Detection rules**. For our purposes, we will select manual format:
-
+> [!div class="mx-imgBorder"]
+> 
Click **Add** to define the rule properties. For **Rule type**, select **MSI**, which will automatically import the right MSI product code into the rule:
@@ -716,7 +745,8 @@ Click **OK** twice to save, as you back out to the main **Add app** blade again
**Return codes**: For our purposes, leave the return codes at their default values:
-
+> [!div class="mx-imgBorder"]
+> 
Click **OK** to exit.
@@ -726,11 +756,13 @@ Click the **Add** button to finalize and save your app package.
Once the indicator message says the addition has completed.
-
+> [!div class="mx-imgBorder"]
+> 
You will be able to find your app in your app list:
-
+> [!div class="mx-imgBorder"]
+> 
#### Assign the app to your Intune profile
@@ -739,19 +771,22 @@ You will be able to find your app in your app list:
In the **Intune > Client Apps > Apps** pane, select the app package you already created to reveal its properties blade. Then click **Assignments** from the menu:
-
+> [!div class="mx-imgBorder"]
+> 
Select **Add Group** to open the **Add group** pane that is related to the app.
-For our purposes, select **Required** from the **Assignment type** dropdown menu:
+For our purposes, select **Required** from the **Assignment type** dropdown menu.
+> [!NOTE]
> **Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website.
Select **Included Groups** and assign the groups you previously created that will use this app:
-
+> [!div class="mx-imgBorder"]
+> 
In the **Select groups** pane, click the **Select** button.
@@ -761,11 +796,12 @@ In the **Add group** pane, select **OK**.
In the app **Assignments** pane, select **Save**.
-
+> [!div class="mx-imgBorder"]
+> 
At this point, you have completed steps to add a Win32 app to Intune.
-For more information on adding apps to Intune, see [Intune Standalone - Win32 app management](https://docs.microsoft.com/intune/apps-win32-app-management).
+For more information on adding apps to Intune, see [Intune Standalone - Win32 app management](/intune/apps-win32-app-management).
### Add Office 365
@@ -783,15 +819,17 @@ Under **App Type**, select **Office 365 Suite > Windows 10**:
Under the **Configure App Suite** pane, select the Office apps you want to install. For the purposes of this labe we have only selected Excel:
-
+> [!div class="mx-imgBorder"]
+> 
Click **OK**.
In the **App Suite Information** pane, enter a unique suite name, and a suitable description.
-> Enter the name of the app suite as it is displayed in the company portal. Make sure that all suite names that you use are unique. If the same app suite name exists twice, only one of the apps is displayed to users in the company portal.
+Enter the name of the app suite as it is displayed in the company portal. Make sure that all suite names that you use are unique. If the same app suite name exists twice, only one of the apps is displayed to users in the company portal.
-
+> [!div class="mx-imgBorder"]
+> 
Click **OK**.
@@ -808,19 +846,21 @@ Click **OK** and then click **Add**.
In the **Intune > Client Apps > Apps** pane, select the Office package you already created to reveal its properties blade. Then click **Assignments** from the menu:
-
+> [!div class="mx-imgBorder"]
+> 
Select **Add Group** to open the **Add group** pane that is related to the app.
-For our purposes, select **Required** from the **Assignment type** dropdown menu:
+For our purposes, select **Required** from the **Assignment type** dropdown menu.
-> **Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website.
+**Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website.
Select **Included Groups** and assign the groups you previously created that will use this app:
-
+> [!div class="mx-imgBorder"]
+> 
In the **Select groups** pane, click the **Select** button.
@@ -834,7 +874,7 @@ In the app **Assignments** pane, select **Save**.
At this point, you have completed steps to add Office to Intune.
-For more information on adding Office apps to Intune, see [Assign Office 365 apps to Windows 10 devices with Microsoft Intune](https://docs.microsoft.com/intune/apps-add-office365).
+For more information on adding Office apps to Intune, see [Assign Office 365 apps to Windows 10 devices with Microsoft Intune](/intune/apps-add-office365).
If you installed both the win32 app (Notepad++) and Office (just Excel) per the instructions in this lab, your VM will show them in the apps list, although it could take several minutes to populate:
@@ -855,4 +895,4 @@ If you installed both the win32 app (Notepad++) and Office (just Excel) per the
DDS Device Directory Service OOBE Out of the Box Experience VM Virtual Machine
v10c.events.data.microsoft.com
v10.vortex-win.data.microsoft.com |
-| [Windows Error Reporting](https://docs.microsoft.com/windows/win32/wer/windows-error-reporting) | watson.telemetry.microsoft.com
watson.microsoft.com
umwatsonc.telemetry.microsoft.com
umwatsonc.events.data.microsoft.com
*-umwatsonc.events.data.microsoft.com
ceuswatcab01.blob.core.windows.net
ceuswatcab02.blob.core.windows.net
eaus2watcab01.blob.core.windows.net
eaus2watcab02.blob.core.windows.net
weus2watcab01.blob.core.windows.net
weus2watcab02.blob.core.windows.net |
+| [Windows Error Reporting](/windows/win32/wer/windows-error-reporting) | watson.telemetry.microsoft.com
watson.microsoft.com
umwatsonc.telemetry.microsoft.com
umwatsonc.events.data.microsoft.com
*-umwatsonc.events.data.microsoft.com
ceuswatcab01.blob.core.windows.net
ceuswatcab02.blob.core.windows.net
eaus2watcab01.blob.core.windows.net
eaus2watcab02.blob.core.windows.net
weus2watcab01.blob.core.windows.net
weus2watcab02.blob.core.windows.net |
|Authentication | login.live.com
IMPORTANT: This endpoint is used for device authentication. We do not recommend disabling this endpoint.|
-| [Online Crash Analysis](https://docs.microsoft.com/windows/win32/dxtecharts/crash-dump-analysis) | oca.telemetry.microsoft.com
oca.microsoft.com
kmwatsonc.telemetry.microsoft.com
*-kmwatsonc.telemetry.microsoft.com |
+| [Online Crash Analysis](/windows/win32/dxtecharts/crash-dump-analysis) | oca.telemetry.microsoft.com
oca.microsoft.com
kmwatsonc.telemetry.microsoft.com
*-kmwatsonc.telemetry.microsoft.com |
|Settings | settings-win.data.microsoft.com
IMPORTANT: This endpoint is used to remotely configure diagnostics-related settings and data collection. For example, we use the settings endpoint to remotely block an event from being sent back to Microsoft. We do not recommend disabling this endpoint. This endpoint does not upload Windows diagnostic data |
### Data access
@@ -110,7 +110,7 @@ Here’s a summary of the types of data that is included with each setting:
| --- | --- | --- | --- | --- |
| **Diagnostic data events** | No Windows diagnostic data sent. | Minimum data required to keep the device secure, up to date, and performing as expected. | Additional data about the websites you browse, how Windows and apps are used and how they perform, and device activity. The additional data helps Microsoft to fix and improve products and services for all users. | Additional data about the websites you browse, how Windows and apps are used and how they perform. This data also includes data about device activity, and enhanced error reporting that helps Microsoft to fix and improve products and services for all users.|
| **Crash Metadata** | N/A | Yes | Yes | Yes |
-| **Crash Dumps** | N/A | No | Triage dumps only
For more information about crash dumps, see [Windows Error Reporting](https://docs.microsoft.com/windows/win32/wer/windows-error-reporting). | Full memory dumps
For more information about crash dumps, see [Windows Error Reporting](https://docs.microsoft.com/windows/win32/wer/windows-error-reporting). |
+| **Crash Dumps** | N/A | No | Triage dumps only
For more information about crash dumps, see [Windows Error Reporting](/windows/win32/wer/windows-error-reporting). | Full memory dumps
For more information about crash dumps, see [Windows Error Reporting](/windows/win32/wer/windows-error-reporting). |
| **Diagnostic logs** | N/A | No | No | Yes |
| **Data collection** | N/A | 100% | Sampling applies | Sampling applies |
@@ -167,7 +167,7 @@ Enhanced diagnostic data includes data about the websites you browse, how Window
- Device-specific events that are specific to certain devices, such as Surface Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-related events.
- - All crash dump types, except for heap dumps and full dumps. For more information about crash dumps, see [Windows Error Reporting](https://docs.microsoft.com/windows/win32/wer/windows-error-reporting).
+ - All crash dump types, except for heap dumps and full dumps. For more information about crash dumps, see [Windows Error Reporting](/windows/win32/wer/windows-error-reporting).
### Optional diagnostic data
@@ -184,14 +184,14 @@ Optional diagnostic data, previously labeled as **Full**, includes more detailed
- Enhanced error reporting, including the memory state of the device when a system or app crash occurs (which may unintentionally contain user content, such as parts of a file you were using when the problem occurred). Crash data is never used for Tailored experiences.
>[!Note]
->Crash dumps collected in optional diagnostic data may unintentionally contain personal data, such as portions of memory from a document and a web page. For more information about crash dumps, see [Windows Error Reporting](https://docs.microsoft.com/windows/win32/wer/windows-error-reporting).
+>Crash dumps collected in optional diagnostic data may unintentionally contain personal data, such as portions of memory from a document and a web page. For more information about crash dumps, see [Windows Error Reporting](/windows/win32/wer/windows-error-reporting).
## Manage enterprise diagnostic data
Use the steps in this section to configure the diagnostic data settings for Windows and Windows Server in your organization.
>[!IMPORTANT]
->These diagnostic data settings only apply to components, features, and apps that are considered a part of the Windows operating system. Third-party apps and other Microsoft apps, such as Microsoft Office, that customers install may also collect and send diagnostic data using their own controls. You should work with your app vendors to understand their diagnostic data policy, and how you can opt in or opt out. For more information on how Microsoft Office uses diagnostic data, see [Overview of privacy controls for Microsoft 365 Apps for enterprise](https://docs.microsoft.com/deployoffice/privacy/overview-privacy-controls). If you would like to control Windows data collection that is not Windows diagnostic data, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
+>These diagnostic data settings only apply to components, features, and apps that are considered a part of the Windows operating system. Third-party apps and other Microsoft apps, such as Microsoft Office, that customers install may also collect and send diagnostic data using their own controls. You should work with your app vendors to understand their diagnostic data policy, and how you can opt in or opt out. For more information on how Microsoft Office uses diagnostic data, see [Overview of privacy controls for Microsoft 365 Apps for enterprise](/deployoffice/privacy/overview-privacy-controls). If you would like to control Windows data collection that is not Windows diagnostic data, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
You can configure your device's diagnostic data settings using the management tools you’re already using, such as Group Policy or MDM.
@@ -222,14 +222,14 @@ You can use Group Policy to set your organization’s diagnostic data setting:
### Use MDM to manage diagnostic data collection
-Use [Policy Configuration Service Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) to apply the System/AllowTelemetry MDM policy.
+Use [Policy Configuration Service Provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider) to apply the System/AllowTelemetry MDM policy.
## Limit optional diagnostic data for Desktop Analytics
-For more information about how to limit the diagnostic data to the minimum required by Desktop Analytics, see [Enable data sharing for Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/enable-data-sharing).
+For more information about how to limit the diagnostic data to the minimum required by Desktop Analytics, see [Enable data sharing for Desktop Analytics](/mem/configmgr/desktop-analytics/enable-data-sharing).
## Change privacy settings on a single server
-You can also change the privacy settings on a server running either the Azure Stack HCI operating system or Windows Server. For more information, see [Change privacy settings on individual servers](https://docs.microsoft.com/azure-stack/hci/manage/change-privacy-settings).
+You can also change the privacy settings on a server running either the Azure Stack HCI operating system or Windows Server. For more information, see [Change privacy settings on individual servers](/azure-stack/hci/manage/change-privacy-settings).
-To manage privacy settings in your enterprise as a whole, see [Manage enterprise diagnostic data](#manage-enterprise-diagnostic-data).
+To manage privacy settings in your enterprise as a whole, see [Manage enterprise diagnostic data](#manage-enterprise-diagnostic-data).
\ No newline at end of file
diff --git a/windows/privacy/deploy-data-processor-service-windows.md b/windows/privacy/deploy-data-processor-service-windows.md
index 76db1e584d..dbc0883936 100644
--- a/windows/privacy/deploy-data-processor-service-windows.md
+++ b/windows/privacy/deploy-data-processor-service-windows.md
@@ -57,9 +57,9 @@ The following endpoints need to be reachable from devices enrolled into the data
For additional information, see the “device authentication” and “diagnostic data” sections in the endpoint articles for each respective Windows version:
-[Windows 10, version 1809 endpoints](https://docs.microsoft.com/Windows/privacy/manage-Windows-1809-endpoints)
+[Windows 10, version 1809 endpoints](./manage-windows-1809-endpoints.md)
-[Windows 10, version 1903 endpoints](https://docs.microsoft.com/Windows/privacy/manage-Windows-1903-endpoints)
+[Windows 10, version 1903 endpoints](./manage-windows-1903-endpoints.md)
### Deploying data processor service for Windows Enterprise
You can use either Group Policy or an MDM solution to deploy the data processor service for Windows Enterprise to your supported devices.
@@ -68,7 +68,7 @@ In Group Policy, to enable data collection through the data processor service fo
If you wish to disable, at any time, switch the same setting to **disabled**. The default state of the above setting is **disabled**.
-To use an MDM solution, such as [Microsoft Intune](https://docs.microsoft.com/intune/custom-settings-Windows-10), to deploy the data processor service for Windows Enterprise to your supported devices, use the following custom OMA-URI setting configuration:
+To use an MDM solution, such as [Microsoft Intune](/intune/custom-settings-Windows-10), to deploy the data processor service for Windows Enterprise to your supported devices, use the following custom OMA-URI setting configuration:
- **Name:** System/AllowCommercialDataPipeline
- **OMA-URI:** ./Vendor/MSFT/Policy/Config/System/AllowCommercialDataPipeline
@@ -88,7 +88,7 @@ To perform user-based DSRs, the data processor service for Windows Enterprise re
If your environment is cloud-only and managed in Azure, or all your devices are Azure AD joined - you don’t need to take any further action.
If your environment uses on-premises Active Directory to manage identities - Azure AD Connect synchronization is required, and your environment needs to be configured for hybrid Azure AD join.
-To learn more, visit [How To: Plan your hybrid Azure Active Directory join implementation](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan) and [Azure AD Connect sync: Understand and customize synchronization](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-sync-whatis).
+To learn more, visit [How To: Plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan) and [Azure AD Connect sync: Understand and customize synchronization](/azure/active-directory/hybrid/how-to-connect-sync-whatis).
Once you have Azure AD join or hybrid Azure AD join in place, you can learn more about executing user-based DSRs, by visiting this [page](https://review.docs.microsoft.com/microsoft-365/compliance/gdpr-dsr-windows?branch=siosulli-wps&view=o365-worldwide).
diff --git a/windows/privacy/diagnostic-data-viewer-overview.md b/windows/privacy/diagnostic-data-viewer-overview.md
index c70d65a6ce..3b40651ee2 100644
--- a/windows/privacy/diagnostic-data-viewer-overview.md
+++ b/windows/privacy/diagnostic-data-viewer-overview.md
@@ -44,7 +44,7 @@ Before you can use this tool for viewing Windows diagnostic data, you must turn
Download the app from the [Microsoft Store Diagnostic Data Viewer](https://www.microsoft.com/store/p/diagnostic-data-viewer/9n8wtrrsq8f7?rtc=1) page.
> [!Important]
-> It's possible that your Windows device doesn't have the Microsoft Store available (for example, Windows Server). If this is the case, see [Diagnostic Data Viewer for PowerShell](https://go.microsoft.com/fwlink/?linkid=2094264).
+> It's possible that your Windows device doesn't have the Microsoft Store available (for example, Windows Server). If this is the case, see [Diagnostic Data Viewer for PowerShell](./microsoft-diagnosticdataviewer.md).
### Start the Diagnostic Data Viewer
You can start this app from the **Settings** panel.
diff --git a/windows/privacy/docfx.json b/windows/privacy/docfx.json
index bb7dfb718c..29f46358f8 100644
--- a/windows/privacy/docfx.json
+++ b/windows/privacy/docfx.json
@@ -55,7 +55,7 @@
"jborsecnik",
"tiburd",
"garycentric"
- ],
+ ]
},
"searchScope": ["Windows 10"]
},
@@ -63,5 +63,4 @@
"template": [],
"dest": "privacy",
"markdownEngineName": "markdig"
- }
}
diff --git a/windows/privacy/index.yml b/windows/privacy/index.yml
index b9b6ce81fd..da814f7791 100644
--- a/windows/privacy/index.yml
+++ b/windows/privacy/index.yml
@@ -152,7 +152,7 @@ productDirectory:
# summary: cardsummary3
# url: file1.md OR https://docs.microsoft.com/file3
# # footer (optional)
-# footer: "footertext [linktext](https://docs.microsoft.com/footerfile)"
+# footer: "footertext [linktext](/footerfile)"
# additionalContent section (optional)
# Card with links style
@@ -164,7 +164,7 @@ additionalContent:
- title: View and manage Windows 10 connection endpoints
links:
- text: Manage Windows 10 connection endpoints
- url: manage-windows-endpoints.md
+ url: ./manage-windows-2004-endpoints.md
- text: Manage connection endpoints for non-Enterprise editions of Windows 10
url: windows-endpoints-2004-non-enterprise-editions.md
- text: Manage connections from Windows to Microsoft services
@@ -175,8 +175,8 @@ additionalContent:
- text: Windows 10 on Trust Center
url: https://www.microsoft.com/en-us/trustcenter/cloudservices/windows10
- text: GDPR on Microsoft 365 Compliance solutions
- url: https://docs.microsoft.com/microsoft-365/compliance/gdpr
+ url: /microsoft-365/compliance/gdpr
- text: Support for GDPR Accountability on Service Trust Portal
url: https://servicetrust.microsoft.com/ViewPage/GDPRGetStarted
# footer (optional)
- # footer: "footertext [linktext](https://docs.microsoft.com/footerfile)"
+ # footer: "footertext [linktext](/footerfile)"
\ No newline at end of file
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
index 1c68d554a4..62db4259a1 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
@@ -21,22 +21,22 @@ ms.date: 12/1/2020
- Windows 10 Enterprise 1903 version and newer
-This article describes the network connections that Windows 10 components make to Microsoft and the Mobile Device Management/Configuration Service Provider (MDM/CSP) and custom Open Mobile Alliance Uniform Resource Identifier ([OMA URI](https://docs.microsoft.com/intune/custom-settings-windows-10)) policies available to IT Professionals using Microsoft Intune to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience.
+This article describes the network connections that Windows 10 components make to Microsoft and the Mobile Device Management/Configuration Service Provider (MDM/CSP) and custom Open Mobile Alliance Uniform Resource Identifier ([OMA URI](/intune/custom-settings-windows-10)) policies available to IT Professionals using Microsoft Intune to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience.
>[!IMPORTANT]
>- The Allowed Traffic endpoints for an MDM configuration are here: [Allowed Traffic](#bkmk-mdm-allowedtraffic)
> - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign.
> - There is some traffic which is specifically required for the Microsoft Intune based management of Windows 10 devices. This traffic includes Windows Notifications Service (WNS), Automatic Root Certificates Update (ARCU), and some Windows Update related traffic. The aforementioned traffic comprises the Allowed Traffic for Microsoft Intune MDM Server to manage Windows 10 devices.
>- For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: disabling Windows Update, disabling Automatic Root Certificates Update, and disabling Windows Defender. Accordingly, we do not recommend disabling any of these features.
->- To ensure CSPs take priority over Group Policies in case of conflicts, use the [ControlPolicyConflict](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy.
+>- To ensure CSPs take priority over Group Policies in case of conflicts, use the [ControlPolicyConflict](/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy.
>- The **Get Help** and **Give us Feedback** links in Windows may no longer work after applying some or all of the MDM/CSP settings.
>[!Warning]
>If a user executes the "Reset this PC" command (Settings -> Update & Security -> Recovery) with the "Remove Everything" option the >Windows Restricted Traffic Limited Functionality settings will need to be re-applied in order re-restrict the device's egress traffic. >To do this the client must be re-enrolled to the Microsoft Intune service. Egress traffic may occur during the period prior to the re->application of the Restricted Traffic Limited Functionality settings. If the user executes a "Reset this PC" with the "Keep my files" >option the Restricted Traffic Limited Functionality settings are retained on the device, and therefore the client will remain in a >Restricted Traffic configuration during and after the "Keep my files" reset, and no re-enrollment is required.
-For more information on Microsoft Intune please see [Transform IT service delivery for your modern workplace](https://www.microsoft.com/en-us/enterprise-mobility-security/microsoft-intune?rtc=1) and [Microsoft Intune documentation](https://docs.microsoft.com/intune/).
+For more information on Microsoft Intune please see [Transform IT service delivery for your modern workplace](https://www.microsoft.com/en-us/enterprise-mobility-security/microsoft-intune?rtc=1) and [Microsoft Intune documentation](/intune/).
-For detailed information about managing network connections to Microsoft services using Windows Settings, Group Policies and Registry settings see [Manage connections from Windows 10 operating system components to Microsoft services](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services).
+For detailed information about managing network connections to Microsoft services using Windows Settings, Group Policies and Registry settings see [Manage connections from Windows 10 operating system components to Microsoft services](./manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by sending email to **telmhelp**@**microsoft.com**.
@@ -45,31 +45,31 @@ We are always striving to improve our documentation and welcome your feedback. Y
The following table lists management options for each setting.
-For Windows 10, the following MDM policies are available in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
+For Windows 10, the following MDM policies are available in the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider).
1. **Automatic Root Certificates Update**
1. MDM Policy: There is intentionally no MDM available for Automatic Root Certificate Update. This MDM does not exist since it would prevent the operation and management of MDM management of devices.
1. **Cortana and Search**
- 1. MDM Policy: [Experience/AllowCortana](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowcortana). Choose whether to let Cortana install and run on the device. **Set to 0 (zero)**
- 1. MDM Policy: [Search/AllowSearchToUseLocation](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-search#search-allowsearchtouselocation). Choose whether Cortana and Search can provide location-aware search results. **Set to 0 (zero)**
+ 1. MDM Policy: [Experience/AllowCortana](/windows/client-management/mdm/policy-csp-experience#experience-allowcortana). Choose whether to let Cortana install and run on the device. **Set to 0 (zero)**
+ 1. MDM Policy: [Search/AllowSearchToUseLocation](/windows/client-management/mdm/policy-csp-search#search-allowsearchtouselocation). Choose whether Cortana and Search can provide location-aware search results. **Set to 0 (zero)**
1. **Date & Time**
- 1. MDM Policy: [Settings/AllowDateTime](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-settings#settings-allowdatetime). Allows the user to change date and time settings. **Set to 0 (zero)**
+ 1. MDM Policy: [Settings/AllowDateTime](/windows/client-management/mdm/policy-csp-settings#settings-allowdatetime). Allows the user to change date and time settings. **Set to 0 (zero)**
1. **Device metadata retrieval**
- 1. MDM Policy: [DeviceInstallation/PreventDeviceMetadataFromNetwork](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventdevicemetadatafromnetwork). Choose whether to prevent Windows from retrieving device metadata from the Internet. **Set to Enabled**
+ 1. MDM Policy: [DeviceInstallation/PreventDeviceMetadataFromNetwork](/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventdevicemetadatafromnetwork). Choose whether to prevent Windows from retrieving device metadata from the Internet. **Set to Enabled**
1. **Find My Device**
- 1. MDM Policy: [Experience/AllowFindMyDevice](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowfindmydevice). This policy turns on Find My Device. **Set to 0 (zero)**
+ 1. MDM Policy: [Experience/AllowFindMyDevice](/windows/client-management/mdm/policy-csp-experience#experience-allowfindmydevice). This policy turns on Find My Device. **Set to 0 (zero)**
1. **Font streaming**
- 1. MDM Policy: [System/AllowFontProviders](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowfontproviders). Setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. **Set to 0 (zero)**
+ 1. MDM Policy: [System/AllowFontProviders](/windows/client-management/mdm/policy-csp-system#system-allowfontproviders). Setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. **Set to 0 (zero)**
1. **Insider Preview builds**
- 1. MDM Policy: [System/AllowBuildPreview](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowbuildpreview). This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. **Set to 0 (zero)**
+ 1. MDM Policy: [System/AllowBuildPreview](/windows/client-management/mdm/policy-csp-system#system-allowbuildpreview). This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. **Set to 0 (zero)**
-1. **Internet Explorer** The following Microsoft Internet Explorer MDM policies are available in the [Internet Explorer CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer)
- 1. MDM Policy: [InternetExplorer/AllowSuggestedSites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-allowsuggestedsites). Recommends websites based on the user’s browsing activity. **Set to Disabled**
+1. **Internet Explorer** The following Microsoft Internet Explorer MDM policies are available in the [Internet Explorer CSP](/windows/client-management/mdm/policy-csp-internetexplorer)
+ 1. MDM Policy: [InternetExplorer/AllowSuggestedSites](/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-allowsuggestedsites). Recommends websites based on the user’s browsing activity. **Set to Disabled**
1. MDM Policy: [InternetExplorer/PreventManagingSmartScreenFilter]( https://docs.microsoft.com/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-preventmanagingsmartscreenfilter). Prevents the user from managing Windows Defender SmartScreen, which warns the user if the website being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware. **Set to String** with Value:
1. **\
**Set to 0 (zero)**
- 1. MDM Policy: [EnableOfflineMapsAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-maps#maps-enableofflinemapsautoupdate). Disables the automatic download and update of map data. **Set to 0 (zero)**
+ 1. MDM Policy: [AllowOfflineMapsDownloadOverMeteredConnection](/windows/client-management/mdm/policy-csp-maps). Allows the download and update of map data over metered connections.
**Set to 0 (zero)**
+ 1. MDM Policy: [EnableOfflineMapsAutoUpdate](/windows/client-management/mdm/policy-csp-maps#maps-enableofflinemapsautoupdate). Disables the automatic download and update of map data. **Set to 0 (zero)**
1. **OneDrive**
- 1. MDM Policy: [DisableOneDriveFileSync](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-disableonedrivefilesync). Allows IT Admins to prevent apps and features from working with files on OneDrive. **Set to 1 (one)**
+ 1. MDM Policy: [DisableOneDriveFileSync](/windows/client-management/mdm/policy-csp-system#system-disableonedrivefilesync). Allows IT Admins to prevent apps and features from working with files on OneDrive. **Set to 1 (one)**
1. Ingest the ADMX - To get the latest OneDrive ADMX file you need an up-to-date Windows 10 client. The ADMX files are located under the following path: %LocalAppData%\Microsoft\OneDrive\ there's a folder with the current OneDrive build (e.g. "18.162.0812.0001"). There is a folder named "adm" which contains the admx and adml policy definition files.
1. MDM Policy: Prevent Network Traffic before User SignIn. **PreventNetworkTrafficPreUserSignIn**. The OMA-URI value is: **./Device/Vendor/MSFT/Policy/Config/OneDriveNGSC\~Policy\~OneDriveNGSC/PreventNetworkTrafficPreUserSignIn**, Data type: **String**, Value: **\
REG_DWORD: ConnectedSearchUseWeb
Value: 0 |
->[!IMPORTANT]
+> [!IMPORTANT]
> Using the Group Policy editor these steps are required for all supported versions of Windows 10, however they are not required for devices running Windows 10, version 1607 or Windows Server 2016.
-1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Defender Firewall with Advanced Security** > **Windows Defender Firewall with Advanced Security - <LDAP name>**, and then click **Outbound Rules**.
+1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Defender Firewall with Advanced Security** > **Windows Defender Firewall with Advanced Security - <LDAP name>**, and then click **Outbound Rules**.
-2. Right-click **Outbound Rules**, and then click **New Rule**. The **New Outbound Rule Wizard** starts.
+2. Right-click **Outbound Rules**, and then click **New Rule**. The **New Outbound Rule Wizard** starts.
-3. On the **Rule Type** page, click **Program**, and then click **Next**.
+3. On the **Rule Type** page, click **Program**, and then click **Next**.
-4. On the **Program** page, click **This program path**, type **%windir%\\systemapps\\Microsoft.Windows.Cortana\_cw5n1h2txyewy\\SearchUI.exe**, and then click **Next**.
+4. On the **Program** page, click **This program path**, type **%windir%\\systemapps\\Microsoft.Windows.Cortana\_cw5n1h2txyewy\\SearchUI.exe**, and then click **Next**.
-5. On the **Action** page, click **Block the connection**, and then click **Next**.
+5. On the **Action** page, click **Block the connection**, and then click **Next**.
-6. On the **Profile** page, ensure that the **Domain**, **Private**, and **Public** check boxes are selected, and then click **Next**.
+6. On the **Profile** page, ensure that the **Domain**, **Private**, and **Public** check boxes are selected, and then click **Next**.
-7. On the **Name** page, type a name for the rule, such as **Cortana firewall configuration**, and then click **Finish.**
+7. On the **Name** page, type a name for the rule, such as **Cortana firewall configuration**, and then click **Finish.**
-8. Right-click the new rule, click **Properties**, and then click **Protocols and Ports**.
+8. Right-click the new rule, click **Properties**, and then click **Protocols and Ports**.
-9. Configure the **Protocols and Ports** page with the following info, and then click **OK**.
+9. Configure the **Protocols and Ports** page with the following info, and then click **OK**.
- - For **Protocol type**, choose **TCP**.
+ - For **Protocol type**, choose **TCP**.
- - For **Local port**, choose **All Ports**.
+ - For **Local port**, choose **All Ports**.
- - For **Remote port**, choose **All ports**.
+ - For **Remote port**, choose **All ports**.
-or-
-- Create a new REG_SZ registry setting named **{0DE40C8E-C126-4A27-9371-A27DAB1039F7}** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\FirewallRules** and set it to a value of **v2.25|Action=Block|Active=TRUE|Dir=Out|Protocol=6|App=%windir%\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\searchUI.exe|Name=Block outbound Cortana|**
+- Create a new REG_SZ registry setting named **{0DE40C8E-C126-4A27-9371-A27DAB1039F7}** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\FirewallRules** and set it to a value of **v2.25|Action=Block|Active=TRUE|Dir=Out|Protocol=6|App=%windir%\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\searchUI.exe|Name=Block outbound Cortana|**
If your organization tests network traffic, do not use a network proxy as Windows Firewall does not block proxy traffic. Instead, use a network traffic analyzer. Based on your needs, there are many network traffic analyzers available at no cost.
@@ -338,7 +338,7 @@ After that, configure the following:
-or-
-- Create a new REG_DWORD registry setting named **Enabled** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient** and set it to **0 (zero)**.
+- Create a new REG_DWORD registry setting named **Enabled** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient** and set it to **0 (zero)**.
### 4. Device metadata retrieval
@@ -412,10 +412,10 @@ To turn off Insider Preview builds for Windows 10:
- Create a new REG_DWORD registry setting named **AllowBuildPreview** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PreviewBuilds** with a **value of 0 (zero)**
-
### 8. Internet Explorer
+
> [!NOTE]
->When attempting to use Internet Explorer on any edition of Windows Server be aware there are restrictions enforced by [Enhanced Security Configuration (ESC)](https://support.microsoft.com/help/815141/ie-enhanced-security-configuration-changes-browsing-experience). The following Group Policies and Registry Keys are for user interactive scenarios rather than the typical idle traffic scenario. Find the Internet Explorer Group Policy objects under **Computer Configuration > Administrative Templates > Windows Components > Internet Explorer** and make these settings:
+> When attempting to use Internet Explorer on any edition of Windows Server be aware there are restrictions enforced by [Enhanced Security Configuration (ESC)](https://support.microsoft.com/help/815141/ie-enhanced-security-configuration-changes-browsing-experience). The following Group Policies and Registry Keys are for user interactive scenarios rather than the typical idle traffic scenario. Find the Internet Explorer Group Policy objects under **Computer Configuration > Administrative Templates > Windows Components > Internet Explorer** and make these settings:
| Policy | Description |
|------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
@@ -458,11 +458,11 @@ To turn off the home page:
-or-
-- Create a new REG_SZ registry setting named **Start Page** in **HKEY_Current_User\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Main** with a **about:blank**
+- Create a new REG_SZ registry setting named **Start Page** in **HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Main** with a **about:blank**
-and -
-- Create a new REG_DWORD registry setting named **HomePage** in **HKEY_Current_User\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Control Panel** with a **1 (one)**
+- Create a new REG_DWORD registry setting named **HomePage** in **HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Control Panel** with a **1 (one)**
To configure the First Run Wizard:
@@ -471,7 +471,7 @@ To configure the First Run Wizard:
-or-
-- Create a new REG_DWORD registry setting named **DisableFirstRunCustomize** in **HKEY_Current_User\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Main** with a **1 (one)**
+- Create a new REG_DWORD registry setting named **DisableFirstRunCustomize** in **HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Main** with a **1 (one)**
To configure the behavior for a new tab:
@@ -480,7 +480,7 @@ To configure the behavior for a new tab:
-or-
-- Create a new REG_DWORD registry setting named **NewTabPageShow** in **HKEY_Current_User\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\TabbedBrowsing** with a **0 (zero)**
+- Create a new REG_DWORD registry setting named **NewTabPageShow** in **HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\TabbedBrowsing** with a **0 (zero)**
### 8.1 ActiveX control blocking
@@ -489,31 +489,31 @@ ActiveX control blocking periodically downloads a new list of out-of-date Active
You can turn this off by:
-- **Enable** the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Security Features** > **Add-on Management** > **Turn off Automatic download of the ActiveX VersionList**
+- **Enable** the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Security Features** > **Add-on Management** > **Turn off Automatic download of the ActiveX VersionList**
-or-
-- Changing the REG_DWORD registry setting **HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to **0 (zero)**.
+- Changing the REG_DWORD registry setting **HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to **0 (zero)**.
-For more info, see [Out-of-date ActiveX control blocking](https://technet.microsoft.com/library/dn761713.aspx).
+For more info, see [Out-of-date ActiveX control blocking](/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking).
### 9. License Manager
You can turn off License Manager related traffic by setting the following registry entry:
-- Add a REG_DWORD value named **Start** to **HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LicenseManager** and set the **value to 4**
+- Add a REG_DWORD value named **Start** to **HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LicenseManager** and set the **value to 4**
-- The value 4 is to disable the service. Here are the available options to set the registry:
+- The value 4 is to disable the service. Here are the available options to set the registry:
- - **0x00000000** = Boot
+ - **0x00000000** = Boot
- - **0x00000001** = System
+ - **0x00000001** = System
- - **0x00000002** = Automatic
+ - **0x00000002** = Automatic
- - **0x00000003** = Manual
+ - **0x00000003** = Manual
- - **0x00000004** = Disabled
+ - **0x00000004** = Disabled
### 10. Live Tiles
@@ -523,7 +523,7 @@ To turn off Live Tiles:
-or-
-- Create a REG_DWORD registry setting named **NoCloudApplicationNotification** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications** with a **value of 1 (one)**
+- Create a REG_DWORD registry setting named **NoCloudApplicationNotification** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications** with a **value of 1 (one)**
In Windows 10 Mobile, you must also unpin all tiles that are pinned to Start.
@@ -544,7 +544,7 @@ To turn off the Windows Mail app:
### 12. Microsoft Account
-Use the below setting to prevent communication to the Microsoft Account cloud authentication service. Many apps and system components that depend on Microsoft Account authentication may lose functionality. Some of them could be in unexpected ways. For example, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are).
+Use the below setting to prevent communication to the Microsoft Account cloud authentication service. Many apps and system components that depend on Microsoft Account authentication may lose functionality. Some of them could be in unexpected ways. For example, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are).
To disable the Microsoft Account Sign-In Assistant:
@@ -553,7 +553,7 @@ To disable the Microsoft Account Sign-In Assistant:
### 13. Microsoft Edge
-Use Group Policies to manage settings for Microsoft Edge. For more info, see [Microsoft Edge and privacy: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730682) and [Configure Microsoft Edge policy settings on Windows](https://docs.microsoft.com/DeployEdge/configure-microsoft-edge).
+Use Group Policies to manage settings for Microsoft Edge. For more info, see [Microsoft Edge and privacy: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730682) and [Configure Microsoft Edge policy settings on Windows](/DeployEdge/configure-microsoft-edge).
### 13.1 Microsoft Edge Group Policies
@@ -567,8 +567,8 @@ Find the Microsoft Edge Group Policy objects under **Computer Configuration** &g
| Configure Do Not Track | Choose whether employees can send Do Not Track headers.
**Set to Enabled** |
| Configure Password Manager | Choose whether employees can save passwords locally on their devices.
**Set to Disabled** |
| Configure search suggestions in Address Bar | Choose whether the Address Bar shows search suggestions.
**Set to Disabled** |
-| Configure Windows Defender SmartScreen (Windows 10, version 1703) | Choose whether Windows Defender SmartScreen is turned on or off.
**Set to Disabled** |
-| Allow web content on New Tab page | Choose whether a new tab page appears.
**Set to Disabled** |
+| Configure Windows Defender SmartScreen (Windows 10, version 1703) | Choose whether Windows Defender SmartScreen is turned on or off.
**Set to Disabled** |
+| Allow web content on New Tab page | Choose whether a new tab page appears.
**Set to Disabled** |
| Configure Start pages | Choose the Start page for domain-joined devices.
**Enabled** and **Set this to <
**Set to: Enable** |
| Allow Microsoft Compatibility List | Choose whether to use the Microsoft Compatibility List in Microsoft Edge.
**Set to: Disabled** |
@@ -590,7 +590,7 @@ Alternatively, you can configure the following Registry keys as described:
| Choose whether employees can configure Compatibility View. | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\BrowserEmulation
REG_DWORD: MSCompatibilityMode
Value: **0**|
-For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/available-policies).
+For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](/microsoft-edge/deploy/available-policies).
### 14. Network Connection Status Indicator
@@ -644,11 +644,11 @@ To turn off OneDrive in your organization:
-and-
-- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent OneDrive from generating network traffic until the user signs in to OneDrive (Enable)**
+- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent OneDrive from generating network traffic until the user signs in to OneDrive (Enable)**
-or-
-- Create a REG_DWORD registry setting named **PreventNetworkTrafficPreUserSignIn** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OneDrive** with a **value of 1 (one)**
+- Create a REG_DWORD registry setting named **PreventNetworkTrafficPreUserSignIn** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OneDrive** with a **value of 1 (one)**
### 17. Preinstalled apps
@@ -660,9 +660,9 @@ To remove the News app:
- Right-click the app in Start, and then click **Uninstall**.
-or-
->[!IMPORTANT]
+> [!IMPORTANT]
> If you have any issues with these commands, restart the system and try the scripts again.
->
+
- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingNews"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
-and-
@@ -933,7 +933,7 @@ To turn off **Location for this device**:
- Click the **Change** button in the UI.
-or-
-
+
- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Location and Sensors** > **Turn off location**.
-or-
@@ -943,7 +943,7 @@ To turn off **Location for this device**:
To turn off **Allow apps to access your location**:
- Turn off the feature in the UI.
-
+
-or-
- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access location** and set the **Select a setting** box to **Force Deny**.
@@ -952,7 +952,7 @@ To turn off **Allow apps to access your location**:
- Create a REG_DWORD registry setting named **LetAppsAccessLocation** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a **value of 2 (two)**.
-
+
To turn off **Location history**:
- Erase the history using the **Clear** button in the UI.
@@ -1035,15 +1035,15 @@ To turn off **Let apps access my notifications**:
### 18.6 Speech
-In the **Speech** area, you can configure the functionality as such:
+In the **Speech** area, you can configure the functionality as such:
To turn off dictation of your voice, speaking to Cortana and other apps, and to prevent sending your voice input to Microsoft Speech services:
-- Toggle the Settings -> Privacy -> Speech -> **Online speech recognition** switch to **Off**
+- Toggle the Settings -> Privacy -> Speech -> **Online speech recognition** switch to **Off**
-or-
-- **Disable** the Group Policy: **Computer Configuration > Administrative Templates > Control Panel > Regional and Language Options > Allow users to enable online speech recognition services**
+- **Disable** the Group Policy: **Computer Configuration > Administrative Templates > Control Panel > Regional and Language Options > Allow users to enable online speech recognition services**
-or-
@@ -1052,12 +1052,11 @@ To turn off dictation of your voice, speaking to Cortana and other apps, and to
If you're running at Windows 10, version 1703 up to and including Windows 10, version 1803, you can turn off updates to the speech recognition and speech synthesis models:
-- **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Speech** > **Allow automatic update of Speech Data**
+- **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Speech** > **Allow automatic update of Speech Data**
-or-
-- Create a REG_DWORD registry setting named **AllowSpeechModelUpdate** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Speech** with a **value of 0 (zero)**
-
+- Create a REG_DWORD registry setting named **AllowSpeechModelUpdate** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Speech** with a **value of 0 (zero)**
### 18.7 Account info
@@ -1076,8 +1075,7 @@ To turn off **Let apps access my name, picture, and other account info**:
-or-
-- Create a REG_DWORD registry setting named **LetAppsAccessAccountInfo** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
-
+- Create a REG_DWORD registry setting named **LetAppsAccessAccountInfo** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a **value of 2 (two)**.
To turn off **Choose the apps that can access your account info**:
@@ -1112,7 +1110,7 @@ To turn off **Let apps access my calendar**:
-or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the calendar**. Set the **Select a setting** box to **Force Deny**.
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the calendar**. Set the **Select a setting** box to **Force Deny**.
-or-
@@ -1180,15 +1178,15 @@ To turn off **Choose apps that can read or send messages**:
- Turn off the feature in the UI for each app.
-**To turn off Message Sync**
+**To turn off Message Sync**
+
+- Create a REG_DWORD registry setting named **AllowMessageSync** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Messaging** and set the **value to 0 (zero)**.
-- Create a REG_DWORD registry setting named **AllowMessageSync** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Messaging** and set the **value to 0 (zero)**.
-
-or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Messaging**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Messaging**
- - Set the **Allow Message Service Cloud Sync** to **Disable**.
+ - Set the **Allow Message Service Cloud Sync** to **Disable**.
### 18.13 Phone calls
@@ -1238,7 +1236,7 @@ In the **Other Devices** area, you can choose whether devices that aren't paired
To turn off **Let apps automatically share and sync info with wireless devices that don't explicitly pair with your PC, tablet, or phone**:
-- Turn off the feature in the UI by going to Settings > Privacy > Other devices > "Communicate with unpaired devices. Let apps automatically share and sync info with wireless devices that don't explicitly pair with your PC, tablet, or phone" and **Turn it OFF**.
+- Turn off the feature in the UI by going to Settings > Privacy > Other devices > "Communicate with unpaired devices. Let apps automatically share and sync info with wireless devices that don't explicitly pair with your PC, tablet, or phone" and **Turn it OFF**.
-or-
@@ -1263,7 +1261,7 @@ To turn off **Let your apps use your trusted devices (hardware you've already co
### 18.16 Feedback & diagnostics
-In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft. If you're looking for content on what each diagnostic data level means and how to configure it in your organization, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
+In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft. If you're looking for content on what each diagnostic data level means and how to configure it in your organization, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
To change how frequently **Windows should ask for my feedback**:
@@ -1314,7 +1312,7 @@ To change the level of diagnostic and usage data sent when you **Send your devic
> [!NOTE]
> If the **Security** option is configured by using Group Policy or the Registry, the value will not be reflected in the UI. The **Security** option is only available in Windows 10 Enterprise edition.
-
+
To turn off tailored experiences with relevant tips and recommendations by using your diagnostics data:
@@ -1334,7 +1332,7 @@ To turn off tailored experiences with relevant tips and recommendations by using
-or-
-- Create a REG_DWORD registry setting named **DisableTailoredExperiencesWithDiagnosticData** in **HKEY_Current_User\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a value of **1**
+- Create a REG_DWORD registry setting named **DisableTailoredExperiencesWithDiagnosticData** in **HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a **value of 1 (one)**
### 18.17 Background apps
@@ -1388,7 +1386,7 @@ To turn this off:
-or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access Tasks**. Set the **Select a setting** box to **Force Deny**.
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access Tasks**. Set the **Select a setting** box to **Force Deny**.
-or-
@@ -1414,50 +1412,50 @@ To turn this off:
### 18.21 Inking & Typing
-In the **Inking & Typing** area you can configure the functionality as such:
+In the **Inking & Typing** area you can configure the functionality as such:
To turn off Inking & Typing data collection:
-- In the UI go to **Settings -> Privacy -> Diagnostics & Feedback -> Improve inking and typing** and turn it to **Off**
+- In the UI go to **Settings -> Privacy -> Diagnostics & Feedback -> Improve inking and typing** and turn it to **Off**
-OR-
-
+
**Disable** the Group Policy: **Computer Configuration > Administrative Templates > Windows Components > Text Input > Improve inking and typing recognition**
-
+
-and-
-
+
**Disable** the Group Policy: **User Configuration > Administrative Templates > Control Panel > Regional and Language Options > Handwriting personalization > Turn off automatic learning**
-
+
-OR-
- Set **RestrictImplicitTextCollection** registry REG_DWORD setting in **HKEY_CURRENT_USER\Software\Microsoft\InputPersonalization** to a **value of 1 (one)**
-and-
-
+
- Set **RestrictImplicitInkCollection** registry REG_DWORD setting in **HKEY_CURRENT_USER\Software\Microsoft\InputPersonalization** to a **value of 1 (one)**
### 18.22 Activity History
-In the **Activity History** area, you can choose turn Off tracking of your Activity History.
+In the **Activity History** area, you can choose turn Off tracking of your Activity History.
To turn this Off in the UI:
-- Turn **Off** the feature in the UI by going to Settings -> Privacy -> Activity History and **un-checking** the **Store my activity history on this device** AND **unchecking** the **Send my activity History to Microsoft** checkboxes
+- Turn **Off** the feature in the UI by going to Settings -> Privacy -> Activity History and **un-checking** the **Store my activity history on this device** AND **unchecking** the **Send my activity History to Microsoft** checkboxes
-OR-
-- **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **OS Policies** named **Enables Activity Feed**
+- **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **OS Policies** named **Enables Activity Feed**
-and-
-- **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **OS Policies** named **Allow publishing of User Activities**
+- **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **OS Policies** named **Allow publishing of User Activities**
-and-
-- **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **OS Policies** > named **Allow upload of User Activities**
+- **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **OS Policies** > named **Allow upload of User Activities**
-OR-
-
+
- Create a REG_DWORD registry setting named **EnableActivityFeed** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System** with a **value of 0 (zero)**
-and-
@@ -1467,14 +1465,14 @@ To turn this Off in the UI:
-and-
- Create a REG_DWORD registry setting named **UploadUserActivities** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System** with a **value of 0 (zero)**
-
+
### 18.23 Voice Activation
-In the **Voice activation** area, you can choose turn Off apps ability to listen for a Voice keyword.
+In the **Voice activation** area, you can choose turn Off apps ability to listen for a Voice keyword.
To turn this Off in the UI:
-- Turn **Off** the feature in the UI by going to **Settings -> Privacy -> Voice activation** and toggle **Off** the **Allow apps to use voice activation** AND also toggle **Off** the **Allow apps to use voice activation when this device is locked**
+- Turn **Off** the feature in the UI by going to **Settings -> Privacy -> Voice activation** and toggle **Off** the **Allow apps to use voice activation** AND also toggle **Off** the **Allow apps to use voice activation when this device is locked**
-OR-
@@ -1486,7 +1484,7 @@ To turn this Off in the UI:
-OR-
-
+
- Create a REG_DWORD registry setting named **LetAppsActivateWithVoice** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a **value of 2 (two)**
-and-
@@ -1494,7 +1492,6 @@ To turn this Off in the UI:
- Create a REG_DWORD registry setting named **LetAppsActivateWithVoiceAboveLock** in **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy** with a **value of 2 (two)**
-
### 19. Software Protection Platform
Enterprise customers can manage their Windows activation status with volume licensing using an on-premises Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by doing one of the following:
@@ -1517,11 +1514,11 @@ Enterprise customers can manage their Windows activation status with volume lice
**For Windows Server 2016:**
-- Create a REG_DWORD registry setting named **NoAcquireGT** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one).
+- Create a REG_DWORD registry setting named **NoAcquireGT** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a **value of 1 (one)**.
->[!NOTE]
->Due to a known issue the **Turn off KMS Client Online AVS Validation** group policy does not work as intended on Windows Server 2016, the **NoAcquireGT** value needs to be set instead.
->The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS.
+> [!NOTE]
+> Due to a known issue the **Turn off KMS Client Online AVS Validation** group policy does not work as intended on Windows Server 2016; the **NoAcquireGT** value needs to be set instead.
+> The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS.
### 20. Storage health
@@ -1542,7 +1539,7 @@ You can control if your settings are synchronized:
-or-
-- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Sync your settings** > **Do not sync**. Leave the "Allow users to turn syncing on" checkbox **unchecked**.
+- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Sync your settings** > **Do not sync**. Leave the "Allow users to turn syncing on" checkbox **unchecked**.
-or-
@@ -1553,14 +1550,14 @@ To turn off Messaging cloud sync:
> [!NOTE]
> There is no Group Policy corresponding to this registry key.
-- Create a REG_DWORD registry setting named **CloudServiceSyncEnabled** in **HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Messaging** and set to a **value of 0 (zero)**.
+- Create a REG_DWORD registry setting named **CloudServiceSyncEnabled** in **HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Messaging** and set to a **value of 0 (zero)**.
### 22. Teredo
-You can disable Teredo by using Group Policy or by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](https://technet.microsoft.com/library/cc722030.aspx).
+You can disable Teredo by using Group Policy or by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](/previous-versions/windows/it-pro/windows-vista/cc722030(v=ws.10)).
->[!NOTE]
->If you disable Teredo, some XBOX gaming features and Delivery Optimization (with Group or Internet peering) will not work.
+> [!NOTE]
+> If you disable Teredo, some XBOX gaming features and Delivery Optimization (with Group or Internet peering) will not work.
- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **TCPIP Settings** > **IPv6 Transition Technologies** > **Set Teredo State** and set it to **Disabled State**.
@@ -1571,14 +1568,14 @@ You can disable Teredo by using Group Policy or by using the netsh.exe command.
### 23. Wi-Fi Sense
->[!IMPORTANT]
->Beginning with Windows 10, version 1803, Wi-Fi Sense is no longer available. The following section only applies to Windows 10, version 1709 and prior. Please see [Connecting to open Wi-Fi hotspots in Windows 10](https://privacy.microsoft.com/en-us/windows-10-open-wi-fi-hotspots) for more details.
+> [!IMPORTANT]
+> Beginning with Windows 10, version 1803, Wi-Fi Sense is no longer available. The following section only applies to Windows 10, version 1709 and prior. Please see [Connecting to open Wi-Fi hotspots in Windows 10](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) for more details.
Wi-Fi Sense automatically connects devices to known hotspots and to the wireless networks the person’s contacts have shared with them.
To turn off **Connect to suggested open hotspots** and **Connect to networks shared by my contacts**:
-- Turn off the feature in the UI in Settings > Network & Internet > Wi-Fi
+- Turn off the feature in the UI in Settings > Network & Internet > Wi-Fi
-or-
@@ -1593,12 +1590,12 @@ When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings scr
### 24. Windows Defender
-You can disconnect from the Microsoft Antimalware Protection Service.
+You can disconnect from the Microsoft Antimalware Protection Service.
->[!IMPORTANT]
->**Required Steps BEFORE setting the Windows Defender Group Policy or RegKey on Windows 10 version 1903**
->1. Ensure Windows and Windows Defender are fully up to date.
->2. Search the Start menu for "Tamper Protection" by clicking on the search icon next to the Windows Start button. Then scroll down to the Tamper Protection toggle and turn it **Off**. This will allow you to modify the Registry key and allow the Group Policy to make the setting. Alternatively, you can go to **Windows Security Settings -> Virus & threat protection, click on Manage Settings** link and then scroll down to the Tamper Protection toggle to set it to **Off**.
+> [!IMPORTANT]
+> **Required Steps BEFORE setting the Windows Defender Group Policy or RegKey on Windows 10 version 1903**
+> 1. Ensure Windows and Windows Defender are fully up to date.
+> 2. Search the Start menu for "Tamper Protection" by clicking on the search icon next to the Windows Start button. Then scroll down to the Tamper Protection toggle and turn it **Off**. This will allow you to modify the Registry key and allow the Group Policy to make the setting. Alternatively, you can go to **Windows Security Settings -> Virus & threat protection, click on Manage Settings** link and then scroll down to the Tamper Protection toggle to set it to **Off**.
- **Enable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **MAPS** > **Join Microsoft MAPS** and then select **Disabled** from the drop-down box named **Join Microsoft MAPS**
@@ -1638,7 +1635,7 @@ You can stop downloading **Definition Updates**:
-and-
-- **Remove** the **DefinitionUpdateFileSharesSources** reg value if it exists under **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Signature Updates**
+- **Remove** the **DefinitionUpdateFileSharesSources** reg value if it exists under **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Signature Updates**
You can turn off **Malicious Software Reporting Tool (MSRT) diagnostic data**:
@@ -1646,7 +1643,7 @@ You can turn off **Malicious Software Reporting Tool (MSRT) diagnostic data**:
- Set the REG_DWORD value **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to **1**.
> [!NOTE]
-> There is no Group Policy to turn off the Malicious Software Reporting Tool diagnostic data.
+> There is no Group Policy to turn off the Malicious Software Reporting Tool diagnostic data.
You can turn off **Enhanced Notifications** as follows:
@@ -1655,7 +1652,7 @@ You can turn off **Enhanced Notifications** as follows:
-or-
-- **Enable** the Group Policy **Turn off enhanced notifications** under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Reporting**.
+- **Enable** the Group Policy **Turn off enhanced notifications** under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Reporting**.
-or-
@@ -1666,7 +1663,7 @@ You can turn off **Enhanced Notifications** as follows:
To disable Windows Defender SmartScreen:
-In Group Policy, configure:
+In Group Policy, configure:
- **Computer Configuration > Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure Windows Defender SmartScreen** to be **Disabled**
@@ -1695,7 +1692,7 @@ In Group Policy, configure:
Windows Spotlight provides features such as different background images and text on the lock screen, suggested apps, Microsoft account notifications, and Windows tips. You can control it by using the user interface or Group Policy.
-If you're running Windows 10, version 1607 or later, you need to:
+If you're running Windows 10, version 1607 or later, you need to:
- **Enable** the following Group Policy **User Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off all Windows spotlight features**
@@ -1714,7 +1711,7 @@ If you're running Windows 10, version 1607 or later, you need to:
-or-
-- Create a new REG_DWORD registry setting named **NoLockScreen** in **HKEY_Local_Machine\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization** with a **value of 1 (one)**
+- Create a new REG_DWORD registry setting named **NoLockScreen** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization** with a **value of 1 (one)**
-AND-
@@ -1732,27 +1729,27 @@ If you're running Windows 10, version 1607 or later, you need to:
- Apply the Group Policies:
- - **Enable** the **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image and logon image** Group Policy.
+ - **Enable** the **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image and logon image** Group Policy.
- Add **C:\\windows\\web\\screen\\lockscreen.jpg** as the location in the **Path to local lock screen image** box.
- Check the **Turn off fun facts, tips, tricks, and more on lock screen** check box.
> [!NOTE]
- > This will only take effect if the policy is applied before the first logon.
- > If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device,
- > you can **Enable** the **Do not display the lock screen** policy under **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization**
+ > This will only take effect if the policy is applied before the first logon.
+ > If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device,
+ > you can **Enable** the **Do not display the lock screen** policy under **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization**
>
- > Alternatively, you can create a new REG_SZ registry setting named **LockScreenImage** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization**
- > with a value of **C:\\windows\\web\\screen\\lockscreen.jpg** and create a new REG_DWORD registry setting named **LockScreenOverlaysDisabled** in
+ > Alternatively, you can create a new REG_SZ registry setting named **LockScreenImage** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization**
+ > with a value of **C:\\windows\\web\\screen\\lockscreen.jpg** and create a new REG_DWORD registry setting named **LockScreenOverlaysDisabled** in
> **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization** with a value of **1 (one)**.
>
- > The Group Policy for the **LockScreenOverlaysDisabled** regkey is **Force a specific default lock screen and logon image** that is under **Control Panel** **Personalization**.
+ > The Group Policy for the **LockScreenOverlaysDisabled** registry key is **Force a specific default lock screen and logon image** that is under **Control Panel** **Personalization**.
\-AND-
- - Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows tips** to **Enabled**
+ - Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows tips** to **Enabled**
-or-
@@ -1766,10 +1763,9 @@ If you're running Windows 10, version 1607 or later, you need to:
-or-
- - Create a new REG_DWORD registry setting named **DisableWindowsConsumerFeatures** in **HKEY_LOCAL_MACHINE\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a **value of 1 (one)**
-
-
-This policy setting controls whether the lock screen appears for users. The Do not display the lock screen Group Policy should be set to Enable to prevent the lock screen from being displayed. The Group Computer Configuration\Administrative templates\Control Panel\Personalization!Do not display the lock screen.
+ - Create a new REG_DWORD registry setting named **DisableWindowsConsumerFeatures** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a **value of 1 (one)**
+
+This policy setting controls whether the lock screen appears for users. The Do not display the lock screen Group Policy should be set to Enable to prevent the lock screen from being displayed. The Group Computer Configuration\Administrative templates\Control Panel\Personalization!Do not display the lock screen.
If you enable this policy setting, users that are not required to press CTRL + ALT + DEL before signing in will see their selected tile after locking their PC.
@@ -1838,7 +1834,7 @@ You can find the Delivery Optimization Group Policy objects under **Computer Con
| Max Upload Bandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
The default value is 0, which means unlimited possible bandwidth.|
-For a comprehensive list of Delivery Optimization Policies, see [Delivery Optimization Reference](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization-reference).
+For a comprehensive list of Delivery Optimization Policies, see [Delivery Optimization Reference](/windows/deployment/update/waas-delivery-optimization-reference).
### 28.3 Delivery Optimization
@@ -1846,7 +1842,7 @@ For a comprehensive list of Delivery Optimization Policies, see [Delivery Optimi
-or-
-- Create a new REG_DWORD registry setting named **DODownloadMode** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeliveryOptimization** to a value of **99 (Ninety-nine)**.
+- Create a new REG_DWORD registry setting named **DODownloadMode** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeliveryOptimization** to a value of **99 (Ninety-nine)**.
For more info about Delivery Optimization in general, see [Windows Update Delivery Optimization: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730684).
@@ -1866,23 +1862,23 @@ You can turn off Windows Update by setting the following registry entries:
-and-
-- Add a REG_SZ value named **WUServer** to **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and ensure it is blank with a space character **" "**.
+- Add a REG_SZ value named **WUServer** to **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and ensure it is blank with a space character **" "**.
-and-
-- Add a REG_SZ value named **WUStatusServer** to **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and ensure it is blank with a space character **" "**.
+- Add a REG_SZ value named **WUStatusServer** to **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and ensure it is blank with a space character **" "**.
-and-
-- Add a REG_SZ value named **UpdateServiceUrlAlternate** to **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and ensure it is blank with a space character **" "**.
+- Add a REG_SZ value named **UpdateServiceUrlAlternate** to **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and ensure it is blank with a space character **" "**.
-and-
-- Add a REG_DWORD value named **UseWUServer** to **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\WindowsUpdate\\AU** and set the value to 1.
+- Add a REG_DWORD value named **UseWUServer** to **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\WindowsUpdate\\AU** and set the **value to 1 (one)**.
-OR-
-- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Do not connect to any Windows Update Internet locations** to **Enabled**
+- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Do not connect to any Windows Update Internet locations** to **Enabled**
-and-
@@ -1890,11 +1886,11 @@ You can turn off Windows Update by setting the following registry entries:
-and-
-- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Specify intranet Microsoft update service location** to **Enabled** and ensure all Option settings (Intranet Update Service, Intranet Statistics Server, Alternate Download Server) are set to **" "**
+- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Specify intranet Microsoft update service location** to **Enabled** and ensure all Option settings (Intranet Update Service, Intranet Statistics Server, Alternate Download Server) are set to **" "**
-and-
-- Set the Group Policy **User Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Remove access to use all Windows Update features** to **Enabled** and then set **Computer Configurations** to **0 (zero)**.
+- Set the Group Policy **User Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Remove access to use all Windows Update features** to **Enabled** and then set **Computer Configurations** to **0 (zero)**.
You can turn off automatic updates by doing the following. This is not recommended.
@@ -1904,18 +1900,17 @@ You can turn off automatic updates by doing the following. This is not recommend
For China releases of Windows 10 there is one additional Regkey to be set to prevent traffic:
-- Add a REG_DWORD value named **HapDownloadEnabled** to **HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LexiconUpdate\\loc_0804** and set the value to 0.
+- Add a REG_DWORD value named **HapDownloadEnabled** to **HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LexiconUpdate\\loc_0804** and set the **value to 0 (zero)**.
-
### Allowed traffic list for Windows Restricted Traffic Limited Functionality Baseline
-|Allowed traffic endpoints|
-| --- |
+|Allowed traffic endpoints|
+| --- |
|activation-v2.sls.microsoft.com/*|
|crl.microsoft.com/pki/crl/*|
|ocsp.digicert.com/*|
|www.microsoft.com/pkiops/*|
-To learn more, see [Device update management](https://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](https://technet.microsoft.com/library/cc720539.aspx).
+To learn more, see [Device update management](/windows/client-management/mdm/device-update-management) and [Configure Automatic Updates by using Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc720539(v=ws.10)).
diff --git a/windows/privacy/manage-windows-1709-endpoints.md b/windows/privacy/manage-windows-1709-endpoints.md
index 8ec7b613c3..8c9ec8ec64 100644
--- a/windows/privacy/manage-windows-1709-endpoints.md
+++ b/windows/privacy/manage-windows-1709-endpoints.md
@@ -456,4 +456,4 @@ To view endpoints for non-Enterprise Windows 10 editions, see:
## Related links
- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
-- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/intune-endpoints)
+- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
\ No newline at end of file
diff --git a/windows/privacy/manage-windows-1803-endpoints.md b/windows/privacy/manage-windows-1803-endpoints.md
index 9525d0fed9..88aab3a7f9 100644
--- a/windows/privacy/manage-windows-1803-endpoints.md
+++ b/windows/privacy/manage-windows-1803-endpoints.md
@@ -461,4 +461,4 @@ To view endpoints for non-Enterprise Windows 10 editions, see:
## Related links
- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
-- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/intune-endpoints)
+- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
\ No newline at end of file
diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md
index 6ff4c469cf..15d0315e1a 100644
--- a/windows/privacy/manage-windows-1809-endpoints.md
+++ b/windows/privacy/manage-windows-1809-endpoints.md
@@ -399,7 +399,7 @@ The following endpoint is used to retrieve Skype configuration values. To turn o
## Windows Defender
The following endpoint is used for Windows Defender when Cloud-based Protection is enabled.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection. For a detailed list of Microsoft Defender Antivirus cloud service connections, see [Allow connections to the Microsoft Defender Antivirus cloud service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus#allow-connections-to-the-microsoft-defender-antivirus-cloud-service).
+If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection. For a detailed list of Microsoft Defender Antivirus cloud service connections, see [Allow connections to the Microsoft Defender Antivirus cloud service](/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus#allow-connections-to-the-microsoft-defender-antivirus-cloud-service).
| Source process | Protocol | Destination |
|:--------------:|:--------:|:------------|
@@ -497,4 +497,4 @@ To view endpoints for non-Enterprise Windows 10 editions, see:
## Related links
- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
-- [Network endpoints for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/intune-endpoints)
+- [Network endpoints for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
\ No newline at end of file
diff --git a/windows/privacy/manage-windows-1903-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md
index 9aa743d944..6045eb3da4 100644
--- a/windows/privacy/manage-windows-1903-endpoints.md
+++ b/windows/privacy/manage-windows-1903-endpoints.md
@@ -187,6 +187,4 @@ To view endpoints for non-Enterprise Windows 10 editions, see:
## Related links
- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
-- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/intune-endpoints)
-
-
+- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
\ No newline at end of file
diff --git a/windows/privacy/manage-windows-1909-endpoints.md b/windows/privacy/manage-windows-1909-endpoints.md
index 9fe2ca8cc1..5ef89fdb59 100644
--- a/windows/privacy/manage-windows-1909-endpoints.md
+++ b/windows/privacy/manage-windows-1909-endpoints.md
@@ -137,4 +137,4 @@ To view endpoints for non-Enterprise Windows 10 editions, see:
## Related links
- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
-- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/intune-endpoints)
+- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
\ No newline at end of file
diff --git a/windows/privacy/manage-windows-2004-endpoints.md b/windows/privacy/manage-windows-2004-endpoints.md
index aea5913427..6e2d31cd9a 100644
--- a/windows/privacy/manage-windows-2004-endpoints.md
+++ b/windows/privacy/manage-windows-2004-endpoints.md
@@ -138,4 +138,4 @@ To view endpoints for non-Enterprise Windows 10 editions, see:
## Related links
- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
-- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/intune-endpoints)
+- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
\ No newline at end of file
diff --git a/windows/privacy/manage-windows-20H2-endpoints.md b/windows/privacy/manage-windows-20H2-endpoints.md
index 0d7d37c2fe..4378cb0b1d 100644
--- a/windows/privacy/manage-windows-20H2-endpoints.md
+++ b/windows/privacy/manage-windows-20H2-endpoints.md
@@ -156,4 +156,4 @@ To view endpoints for non-Enterprise Windows 10 editions, see:
## Related links
- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
-- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/intune-endpoints)
+- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
\ No newline at end of file
diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md
index e1011307d6..a33a9a416e 100644
--- a/windows/privacy/windows-10-and-privacy-compliance.md
+++ b/windows/privacy/windows-10-and-privacy-compliance.md
@@ -49,7 +49,7 @@ The following table provides an overview of the Windows 10 privacy settings pres
| Feature/Setting | Description | Supporting Content | Privacy Statement |
| --- | --- | --- | --- |
-| Diagnostic Data |
Previously known as basic diagnostic data, required diagnostic data includes information about your device, its settings, capabilities, and whether it is performing properly, whether a device is ready for an update, and whether there are factors that may impede the ability to receive updates, such as low battery, limited disk space, or connectivity through a paid network. You can find out what is collected with required diagnostic data [here](https://docs.microsoft.com/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004).
Previously known as full diagnostic data, optional diagnostic data includes more detailed information about your device and its settings, capabilities, and device health. When you choose to send optional diagnostic data, required diagnostic data will always be included. You can find out the types of optional diagnostic data collected [here](https://docs.microsoft.com/windows/privacy/windows-diagnostic-data).
[Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) |
+| Diagnostic Data |
Previously known as basic diagnostic data, required diagnostic data includes information about your device, its settings, capabilities, and whether it is performing properly, whether a device is ready for an update, and whether there are factors that may impede the ability to receive updates, such as low battery, limited disk space, or connectivity through a paid network. You can find out what is collected with required diagnostic data [here](./required-windows-diagnostic-data-events-and-fields-2004.md).
Previously known as full diagnostic data, optional diagnostic data includes more detailed information about your device and its settings, capabilities, and device health. When you choose to send optional diagnostic data, required diagnostic data will always be included. You can find out the types of optional diagnostic data collected [here](./windows-diagnostic-data.md).
[Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) |
| Inking and typing diagnostics | Microsoft collects optional inking and typing diagnostic data to improve the language recognition and suggestion capabilities of apps and services running on Windows. | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) |
| Speech | Use your voice for dictation and to talk to Cortana and other apps that use Windows cloud-based speech recognition. Microsoft collects voice data to help improve speech services. | [Learn more](https://support.microsoft.com/help/4468250/windows-10-speech-voice-activation-inking-typing-privacy) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#mainspeechinkingtypingmodule) |
| Location | Get location-based experiences like directions and weather. Let Windows and apps request your location and allow Microsoft to use your location data to improve location services. | [Learn more](https://support.microsoft.com/help/4468240/windows-10-location-service-and-privacy) |[Privacy Statement](https://privacy.microsoft.com/privacystatement#mainlocationservicesmotionsensingmodule) |
@@ -57,7 +57,7 @@ The following table provides an overview of the Windows 10 privacy settings pres
| Tailored Experiences | Let Microsoft offer you tailored experiences based on the diagnostic data you choose to send. Tailored experiences include personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. | [Learn more](https://support.microsoft.com/help/4468236/diagnostics-feedback-and-privacy-in-windows-10-microsoft-privacy) | [Privacy Statement](https://privacy.microsoft.com/privacystatement#maindiagnosticsmodule) |
| Advertising Id | Apps can use advertising ID to provide more personalized advertising in accordance with the privacy policy of the app provider. | [Learn more](https://support.microsoft.com/help/4459081/windows-10-general-privacy-settings) | [Privacy statement](https://support.microsoft.com/help/4459081/windows-10-general-privacy-settings) |
| Activity History/Timeline – Cloud Sync | If you want Windows Timeline and other Windows features to help you continue what you were doing, even when you switch devices, send Microsoft your activity history, which includes info about websites you browse and how you use apps and services. | [Learn more](https://support.microsoft.com/help/4468227/windows-10-activity-history-and-your-privacy-microsoft-privacy) | [Privacy statement](https://privacy.microsoft.com/privacystatement#mainactivityhistorymodule) |
-| Cortana |
Cortana has powerful configuration options, specifically optimized for a business. By signing in with an Azure Active Directory (Azure AD) account, enterprise users can give Cortana access to their enterprise/work identity, while getting all the functionality Cortana provides to them outside of work.
[Cortana integration in your business or enterprise](https://docs.microsoft.com/windows/configuration/cortana-at-work/cortana-at-work-overview) | [Privacy statement](https://privacy.microsoft.com/privacystatement#maincortanamodule) |
+| Cortana |
Cortana has powerful configuration options, specifically optimized for a business. By signing in with an Azure Active Directory (Azure AD) account, enterprise users can give Cortana access to their enterprise/work identity, while getting all the functionality Cortana provides to them outside of work.
[Cortana integration in your business or enterprise](/windows/configuration/cortana-at-work/cortana-at-work-overview) | [Privacy statement](https://privacy.microsoft.com/privacystatement#maincortanamodule) |
### 1.2 Data collection monitoring
@@ -85,15 +85,15 @@ The following table provides an overview of the privacy settings discussed earli
| Feature/Setting | GP/MDM Documentation | Default State if the Setup experience is suppressed | State to stop/minimize data collection |
|---|---|---|---|
-| [Speech](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-speech) | Group Policy:
**Computer Configuration** > **Control Panel** > **Regional and Language Options** > **Allow users to enable online speech recognition services**
MDM: [Privacy/AllowInputPersonalization](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization) | Off | Off |
-| [Location](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location) | Group Policy:
**Computer Configuration** > **Windows Components** > **App Privacy** > **Let Windows apps access location**
MDM: [Privacy/LetAppsAccessLocation](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization) | Off (Windows 10, version 1903 and later) | Off |
-| [Find my device](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#find-my-device) | Group Policy:
**Computer Configuration** > **Windows Components** > **Find My Device** > **Turn On/Off Find My Device**
MDM: [Experience/AllFindMyDevice](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowfindmydevice) | Off | Off |
-| [Diagnostic Data](configure-windows-diagnostic-data-in-your-organization.md#manage-enterprise-diagnostic-data) | Group Policy:
**Computer Configuration** > **Windows Components** > **Data Collection and Preview Builds** > **Allow Telemetry**
MDM: [System/AllowTelemetry](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) | Desktop editions:
Required diagnostic data (Windows 10, version 1903 and later)
Server editions:
Required diagnostic data | Security and block endpoints |
-| [Inking and typing diagnostics](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-ink) | Group Policy:
**Computer Configuration** > **Windows Components** > **Text Input** > **Improve inking and typing recognition**
MDM: [TextInput/AllowLinguisticDataCollection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-textinput#textinput-allowlinguisticdatacollection) | Off (Windows 10, version 1809 and later) | Off |
-| Tailored Experiences | Group Policy:
**User Configuration** > **Windows Components** > **Cloud Content** > **Do not use diagnostic data for tailored experiences**
MDM: [Experience/AllowTailoredExperiencesWithDiagnosticData](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowtailoredexperienceswithdiagnosticdata) | Off | Off |
-| Advertising ID | Group Policy:
**Computer Configuration** > **System** > **User Profile** > **Turn off the advertising Id**
MDM: [Privacy/DisableAdvertisingId](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-disableadvertisingid) | Off | Off |
-| Activity History/Timeline – Cloud Sync | Group Policy:
**Computer Configuration** > **System** > **OS Policies** > **Allow upload of User Activities**
MDM: [Privacy/EnableActivityFeed](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-enableactivityfeed) | Off | Off |
-| [Cortana](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#2-cortana-and-search) | Group Policy:
**Computer Configuration** > **Windows Components** > **Search** > **Allow Cortana**
MDM: [Experience/AllowCortana](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) | Off | Off |
+| [Speech](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-speech) | Group Policy:
**Computer Configuration** > **Control Panel** > **Regional and Language Options** > **Allow users to enable online speech recognition services**
MDM: [Privacy/AllowInputPersonalization](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization) | Off | Off |
+| [Location](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location) | Group Policy:
**Computer Configuration** > **Windows Components** > **App Privacy** > **Let Windows apps access location**
MDM: [Privacy/LetAppsAccessLocation](/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization) | Off (Windows 10, version 1903 and later) | Off |
+| [Find my device](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#find-my-device) | Group Policy:
**Computer Configuration** > **Windows Components** > **Find My Device** > **Turn On/Off Find My Device**
MDM: [Experience/AllFindMyDevice](/windows/client-management/mdm/policy-csp-experience#experience-allowfindmydevice) | Off | Off |
+| [Diagnostic Data](configure-windows-diagnostic-data-in-your-organization.md#manage-enterprise-diagnostic-data) | Group Policy:
**Computer Configuration** > **Windows Components** > **Data Collection and Preview Builds** > **Allow Telemetry**
MDM: [System/AllowTelemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) | Desktop editions:
Required diagnostic data (Windows 10, version 1903 and later)
Server editions:
Required diagnostic data | Security and block endpoints |
+| [Inking and typing diagnostics](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-ink) | Group Policy:
**Computer Configuration** > **Windows Components** > **Text Input** > **Improve inking and typing recognition**
MDM: [TextInput/AllowLinguisticDataCollection](/windows/client-management/mdm/policy-csp-textinput#textinput-allowlinguisticdatacollection) | Off (Windows 10, version 1809 and later) | Off |
+| Tailored Experiences | Group Policy:
**User Configuration** > **Windows Components** > **Cloud Content** > **Do not use diagnostic data for tailored experiences**
MDM: [Experience/AllowTailoredExperiencesWithDiagnosticData](/windows/client-management/mdm/policy-csp-experience#experience-allowtailoredexperienceswithdiagnosticdata) | Off | Off |
+| Advertising ID | Group Policy:
**Computer Configuration** > **System** > **User Profile** > **Turn off the advertising Id**
MDM: [Privacy/DisableAdvertisingId](/windows/client-management/mdm/policy-csp-privacy#privacy-disableadvertisingid) | Off | Off |
+| Activity History/Timeline – Cloud Sync | Group Policy:
**Computer Configuration** > **System** > **OS Policies** > **Allow upload of User Activities**
MDM: [Privacy/EnableActivityFeed](/windows/client-management/mdm/policy-csp-privacy#privacy-enableactivityfeed) | Off | Off |
+| [Cortana](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#2-cortana-and-search) | Group Policy:
**Computer Configuration** > **Windows Components** > **Search** > **Allow Cortana**
MDM: [Experience/AllowCortana](/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) | Off | Off |
### 2.3 Guidance for configuration options
@@ -103,7 +103,7 @@ This section provides general details and links to more detailed information, as
Windows deployment can be configured using several different methods that provide an administrator with options for control, including how a device is set up, which options are enabled by default, and what the user is able to change on the device after they log on.
-If you want the ability to fully control and apply restrictions on data being sent back to Microsoft, you can use [Configuration Manager](https://docs.microsoft.com/mem/configmgr/) as a deployment solution. Configuration Manager can be used to deploy a customized boot image using a variety of [deployment methods](https://docs.microsoft.com/mem/configmgr/osd/get-started/prepare-for-operating-system-deployment). You can further restrict any Configuration Manager-specific diagnostic data from being sent back to Microsoft by turning off this setting as outlined in the instructions [here](https://docs.microsoft.com/mem/configmgr/core/plan-design/diagnostics/frequently-asked-questions).
+If you want the ability to fully control and apply restrictions on data being sent back to Microsoft, you can use [Configuration Manager](/mem/configmgr/) as a deployment solution. Configuration Manager can be used to deploy a customized boot image using a variety of [deployment methods](/mem/configmgr/osd/get-started/prepare-for-operating-system-deployment). You can further restrict any Configuration Manager-specific diagnostic data from being sent back to Microsoft by turning off this setting as outlined in the instructions [here](/mem/configmgr/core/plan-design/diagnostics/frequently-asked-questions).
Alternatively, your administrators can also choose to use Windows Autopilot. Autopilot lessens the overall burden of deployment while allowing administrators to fully customize the out-of-box experience. However, since Windows Autopilot is a cloud-based solution, administrators should be aware that a minimal set of device identifiers are sent back to Microsoft during initial device boot up. This device-specific information is used to identify the device so that it can receive the administrator-configured Autopilot profile and policies.
@@ -121,11 +121,11 @@ For more details, see [Manage connections from Windows operating system componen
Some Windows components, apps, and related services transfer data to Microsoft network endpoints. An administrator may want to block these endpoints for their organization to meet their specific compliance objectives.
-[Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md) provides a list of endpoints for the latest Windows 10 release, along with descriptions of any functionality that would be impacted by restricting data collection. Details for additional Windows versions can be found on the [Windows Privacy site](https://docs.microsoft.com/windows/privacy/) under the **Manage Windows 10 connection endpoints** section of the left-hand navigation menu.
+[Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md) provides a list of endpoints for the latest Windows 10 release, along with descriptions of any functionality that would be impacted by restricting data collection. Details for additional Windows versions can be found on the [Windows Privacy site](./index.yml) under the **Manage Windows 10 connection endpoints** section of the left-hand navigation menu.
#### _2.3.4 Limited functionality baseline_
-An organization may want to further minimize the amount of data sent back to Microsoft or shared with Microsoft apps by managing the connections and configuring additional settings on their devices. Similar to [Windows security baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines), Microsoft has released a limited functionality baseline focused on configuring settings to minimize the data sent back to Microsoft. However, the functionality of the device could be impacted by applying these settings. The [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) article provides details on how to apply the baseline, along with the full list of settings covered in the baseline and the functionality that would be impacted. Administrators that don’t want to apply the baseline can still find details on how to configure each setting individually to find the right balance between data sharing and impact to functionality for their organization.
+An organization may want to further minimize the amount of data sent back to Microsoft or shared with Microsoft apps by managing the connections and configuring additional settings on their devices. Similar to [Windows security baselines](/windows/security/threat-protection/windows-security-baselines), Microsoft has released a limited functionality baseline focused on configuring settings to minimize the data sent back to Microsoft. However, the functionality of the device could be impacted by applying these settings. The [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) article provides details on how to apply the baseline, along with the full list of settings covered in the baseline and the functionality that would be impacted. Administrators that don’t want to apply the baseline can still find details on how to configure each setting individually to find the right balance between data sharing and impact to functionality for their organization.
>[!IMPORTANT]
>We recommend that you fully test any modifications to these settings before deploying them in your organization.
@@ -140,7 +140,7 @@ Windows 10, version 1803 and newer allows users to change their diagnostic data
#### _2.3.7 Diagnostic data: Managing device-based data delete_
-Windows 10, version 1809 and newer allows a user to delete diagnostic data collected from their device by using **Settings** > **Privacy** > **Diagnostic & feedback** and clicking the **Delete** button under the **Delete diagnostic data** heading. An administrator can also delete diagnostic data for a device using the [Clear-WindowsDiagnosticData](https://docs.microsoft.com/powershell/module/windowsdiagnosticdata/Clear-WindowsDiagnosticData?view=win10-ps) PowerShell cmdlet.
+Windows 10, version 1809 and newer allows a user to delete diagnostic data collected from their device by using **Settings** > **Privacy** > **Diagnostic & feedback** and clicking the **Delete** button under the **Delete diagnostic data** heading. An administrator can also delete diagnostic data for a device using the [Clear-WindowsDiagnosticData](/powershell/module/windowsdiagnosticdata/Clear-WindowsDiagnosticData?view=win10-ps) PowerShell cmdlet.
An administrator can disable a user’s ability to delete their device’s diagnostic data by setting the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Disable deleting diagnostic data** or the MDM policy `DisableDeviceDelete`.
@@ -151,7 +151,7 @@ This section discusses the different methods Microsoft provides for users and ad
### 3.1 Delete
-Users can delete their device-based data by going to **Settings** > **Privacy** > **Diagnostic & feedback** and clicking the **Delete** button under the **Delete diagnostic data** heading. Administrators can also use the [Clear-WindowsDiagnosticData](https://docs.microsoft.com/powershell/module/windowsdiagnosticdata/Clear-WindowsDiagnosticData?view=win10-ps) PowerShell cmdlet.
+Users can delete their device-based data by going to **Settings** > **Privacy** > **Diagnostic & feedback** and clicking the **Delete** button under the **Delete diagnostic data** heading. Administrators can also use the [Clear-WindowsDiagnosticData](/powershell/module/windowsdiagnosticdata/Clear-WindowsDiagnosticData?view=win10-ps) PowerShell cmdlet.
### 3.2 View
@@ -183,28 +183,28 @@ Windows Server follows the same mechanisms as Windows 10 for handling of persona
### 5.2 Surface Hub
-[Surface Hub](https://docs.microsoft.com/surface-hub/) is a shared device used within an organization. The device identifier collected as part of diagnostic data is not connected to a user. To delete the Windows diagnostic data sent to Microsoft for Surface Hub, you can use the Surface Hub Delete Diagnostic Data tool available in the Microsoft Store
+[Surface Hub](/surface-hub/) is a shared device used within an organization. The device identifier collected as part of diagnostic data is not connected to a user. To delete the Windows diagnostic data sent to Microsoft for Surface Hub, you can use the Surface Hub Delete Diagnostic Data tool available in the Microsoft Store
>[!IMPORTANT]
>Apps and services that run on Windows but are not considered part of Windows will manage data collection using their own controls. Please contact the publisher for further guidance on how to control the data collection and transmission of these apps and services.
-An administrator can configure privacy-related settings, such as choosing to only send required diagnostic data. Surface Hub does not support Group Policy for centralized management. However, administrators can use MDM to apply these settings to Surface Hub. For more information about Surface Hub and MDM, see [Manage settings with an MDM provider (Surface Hub)](https://docs.microsoft.com/surface-hub/manage-settings-with-mdm-for-surface-hub).
+An administrator can configure privacy-related settings, such as choosing to only send required diagnostic data. Surface Hub does not support Group Policy for centralized management. However, administrators can use MDM to apply these settings to Surface Hub. For more information about Surface Hub and MDM, see [Manage settings with an MDM provider (Surface Hub)](/surface-hub/manage-settings-with-mdm-for-surface-hub).
### 5.3 Desktop Analytics
-[Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/overview) is a set of solutions for Azure Portal that provide you with extensive data about the state of devices in your deployment. Desktop Analytics is a separate offering from Windows 10 and is dependent on enabling a minimum set of data collection on the device to function.
+[Desktop Analytics](/mem/configmgr/desktop-analytics/overview) is a set of solutions for Azure Portal that provide you with extensive data about the state of devices in your deployment. Desktop Analytics is a separate offering from Windows 10 and is dependent on enabling a minimum set of data collection on the device to function.
### 5.4 Microsoft Managed Desktop
-[Microsoft Managed Desktop (MMD)](https://docs.microsoft.com/microsoft-365/managed-desktop/service-description/?view=o365-worldwide) is a service that provides your users with a secure modern experience and always keeps devices up to date with the latest versions of Windows 10 Enterprise edition, Office 365 ProPlus, and Microsoft security services.
+[Microsoft Managed Desktop (MMD)](/microsoft-365/managed-desktop/service-description/?view=o365-worldwide) is a service that provides your users with a secure modern experience and always keeps devices up to date with the latest versions of Windows 10 Enterprise edition, Office 365 ProPlus, and Microsoft security services.
## Additional Resources
* [Microsoft Trust Center: GDPR Overview](https://www.microsoft.com/trust-center/privacy/gdpr-overview)
* [Microsoft Trust Center: Privacy at Microsoft](https://www.microsoft.com/trust-center/privacy)
-* [Windows IT Pro Docs](https://docs.microsoft.com/windows/#pivot=it-pro)
+* [Windows IT Pro Docs](/windows/#pivot=it-pro)
* [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement)
* [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
* [Privacy at Microsoft](https://privacy.microsoft.com/privacy-report)
* [Changes to Windows diagnostic data](changes-to-windows-diagnostic-data-collection.md)
-* [Microsoft Service Trust Portal](https://servicetrust.microsoft.com/)
+* [Microsoft Service Trust Portal](https://servicetrust.microsoft.com/)
\ No newline at end of file
diff --git a/windows/privacy/windows-diagnostic-data-1703.md b/windows/privacy/windows-diagnostic-data-1703.md
index ffa7858d15..1137e6a744 100644
--- a/windows/privacy/windows-diagnostic-data-1703.md
+++ b/windows/privacy/windows-diagnostic-data-1703.md
@@ -21,7 +21,7 @@ ms.reviewer:
**Applies to:**
- Windows 10, version 1703
-Microsoft collects Windows diagnostic data to keep Windows up-to-date, secure, and operating properly. It also helps us improve Windows and, for users who have turned on “tailored experiences”, can be used to provide more relevant tips and recommendations to tailor Microsoft products to the user’s needs. This article describes all types diagnostic data collected by Windows at the Full diagnostic data level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 1709 Basic level diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709) and [Windows 10, version 1703 Basic level diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703).
+Microsoft collects Windows diagnostic data to keep Windows up-to-date, secure, and operating properly. It also helps us improve Windows and, for users who have turned on “tailored experiences”, can be used to provide more relevant tips and recommendations to tailor Microsoft products to the user’s needs. This article describes all types diagnostic data collected by Windows at the Full diagnostic data level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 1709 Basic level diagnostic events and fields](./basic-level-windows-diagnostic-events-and-fields-1709.md) and [Windows 10, version 1703 Basic level diagnostic events and fields](./basic-level-windows-diagnostic-events-and-fields-1703.md).
The data covered in this article is grouped into the following categories:
@@ -42,7 +42,7 @@ Most diagnostic events contain a header of common data:
| Category Name | Examples |
| - | - |
-| Common Data | Information that is added to most diagnostic events, if relevant and available:
|
+| Common Data | Information that is added to most diagnostic events, if relevant and available:
|
## Device, Connectivity, and Configuration data
@@ -53,7 +53,7 @@ This type of data includes details about the device, its configuration and conne
| Device properties | Information about the OS and device hardware, such as:
|
| Device capabilities | Information about the specific device capabilities such as:
|
| Device preferences and settings | Information about the device settings and user preferences such as:
|
-| Device peripherals | Information about the device peripherals such as:
|
+| Device peripherals | Information about the device peripherals such as:
|
| Device network info | Information about the device network configuration such as:
## Product and Service Usage data
@@ -107,4 +107,4 @@ This type of data gathers details about the voice, inking, and typing input feat
| Category Name | Description and Examples |
| - | - |
-| Voice, inking, and typing | Information about voice, inking, and typing features such as:
|
+| Voice, inking, and typing | Information about voice, inking, and typing features such as:
|
\ No newline at end of file
diff --git a/windows/privacy/windows-diagnostic-data.md b/windows/privacy/windows-diagnostic-data.md
index 2fc94568eb..68ebf78103 100644
--- a/windows/privacy/windows-diagnostic-data.md
+++ b/windows/privacy/windows-diagnostic-data.md
@@ -26,7 +26,7 @@ Applies to:
- Windows 10, version 1803
- Windows 10, version 1709
-Microsoft uses Windows diagnostic data to keep Windows secure and up-to-date, troubleshoot problems, and make product improvements. For users who have turned on "Tailored experiences", it can also be used to offer you personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. This article describes all types of diagnostic data collected by Windows at the Full level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 20H2 required diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields).
+Microsoft uses Windows diagnostic data to keep Windows secure and up-to-date, troubleshoot problems, and make product improvements. For users who have turned on "Tailored experiences", it can also be used to offer you personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. This article describes all types of diagnostic data collected by Windows at the Full level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 20H2 required diagnostic events and fields](/windows/configuration/basic-level-windows-diagnostic-events-and-fields).
In addition, this article provides references to equivalent definitions for the data types and examples from [ISO/IEC 19944:2017 Information technology - Cloud computing - Cloud services and devices: Data flow, data categories, and data use](https://www.iso.org/standard/66674.html). Each data type also has a Data Use statement, for diagnostics and for Tailored experiences on the device, using the terms as defined by the standard. These Data Use statements define the purposes for which Microsoft processes each type of Windows diagnostic data, using a uniform set of definitions referenced at the end of this document and based on the ISO standard. Reference to the ISO standard provides additional clarity about the information collected, and allows easy comparison with other services or guidance that also references the standard.
@@ -141,7 +141,7 @@ If a user has enabled Tailored experiences on the device, [Pseudonymized](#pseud
- Peripheral name, device model, class, manufacturer, and description
- Peripheral device state, install state, and checksum
- Driver name, package name, version, and manufacturer
-- HWID - A hardware vendor-defined ID to match a device to a driver [INF file](https://docs.microsoft.com/windows-hardware/drivers/install/hardware-ids)
+- HWID - A hardware vendor-defined ID to match a device to a driver [INF file](/windows-hardware/drivers/install/hardware-ids)
- Driver state, problem code, and checksum
- Whether driver is kernel mode, signed, and image size
@@ -249,7 +249,7 @@ This type of data includes details about the health of the device, operating sys
**For Diagnostics:**
[Pseudonymized](#pseudo) Product and Service Performance data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example:
-- Data about the reliability of content that appears in the [Windows Spotlight](https://docs.microsoft.com/windows/configuration/windows-spotlight) (rotating lock screen images) is used for Windows Spotlight reliability investigations.
+- Data about the reliability of content that appears in the [Windows Spotlight](/windows/configuration/windows-spotlight) (rotating lock screen images) is used for Windows Spotlight reliability investigations.
- Timing data about how quickly Cortana responds to voice commands is used to improve Cortana listening performance.
- Timing data about how quickly the facial recognition feature starts up and finishes is used to improve facial recognition performance.
- Data about when an Application Window fails to appear is used to investigate issues with Application Window reliability and performance.
@@ -512,4 +512,4 @@ Here are the data identification qualifiers and the ISO/IEC 19944:2017 reference
- **Pseudonymized Data** 8.3.3 Pseudonymized data. Microsoft usage notes are as defined.
- **Anonymized Data** 8.3.5 Anonymized data. Microsoft usage notes are as defined.
-- **Aggregated Data** 8.3.6 Aggregated data. Microsoft usage notes are as defined.
+- **Aggregated Data** 8.3.6 Aggregated data. Microsoft usage notes are as defined.
\ No newline at end of file
diff --git a/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md
index 944800a1d5..bf3d037942 100644
--- a/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md
@@ -23,7 +23,7 @@ ms.reviewer:
- Windows 10 Professional, version 1709
- Windows 10 Education, version 1709
-In addition to the endpoints listed for [Windows 10 Enterprise](https://docs.microsoft.com/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services), the following endpoints are available on other editions of Windows 10, version 1709.
+In addition to the endpoints listed for [Windows 10 Enterprise](./manage-connections-from-windows-operating-system-components-to-microsoft-services.md), the following endpoints are available on other editions of Windows 10, version 1709.
We used the following methodology to derive these network endpoints:
@@ -292,4 +292,4 @@ We used the following methodology to derive these network endpoints:
| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. |
| wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. |
-| www.bing.com | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |
+| www.bing.com | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |
\ No newline at end of file
diff --git a/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md
index a93b73468f..dfc17c31c3 100644
--- a/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md
@@ -23,7 +23,7 @@ ms.reviewer:
- Windows 10 Professional, version 1803
- Windows 10 Education, version 1803
-In addition to the endpoints listed for [Windows 10 Enterprise](https://docs.microsoft.com/windows/privacy/manage-windows-1803-endpoints ), the following endpoints are available on other editions of Windows 10, version 1803.
+In addition to the endpoints listed for [Windows 10 Enterprise](./manage-windows-1803-endpoints.md), the following endpoints are available on other editions of Windows 10, version 1803.
We used the following methodology to derive these network endpoints:
@@ -162,4 +162,4 @@ We used the following methodology to derive these network endpoints:
| vip5.afdorigin-prod-ch02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. |
| watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. |
| wd-prod-cp-us-west-3-fe.westus.cloudapp.azure.com | HTTPS | Azure front end traffic |
-| www.bing.com/* | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |
+| www.bing.com/* | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |
\ No newline at end of file
diff --git a/windows/release-information/docfx.json b/windows/release-information/docfx.json
index 40211ae3b7..111809e6f2 100644
--- a/windows/release-information/docfx.json
+++ b/windows/release-information/docfx.json
@@ -50,7 +50,7 @@
"jborsecnik",
"tiburd",
"garycentric"
- ],
+ ]
},
"fileMetadata": {},
"template": [],
diff --git a/windows/security/TOC.md b/windows/security/TOC.md
deleted file mode 100644
index 6ac5b43506..0000000000
--- a/windows/security/TOC.md
+++ /dev/null
@@ -1,6 +0,0 @@
-# [Security](index.yml)
-## [Identity and access management](identity-protection/index.md)
-## [Information protection](information-protection/index.md)
-## [Threat protection](threat-protection/index.md)
-
-
diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml
new file mode 100644
index 0000000000..70e61e303f
--- /dev/null
+++ b/windows/security/TOC.yml
@@ -0,0 +1,9 @@
+- name: Security
+ href: index.yml
+ items:
+ - name: Identity and access management
+ href: identity-protection/index.md
+ - name: Information protection
+ href: information-protection/index.md
+ - name: Threat protection
+ href: threat-protection/index.md
diff --git a/windows/security/identity-protection/TOC.md b/windows/security/identity-protection/TOC.md
deleted file mode 100644
index 16e55efb95..0000000000
--- a/windows/security/identity-protection/TOC.md
+++ /dev/null
@@ -1,75 +0,0 @@
-# [Identity and access management](index.md)
-
-## [Technical support policy for lost or forgotten passwords](password-support-policy.md)
-
-## [Access Control Overview](access-control/access-control.md)
-### [Dynamic Access Control Overview](access-control/dynamic-access-control.md)
-### [Security identifiers](access-control/security-identifiers.md)
-### [Security Principals](access-control/security-principals.md)
-### [Local Accounts](access-control/local-accounts.md)
-### [Active Directory Accounts](access-control/active-directory-accounts.md)
-### [Microsoft Accounts](access-control/microsoft-accounts.md)
-### [Service Accounts](access-control/service-accounts.md)
-### [Active Directory Security Groups](access-control/active-directory-security-groups.md)
-### [Special Identities](access-control/special-identities.md)
-
-### [User Account Control](user-account-control\user-account-control-overview.md)
-#### [How User Account Control works](user-account-control\how-user-account-control-works.md)
-#### [User Account Control security policy settings](user-account-control\user-account-control-security-policy-settings.md)
-#### [User Account Control Group Policy and registry key settings](user-account-control\user-account-control-group-policy-and-registry-key-settings.md)
-
-## [Windows Hello for Business](hello-for-business/index.yml)
-
-## [Protect derived domain credentials with Credential Guard](credential-guard/credential-guard.md)
-### [How Credential Guard works](credential-guard/credential-guard-how-it-works.md)
-### [Credential Guard Requirements](credential-guard/credential-guard-requirements.md)
-### [Manage Credential Guard](credential-guard/credential-guard-manage.md)
-### [Hardware readiness tool](credential-guard/dg-readiness-tool.md)
-### [Credential Guard protection limits](credential-guard/credential-guard-protection-limits.md)
-### [Considerations when using Credential Guard](credential-guard/credential-guard-considerations.md)
-### [Credential Guard: Additional mitigations](credential-guard/additional-mitigations.md)
-### [Credential Guard: Known issues](credential-guard/credential-guard-known-issues.md)
-
-## [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md)
-
-## [Smart Cards](smart-cards/smart-card-windows-smart-card-technical-reference.md)
-### [How Smart Card Sign-in Works in Windows](smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md)
-#### [Smart Card Architecture](smart-cards/smart-card-architecture.md)
-#### [Certificate Requirements and Enumeration](smart-cards/smart-card-certificate-requirements-and-enumeration.md)
-#### [Smart Card and Remote Desktop Services](smart-cards/smart-card-and-remote-desktop-services.md)
-#### [Smart Cards for Windows Service](smart-cards/smart-card-smart-cards-for-windows-service.md)
-#### [Certificate Propagation Service](smart-cards/smart-card-certificate-propagation-service.md)
-#### [Smart Card Removal Policy Service](smart-cards/smart-card-removal-policy-service.md)
-### [Smart Card Tools and Settings](smart-cards/smart-card-tools-and-settings.md)
-#### [Smart Cards Debugging Information](smart-cards/smart-card-debugging-information.md)
-#### [Smart Card Group Policy and Registry Settings](smart-cards/smart-card-group-policy-and-registry-settings.md)
-#### [Smart Card Events](smart-cards/smart-card-events.md)
-
-### [Virtual Smart Cards](virtual-smart-cards\virtual-smart-card-overview.md)
-#### [Understanding and Evaluating Virtual Smart Cards](virtual-smart-cards\virtual-smart-card-understanding-and-evaluating.md)
-##### [Get Started with Virtual Smart Cards: Walkthrough Guide](virtual-smart-cards\virtual-smart-card-get-started.md)
-##### [Use Virtual Smart Cards](virtual-smart-cards\virtual-smart-card-use-virtual-smart-cards.md)
-##### [Deploy Virtual Smart Cards](virtual-smart-cards\virtual-smart-card-deploy-virtual-smart-cards.md)
-##### [Evaluate Virtual Smart Card Security](virtual-smart-cards\virtual-smart-card-evaluate-security.md)
-#### [Tpmvscmgr](virtual-smart-cards\virtual-smart-card-tpmvscmgr.md)
-
-## [Enterprise Certificate Pinning](enterprise-certificate-pinning.md)
-
-## [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md)
-
-## [Windows 10 credential theft mitigation guide abstract](windows-credential-theft-mitigation-guide-abstract.md)
-
-## [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md)
-
-## [VPN technical guide](vpn\vpn-guide.md)
-### [VPN connection types](vpn\vpn-connection-type.md)
-### [VPN routing decisions](vpn\vpn-routing.md)
-### [VPN authentication options](vpn\vpn-authentication.md)
-### [VPN and conditional access](vpn\vpn-conditional-access.md)
-### [VPN name resolution](vpn\vpn-name-resolution.md)
-### [VPN auto-triggered profile options](vpn\vpn-auto-trigger-profile.md)
-### [VPN security features](vpn\vpn-security-features.md)
-### [VPN profile options](vpn\vpn-profile-options.md)
-### [How to configure Diffie Hellman protocol over IKEv2 VPN connections](vpn\how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md)
-### [How to use single sign-on (SSO) over VPN and Wi-Fi connections](vpn\how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md)
-### [Optimizing Office 365 traffic with the Windows 10 VPN client](vpn\vpn-office-365-optimization.md)
diff --git a/windows/security/identity-protection/TOC.yml b/windows/security/identity-protection/TOC.yml
new file mode 100644
index 0000000000..6d3b4a3ff6
--- /dev/null
+++ b/windows/security/identity-protection/TOC.yml
@@ -0,0 +1,134 @@
+- name: Identity and access management
+ href: index.md
+ items:
+ - name: Technical support policy for lost or forgotten passwords
+ href: password-support-policy.md
+ - name: Access Control Overview
+ href: access-control/access-control.md
+ items:
+ - name: Dynamic Access Control Overview
+ href: access-control/dynamic-access-control.md
+ - name: Security identifiers
+ href: access-control/security-identifiers.md
+ - name: Security Principals
+ href: access-control/security-principals.md
+ - name: Local Accounts
+ href: access-control/local-accounts.md
+ - name: Active Directory Accounts
+ href: access-control/active-directory-accounts.md
+ - name: Microsoft Accounts
+ href: access-control/microsoft-accounts.md
+ - name: Service Accounts
+ href: access-control/service-accounts.md
+ - name: Active Directory Security Groups
+ href: access-control/active-directory-security-groups.md
+ - name: Special Identities
+ href: access-control/special-identities.md
+ - name: User Account Control
+ href: user-account-control\user-account-control-overview.md
+ items:
+ - name: How User Account Control works
+ href: user-account-control\how-user-account-control-works.md
+ - name: User Account Control security policy settings
+ href: user-account-control\user-account-control-security-policy-settings.md
+ - name: User Account Control Group Policy and registry key settings
+ href: user-account-control\user-account-control-group-policy-and-registry-key-settings.md
+ - name: Windows Hello for Business
+ href: hello-for-business/index.yml
+ - name: Protect derived domain credentials with Credential Guard
+ href: credential-guard/credential-guard.md
+ items:
+ - name: How Credential Guard works
+ href: credential-guard/credential-guard-how-it-works.md
+ - name: Credential Guard Requirements
+ href: credential-guard/credential-guard-requirements.md
+ - name: Manage Credential Guard
+ href: credential-guard/credential-guard-manage.md
+ - name: Hardware readiness tool
+ href: credential-guard/dg-readiness-tool.md
+ - name: Credential Guard protection limits
+ href: credential-guard/credential-guard-protection-limits.md
+ - name: Considerations when using Credential Guard
+ href: credential-guard/credential-guard-considerations.md
+ - name: "Credential Guard: Additional mitigations"
+ href: credential-guard/additional-mitigations.md
+ - name: "Credential Guard: Known issues"
+ href: credential-guard/credential-guard-known-issues.md
+ - name: Protect Remote Desktop credentials with Remote Credential Guard
+ href: remote-credential-guard.md
+ - name: Smart Cards
+ href: smart-cards/smart-card-windows-smart-card-technical-reference.md
+ items:
+ - name: How Smart Card Sign-in Works in Windows
+ href: smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
+ items:
+ - name: Smart Card Architecture
+ href: smart-cards/smart-card-architecture.md
+ - name: Certificate Requirements and Enumeration
+ href: smart-cards/smart-card-certificate-requirements-and-enumeration.md
+ - name: Smart Card and Remote Desktop Services
+ href: smart-cards/smart-card-and-remote-desktop-services.md
+ - name: Smart Cards for Windows Service
+ href: smart-cards/smart-card-smart-cards-for-windows-service.md
+ - name: Certificate Propagation Service
+ href: smart-cards/smart-card-certificate-propagation-service.md
+ - name: Smart Card Removal Policy Service
+ href: smart-cards/smart-card-removal-policy-service.md
+ - name: Smart Card Tools and Settings
+ href: smart-cards/smart-card-tools-and-settings.md
+ items:
+ - name: Smart Cards Debugging Information
+ href: smart-cards/smart-card-debugging-information.md
+ - name: Smart Card Group Policy and Registry Settings
+ href: smart-cards/smart-card-group-policy-and-registry-settings.md
+ - name: Smart Card Events
+ href: smart-cards/smart-card-events.md
+ - name: Virtual Smart Cards
+ href: virtual-smart-cards\virtual-smart-card-overview.md
+ items:
+ - name: Understanding and Evaluating Virtual Smart Cards
+ href: virtual-smart-cards\virtual-smart-card-understanding-and-evaluating.md
+ items:
+ - name: "Get Started with Virtual Smart Cards: Walkthrough Guide"
+ href: virtual-smart-cards\virtual-smart-card-get-started.md
+ - name: Use Virtual Smart Cards
+ href: virtual-smart-cards\virtual-smart-card-use-virtual-smart-cards.md
+ - name: Deploy Virtual Smart Cards
+ href: virtual-smart-cards\virtual-smart-card-deploy-virtual-smart-cards.md
+ - name: Evaluate Virtual Smart Card Security
+ href: virtual-smart-cards\virtual-smart-card-evaluate-security.md
+ - name: Tpmvscmgr
+ href: virtual-smart-cards\virtual-smart-card-tpmvscmgr.md
+ - name: Enterprise Certificate Pinning
+ href: enterprise-certificate-pinning.md
+ - name: Install digital certificates on Windows 10 Mobile
+ href: installing-digital-certificates-on-windows-10-mobile.md
+ - name: Windows 10 credential theft mitigation guide abstract
+ href: windows-credential-theft-mitigation-guide-abstract.md
+ - name: Configure S/MIME for Windows 10 and Windows 10 Mobile
+ href: configure-s-mime.md
+ - name: VPN technical guide
+ href: vpn\vpn-guide.md
+ items:
+ - name: VPN connection types
+ href: vpn\vpn-connection-type.md
+ - name: VPN routing decisions
+ href: vpn\vpn-routing.md
+ - name: VPN authentication options
+ href: vpn\vpn-authentication.md
+ - name: VPN and conditional access
+ href: vpn\vpn-conditional-access.md
+ - name: VPN name resolution
+ href: vpn\vpn-name-resolution.md
+ - name: VPN auto-triggered profile options
+ href: vpn\vpn-auto-trigger-profile.md
+ - name: VPN security features
+ href: vpn\vpn-security-features.md
+ - name: VPN profile options
+ href: vpn\vpn-profile-options.md
+ - name: How to configure Diffie Hellman protocol over IKEv2 VPN connections
+ href: vpn\how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
+ - name: How to use single sign-on (SSO) over VPN and Wi-Fi connections
+ href: vpn\how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
+ - name: Optimizing Office 365 traffic with the Windows 10 VPN client
+ href: vpn\vpn-office-365-optimization.md
diff --git a/windows/security/identity-protection/access-control/access-control.md b/windows/security/identity-protection/access-control/access-control.md
index 61288f4b01..079ce945b4 100644
--- a/windows/security/identity-protection/access-control/access-control.md
+++ b/windows/security/identity-protection/access-control/access-control.md
@@ -101,16 +101,16 @@ The permissions attached to an object depend on the type of object. For example,
When you set permissions, you specify the level of access for groups and users. For example, you can let one user read the contents of a file, let another user make changes to the file, and prevent all other users from accessing the file. You can set similar permissions on printers so that certain users can configure the printer and other users can only print.
-When you need to change the permissions on a file, you can run Windows Explorer, right-click the file name, and click **Properties**. On the **Security** tab, you can change permissions on the file. For more information, see [Managing Permissions](https://technet.microsoft.com/library/cc770962.aspx).
+When you need to change the permissions on a file, you can run Windows Explorer, right-click the file name, and click **Properties**. On the **Security** tab, you can change permissions on the file. For more information, see [Managing Permissions](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770962(v=ws.11)).
**Note**
-Another kind of permissions, called share permissions, is set on the Sharing tab of a folder's **Properties** page or by using the Shared Folder Wizard. For more information see [Share and NTFS Permissions on a File Server](https://technet.microsoft.com/library/cc754178.aspx).
+Another kind of permissions, called share permissions, is set on the Sharing tab of a folder's **Properties** page or by using the Shared Folder Wizard. For more information see [Share and NTFS Permissions on a File Server](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754178(v=ws.11)).
### Ownership of objects
-An owner is assigned to an object when that object is created. By default, the owner is the creator of the object. No matter what permissions are set on an object, the owner of the object can always change the permissions. For more information, see [Manage Object Ownership](https://technet.microsoft.com/library/cc732983.aspx).
+An owner is assigned to an object when that object is created. By default, the owner is the creator of the object. No matter what permissions are set on an object, the owner of the object can always change the permissions. For more information, see [Manage Object Ownership](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732983(v=ws.11)).
### Inheritance of permissions
@@ -134,13 +134,8 @@ For more information about auditing, see [Security Auditing Overview](/windows/d
## See also
-- For more information about access control and authorization, see [Access Control and Authorization Overview](https://technet.microsoft.com/library/jj134043(v=ws.11).aspx).
+- For more information about access control and authorization, see [Access Control and Authorization Overview](/previous-versions/windows/it-pro/windows-8.1-and-8/jj134043(v=ws.11)).
-
-
-
-
-
diff --git a/windows/security/identity-protection/access-control/active-directory-accounts.md b/windows/security/identity-protection/access-control/active-directory-accounts.md
index f207928d15..8ac3729427 100644
--- a/windows/security/identity-protection/access-control/active-directory-accounts.md
+++ b/windows/security/identity-protection/access-control/active-directory-accounts.md
@@ -480,7 +480,7 @@ Each default local account in Active Directory has a number of account settings
@@ -44,10 +44,10 @@ For a UWP VPN plug-in, the app vendor controls the authentication method to be u
## Configure authentication
-See [EAP configuration](https://msdn.microsoft.com/library/windows/hardware/mt168513.aspx) for EAP XML configuration.
+See [EAP configuration](/windows/client-management/mdm/eap-configuration) for EAP XML configuration.
>[!NOTE]
->To configure Windows Hello for Business authentication, follow the steps in [EAP configuration](https://msdn.microsoft.com/library/windows/hardware/mt168513.aspx) to create a smart card certificate. [Learn more about Windows Hello for Business.](https://technet.microsoft.com/itpro/windows/keep-secure/manage-identity-verification-using-microsoft-passport)
+>To configure Windows Hello for Business authentication, follow the steps in [EAP configuration](/windows/client-management/mdm/eap-configuration) to create a smart card certificate. [Learn more about Windows Hello for Business.](../hello-for-business/hello-identity-verification.md)
The following image shows the field for EAP XML in a Microsoft Intune VPN profile. The EAP XML field only appears when you select a built-in connection type (automatic, IKEv2, L2TP, PPTP).
@@ -62,4 +62,4 @@ The following image shows the field for EAP XML in a Microsoft Intune VPN profil
- [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md)
-- [VPN profile options](vpn-profile-options.md)
+- [VPN profile options](vpn-profile-options.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
index 59ffc5f231..e929ec1a15 100644
--- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
+++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
@@ -31,14 +31,14 @@ VPN profiles in Windows 10 can be configured to connect automatically on the lau
The app identifier for a desktop app is a file path. The app identifier for a UWP app is a package family name.
-[Find a package family name (PFN) for per-app VPN configuration](https://docs.microsoft.com/intune/deploy-use/find-a-pfn-for-per-app-vpn)
+[Find a package family name (PFN) for per-app VPN configuration](/intune/deploy-use/find-a-pfn-for-per-app-vpn)
## Name-based trigger
You can configure a domain name-based rule so that a specific domain name triggers the VPN connection.
-Name-based auto-trigger can be configured using the VPNv2/*ProfileName*/DomainNameInformationList/dniRowId/AutoTrigger setting in the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
+Name-based auto-trigger can be configured using the VPNv2/*ProfileName*/DomainNameInformationList/dniRowId/AutoTrigger setting in the [VPNv2 Configuration Service Provider (CSP)](/windows/client-management/mdm/vpnv2-csp).
There are four types of name-based triggers:
@@ -76,12 +76,12 @@ Should a management tool remove or add the same profile name back and set **Alwa
This feature configures the VPN such that it would not get triggered if a user is on a trusted corporate network. The value of this setting is a list of DNS suffices. The VPN stack will look at the DNS suffix on the physical interface and if it matches any in the configured list and the network is private or provisioned by MDM, then VPN will not get triggered.
-Trusted network detection can be configured using the VPNv2/*ProfileName*/TrustedNetworkDetection setting in the [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx).
+Trusted network detection can be configured using the VPNv2/*ProfileName*/TrustedNetworkDetection setting in the [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp).
## Configure app-triggered VPN
-See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration.
+See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp) for XML configuration.
The following image shows associating an app to a VPN connection in a VPN Profile configuration policy using Microsoft Intune.
@@ -100,4 +100,4 @@ After you add an associated app, if you select the **Only these apps can use thi
- [VPN and conditional access](vpn-conditional-access.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN security features](vpn-security-features.md)
-- [VPN profile options](vpn-profile-options.md)
+- [VPN profile options](vpn-profile-options.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md
index 0d608b647c..393bf3b90b 100644
--- a/windows/security/identity-protection/vpn/vpn-conditional-access.md
+++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md
@@ -24,18 +24,18 @@ The VPN client is now able to integrate with the cloud-based Conditional Access
Conditional Access Platform components used for Device Compliance include the following cloud-based services:
-- [Conditional Access Framework](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/12/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn)
+- [Conditional Access Framework](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn)
-- [Azure AD Connect Health](https://docs.microsoft.com/azure/active-directory/connect-health/active-directory-aadconnect-health)
+- [Azure AD Connect Health](/azure/active-directory/connect-health/active-directory-aadconnect-health)
-- [Windows Health Attestation Service](https://technet.microsoft.com/itpro/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices#device-health-attestation) (optional)
+- [Windows Health Attestation Service](../../threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md#device-health-attestation) (optional)
- Azure AD Certificate Authority - It is a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA). An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA cannot be configured as part of an on-premises Enterprise CA.
-See also [Always On VPN deployment for Windows Server and Windows 10](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy).
+See also [Always On VPN deployment for Windows Server and Windows 10](/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy).
- Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When that certificate expires, the client will again check with Azure AD for health validation before a new certificate is issued.
-- [Microsoft Intune device compliance policies](https://docs.microsoft.com/intune/deploy-use/introduction-to-device-compliance-policies-in-microsoft-intune) - Cloud-based device compliance leverages Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things.
+- [Microsoft Intune device compliance policies](/intune/deploy-use/introduction-to-device-compliance-policies-in-microsoft-intune) - Cloud-based device compliance leverages Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things.
- Antivirus status
- Auto-update status and update compliance
@@ -44,8 +44,8 @@ See also [Always On VPN deployment for Windows Server and Windows 10](https://do
- Device health attestation state (validated against attestation service after query)
The following client-side components are also required:
-- [HealthAttestation Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn934876.aspx)
-- [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) DeviceCompliance node settings
+- [HealthAttestation Configuration Service Provider (CSP)](/windows/client-management/mdm/healthattestation-csp)
+- [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp) DeviceCompliance node settings
- Trusted Platform Module (TPM)
## VPN device compliance
@@ -103,17 +103,17 @@ When a VPNv2 Profile is configured with \
[Getting Started with Group Managed Service Accounts](https://technet.microsoft.com/library/jj128431(v=ws.11).aspx) |
+| **Product evaluation** | [What's New for Managed Service Accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831451(v=ws.11))
[Getting Started with Group Managed Service Accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj128431(v=ws.11)) |
| **Deployment** | [Windows Server 2012: Group Managed Service Accounts - Ask Premier Field Engineering (PFE) Platforms - Site Home - TechNet Blogs](https://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx) |
-| **Related technologies** | [Security Principals](security-principals.md)
[What's new in Active Directory Domain Services](https://technet.microsoft.com/library/mt163897.aspx) |
+| **Related technologies** | [Security Principals](security-principals.md)
[What's new in Active Directory Domain Services](/windows-server/identity/whats-new-active-directory-domain-services) |
\ No newline at end of file
diff --git a/windows/security/identity-protection/change-history-for-access-protection.md b/windows/security/identity-protection/change-history-for-access-protection.md
index d76e6bc56d..935d64a947 100644
--- a/windows/security/identity-protection/change-history-for-access-protection.md
+++ b/windows/security/identity-protection/change-history-for-access-protection.md
@@ -27,10 +27,10 @@ This topic lists new and updated topics in the [Access protection](index.md) doc
## June 2017
|New or changed topic |Description |
|---------------------|------------|
-|[How hardware-based containers help protect Windows 10](how-hardware-based-containers-help-protect-windows.md) | New |
+|[How hardware-based containers help protect Windows 10](/windows/security/threat-protection/windows-defender-atp/how-hardware-based-containers-help-protect-windows) | New |
## March 2017
|New or changed topic |Description |
|---------------------|------------|
-|[Protect derived domain credentials with Credential Guard](credential-guard/credential-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.|
+|[Protect derived domain credentials with Credential Guard](credential-guard/credential-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.|
\ No newline at end of file
diff --git a/windows/security/identity-protection/configure-s-mime.md b/windows/security/identity-protection/configure-s-mime.md
index cab91d6db4..5e92d8bddd 100644
--- a/windows/security/identity-protection/configure-s-mime.md
+++ b/windows/security/identity-protection/configure-s-mime.md
@@ -39,10 +39,10 @@ A digitally signed message reassures the recipient that the message hasn't been
## Prerequisites
-- [S/MIME is enabled for Exchange accounts](https://go.microsoft.com/fwlink/p/?LinkId=718217) (on-premises and Office 365). Users can’t use S/MIME signing and encryption with a personal account such as Outlook.com.
+- [S/MIME is enabled for Exchange accounts](/microsoft-365/security/office-365-security/s-mime-for-message-signing-and-encryption) (on-premises and Office 365). Users can’t use S/MIME signing and encryption with a personal account such as Outlook.com.
- Valid Personal Information Exchange (PFX) certificates are installed on the device.
- - [How to Create PFX Certificate Profiles in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkID=718215)
+ - [How to Create PFX Certificate Profiles in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/mt131410(v=technet.10))
- [Enable access to company resources using certificate profiles with Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=718216)
- [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md)
@@ -90,4 +90,4 @@ When you receive a signed email, the app provide feature to install correspondin
-
+
\ No newline at end of file
diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md
index 885c697548..ca6a1c8da0 100644
--- a/windows/security/identity-protection/credential-guard/additional-mitigations.md
+++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md
@@ -80,7 +80,7 @@ CertReq -EnrollCredGuardCert MachineAuthentication
#### How a certificate issuance policy can be used for access control
-Beginning with the Windows Server 2008 R2 domain functional level, domain controllers support for authentication mechanism assurance provides a way to map certificate issuance policy OIDs to universal security groups. Windows Server 2012 domain controllers with claim support can map them to claims. To learn more about authentication mechanism assurance, see [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](https://technet.microsoft.com/library/dd378897(v=ws.10).aspx) on TechNet.
+Beginning with the Windows Server 2008 R2 domain functional level, domain controllers support for authentication mechanism assurance provides a way to map certificate issuance policy OIDs to universal security groups. Windows Server 2012 domain controllers with claim support can map them to claims. To learn more about authentication mechanism assurance, see [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd378897(v=ws.10)) on TechNet.
**To see the issuance policies available**
@@ -133,7 +133,7 @@ Authentication policies have the following requirements:
To make tracking authentication failures due to authentication policies easier, an operational log exists with just those events. To enable the logs on the domain controllers, in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then click **Enable Log**.
-To learn more about authentication policy events, see [Authentication Policies and Authentication Policy Silos](https://technet.microsoft.com/library/dn486813(v=ws.11).aspx).
+To learn more about authentication policy events, see [Authentication Policies and Authentication Policy Silos](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn486813(v=ws.11)).
## Appendix: Scripts
@@ -610,4 +610,4 @@ write-host $tmp -Foreground Red
```
> [!NOTE]
-> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
+> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
\ No newline at end of file
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
index b69fe341ce..d04097f751 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
@@ -34,7 +34,7 @@ When you enable Windows Defender Credential Guard, you can no longer use NTLM cl
When you enable Windows Defender Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process. Use constrained or resource-based Kerberos delegation instead.
## 3rd Party Security Support Providers Considerations
-Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Windows Defender Credential Guard because it does not allow third-party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs are not supported. We recommend that custom implementations of SSPs/APs are tested with Windows Defender Credential Guard. SSPs and APs that depend on any undocumented or unsupported behaviors fail. For example, using the KerbQuerySupplementalCredentialsMessage API is not supported. Replacing the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](https://msdn.microsoft.com/library/windows/desktop/dn865014.aspx) on MSDN.
+Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Windows Defender Credential Guard because it does not allow third-party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs are not supported. We recommend that custom implementations of SSPs/APs are tested with Windows Defender Credential Guard. SSPs and APs that depend on any undocumented or unsupported behaviors fail. For example, using the KerbQuerySupplementalCredentialsMessage API is not supported. Replacing the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](/windows/win32/secauthn/restrictions-around-registering-and-installing-a-security-package) on MSDN.
## Upgrade Considerations
As the depth and breadth of protections provided by Windows Defender Credential Guard are increased, subsequent releases of Windows 10 with Windows Defender Credential Guard running may impact scenarios that were working in the past. For example, Windows Defender Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities. Test scenarios required for operations in an organization before upgrading a device using Windows Defender Credential Guard.
@@ -62,11 +62,11 @@ As a result Credential Guard can no longer decrypt protected data. VBS creates a
Since Credential Manager cannot decrypt saved Windows Credentials, they are deleted. Applications should prompt for credentials that were previously saved. If saved again, then Windows credentials are protected Credential Guard.
### Domain-joined device’s automatically provisioned public key
-Beginning with Windows 10 and Windows Server 2016, domain-devices automatically provision a bound public key, for more information about automatic public key provisioning, see [Domain-joined Device Public Key Authentication](https://docs.microsoft.com/windows-server/security/kerberos/domain-joined-device-public-key-authentication).
+Beginning with Windows 10 and Windows Server 2016, domain-devices automatically provision a bound public key, for more information about automatic public key provisioning, see [Domain-joined Device Public Key Authentication](/windows-server/security/kerberos/domain-joined-device-public-key-authentication).
-Since Credential Guard cannot decrypt the protected private key, Windows uses the domain-joined computer's password for authentication to the domain. Unless additional policies are deployed, there should not be a loss of functionality. If a device is configured to only use public key, then it cannot authenticate with password until that policy is disabled. For more information on Configuring devices to only use public key, see [Domain-joined Device Public Key Authentication](https://docs.microsoft.com/windows-server/security/kerberos/domain-joined-device-public-key-authentication).
+Since Credential Guard cannot decrypt the protected private key, Windows uses the domain-joined computer's password for authentication to the domain. Unless additional policies are deployed, there should not be a loss of functionality. If a device is configured to only use public key, then it cannot authenticate with password until that policy is disabled. For more information on Configuring devices to only use public key, see [Domain-joined Device Public Key Authentication](/windows-server/security/kerberos/domain-joined-device-public-key-authentication).
-Also if any access control checks including authentication policies require devices to have either the KEY TRUST IDENTITY (S-1-18-4) or FRESH PUBLIC KEY IDENTITY (S-1-18-3) well-known SIDs, then those access checks fail. For more information about authentication policies, see [Authentication Policies and Authentication Policy Silos](https://docs.microsoft.com/windows-server/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos). For more information about well-known SIDs, see [[MS-DTYP] Section 2.4.2.4 Well-known SID Structures](https://msdn.microsoft.com/library/cc980032.aspx).
+Also if any access control checks including authentication policies require devices to have either the KEY TRUST IDENTITY (S-1-18-4) or FRESH PUBLIC KEY IDENTITY (S-1-18-3) well-known SIDs, then those access checks fail. For more information about authentication policies, see [Authentication Policies and Authentication Policy Silos](/windows-server/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos). For more information about well-known SIDs, see [[MS-DTYP] Section 2.4.2.4 Well-known SID Structures](/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab).
### Breaking DPAPI on domain-joined devices
On domain-joined devices, DPAPI can recover user keys using a domain controller from the user's domain. If a domain-joined device has no connectivity to a domain controller, then recovery is not possible.
@@ -91,11 +91,11 @@ Once the device has connectivity to the domain controllers, DPAPI recovers the u
#### Impact of DPAPI failures on Windows Information Protection
When data protected with user DPAPI is unusable, then the user loses access to all work data protected by Windows Information Protection. The impact includes: Outlook 2016 is unable to start and work protected documents cannot be opened. If DPAPI is working, then newly created work data is protected and can be accessed.
-**Workaround:** Users can resolve the problem by connecting their device to the domain and rebooting or using their Encrypting File System Data Recovery Agent certificate. For more information about Encrypting File System Data Recovery Agent certificate, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](https://docs.microsoft.com/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate).
+**Workaround:** Users can resolve the problem by connecting their device to the domain and rebooting or using their Encrypting File System Data Recovery Agent certificate. For more information about Encrypting File System Data Recovery Agent certificate, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate).
## See also
**Related videos**
-[What is virtualization-based security?](https://www.linkedin.com/learning/microsoft-cybersecurity-stack-advanced-identity-and-endpoint-protection/what-is-virtualization-based-security)
+[What is virtualization-based security?](https://www.linkedin.com/learning/microsoft-cybersecurity-stack-advanced-identity-and-endpoint-protection/what-is-virtualization-based-security)
\ No newline at end of file
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
index 0780c5d0c4..703848eaf3 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
@@ -22,7 +22,7 @@ ms.reviewer:
- Windows 10
- Windows Server 2016
-Windows Defender Credential Guard has certain application requirements. Windows Defender Credential Guard blocks specific authentication capabilities. Therefore applications that require such capabilities will not function when it is enabled. For further information, see [Application requirements](https://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements).
+Windows Defender Credential Guard has certain application requirements. Windows Defender Credential Guard blocks specific authentication capabilities. Therefore applications that require such capabilities will not function when it is enabled. For further information, see [Application requirements](/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements).
The following known issue has been fixed in the [Cumulative Security Update for November 2017](https://support.microsoft.com/help/4051033):
@@ -54,7 +54,7 @@ The following issue affects the Java GSS API. See the following Oracle bug datab
- [JDK-8161921: Windows 10 Windows Defender Credential Guard does not allow sharing of TGT with Java](http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8161921)
-When Windows Defender Credential Guard is enabled on Windows 10, the Java GSS API will not authenticate. This is expected behavior because Windows Defender Credential Guard blocks specific application authentication capabilities and will not provide the TGT session key to applications regardless of registry key settings. For further information see [Application requirements](https://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements).
+When Windows Defender Credential Guard is enabled on Windows 10, the Java GSS API will not authenticate. This is expected behavior because Windows Defender Credential Guard blocks specific application authentication capabilities and will not provide the TGT session key to applications regardless of registry key settings. For further information see [Application requirements](/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements).
The following issue affects Cisco AnyConnect Secure Mobility Client:
@@ -77,7 +77,7 @@ The following issue affects Citrix applications:
- [KB4032786 High CPU usage in the LSAISO process on Windows 10 or Windows Server 2016](https://support.microsoft.com/help/4032786)
-For further technical information on LSAISO.exe, see the MSDN article: [Isolated User Mode (IUM) Processes](https://msdn.microsoft.com/library/windows/desktop/mt809132(v=vs.85).aspx)
+For further technical information on LSAISO.exe, see the MSDN article: [Isolated User Mode (IUM) Processes](/windows/win32/procthread/isolated-user-mode--ium--processes)
\** Registration is required to access this article.
@@ -107,4 +107,4 @@ Windows Defender Credential Guard is not supported by either these products, pro
This is not a comprehensive list. Check whether your product vendor, product version, or computer system, supports Windows Defender Credential Guard on systems that run Windows 10 or specific versions of Windows 10. Specific computer system models may be incompatible with Windows Defender Credential Guard.
- Microsoft encourages third-party vendors to contribute to this page by providing relevant product support information and by adding links to their own product support statements.
+ Microsoft encourages third-party vendors to contribute to this page by providing relevant product support information and by adding links to their own product support statements.
\ No newline at end of file
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
index 27f4be1157..7e9ef6ad60 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
@@ -43,7 +43,7 @@ You can use Group Policy to enable Windows Defender Credential Guard. This will
4. In the **Credential Guard Configuration** box, click **Enabled with UEFI lock**, and then click **OK**. If you want to be able to turn off Windows Defender Credential Guard remotely, choose **Enabled without lock**.
-5. In the **Secure Launch Configuration** box, choose **Not Configured**, **Enabled** or **Disabled**. Check [this article](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) for more details.
+5. In the **Secure Launch Configuration** box, choose **Not Configured**, **Enabled** or **Disabled**. Check [this article](../../threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md) for more details.
@@ -59,8 +59,11 @@ To enforce processing of the group policy, you can run ```gpupdate /force```.
3. Click **Profiles** > **Create Profile** > **Endpoint protection** > **Windows Defender Credential Guard**.
-> [!NOTE]
-> It will enable VBS and Secure Boot and you can do it with or without UEFI Lock. If you will need to disable Credential Guard remotely, enable it without UEFI lock.
+ > [!NOTE]
+ > It will enable VBS and Secure Boot and you can do it with or without UEFI Lock. If you will need to disable Credential Guard remotely, enable it without UEFI lock.
+
+> [!TIP]
+> You can also configure Credential Guard by using an account protection profile in endpoint security. See [Account protection policy settings for endpoint security in Intune](https://docs.microsoft.com/mem/intune/protect/endpoint-security-account-protection-profile-settings).
### Enable Windows Defender Credential Guard by using the registry
@@ -117,23 +120,23 @@ You can do this by using either the Control Panel or the Deployment Image Servic
2. Enable virtualization-based security:
- - Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\DeviceGuard.
+ 1. Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\DeviceGuard.
- - Add a new DWORD value named **EnableVirtualizationBasedSecurity**. Set the value of this registry setting to 1 to enable virtualization-based security and set it to 0 to disable it.
+ 1. Add a new DWORD value named **EnableVirtualizationBasedSecurity**. Set the value of this registry setting to 1 to enable virtualization-based security and set it to 0 to disable it.
- - Add a new DWORD value named **RequirePlatformSecurityFeatures**. Set the value of this registry setting to 1 to use **Secure Boot** only or set it to 3 to use **Secure Boot and DMA protection**.
+ 1. Add a new DWORD value named **RequirePlatformSecurityFeatures**. Set the value of this registry setting to 1 to use **Secure Boot** only or set it to 3 to use **Secure Boot and DMA protection**.
3. Enable Windows Defender Credential Guard:
- - Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA.
+ 1. Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA.
- - Add a new DWORD value named **LsaCfgFlags**. Set the value of this registry setting to 1 to enable Windows Defender Credential Guard with UEFI lock, set it to 2 to enable Windows Defender Credential Guard without lock, and set it to 0 to disable it.
+ 1. Add a new DWORD value named **LsaCfgFlags**. Set the value of this registry setting to 1 to enable Windows Defender Credential Guard with UEFI lock, set it to 2 to enable Windows Defender Credential Guard without lock, and set it to 0 to disable it.
4. Close Registry Editor.
> [!NOTE]
-> You can also enable Windows Defender Credential Guard by setting the registry entries in the [FirstLogonCommands](https://msdn.microsoft.com/library/windows/hardware/dn922797.aspx) unattend setting.
+> You can also enable Windows Defender Credential Guard by setting the registry entries in the [FirstLogonCommands](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-firstlogoncommands) unattend setting.
@@ -164,7 +167,8 @@ You can view System Information to check that Windows Defender Credential Guard
Here's an example:
- 
+ > [!div class="mx-imgBorder"]
+ > 
You can also check that Windows Defender Credential Guard is running by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).
@@ -258,16 +262,15 @@ To disable Windows Defender Credential Guard, you can use the following set of p
> [!NOTE]
> The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Windows Defender Credential Guard and virtualization-based security, run the following bcdedit commands after turning off all virtualization-based security Group Policy and registry settings:
>
- >```
+ >```console
>bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
>bcdedit /set vsmlaunchtype off
>```
-> [!NOTE]
-> Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs. These options will be made available with future Gen 2 VMs.
+For more info on virtualization-based security and HVCI, see [Enable virtualization-based protection of code integrity](../../threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md).
-For more info on virtualization-based security and HVCI, see [Enable virtualization-based protection of code integrity](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity
-).
+> [!NOTE]
+> Credential Guard and Device Guard are not supported when using Azure Gen 1 VMs. These options are available with Gen 2 VMs only.
@@ -275,7 +278,7 @@ For more info on virtualization-based security and HVCI, see [Enable virtualizat
You can also disable Windows Defender Credential Guard by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).
-```console
+```powershell
DG_Readiness_Tool_v3.6.ps1 -Disable -AutoReboot
```
@@ -291,6 +294,3 @@ From the host, you can disable Windows Defender Credential Guard for a virtual m
```powershell
Set-VMSecurity -VMName
Users of these sites can use any browser that supports WebAuthn Windows 10 APIs for password-less authentication
@@ -42,6 +42,4 @@ Developers of FIDO2 authentication keys should use the new Windows 10 APIs, to e
This also implies browsers or apps on Windows 10 will no longer have direct access to above transports for FIDO related messaging.
#### Where can developers learn more?
-The new Windows 10 APIs are documented on [GitHub](https://github.com/Microsoft/webauthn)
-
-
+The new Windows 10 APIs are documented on [GitHub](https://github.com/Microsoft/webauthn)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
index e6e5fa20c1..b7018e4477 100644
--- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
+++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
@@ -356,7 +356,7 @@ The Group Policy object contains the policy settings needed to trigger Windows H
> * PIN **must** be in at least one of the groups
> * Trusted signals **must** be combined with another credential provider
> * You cannot use the same unlock factor to satisfy both categories. Therefore, if you include any credential provider in both categories, it means it can satisfy either category, but not both.
-> * The multifactor unlock feature is also supported via the Passport for Work CSP. See [Passport For Work CSP](https://docs.microsoft.com/windows/client-management/mdm/passportforwork-csp) for more information.
+> * The multifactor unlock feature is also supported via the Passport for Work CSP. See [Passport For Work CSP](/windows/client-management/mdm/passportforwork-csp) for more information.
1. Start the **Group Policy Management Console** (gpmc.msc).
@@ -395,4 +395,4 @@ Multi-factor unlock writes events to event log under **Application and Services
|5520|Unlock policy not configured|
|6520|Warning event|
|7520|Error event|
-|8520|Success event|
+|8520|Success event|
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
index 22d05b8312..ab73eab4f9 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
@@ -28,9 +28,9 @@ Windows Hello for Business works exclusively with the Active Directory Federatio
The following guidance describes deploying a new instance of Active Directory Federation Services 2016 using the Windows Information Database as the configuration database, which is ideal for environments with no more than 30 federation servers and no more than 100 relying party trusts.
-If your environment exceeds either of these factors or needs to provide SAML artifact resolution, token replay detection, or needs Active Directory Federation Services to operate in a federated provider role, then your deployment needs to use a SQL for your configuration database. To deploy the Active Directory Federation Services using SQL as its configuration database, please review the [Deploying a Federation Server Farm](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) checklist.
+If your environment exceeds either of these factors or needs to provide SAML artifact resolution, token replay detection, or needs Active Directory Federation Services to operate in a federated provider role, then your deployment needs to use a SQL for your configuration database. To deploy the Active Directory Federation Services using SQL as its configuration database, please review the [Deploying a Federation Server Farm](/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) checklist.
-If your environment has an existing instance of Active Directory Federation Services, then you’ll need to upgrade all nodes in the farm to Windows Server 2016 along with the Windows Server 2016 update. If your environment uses Windows Internal Database (WID) for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 using a WID database](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016) to upgrade your environment. If your environment uses SQL for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 with SQL Server](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016-sql) to upgrade your environment.
+If your environment has an existing instance of Active Directory Federation Services, then you’ll need to upgrade all nodes in the farm to Windows Server 2016 along with the Windows Server 2016 update. If your environment uses Windows Internal Database (WID) for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 using a WID database](/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016) to upgrade your environment. If your environment uses SQL for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 with SQL Server](/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016-sql) to upgrade your environment.
Ensure you apply the Windows Server 2016 Update to all nodes in the farm after you have successfully completed the upgrade.
@@ -148,7 +148,7 @@ Windows Server 2012 or later domain controllers support Group Managed Service Ac
GMSA uses the Microsoft Key Distribution Service that is located on Windows Server 2012 or later domain controllers. Windows uses the Microsoft Key Distribution Service to protect secrets stored and used by the GMSA. Before you can create a GMSA, you must first create a root key for the service. You can skip this if your environment already uses GMSA.
>[!NOTE]
-> If the [default object creation quota for security principles](https://docs.microsoft.com/openspecs/windows_protocols/ms-adts/d55ca655-109b-4175-902a-3e9d60833012) is set, you will need to change it for the Group Managed Service Account in order to be able to register new devices.
+> If the [default object creation quota for security principles](/openspecs/windows_protocols/ms-adts/d55ca655-109b-4175-902a-3e9d60833012) is set, you will need to change it for the Group Managed Service Account in order to be able to register new devices.
#### Create KDS Root Key
@@ -403,7 +403,7 @@ Approximately 60 days prior to enrollment agent certificate’s expiration, the
### Service Connection Point (SCP) in Active Directory for ADFS Device Registration Service
> [!NOTE]
-> Normally this script is not needed, as enabling Device Registration via the ADFS Management console already creates the objects. You can validate the SCP using the script below. For detailed information about the Device Registration Service, see [Configuring Device Registration](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn614658(v=ws.11)?redirectedfrom=MSDN).
+> Normally this script is not needed, as enabling Device Registration via the ADFS Management console already creates the objects. You can validate the SCP using the script below. For detailed information about the Device Registration Service, see [Configuring Device Registration](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn614658(v=ws.11)).
Now you will add the Service connection Point to ADFS device registration Service for your Active directory by running the following script:
@@ -576,4 +576,4 @@ For detailed information about the certificate, use `Certutil -q -v
-or-
Token was not found in the Authorization header.
-or-
Failed to read one or more objects.
-or-
The request sent to the server was invalid.
-or-
User does not have permissions to join to Azure AD. | Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure AD and rejoin.
Allow user(s) to join to Azure AD under Azure AD Device settings.
| 0x801C03EE | Attestation failed. | Sign out and then sign in again. |
| 0x801C03EF | The AIK certificate is no longer valid. | Sign out and then sign in again. |
-| 0x801C03F2 | Windows Hello key registration failed. | ERROR\_BAD\_DIRECTORY\_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue, refer to [Duplicate Attributes Prevent Dirsync](https://docs.microsoft.com/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync). Also, if no sync conflict exists, please verify that the "Mail/Email address" in AAD and the Primary SMTP address are the same in the proxy address.
+| 0x801C03F2 | Windows Hello key registration failed. | ERROR\_BAD\_DIRECTORY\_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue, refer to [Duplicate Attributes Prevent Dirsync](/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync). Also, if no sync conflict exists, please verify that the "Mail/Email address" in AAD and the Primary SMTP address are the same in the proxy address.
| 0x801C044D | Authorization token does not contain device ID. | Unjoin the device from Azure AD and rejoin. |
| | Unable to obtain user token. | Sign out and then sign in again. Check network and credentials. |
| 0x801C044E | Failed to receive user credentials input. | Sign out and then sign in again. |
@@ -110,4 +110,4 @@ For errors listed in this table, contact Microsoft Support for assistance.
- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
- [Windows Hello and password changes](hello-and-password-changes.md)
- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
-- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
+- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml
index ae0af27fe6..eb89236d09 100644
--- a/windows/security/identity-protection/hello-for-business/hello-faq.yml
+++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml
@@ -35,11 +35,11 @@ sections:
- question: Can I use Windows Hello for Business key trust and RDP?
answer: |
- Remote Desktop Protocol (RDP) does not currently support using key-based authentication and self-signed certificates as supplied credentials. RDP with supplied credentials is currently only supported with certificate-based deployments. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/remote-credential-guard).
+ Remote Desktop Protocol (RDP) does not currently support using key-based authentication and self-signed certificates as supplied credentials. RDP with supplied credentials is currently only supported with certificate-based deployments. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md).
- question: Can I deploy Windows Hello for Business by using Microsoft Endpoint Configuration Manager?
answer: |
- Windows Hello for Business deployments using Configuration Manager should follow the hybrid deployment model that uses Active Directory Federation Services. Starting in Configuration Manager version 1910, certificate-based authentication with Windows Hello for Business settings isn't supported. Key-based authentication is still valid with Configuration Manager. For more information, see [Windows Hello for Business settings in Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-hello-for-business-settings).
+ Windows Hello for Business deployments using Configuration Manager should follow the hybrid deployment model that uses Active Directory Federation Services. Starting in Configuration Manager version 1910, certificate-based authentication with Windows Hello for Business settings isn't supported. Key-based authentication is still valid with Configuration Manager. For more information, see [Windows Hello for Business settings in Configuration Manager](/configmgr/protect/deploy-use/windows-hello-for-business-settings).
- question: How many users can enroll for Windows Hello for Business on a single Windows 10 computer?
answer: |
@@ -59,7 +59,7 @@ sections:
It is possible to Azure AD register a domain joined device. If the domain joined device has a convenience PIN, login with the convenience PIN will no longer work. This configuration is not supported by Windows Hello for Business.
- For more information please read [Azure AD registered devices](https://docs.microsoft.com/azure/active-directory/devices/concept-azure-ad-register).
+ For more information please read [Azure AD registered devices](/azure/active-directory/devices/concept-azure-ad-register).
- question: I have Windows Server 2016 domain controller(s), so why is the Key Admins group missing?
answer: |
@@ -134,7 +134,7 @@ sections:
- question: What attributes are synchronized by Azure AD Connect with Windows Hello for Business?
answer: |
- Review [Azure AD Connect sync: Attributes synchronized to Azure Active Directory](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized) for a list of attributes that sync based on scenarios. The base scenarios that include Windows Hello for Business are the [Windows 10](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#windows-10) scenario and the [Device writeback](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#device-writeback) scenario. Your environment may include additional attributes.
+ Review [Azure AD Connect sync: Attributes synchronized to Azure Active Directory](/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized) for a list of attributes that sync based on scenarios. The base scenarios that include Windows Hello for Business are the [Windows 10](/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#windows-10) scenario and the [Device writeback](/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#device-writeback) scenario. Your environment may include additional attributes.
- question: Is Windows Hello for Business multi-factor authentication?
answer: |
@@ -142,7 +142,7 @@ sections:
- question: What are the biometric requirements for Windows Hello for Business?
answer: |
- Read [Windows Hello biometric requirements](https://docs.microsoft.com/windows-hardware/design/device-experiences/windows-hello-biometric-requirements) for more information.
+ Read [Windows Hello biometric requirements](/windows-hardware/design/device-experiences/windows-hello-biometric-requirements) for more information.
- question: Can I use both a PIN and biometrics to unlock my device?
answer: |
@@ -204,7 +204,7 @@ sections:
- question: Can I use third-party authentication providers with Windows Hello for Business?
answer: |
- Yes, if you're using federated hybrid deployment, you can use any third-party that provides an Active Directory Federation Services (AD FS) multi-factor authentication adapter. A list of third-party MFA adapters can be found [here](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods).
+ Yes, if you're using federated hybrid deployment, you can use any third-party that provides an Active Directory Federation Services (AD FS) multi-factor authentication adapter. A list of third-party MFA adapters can be found [here](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods).
- question: Does Windows Hello for Business work with third-party federation servers?
answer: |
@@ -212,10 +212,10 @@ sections:
| Protocol | Description |
| :---: | :--- |
- | [[MS-KPP]: Key Provisioning Protocol](https://msdn.microsoft.com/library/mt739755.aspx) | Specifies the Key Provisioning Protocol, which defines a mechanism for a client to register a set of cryptographic keys on a user and device pair. |
- | [[MS-OAPX]: OAuth 2.0 Protocol Extensions](https://msdn.microsoft.com/library/dn392779.aspx)| Specifies the OAuth 2.0 Protocol Extensions, which are used to extend the OAuth 2.0 Authorization Framework. These extensions enable authorization features such as resource specification, request identifiers, and login hints. |
- | [[MS-OAPXBC]: OAuth 2.0 Protocol Extensions for Broker Clients](https://msdn.microsoft.com/library/mt590278.aspx) | Specifies the OAuth 2.0 Protocol Extensions for Broker Clients, extensions to RFC6749 (the OAuth 2.0 Authorization Framework) that allow a broker client to obtain access tokens on behalf of calling clients. |
- | [[MS-OIDCE]: OpenID Connect 1.0 Protocol Extensions](https://msdn.microsoft.com/library/mt766592.aspx) | Specifies the OpenID Connect 1.0 Protocol Extensions. These extensions define additional claims to carry information about the user, including the user principal name, a locally unique identifier, a time for password expiration, and a URL for password change. These extensions also define additional provider meta-data that enables the discovery of the issuer of access tokens and gives additional information about provider capabilities. |
+ | [[MS-KPP]: Key Provisioning Protocol](/openspecs/windows_protocols/ms-kpp/25ff7bd8-50e3-4769-af23-bcfd0b4d4567) | Specifies the Key Provisioning Protocol, which defines a mechanism for a client to register a set of cryptographic keys on a user and device pair. |
+ | [[MS-OAPX]: OAuth 2.0 Protocol Extensions](/openspecs/windows_protocols/ms-oapx/7612efd4-f4c8-43c3-aed6-f5c5ce359da2)| Specifies the OAuth 2.0 Protocol Extensions, which are used to extend the OAuth 2.0 Authorization Framework. These extensions enable authorization features such as resource specification, request identifiers, and login hints. |
+ | [[MS-OAPXBC]: OAuth 2.0 Protocol Extensions for Broker Clients](/openspecs/windows_protocols/ms-oapxbc/2f7d8875-0383-4058-956d-2fb216b44706) | Specifies the OAuth 2.0 Protocol Extensions for Broker Clients, extensions to RFC6749 (the OAuth 2.0 Authorization Framework) that allow a broker client to obtain access tokens on behalf of calling clients. |
+ | [[MS-OIDCE]: OpenID Connect 1.0 Protocol Extensions](/openspecs/windows_protocols/ms-oidce/718379cf-8bc1-487e-962d-208aeb8e70ee) | Specifies the OpenID Connect 1.0 Protocol Extensions. These extensions define additional claims to carry information about the user, including the user principal name, a locally unique identifier, a time for password expiration, and a URL for password change. These extensions also define additional provider meta-data that enables the discovery of the issuer of access tokens and gives additional information about provider capabilities. |
- question: Does Windows Hello for Business work with Mac and Linux clients?
answer: |
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md b/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md
index 470d856d45..0b13b8388a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md
@@ -34,7 +34,7 @@ To improve productivity, Azure Active Directory provides your users with a broad
> [!NOTE]
> For more details about the way Windows Hello for Business interacts with Azure AD Multi-Factor Authentication and Conditional Access, see [this article](https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/why-are-my-users-not-prompted-for-mfa-as-expected/ba-p/1449032).
-Read [Conditional access in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-azure-portal) to learn more about Conditional Access. Afterwards, read [Getting started with conditional access in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-azure-portal-get-started) to start deploying Conditional access.
+Read [Conditional access in Azure Active Directory](/azure/active-directory/active-directory-conditional-access-azure-portal) to learn more about Conditional Access. Afterwards, read [Getting started with conditional access in Azure Active Directory](/azure/active-directory/active-directory-conditional-access-azure-portal-get-started) to start deploying Conditional access.
## Related topics
@@ -45,4 +45,4 @@ Read [Conditional access in Azure Active Directory](https://docs.microsoft.com/a
* [Windows Hello and password changes](hello-and-password-changes.md)
* [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
* [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
-* [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
+* [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
index 028fdd4868..f62a626f0a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
@@ -22,27 +22,28 @@ ms.reviewer:
**Requirements**
* Hybrid and On-premises Windows Hello for Business deployments
-* Enterprise Joined or Hybrid Azure joined devices
+* Enterprise joined or Hybrid Azure joined devices
* Windows 10, version 1709
+* Certificate trust
> [!NOTE]
> This feature was previously known as **Privileged Credential** but was renamed to **Dual Enrollment** to prevent any confusion with the **Privileged Access Workstation** feature.
> [!IMPORTANT]
-> Dual enrollment does not replace or provide the same security as Privileged Access Workstations feature. Microsoft encourages enterprises to use the Privileged Access Workstations for their privileged credential users. Enterprises can consider Windows Hello for Business dual enrollment in situations where the Privileged Access feature cannot be used. Read [Privileged Access Workstations](https://docs.microsoft.com/windows-server/identity/securing-privileged-access/privileged-access-workstations) for more information.
+> Dual enrollment does not replace or provide the same security as Privileged Access Workstations feature. Microsoft encourages enterprises to use the Privileged Access Workstations for their privileged credential users. Enterprises can consider Windows Hello for Business dual enrollment in situations where the Privileged Access feature cannot be used. Read [Privileged Access Workstations](/windows-server/identity/securing-privileged-access/privileged-access-workstations) for more information.
Dual enrollment enables administrators to perform elevated, administrative functions by enrolling both their non-privileged and privileged credentials on their device.
By design, Windows 10 does not enumerate all Windows Hello for Business users from within a user's session. Using the computer Group Policy setting, **Allow enumeration of emulated smart card for all users**, you can configure a device to enumerate all enrolled Windows Hello for Business credentials on selected devices.
-With this setting, administrative users can sign-in to Windows 10, version 1709 using their non-privileged Windows Hello for Business credentials for normal work flow such as email, but can launch Microsoft Management Consoles (MMCs), Remote Desktop Services clients, and other applications by selecting **Run as different user** or **Run as administrator**, selecting the privileged user account, and providing their PIN. Administrators can also take advantage of this feature with command line applications by using **runas.exe** combined with the **/smartcard** argument. This enables administrators to perform their day-to-day operations without needing to sign-in and out, or use fast user switching when alternating between privileged and non-privileged workloads.
+With this setting, administrative users can sign in to Windows 10, version 1709 using their non-privileged Windows Hello for Business credentials for normal work flow such as email, but can launch Microsoft Management Consoles (MMCs), Remote Desktop Services clients, and other applications by selecting **Run as different user** or **Run as administrator**, selecting the privileged user account, and providing their PIN. Administrators can also take advantage of this feature with command-line applications by using **runas.exe** combined with the **/smartcard** argument. This enables administrators to perform their day-to-day operations without needing to sign in and out, or use fast user switching when alternating between privileged and non-privileged workloads.
> [!IMPORTANT]
> You must configure a Windows 10 computer for Windows Hello for Business dual enrollment before either user (privileged or non-privileged) provisions Windows Hello for Business. Dual enrollment is a special setting that is configured on the Windows Hello container during creation.
## Configure Windows Hello for Business Dual Enrollment
-In this task you will
+In this task, you will
* Configure Active Directory to support Domain Administrator enrollment
* Configure Dual Enrollment using Group Policy
@@ -53,7 +54,7 @@ The designed Windows Hello for Business configuration gives the **Key Admins** (
Active Directory Domain Services uses AdminSDHolder to secure privileged users and groups from unintentional modification by comparing and replacing the security on privileged users and groups to match those defined on the AdminSDHolder object on an hourly cycle. For Windows Hello for Business, your domain administrator account may receive the permissions but they will disappear from the user object unless you give the AdminSDHolder read and write permissions to the msDS-KeyCredential attribute.
-Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
+Sign in to a domain controller or management workstation with access equivalent to _domain administrator_.
1. Type the following command to add the **allow** read and write property permissions for msDS-KeyCredentialLink attribute for the **Key Admins** (or **KeyCredential Admins**) group on the AdminSDHolder object.
```dsacls "CN=AdminSDHolder,CN=System,DC=domain,DC=com" /g "[domainName\keyAdminGroup]":RPWP;msDS-KeyCredentialLink```
@@ -76,7 +77,7 @@ You configure Windows 10 to support dual enrollment using the computer configura
4. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC.
5. Restart computers targeted by this Group Policy object.
-The computer is ready for dual enrollment. Sign-in as the privileged user first and enroll for Windows Hello for Business. Once completed, sign-out and sign-in as the non-privileged user and enroll for Windows Hello for Business. You can now use your privileged credential to perform privileged tasks without using your password and without needing to switch users.
+The computer is ready for dual enrollment. Sign in as the privileged user first and enroll for Windows Hello for Business. Once completed, sign out and sign in as the non-privileged user and enroll for Windows Hello for Business. You can now use your privileged credential to perform privileged tasks without using your password and without needing to switch users.
## Related topics
@@ -87,4 +88,4 @@ The computer is ready for dual enrollment. Sign-in as the privileged user first
* [Windows Hello and password changes](hello-and-password-changes.md)
* [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
* [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
-* [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
+* [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
index e558366ee8..542ece9a6b 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
@@ -125,10 +125,10 @@ On-premises deployments provide users with the ability to reset forgotten PINs e
3. Follow the instructions provided by the provisioning process
4. When finished, unlock your desktop using your newly created PIN.
-You may find that PIN reset from settings only works post login, and that the "lock screen" PIN reset function will not work if you have any matching limitation of SSPR password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen - **General limitations**](https://docs.microsoft.com/azure/active-directory/authentication/howto-sspr-windows#general-limitations).
+You may find that PIN reset from settings only works post login, and that the "lock screen" PIN reset function will not work if you have any matching limitation of SSPR password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen - **General limitations**](/azure/active-directory/authentication/howto-sspr-windows#general-limitations).
> [!NOTE]
-> Visit the [Windows Hello for Business Videos](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos.md) page and watch [Windows Hello for Business forgotten PIN user experience](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience).
+> Visit the [Windows Hello for Business Videos](./hello-videos.md) page and watch [Windows Hello for Business forgotten PIN user experience](./hello-videos.md#windows-hello-for-business-forgotten-pin-user-experience).
## Related topics
@@ -139,4 +139,4 @@ You may find that PIN reset from settings only works post login, and that the "l
- [Windows Hello and password changes](hello-and-password-changes.md)
- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
-- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
+- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
index 4ce58b8818..30dc6c78e6 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
@@ -25,7 +25,7 @@ ms.reviewer:
- Cloud only, Hybrid, and On-premises only Windows Hello for Business deployments
- Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices
-Windows Hello for Business supports using a certificate deployed to a Windows Hello for Business container as a supplied credential to establish a remote desktop connection to a server or another device. This functionality is not supported for key trust deployments. This feature takes advantage of the redirected smart card capabilities of the remote desktop protocol. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/remote-credential-guard).
+Windows Hello for Business supports using a certificate deployed to a Windows Hello for Business container as a supplied credential to establish a remote desktop connection to a server or another device. This functionality is not supported for key trust deployments. This feature takes advantage of the redirected smart card capabilities of the remote desktop protocol. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md).
Microsoft continues to investigate supporting using keys trust for supplied credentials in a future release.
@@ -52,7 +52,7 @@ Windows Hello for Business emulates a smart card for application compatibility.
### Compatibility
-Users appreciate convenience of biometrics and administrators value the security however, you may experience compatibility issues with your applications and Windows Hello for Business certificates. You can relax knowing a Group Policy setting and a [MDM URI](https://docs.microsoft.com/windows/client-management/mdm/passportforwork-csp) exist to help you revert to the previous behavior for those users who need it.
+Users appreciate convenience of biometrics and administrators value the security however, you may experience compatibility issues with your applications and Windows Hello for Business certificates. You can relax knowing a Group Policy setting and a [MDM URI](/windows/client-management/mdm/passportforwork-csp) exist to help you revert to the previous behavior for those users who need it.
> [!div class="mx-imgBorder"]
> 
@@ -69,4 +69,4 @@ Users appreciate convenience of biometrics and administrators value the security
- [Windows Hello and password changes](hello-and-password-changes.md)
- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
-- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
+- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
index cb21e54fe3..a90f1587c2 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
@@ -35,7 +35,7 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
| Phase | Description |
| :----: | :----------- |
-|A | Authentication begins when the users dismisses the lock screen, which triggers winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider.|
+|A | Authentication begins when the user dismisses the lock screen, which triggers winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider.|
|B | The Cloud AP provider requests a nonce from Azure Active Directory. Azure AD returns a nonce. The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Azure Active Directory.|
|C | Azure Active Directory validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.|
|D | The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.|
@@ -47,9 +47,12 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
| Phase | Description |
| :----: | :----------- |
-|A | Authentication to Active Directory from a Azure AD joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a 2016 domain controller. After the provider locates an active 2016 domain controller, the provider uses the private key to sign the Kerberos pre-authentication data.|
+|A | Authentication to Active Directory from an Azure AD joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a 2016 domain controller. After the provider locates an active 2016 domain controller, the provider uses the private key to sign the Kerberos pre-authentication data.|
|B | The Kerberos provider sends the signed pre-authentication data and its public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the 2016 domain controller in the form of a KERB_AS_REQ.
The 2016 domain controller determines the certificate is a self-signed certificate. It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory. It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed pre-authentication data using the public key from Active Directory. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
-|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it has not be revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it is cached and used for subsequent service ticket requests.|
+|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it has not been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it is cached and used for subsequent service ticket requests.|
+
+> [!NOTE]
+> You might have an on-premises domain federated with Azure AD. Once you have successfully provisioned Windows Hello for Business PIN/Bio on the Azure AD joined device, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Azure AD to get PRT and trigger authenticate against your DC (if LOS to DC is available) to get Kerberos. It no longer uses AD FS to authenticate for Windows Hello for Business sign-ins.
## Azure AD join authentication to Active Directory using a Certificate
@@ -57,18 +60,22 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
| Phase | Description |
| :----: | :----------- |
-|A | Authentication to Active Directory from a Azure AD joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses information from the certificate to get a hint of the user's domain. Kerberos can use the distinguished name of the user found in the subject of the certificate, or it can use the user principal name of the user found in the subject alternate name of the certificate. Using the hint, the provider uses the DClocator service to locate a domain controller. After the provider locates an active domain controller, the provider use the private key to sign the Kerberos pre-authentication data.|
+|A | Authentication to Active Directory from a Azure AD joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses information from the certificate to get a hint of the user's domain. Kerberos can use the distinguished name of the user found in the subject of the certificate, or it can use the user principal name of the user found in the subject alternate name of the certificate. Using the hint, the provider uses the DClocator service to locate a domain controller. After the provider locates an active domain controller, the provider uses the private key to sign the Kerberos pre-authentication data.|
|B | The Kerberos provider sends the signed pre-authentication data and user's certificate, which includes the public key, to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.
The domain controller determines the certificate is not self-signed certificate. The domain controller ensures the certificate chains to trusted root certificate, is within its validity period, can be used for authentication, and has not been revoked. It retrieves the public key and UPN from the certificate included in the KERB_AS_REQ and searches for the UPN in Active Directory. It validates the signed pre-authentication data using the public key from the certificate. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
-|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it has not be revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it is cached and used for subsequent service ticket requests.|
+|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it has not been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it is cached and used for subsequent service ticket requests.|
+
+> [!NOTE]
+> You may have an on-premises domain federated with Azure AD. Once you have successfully provisioned Windows Hello for Business PIN/Bio on, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Azure AD to get PRT, as well as authenticate against your DC (if LOS to DC is available) to get Kerberos as mentioned previously. AD FS federation is used only when Enterprise PRT calls are placed from the client. You need to have device write-back enabled to get "Enterprise PRT" from your federation.
+
## Hybrid Azure AD join authentication using a Key
| Phase | Description |
| :----: | :----------- |
-|A | Authentication begins when the users dismisses the lock screen, which triggers winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Kerberos security support provider. The Kerberos provider gets domain hints from the domain joined workstation to locate a domain controller for the user.|
+|A | Authentication begins when the user dismisses the lock screen, which triggers winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Kerberos security support provider. The Kerberos provider gets domain hints from the domain joined workstation to locate a domain controller for the user.|
|B | The Kerberos provider sends the signed pre-authentication data and the user's public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the 2016 domain controller in the form of a KERB_AS_REQ.
The 2016 domain controller determines the certificate is a self-signed certificate. It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory. It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed pre-authentication data using the public key from Active Directory. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
-|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it has not be revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating.
+|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it has not been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating.
|D | After passing this criteria, Kerberos returns the TGT to lsass, where it is cached and used for subsequent service ticket requests.|
|E | Lsass informs winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
|F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider. The Cloud AP provider requests a nonce from Azure Active Directory. Azure AD returns a nonce.|
@@ -82,9 +89,9 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
| Phase | Description |
| :----: | :----------- |
-|A | Authentication begins when the users dismisses the lock screen, which triggers winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Kerberos security support provider. The Kerberos provider gets domain hints from the domain joined workstation to locate a domain controller for the user.|
+|A | Authentication begins when the user dismisses the lock screen, which triggers winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Kerberos security support provider. The Kerberos provider gets domain hints from the domain joined workstation to locate a domain controller for the user.|
|B | The Kerberos provider sends the signed pre-authentication data and user's certificate, which includes the public key, to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.
The domain controller determines the certificate is not self-signed certificate. The domain controller ensures the certificate chains to trusted root certificate, is within its validity period, can be used for authentication, and has not been revoked. It retrieves the public key and UPN from the certificate included in the KERB_AS_REQ and searches for the UPN in Active Directory. It validates the signed pre-authentication data using the public key from the certificate. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
-|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it has not be revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating.
+|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it has not been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating.
|D | After passing this criteria, Kerberos returns the TGT to lsass, where it is cached and used for subsequent service ticket requests.|
|E | Lsass informs winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
|F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider. The Cloud AP provider requests a nonce from Azure Active Directory. Azure AD returns a nonce.|
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
index cf3fb265d2..af9083a431 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
@@ -60,7 +60,7 @@ In the issued AIK certificate, a special OID is added to attest that endorsement
[Endorsement Key](#endorsement-key), [Storage Root Key](#storage-root-key), [Trusted Platform Module](#trusted-platform-module)
### More information
-- [Windows Client Certificate Enrollment Protocol: Glossary](https://msdn.microsoft.com/library/cc249746.aspx#gt_70efa425-6b46-462f-911d-d399404529ab)
+- [Windows Client Certificate Enrollment Protocol: Glossary](/openspecs/windows_protocols/ms-wcce/719b890d-62e6-4322-b9b1-1f34d11535b4#gt_70efa425-6b46-462f-911d-d399404529ab)
- [TPM Library Specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/)
@@ -71,7 +71,7 @@ Azure AD Join is intended for organizations that desire to be cloud-first or clo
[Join Type](#join-type), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined)
### More information
-- [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction).
+- [Introduction to device management in Azure Active Directory](/azure/active-directory/device-management-introduction).
[Return to Top](hello-how-it-works-technology.md)
## Azure AD Registered
@@ -80,7 +80,7 @@ The goal of Azure AD registered devices is to provide you with support for the B
[Azure AD Joined](#azure-ad-joined), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined), [Join Type](#join-type)
### More information
-- [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction)
+- [Introduction to device management in Azure Active Directory](/azure/active-directory/device-management-introduction)
[Return to Top](hello-how-it-works-technology.md)
@@ -105,10 +105,10 @@ The Windows Hello for Business Cloud deployment is exclusively for organizations
In Windows 10, Cloud Experience Host is an application used while joining the workplace environment or Azure AD for rendering the experience when collecting your company-provided credentials. Once you enroll your device to your workplace environment or Azure AD, your organization will be able to manage your PC and collect information about you (including your location). It might add or remove apps or content, change settings, disable features, prevent you from removing your company account, or reset your PC.
### Related topics
-[Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-identity-verification), [Managed Windows Hello in Organization](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-manage-in-organization)
+[Windows Hello for Business](./hello-identity-verification.md), [Managed Windows Hello in Organization](./hello-manage-in-organization.md)
### More information
-- [Windows Hello for Business and Device Registration](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration)
+- [Windows Hello for Business and Device Registration](./hello-how-it-works-device-registration.md)
[Return to Top](hello-how-it-works-technology.md)
@@ -144,7 +144,7 @@ For certain devices that use firmware-based TPM produced by Intel or Qualcomm, t
[Attestation Identity Keys](#attestation-identity-keys), [Storage Root Key](#storage-root-key), [Trusted Platform Module](#trusted-platform-module)
### More information
-- [Understand the TPM endorsement key](https://go.microsoft.com/fwlink/p/?LinkId=733952).
+- [Understand the TPM endorsement key](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770443(v=ws.11)).
- [TPM Library Specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/)
[Return to Top](hello-how-it-works-technology.md)
@@ -155,7 +155,7 @@ Primarily for large enterprise organizations with more complex authentication re
[Hybrid Deployment](#hybrid-deployment), [Managed Environment](#managed-environment), [Pass-through authentication](#pass-through-authentication), [Password Hash Sync](#password-hash-sync)
### More information
-- [Choosing the right authentication method for your Azure Active Directory hybrid identity solution](https://docs.microsoft.com/azure/security/azure-ad-choose-authn)
+- [Choosing the right authentication method for your Azure Active Directory hybrid identity solution](/azure/security/azure-ad-choose-authn)
[Return to Top](hello-how-it-works-technology.md)
## Hybrid Azure AD Joined
@@ -170,7 +170,7 @@ If your environment has an on-premises AD footprint and you also want benefit fr
[Azure AD Joined](#azure-ad-joined), [Azure AD Registered](#azure-ad-registered), [Hybrid Deployment](#hybrid-deployment)
### More information
-- [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction)
+- [Introduction to device management in Azure Active Directory](/azure/active-directory/device-management-introduction)
[Return to Top](hello-how-it-works-technology.md)
## Hybrid Deployment
@@ -196,7 +196,7 @@ Joining a device is an extension to registering a device. This means, it provide
[Azure AD Joined](#azure-ad-joined), [Azure AD Registered](#azure-ad-registered), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined)
### More information
-- [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction)
+- [Introduction to device management in Azure Active Directory](/azure/active-directory/device-management-introduction)
[Return to Top](hello-how-it-works-technology.md)
## Key Trust
@@ -234,7 +234,7 @@ Provides a simple password validation for Azure AD authentication services using
### More information
-- [Choosing the right authentication method for your Azure Active Directory hybrid identity solution](https://docs.microsoft.com/azure/security/azure-ad-choose-authn)
+- [Choosing the right authentication method for your Azure Active Directory hybrid identity solution](/azure/security/azure-ad-choose-authn)
[Return to Top](hello-how-it-works-technology.md)
## Password Hash Sync
@@ -244,7 +244,7 @@ The simplest way to enable authentication for on-premises directory objects in A
[Federated Environment](#federated-environment), [Managed Environment](#managed-environment), [Pass-through authentication](#pass-through-authentication)
### More information
-- [Choosing the right authentication method for your Azure Active Directory hybrid identity solution](https://docs.microsoft.com/azure/security/azure-ad-choose-authn)
+- [Choosing the right authentication method for your Azure Active Directory hybrid identity solution](/azure/security/azure-ad-choose-authn)
[Return to Top](hello-how-it-works-technology.md)
## Primary Refresh Token
@@ -252,7 +252,7 @@ SSO relies on special tokens obtained for each of the types of applications abov
The PRT is initially obtained during Windows Logon (user sign-in/unlock) in a similar way the Kerberos TGT is obtained. This is true for both Azure AD joined and hybrid Azure AD joined devices. In personal devices registered with Azure AD, the PRT is initially obtained upon Add Work or School Account (in a personal device the account to unlock the device is not the work account but a consumer account e.g. hotmail.com, live.com, outlook.com, etc.).
-The PRT is needed for SSO. Without it, the user will be prompted for credentials when accessing applications every time. Please also note that the PRT contains information about the device. This means that if you have any [device-based conditional access](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-policy-connected-applications) policy set on an application, without the PRT, access will be denied.
+The PRT is needed for SSO. Without it, the user will be prompted for credentials when accessing applications every time. Please also note that the PRT contains information about the device. This means that if you have any [device-based conditional access](/azure/active-directory/active-directory-conditional-access-policy-connected-applications) policy set on an application, without the PRT, access will be denied.
[Return to Top](#technology-and-terms)
## Storage Root Key
@@ -285,7 +285,7 @@ A TPM implements controls that meet the specification described by the Trusted C
- The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard.
- The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015.
-Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](https://docs.microsoft.com/windows/security/information-protection/tpm/tpm-recommendations).
+Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](../../information-protection/tpm/tpm-recommendations.md).
Windows 10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 supports only TPM 2.0.
@@ -315,5 +315,4 @@ In a simplified manner, the TPM is a passive component with limited resources. I
### More information
- [TPM Library Specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/)
-[Return to Top](hello-how-it-works-technology.md)
-
+[Return to Top](hello-how-it-works-technology.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
index d9ccb2db53..8e0a208a86 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
@@ -37,13 +37,13 @@ Before adding Azure Active Directory (Azure AD) joined devices to your existing
- Network infrastructure in place to reach your on-premises domain controller. If the machines are external, this can be achieved using any VPN solution.
### Azure Active Directory Connect synchronization
-Azure AD join, as well as hybrid Azure AD join devices register the user's Windows Hello for Business credential with Azure. To enable on-premises authentication, the credential must be synchronized to the on-premises Active Directory, regardless whether you are using a key or a certificate. Ensure you have Azure AD Connect installed and functioning properly. To learn more about Azure AD Connect, read [Integrate your on-premises directories with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect).
+Azure AD join, as well as hybrid Azure AD join devices register the user's Windows Hello for Business credential with Azure. To enable on-premises authentication, the credential must be synchronized to the on-premises Active Directory, regardless whether you are using a key or a certificate. Ensure you have Azure AD Connect installed and functioning properly. To learn more about Azure AD Connect, read [Integrate your on-premises directories with Azure Active Directory](/azure/active-directory/connect/active-directory-aadconnect).
If you upgraded your Active Directory schema to the Windows Server 2016 schema after installing Azure AD Connect, run Azure AD Connect and run **Refresh directory schema** from the list of tasks.
### Azure Active Directory Device Registration
-A fundamental prerequisite of all cloud and hybrid Windows Hello for Business deployments is device registration. A user cannot provision Windows Hello for Business unless the device from which they are trying to provision has registered with Azure Active Directory. For more information about device registration, read [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/devices/overview).
+A fundamental prerequisite of all cloud and hybrid Windows Hello for Business deployments is device registration. A user cannot provision Windows Hello for Business unless the device from which they are trying to provision has registered with Azure Active Directory. For more information about device registration, read [Introduction to device management in Azure Active Directory](/azure/active-directory/devices/overview).
You can use the **dsregcmd.exe** command to determine if your device is registered to Azure Active Directory.
@@ -247,7 +247,7 @@ With the CA properly configured with a valid HTTP-based CRL distribution point,
7. Repeat this procedure on all your domain controllers.
> [!NOTE]
-> You can configure domain controllers to automatically enroll and renew their certificates. Automatic certificate enrollment helps prevent authentication outages due to expired certificates. Refer to the [Windows Hello Deployment Guides](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-deployment-guide) to learn how to deploy automatic certificate enrollment for domain controllers.
+> You can configure domain controllers to automatically enroll and renew their certificates. Automatic certificate enrollment helps prevent authentication outages due to expired certificates. Refer to the [Windows Hello Deployment Guides](./hello-deployment-guide.md) to learn how to deploy automatic certificate enrollment for domain controllers.
> [!IMPORTANT]
> If you are not using automatic certificate enrollment, create a calendar reminder to alert you two months before the certificate expiration date. Send the reminder to multiple people in the organization to ensure more than one or two people know when these certificates expire.
@@ -333,7 +333,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
13. Sign out of the Microsoft Endpoint Manager admin center.
> [!IMPORTANT]
-> For more details about the actual experience after everything has been configured, please see [Windows Hello for Business and Authentication](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication).
+> For more details about the actual experience after everything has been configured, please see [Windows Hello for Business and Authentication](./hello-how-it-works-authentication.md).
## Section Review
> [!div class="checklist"]
@@ -347,4 +347,3 @@ Sign-in a workstation with access equivalent to a _domain user_.
> * Configure Windows Hello for Business Device Enrollment
If you plan on using certificates for on-premises single-sign on, perform the additional steps in [Using Certificates for On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md).
-
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index 1c550a85f6..da0e139923 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -396,7 +396,7 @@ Certificate enrollment for Azure AD joined devices occurs over the Internet. As
Ideally, you configure your Microsoft Intune SCEP certificate profile to use multiple external NDES URLs. This enables Microsoft Intune to round-robin load balance the certificate requests to identically configured NDES Servers (each NDES server can accommodate approximately 300 concurrent requests). Microsoft Intune sends these requests to Azure AD Application Proxies.
-Azure AD Application proxies are serviced by lightweight Application Proxy Connector agents. See [What is Application Proxy](https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy#what-is-application-proxy) for more details. These agents are installed on your on-premises, domain joined devices and make authenticated secure outbound connection to Azure, waiting to process requests from Azure AD Application Proxies. You can create connector groups in Azure Active Directory to assign specific connectors to service specific applications.
+Azure AD Application proxies are serviced by lightweight Application Proxy Connector agents. See [What is Application Proxy](/azure/active-directory/manage-apps/application-proxy#what-is-application-proxy) for more details. These agents are installed on your on-premises, domain joined devices and make authenticated secure outbound connection to Azure, waiting to process requests from Azure AD Application Proxies. You can create connector groups in Azure Active Directory to assign specific connectors to service specific applications.
Connector group automatically round-robin, load balance the Azure AD Application proxy requests to the connectors within the assigned connector group. This ensures Windows Hello for Business certificate requests have multiple dedicated Azure AD Application Proxy connectors exclusively available to satisfy enrollment requests. Load balancing the NDES servers and connectors should ensure users enroll their Windows Hello for Business certificates in a timely manner.
@@ -712,4 +712,4 @@ You have successfully completed the configuration. Add users that need to enrol
> * Install and Configure the NDES Role
> * Configure Network Device Enrollment Services to work with Microsoft Intune
> * Download, Install, and Configure the Intune Certificate Connector
-> * Create and Assign a Simple Certificate Enrollment Protocol (SCEP Certificate Profile)
+> * Create and Assign a Simple Certificate Enrollment Protocol (SCEP Certificate Profile)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md
index 0088ba56ad..284db3b991 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md
@@ -76,7 +76,7 @@ Sign-in using _Enterprise Admin_ equivalent credentials on Windows Server 2012 o
### Configure a Production Public Key Infrastructure
-If you do have an existing public key infrastructure, please review [Certification Authority Guidance](https://technet.microsoft.com/library/hh831574.aspx) from Microsoft TechNet to properly design your infrastructure. Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](https://technet.microsoft.com/library/hh831348.aspx) for instructions on how to configure your public key infrastructure using the information from your design session.
+If you do have an existing public key infrastructure, please review [Certification Authority Guidance](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831574(v=ws.11)) from Microsoft TechNet to properly design your infrastructure. Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831348(v=ws.11)) for instructions on how to configure your public key infrastructure using the information from your design session.
### Section Review ###
@@ -88,7 +88,7 @@ If you do have an existing public key infrastructure, please review [Certificati
## Azure Active Directory ##
You’ve prepared your Active Directory. Hybrid Windows Hello for Business deployment needs Azure Active Directory to host your cloud-based identities.
-The next step of the deployment is to follow the [Creating an Azure AD tenant](https://docs.microsoft.com/azure/active-directory/develop/active-directory-howto-tenant) process to provision an Azure tenant for your organization.
+The next step of the deployment is to follow the [Creating an Azure AD tenant](/azure/active-directory/develop/active-directory-howto-tenant) process to provision an Azure tenant for your organization.
### Section Review
@@ -100,7 +100,7 @@ The next step of the deployment is to follow the [Creating an Azure AD tenant](h
## Multifactor Authentication Services
Windows Hello for Business uses multi-factor authentication during provisioning and during user initiated PIN reset scenarios, such as when a user forgets their PIN. There are two preferred multi-factor authentication configurations with hybrid deployments—Azure MFA and AD FS using Azure MFA
-Review the [What is Azure AD Multi-Factor Authentication](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication) topic to familiarize yourself its purpose and how it works.
+Review the [What is Azure AD Multi-Factor Authentication](/azure/multi-factor-authentication/multi-factor-authentication) topic to familiarize yourself its purpose and how it works.
### Azure AD Multi-Factor Authentication (MFA) Cloud ###
> [!IMPORTANT]
@@ -112,16 +112,16 @@ Review the [What is Azure AD Multi-Factor Authentication](https://docs.microsoft
> If you have one of these subscriptions or licenses, skip the Azure MFA Adapter section.
#### Azure MFA Provider ####
-If your organization uses Azure MFA on a per-consumption model (no licenses), then review the [Create a Multifactor Authentication Provider](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-auth-provider) section to create an Azure MFA Authentication provider and associate it with your Azure tenant.
+If your organization uses Azure MFA on a per-consumption model (no licenses), then review the [Create a Multifactor Authentication Provider](/azure/multi-factor-authentication/multi-factor-authentication-get-started-auth-provider) section to create an Azure MFA Authentication provider and associate it with your Azure tenant.
#### Configure Azure MFA Settings ####
-Once you have created your Azure MFA authentication provider and associated it with an Azure tenant, you need to configure the multi-factor authentication settings. Review the [Configure Azure AD Multi-Factor Authentication settings](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-whats-next) section to configure your settings.
+Once you have created your Azure MFA authentication provider and associated it with an Azure tenant, you need to configure the multi-factor authentication settings. Review the [Configure Azure AD Multi-Factor Authentication settings](/azure/multi-factor-authentication/multi-factor-authentication-whats-next) section to configure your settings.
#### Azure MFA User States ####
-After you have completed configuring your Azure MFA settings, you want to review configure [User States](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-user-states) to understand user states. User states determine how you enable Azure MFA for your users.
+After you have completed configuring your Azure MFA settings, you want to review configure [User States](/azure/multi-factor-authentication/multi-factor-authentication-get-started-user-states) to understand user states. User states determine how you enable Azure MFA for your users.
### Azure MFA via ADFS 2016 ###
-Alternatively, you can configure Windows Server 2016 Active Directory Federation Services (AD FS) to provide additional multi-factor authentication. To configure, read the [Configure AD FS 2016 and Azure MFA](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa) section
+Alternatively, you can configure Windows Server 2016 Active Directory Federation Services (AD FS) to provide additional multi-factor authentication. To configure, read the [Configure AD FS 2016 and Azure MFA](/windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa) section
### Section Review
@@ -147,4 +147,4 @@ Alternatively, you can configure Windows Server 2016 Active Directory Federation
3. New Installation Baseline (*You are here*)
4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md)
-6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
+6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
index 81afb0421e..1abceb0c9a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
@@ -30,7 +30,7 @@ Your environment is federated and you are ready to configure device registration
> If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment.
>[!TIP]
->Refer to the [Tutorial: Configure hybrid Azure Active Directory join for federated domains](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-federated-domains) to learn more about setting up Azure Active Directory Connect for a simplified join flow for Azure AD device registration.
+>Refer to the [Tutorial: Configure hybrid Azure Active Directory join for federated domains](/azure/active-directory/devices/hybrid-azuread-join-federated-domains) to learn more about setting up Azure Active Directory Connect for a simplified join flow for Azure AD device registration.
Use this three-phased approach for configuring device registration.
1. [Configure devices to register in Azure](#configure-azure-for-device-registration)
@@ -43,7 +43,7 @@ Use this three-phased approach for configuring device registration.
> * Azure AD joined devices
> * Hybrid Azure AD joined devices
>
-> You can learn about this and more by reading [Introduction to Device Management in Azure Active Directory.](https://docs.microsoft.com/azure/active-directory/device-management-introduction)
+> You can learn about this and more by reading [Introduction to Device Management in Azure Active Directory.](/azure/active-directory/device-management-introduction)
>[!IMPORTANT]
> To use hybrid identity with Azure Active Directory and device WriteBack features, you must use the built-in GUI with the [latest updates for ADConnect](https://www.microsoft.com/download/details.aspx?id=47594).
@@ -51,7 +51,7 @@ Use this three-phased approach for configuring device registration.
## Configure Azure for Device Registration
Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD.
-To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-setup/)
+To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](/azure/active-directory/devices/device-management-azure-portal)
## Configure Active Directory to support Azure device synchronization
@@ -93,23 +93,23 @@ Sign-in to the domain controller hosting the schema master operational role usin
### Setup Active Directory Federation Services
-If you are new to AD FS and federation services, you should review [Understanding Key AD FS Concepts](https://docs.microsoft.com/windows-server/identity/ad-fs/technical-reference/understanding-key-ad-fs-concepts) to prior to designing and deploying your federation service.
-Review the [AD FS Design guide](https://docs.microsoft.com/windows-server/identity/ad-fs/design/ad-fs-design-guide-in-windows-server-2012-r2) to plan your federation service.
+If you are new to AD FS and federation services, you should review [Understanding Key AD FS Concepts](/windows-server/identity/ad-fs/technical-reference/understanding-key-ad-fs-concepts) to prior to designing and deploying your federation service.
+Review the [AD FS Design guide](/windows-server/identity/ad-fs/design/ad-fs-design-guide-in-windows-server-2012-r2) to plan your federation service.
-Once you have your AD FS design ready, review [Deploying a Federation Server farm](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) to configure AD FS in your environment.
+Once you have your AD FS design ready, review [Deploying a Federation Server farm](/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) to configure AD FS in your environment.
> [!IMPORTANT]
> During your AD FS deployment, skip the **Configure a federation server with Device Registration Service** and the **Configure Corporate DNS for the Federation Service and DRS** procedures.
-The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889). If your AD FS farm is not running the AD FS role with updates from Windows Server 2016, then read [Upgrading to AD FS in Windows Server 2016](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016)
+The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889). If your AD FS farm is not running the AD FS role with updates from Windows Server 2016, then read [Upgrading to AD FS in Windows Server 2016](/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016)
#### ADFS Web Proxy ###
Federation server proxies are computers that run AD FS software that have been configured manually to act in the proxy role. You can use federation server proxies in your organization to provide intermediary services between an Internet client and a federation server that is behind a firewall on your corporate network.
-Use the [Setting of a Federation Proxy](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/checklist--setting-up-a-federation-server-proxy) checklist to configure AD FS proxy servers in your environment.
+Use the [Setting of a Federation Proxy](/windows-server/identity/ad-fs/deployment/checklist--setting-up-a-federation-server-proxy) checklist to configure AD FS proxy servers in your environment.
### Deploy Azure AD Connect
-Next, you need to synchronize the on-premises Active Directory with Azure Active Directory. To do this, first review the [Integrating on-prem directories with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](https://go.microsoft.com/fwlink/?LinkId=615771).
+Next, you need to synchronize the on-premises Active Directory with Azure Active Directory. To do this, first review the [Integrating on-prem directories with Azure Active Directory](/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](https://go.microsoft.com/fwlink/?LinkId=615771).
-When you are ready to install, follow the **Configuring federation with AD FS** section of [Custom installation of Azure AD Connect](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-get-started-custom). Select the **Federation with AD FS** option on the **User sign-in** page. At the **AD FS Farm** page, select the use an existing option and click **Next**.
+When you are ready to install, follow the **Configuring federation with AD FS** section of [Custom installation of Azure AD Connect](/azure/active-directory/connect/active-directory-aadconnect-get-started-custom). Select the **Federation with AD FS** option on the **User sign-in** page. At the **AD FS Farm** page, select the use an existing option and click **Next**.
### Create AD objects for AD FS Device Authentication
If your AD FS farm is not already configured for Device Authentication (you can see this in the AD FS Management console under Service -> Device Registration), use the following steps to create the correct AD DS objects and configuration.
@@ -205,7 +205,7 @@ When you're using AD FS, you need to enable the following WS-Trust endpoints:
`/adfs/services/trust/13/certificatemixed`
> [!WARNING]
-> Both **adfs/services/trust/2005/windowstransport** and **adfs/services/trust/13/windowstransport** should be enabled as intranet facing endpoints only and must NOT be exposed as extranet facing endpoints through the Web Application Proxy. To learn more on how to disable WS-Trust Windows endpoints, see [Disable WS-Trust Windows endpoints on the proxy](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs#disable-ws-trust-windows-endpoints-on-the-proxy-ie-from-extranet). You can see what endpoints are enabled through the AD FS management console under **Service** > **Endpoints**.
+> Both **adfs/services/trust/2005/windowstransport** and **adfs/services/trust/13/windowstransport** should be enabled as intranet facing endpoints only and must NOT be exposed as extranet facing endpoints through the Web Application Proxy. To learn more on how to disable WS-Trust Windows endpoints, see [Disable WS-Trust Windows endpoints on the proxy](/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs#disable-ws-trust-windows-endpoints-on-the-proxy-ie-from-extranet). You can see what endpoints are enabled through the AD FS management console under **Service** > **Endpoints**.
> [!NOTE]
>If you don’t have AD FS as your on-premises federation service, follow the instructions from your vendor to make sure they support WS-Trust 1.3 or 2005 endpoints and that these are published through the Metadata Exchange file (MEX).
@@ -340,8 +340,8 @@ In the claim above,
- `$
## Federation ##
Windows Hello for Business hybrid certificate trust requires Active Directory being federated with Azure Active Directory and needs Windows Server 2016 Active Directory Federation Services or newer. Windows Hello for Business hybrid certificate trust doesn’t support Managed Azure Active Directory using Pass-through authentication or password hash sync. All nodes in the AD FS farm must run the same version of AD FS. Additionally, you need to configure your AD FS farm to support Azure registered devices.
-The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889). If your AD FS farm is not running the AD FS role with updates from Windows Server 2016, then read [Upgrading to AD FS in Windows Server 2016](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016)
+The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889). If your AD FS farm is not running the AD FS role with updates from Windows Server 2016, then read [Upgrading to AD FS in Windows Server 2016](/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016)
### Section Review ###
> [!div class="checklist"]
@@ -152,4 +152,4 @@ If your environment is already federated and supports Azure device registration,
3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md)
-6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
+6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
index 2857501f75..4de8c1ff50 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
@@ -26,7 +26,7 @@ ms.reviewer:
Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid certificate trust scenario.
-It is recommended that you review the Windows Hello for Business planning guide prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. You can review the [planning guide](https://docs.microsoft.com/windows/access-protection/hello-for-business/hello-planning-guide) and download the [planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514).
+It is recommended that you review the Windows Hello for Business planning guide prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. You can review the [planning guide](/windows/access-protection/hello-for-business/hello-planning-guide) and download the [planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514).
This deployment guide provides guidance for new deployments and customers who are already federated with Office 365. These two scenarios provide a baseline from which you can begin your deployment.
@@ -53,4 +53,4 @@ Regardless of the baseline you choose, your next step is to familiarize yourself
3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
4. [Device Registration](hello-hybrid-cert-trust-devreg.md)
5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md)
-6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
+6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
index c9ea9e18f9..355c24f66a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
@@ -57,7 +57,7 @@ The remainder of the provisioning includes Windows Hello for Business requesting
>
> The minimum time needed to synchronize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. The Azure AD Connect scheduler controls the synchronization interval.
> **This synchronization latency delays the user's ability to authenticate and use on-premises resources until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources.
-> Read [Azure AD Connect sync: Scheduler](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler) to view and adjust the **synchronization cycle** for your organization.
+> Read [Azure AD Connect sync: Scheduler](/azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler) to view and adjust the **synchronization cycle** for your organization.
>
> [!NOTE]
> Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889) provides synchronous certificate enrollment during hybrid certificate trust provisioning. With this update, users no longer need to wait for Azure AD Connect to sync their public key on-premises. Users enroll their certificate during provisioning and can use the certificate for sign-in immediately after completing the provisioning. The update needs to be installed on the federation servers.
@@ -81,5 +81,4 @@ The certificate authority validates the certificate was signed by the registrati
3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
5. [Configure Windows Hello for Business policy settings](hello-hybrid-cert-whfb-settings-policy.md)
-6. Sign-in and Provision (*You are here*)
-
+6. Sign-in and Provision (*You are here*)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
index 958991988c..3765f94152 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
@@ -79,7 +79,7 @@ Sign-in using _Enterprise Admin_ equivalent credentials on Windows Server 2012 o
## Configure a Production Public Key Infrastructure
-If you do not have an existing public key infrastructure, please review [Certification Authority Guidance](https://technet.microsoft.com/library/hh831574.aspx) from Microsoft TechNet to properly design your infrastructure. Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](https://technet.microsoft.com/library/hh831348.aspx) for instructions on how to configure your public key infrastructure using the information from your design session.
+If you do not have an existing public key infrastructure, please review [Certification Authority Guidance](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831574(v=ws.11)) from Microsoft TechNet to properly design your infrastructure. Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831348(v=ws.11)) for instructions on how to configure your public key infrastructure using the information from your design session.
> [!IMPORTANT]
> For Azure AD joined device to authenticate to and use on-premises resources, ensure you:
@@ -98,7 +98,7 @@ If you do not have an existing public key infrastructure, please review [Certifi
## Azure Active Directory
You've prepared your Active Directory. Hybrid Windows Hello for Business deployment needs Azure Active Directory to host your cloud-based identities.
-The next step of the deployment is to follow the [Creating an Azure AD tenant](https://docs.microsoft.com/azure/active-directory/develop/active-directory-howto-tenant) process to provision an Azure tenant for your organization.
+The next step of the deployment is to follow the [Creating an Azure AD tenant](/azure/active-directory/develop/active-directory-howto-tenant) process to provision an Azure tenant for your organization.
### Section Review
@@ -110,7 +110,7 @@ The next step of the deployment is to follow the [Creating an Azure AD tenant](h
## Multifactor Authentication Services
Windows Hello for Business uses multifactor authentication during provisioning and during user initiated PIN reset scenarios, such as when a user forgets their PIN. There are two preferred multifactor authentication configurations with hybrid deployments—Azure MFA and AD FS using Azure MFA or a third-party MFA adapter
-Review the [What is Azure AD Multi-Factor Authentication](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication) topic to familiarize yourself its purpose and how it works.
+Review the [What is Azure AD Multi-Factor Authentication](/azure/multi-factor-authentication/multi-factor-authentication) topic to familiarize yourself its purpose and how it works.
### Azure AD Multi-Factor Authentication (MFA) Cloud
@@ -124,13 +124,13 @@ Review the [What is Azure AD Multi-Factor Authentication](https://docs.microsoft
#### Configure Azure MFA Settings
-Review the [Configure Azure AD Multi-Factor Authentication settings](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-whats-next) section to configure your settings.
+Review the [Configure Azure AD Multi-Factor Authentication settings](/azure/multi-factor-authentication/multi-factor-authentication-whats-next) section to configure your settings.
#### Azure MFA User States
-After you have completed configuring your Azure MFA settings, you want to review [How to require two-step verification for a user](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-user-states) to understand user states. User states determine how you enable Azure MFA for your users.
+After you have completed configuring your Azure MFA settings, you want to review [How to require two-step verification for a user](/azure/multi-factor-authentication/multi-factor-authentication-get-started-user-states) to understand user states. User states determine how you enable Azure MFA for your users.
### Azure MFA via ADFS
-Alternatively, you can configure Windows Server 2016 Active Directory Federation Services (AD FS) to provide additional multi-factor authentication. To configure, read the [Configure AD FS 2016 and Azure MFA](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa) section.
+Alternatively, you can configure Windows Server 2016 Active Directory Federation Services (AD FS) to provide additional multi-factor authentication. To configure, read the [Configure AD FS 2016 and Azure MFA](/windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa) section.
### Section Review
@@ -156,5 +156,4 @@ Alternatively, you can configure Windows Server 2016 Active Directory Federation
4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)
6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md)
-7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)
-
+7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
index 314df80eac..e7ab21b989 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
@@ -32,14 +32,14 @@ You are ready to configure device registration for your hybrid environment. Hybr
> * Azure AD joined devices
> * Hybrid Azure AD joined devices
>
-> You can learn about this and more by reading [Introduction to Device Management in Azure Active Directory.](https://docs.microsoft.com/azure/active-directory/device-management-introduction)
+> You can learn about this and more by reading [Introduction to Device Management in Azure Active Directory.](/azure/active-directory/device-management-introduction)
## Configure Azure for Device Registration
Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD.
-To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-setup/).
+To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](/azure/active-directory/devices/device-management-azure-portal).
-Next, follow the guidance on the [How to configure hybrid Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-manual) page. In the **Configuration steps** section, identify your configuration at the top of the table (either **Windows current and password hash sync** or **Windows current and federation**) and perform only the steps identified with a check mark.
+Next, follow the guidance on the [How to configure hybrid Azure Active Directory joined devices](/azure/active-directory/devices/hybrid-azuread-join-manual) page. In the **Configuration steps** section, identify your configuration at the top of the table (either **Windows current and password hash sync** or **Windows current and federation**) and perform only the steps identified with a check mark.
@@ -53,4 +53,4 @@ Next, follow the guidance on the [How to configure hybrid Azure Active Directory
4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
5. Configure Azure Device Registration (*You are here*)
6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md)
-7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)
+7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md
index 0f5cdfa98a..b2515e71f4 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md
@@ -27,7 +27,7 @@ ms.reviewer:
You are ready to configure directory synchronization for your hybrid environment. Hybrid Windows Hello for Business deployment needs both a cloud and an on-premises identity to authenticate and access resources in the cloud or on-premises.
## Deploy Azure AD Connect
-Next, you need to synchronize the on-premises Active Directory with Azure Active Directory. To do this, first review the [Integrating on-prem directories with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](https://go.microsoft.com/fwlink/?LinkId=615771).
+Next, you need to synchronize the on-premises Active Directory with Azure Active Directory. To do this, first review the [Integrating on-prem directories with Azure Active Directory](/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](https://go.microsoft.com/fwlink/?LinkId=615771).
> [!NOTE]
@@ -44,4 +44,4 @@ Next, you need to synchronize the on-premises Active Directory with Azure Active
4. Configure Directory Synchronization (*You are here*)
5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)
6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md)
-7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)
+7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
index 1a946e82dc..addb6018f5 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
@@ -73,8 +73,8 @@ The minimum required Enterprise certificate authority that can be used with Wind
* Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None].
* The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1), and KDC Authentication (1.3.6.1.5.2.3.5).
* The certificate Subject Alternative Name section must contain the Domain Name System (DNS) name.
-* The certificate template must have an extension that has the value "DomainController", encoded as a [BMPstring](https://docs.microsoft.com/windows/win32/seccertenroll/about-bmpstring). If you are using Windows Server Enterprise Certificate Authority, this extension is already included in the domain controller certificate template.
-* The domain controller certificate must be installed in the local computer's certificate store. See [Configure Hybrid Windows Hello for Business: Public Key Infrastructure](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki) for details.
+* The certificate template must have an extension that has the value "DomainController", encoded as a [BMPstring](/windows/win32/seccertenroll/about-bmpstring). If you are using Windows Server Enterprise Certificate Authority, this extension is already included in the domain controller certificate template.
+* The domain controller certificate must be installed in the local computer's certificate store. See [Configure Hybrid Windows Hello for Business: Public Key Infrastructure](./hello-hybrid-cert-whfb-settings-pki.md) for details.
> [!IMPORTANT]
@@ -97,14 +97,14 @@ Organizations using older directory synchronization technology, such as DirSync
### Section Review
> [!div class="checklist"]
> * Azure Active Directory Connect directory synchronization
-> * [Upgrade from DirSync](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-dirsync-upgrade-get-started)
-> * [Upgrade from Azure AD Sync](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-upgrade-previous-version)
+> * [Upgrade from DirSync](/azure/active-directory/connect/active-directory-aadconnect-dirsync-upgrade-get-started)
+> * [Upgrade from Azure AD Sync](/azure/active-directory/connect/active-directory-aadconnect-upgrade-previous-version)
## Federation with Azure
-You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](https://docs.microsoft.com/azure/active-directory/hybrid/whatis-phs) or [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) 2012 R2 or later.
+You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](/azure/active-directory/hybrid/whatis-phs) or [Azure Active Directory Pass-through-Authentication](/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) 2012 R2 or later.
> [!div class="checklist"]
> * Non-federated environments
@@ -166,4 +166,4 @@ For federated and non-federated environments, start with **Configure Windows Hel
4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)
6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md)
-7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)
+7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
index 63743f3ea2..d8a1b0a961 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
@@ -26,7 +26,7 @@ ms.reviewer:
Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid key trust scenario.
-It is recommended that you review the Windows Hello for Business planning guide prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. You can review the [planning guide](https://docs.microsoft.com/windows/access-protection/hello-for-business/hello-planning-guide) and download the [planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514).
+It is recommended that you review the Windows Hello for Business planning guide prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. You can review the [planning guide](/windows/access-protection/hello-for-business/hello-planning-guide) and download the [planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514).
This deployment guide provides guidance for new deployments and customers who are already federated with Office 365. These two scenarios provide a baseline from which you can begin your deployment.
@@ -51,4 +51,4 @@ Your next step is to familiarize yourself with the prerequisites needed for the
4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)
6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md)
-7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)
+7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
index 5a790c046a..9c149abb04 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
@@ -55,7 +55,7 @@ The remainder of the provisioning includes Windows Hello for Business requesting
> [!IMPORTANT]
> The minimum time needed to synchronize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. The Azure AD Connect scheduler controls the synchronization interval.
> **This synchronization latency delays the user's ability to authenticate and use on-premises resources until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources.
-> Read [Azure AD Connect sync: Scheduler](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler) to view and adjust the **synchronization cycle** for your organization.
+> Read [Azure AD Connect sync: Scheduler](/azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler) to view and adjust the **synchronization cycle** for your organization.
@@ -68,4 +68,4 @@ The remainder of the provisioning includes Windows Hello for Business requesting
4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)
6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md)
-7. Sign-in and Provision(*You are here*)
+7. Sign-in and Provision(*You are here*)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
index 3bd0bbe112..e3fbad8b54 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
@@ -29,7 +29,7 @@ In hybrid deployments, users register the public portion of their Windows Hello
### Group Memberships for the Azure AD Connect Service Account
>[!IMPORTANT]
-> If you already have a Windows Server 2016 domain controller in your domain, you can skip **Configure Permissions for Key Synchronization**. For more detail see [Configure Hybrid Windows Hello for Business: Directory Synchronization](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync).
+> If you already have a Windows Server 2016 domain controller in your domain, you can skip **Configure Permissions for Key Synchronization**. For more detail see [Configure Hybrid Windows Hello for Business: Directory Synchronization](./hello-hybrid-cert-whfb-settings-dir-sync.md).
The KeyAdmins global group provides the Azure AD Connect service with the permissions needed to read and write the public key to Active Directory.
@@ -60,4 +60,4 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)
6. Configure Windows Hello for Business settings: Directory Synchronization (*You are here*)
-7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)
+7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
index 7ab3353cab..7c662edce9 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
@@ -81,13 +81,9 @@ Sign-in a certificate authority or management workstations with _Enterprise Admi
The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities.
> [!NOTE]
-> The certificate for the CA issuing the domain controller certificate must be included in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a multi-tier CA hierarchy or a third-party CA, this may not be done by default. If the Domain Controller certificate does not directly chain to a CA certificate in the NTAuth store, user authentication will fail.
-
-The following PowerShell command can be used to check all certificates in the NTAuth store:
-
-```powershell
-Certutil -viewstore -enterprise NTAuth
-```
+> A domain controller's certificate must chain to a certificate in the NTAuth store in Active Directory. By default, online "Enterprise" Active Directory Certificate Authority certificates are added to the NTAuth store at installation time. If you are using a third-party CA, this is not done by default. If the domain controller certificate does not chain to a trusted CA in the NTAuth store, user authentication will fail.
+>
+> You can view an AD forest's NTAuth store (NTAuthCertificates) using PKIVIEW.MSC from an ADCS CA. Open PKIView.msc, then click the Action menu -> Manage AD Containers. To see all certificates in the NTAuth store, run **Certutil -viewstore -enterprise NTAuth** from the command-line interface (Cmd.exe).
### Publish Certificate Templates to a Certificate Authority
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
index d7355b0c32..f39befdec4 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
@@ -75,7 +75,7 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv
The Windows Hello for Business Group Policy object delivers the correct Group Policy settings to the user, which enables them to enroll and use Windows Hello for Business to authenticate to Azure and Active Directory
> [!NOTE]
-> If you deployed Windows Hello for Business configuration using both Group Policy and Microsoft Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more details about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows 10 device settings to enable Windows Hello for Business in Intune](https://docs.microsoft.com/mem/intune/protect/identity-protection-windows-settings) and [PassportForWork CSP](https://docs.microsoft.com/windows/client-management/mdm/passportforwork-csp). For more details about policy conflicts, see [Policy conflicts from multiple policy sources](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-manage-in-organization#policy-conflicts-from-multiple-policy-sources)
+> If you deployed Windows Hello for Business configuration using both Group Policy and Microsoft Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more details about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows 10 device settings to enable Windows Hello for Business in Intune](/mem/intune/protect/identity-protection-windows-settings) and [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp). For more details about policy conflicts, see [Policy conflicts from multiple policy sources](./hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources)
#### Enable Windows Hello for Business
@@ -180,4 +180,4 @@ Users must receive the Windows Hello for Business group policy settings and have
4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)
6. Configure Windows Hello for Business policy settings (*You are here*)
-7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)
+7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
index d53a57bff1..ddb05b73ac 100644
--- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
+++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
@@ -77,4 +77,4 @@ The table shows the minimum requirements for each deployment.
| Azure Account, optional for Azure MFA billing | Azure Account, optional for Azure MFA billing |
> [!IMPORTANT]
-> For Windows Hello for Business key trust deployments, if you have several domains, at least one Windows Server Domain Controller 2016 or newer is required for each domain. For more information, see the [planning guide](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers).
+> For Windows Hello for Business key trust deployments, if you have several domains, at least one Windows Server Domain Controller 2016 or newer is required for each domain. For more information, see the [planning guide](./hello-adequate-domain-controllers.md).
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
index 2a2c07e715..99491fb5c3 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
@@ -28,9 +28,9 @@ Windows Hello for Business works exclusively with the Active Directory Federatio
The following guidance describes deploying a new instance of Active Directory Federation Services 2016 using the Windows Information Database as the configuration database, which is ideal for environments with no more than 30 federation servers and no more than 100 relying party trusts.
-If your environment exceeds either of these factors or needs to provide SAML artifact resolution, token replay detection, or needs Active Directory Federation Services to operate in a federated provider role, then your deployment needs to use a SQL for your configuration database. To deploy the Active Directory Federation Services using SQL as its configuration database, please review the [Deploying a Federation Server Farm](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) checklist.
+If your environment exceeds either of these factors or needs to provide SAML artifact resolution, token replay detection, or needs Active Directory Federation Services to operate in a federated provider role, then your deployment needs to use a SQL for your configuration database. To deploy the Active Directory Federation Services using SQL as its configuration database, please review the [Deploying a Federation Server Farm](/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) checklist.
-If your environment has an existing instance of Active Directory Federation Services, then you’ll need to upgrade all nodes in the farm to Windows Server 2016 along with the Windows Server 2016 update. If your environment uses Windows Internal Database (WID) for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 using a WID database](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016) to upgrade your environment. If your environment uses SQL for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 with SQL Server](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016-sql) to upgrade your environment.
+If your environment has an existing instance of Active Directory Federation Services, then you’ll need to upgrade all nodes in the farm to Windows Server 2016 along with the Windows Server 2016 update. If your environment uses Windows Internal Database (WID) for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 using a WID database](/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016) to upgrade your environment. If your environment uses SQL for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 with SQL Server](/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016-sql) to upgrade your environment.
Ensure you apply the Windows Server 2016 Update to all nodes in the farm after you have successfully completed the upgrade.
@@ -347,4 +347,4 @@ Before you continue with the deployment, validate your deployment progress by re
2. [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md)
3. Prepare and Deploy Windows Server 2016 Active Directory Federation Services (*You are here*)
4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-key-trust-validate-deploy-mfa.md)
-5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md)
+5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
index 1a4dcd1e37..c2c52074f8 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
@@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security, mobile
author: dansimp
audience: ITPro
-ms.author: dolmont
+ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
index ce54bf0ffb..90a492218c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
@@ -29,13 +29,13 @@ ms.reviewer:
Windows Hello for Business requires all users perform multi-factor authentication prior to creating and registering a Windows Hello for Business credential. On-premises deployments can use certificates, third-party authentication providers for AD FS, or a custom authentication provider for AD FS as an on-premises MFA option.
-For information on available third-party authentication methods see [Configure Additional Authentication Methods for AD FS](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method see [Build a Custom Authentication Method for AD FS in Windows Server](https://docs.microsoft.com/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method)
+For information on available third-party authentication methods see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method)
-Follow the integration and deployment guide for the authentication provider you select to integrate and deploy it to AD FS. Make sure that the authentication provider is selected as a multi-factor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies see [Configure Authentication Policies](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-authentication-policies).
+Follow the integration and deployment guide for the authentication provider you select to integrate and deploy it to AD FS. Make sure that the authentication provider is selected as a multi-factor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies).
## Follow the Windows Hello for Business on premises certificate trust deployment guide
1. [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md)
2. [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md)
3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md)
4. Validate and Deploy Multifactor Authentication Services (MFA) (*You are here*)
-5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md)
+5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
index 7a49cdb675..08e787ef60 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
@@ -53,7 +53,7 @@ Sign-in using _Enterprise Admin_ equivalent credentials on Windows Server 2012 o
## Configure a Production Public Key Infrastructure
-If you do have an existing public key infrastructure, please review [Certification Authority Guidance](https://technet.microsoft.com/library/hh831574.aspx) from Microsoft TechNet to properly design your infrastructure. Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](https://technet.microsoft.com/library/hh831348.aspx) for instructions on how to configure your public key infrastructure using the information from your design session.
+If you do have an existing public key infrastructure, please review [Certification Authority Guidance](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831574(v=ws.11)) from Microsoft TechNet to properly design your infrastructure. Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831348(v=ws.11)) for instructions on how to configure your public key infrastructure using the information from your design session.
### Configure Domain Controller Certificates
@@ -258,4 +258,4 @@ Use the event logs to monitor certificate enrollment and archive. Review the co
2. Validate and Configure Public Key Infrastructure (*You are here*)
3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md)
4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-key-trust-validate-deploy-mfa.md)
-5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md)
+5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
index c21280812b..ab8e875aaa 100644
--- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
+++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
@@ -187,7 +187,7 @@ For more information about using the PIN recovery service for PIN reset see [Win
## MDM policy settings for Windows Hello for Business
-The following table lists the MDM policy settings that you can configure for Windows Hello for Business use in your workplace. These MDM policy settings use the [PassportForWork configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkId=692070).
+The following table lists the MDM policy settings that you can configure for Windows Hello for Business use in your workplace. These MDM policy settings use the [PassportForWork configuration service provider (CSP)](/windows/client-management/mdm/passportforwork-csp).
>[!IMPORTANT]
>Starting in Windows 10, version 1607, all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP.
@@ -422,4 +422,4 @@ If you want to use Windows Hello for Business with certificates, you'll need a d
- [Windows Hello and password changes](hello-and-password-changes.md)
- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
-- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
+- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md
index 80d8f81611..00fa16c254 100644
--- a/windows/security/identity-protection/hello-for-business/hello-overview.md
+++ b/windows/security/identity-protection/hello-for-business/hello-overview.md
@@ -29,7 +29,7 @@ In Windows 10, Windows Hello for Business replaces passwords with strong two-fa
Windows Hello addresses the following problems with passwords:
- Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites.
- Server breaches can expose symmetric network credentials (passwords).
-- Passwords are subject to [replay attacks](https://go.microsoft.com/fwlink/p/?LinkId=615673).
+- Passwords are subject to [replay attacks](/previous-versions/dotnet/netframework-4.0/aa738652(v=vs.100)).
- Users can inadvertently expose their passwords due to [phishing attacks](https://go.microsoft.com/fwlink/p/?LinkId=615674).
Windows Hello lets users authenticate to:
@@ -94,7 +94,7 @@ For details, see [How Windows Hello for Business works](hello-how-it-works.md).
Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. Enterprises that have a public key infrastructure (PKI) for issuing and managing end user certificates can continue to use PKI in combination with Windows Hello. Enterprises that do not use PKI or want to reduce the effort associated with managing user certificates can rely on key-based credentials for Windows Hello but still use certificates on their domain controllers as a root of trust.
-Windows Hello for Business with a key does not support supplied credentials for RDP. RDP does not support authentication with a key or a self signed certificate. RDP with Windows Hello for Business is supported with certificate based deployments as a supplied credential. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/remote-credential-guard).
+Windows Hello for Business with a key does not support supplied credentials for RDP. RDP does not support authentication with a key or a self signed certificate. RDP with Windows Hello for Business is supported with certificate based deployments as a supplied credential. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md).
## Learn more
@@ -102,9 +102,9 @@ Windows Hello for Business with a key does not support supplied credentials for
[Implementing Windows Hello for Business at Microsoft](https://www.microsoft.com/en-us/itshowcase/implementing-windows-hello-for-business-at-microsoft)
-[Introduction to Windows Hello](https://go.microsoft.com/fwlink/p/?LinkId=786649), video presentation on Microsoft Virtual Academy
+[Introduction to Windows Hello](/learn/?l=eH7yoY2BC_9106218949), video presentation on Microsoft Virtual Academy
-[Windows Hello face authentication](https://go.microsoft.com/fwlink/p/?LinkId=626024)
+[Windows Hello face authentication](/windows-hardware/design/device-experiences/windows-hello-face-authentication)
[Windows 10: Disrupting the Revolution of Cyber-Threats with Revolutionary Security!](https://go.microsoft.com/fwlink/p/?LinkId=533890)
@@ -121,4 +121,4 @@ Windows Hello for Business with a key does not support supplied credentials for
- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
-
+
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
index 57805caf8b..9bec345719 100644
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -96,10 +96,10 @@ A deployment's trust type defines how each Windows Hello for Business client aut
The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
-The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 or later Active Directory schema](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs#directories)). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller.
+The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 or later Active Directory schema](./hello-hybrid-cert-trust-prereqs.md#directories)). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller.
> [!NOTE]
-> RDP does not support authentication with Windows Hello for Business key trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/remote-credential-guard).
+> RDP does not support authentication with Windows Hello for Business key trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md).
#### Device registration
@@ -112,11 +112,11 @@ The built-in Windows Hello for Business provisioning experience creates a hardwa
#### Multifactor authentication
> [!IMPORTANT]
-> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who require multi-factor authentication for their users should use cloud-based Azure AD Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1, 2019 will be able to download the latest version, future updates and generate activation credentials as usual. See [Getting started with the Azure AD Multi-Factor Authentication Server](https://docs.microsoft.com/azure/active-directory/authentication/howto-mfaserver-deploy) for more details.
+> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who require multi-factor authentication for their users should use cloud-based Azure AD Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1, 2019 will be able to download the latest version, future updates and generate activation credentials as usual. See [Getting started with the Azure AD Multi-Factor Authentication Server](/azure/active-directory/authentication/howto-mfaserver-deploy) for more details.
The goal of Windows Hello for Business is to move organizations away from passwords by providing them a strong credential that provides easy two-factor authentication. The built-in provisioning experience accepts the user's weak credentials (username and password) as the first factor authentication; however, the user must provide a second factor of authentication before Windows provisions a strong credential.
-Cloud only and hybrid deployments provide many choices for multi-factor authentication. On-premises deployments must use a multi-factor authentication that provides an AD FS multi-factor adapter to be used in conjunction with the on-premises Windows Server 2016 AD FS server role. Organizations can use the on-premises Azure AD Multi-Factor Authentication server, or choose from several third parties (Read [Microsoft and third-party additional authentication methods](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods) for more information).
+Cloud only and hybrid deployments provide many choices for multi-factor authentication. On-premises deployments must use a multi-factor authentication that provides an AD FS multi-factor adapter to be used in conjunction with the on-premises Windows Server 2016 AD FS server role. Organizations can use the on-premises Azure AD Multi-Factor Authentication server, or choose from several third parties (Read [Microsoft and third-party additional authentication methods](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods) for more information).
> [!NOTE]
> Azure AD Multi-Factor Authentication is available through:
> * Microsoft Enterprise Agreement
@@ -334,11 +334,11 @@ If box **1a** on your planning worksheet reads **cloud only** or **hybrid**, wri
If box **1a** on your planning worksheet reads **on-premises**, and box **1f** reads **AD FS with third party**, write **No** in box **6a** on your planning worksheet. Otherwise, write **Yes** in box **6a** as you need an Azure account for per-consumption MFA billing. Write **No** in box **6b** on your planning worksheet—on-premises deployments do not use the cloud directory.
-Windows Hello for Business does not require an Azure AD premium subscription. However, some dependencies, such as [MDM automatic enrollment](https://docs.microsoft.com/mem/intune/enrollment/quickstart-setup-auto-enrollment) and [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) do.
+Windows Hello for Business does not require an Azure AD premium subscription. However, some dependencies, such as [MDM automatic enrollment](/mem/intune/enrollment/quickstart-setup-auto-enrollment) and [Conditional Access](/azure/active-directory/conditional-access/overview) do.
If box **1a** on your planning worksheet reads **on-premises**, write **No** in box **6c** on your planning worksheet.
-If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the Azure Active Directory free tier. All Azure Active Directory free accounts can use Azure AD Multi-Factor Authentication through the use of security defaults. Some Azure AD Multi-Factor Authentication features require a license. For more details, see [Features and licenses for Azure AD Multi-Factor Authentication](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-licensing).
+If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the Azure Active Directory free tier. All Azure Active Directory free accounts can use Azure AD Multi-Factor Authentication through the use of security defaults. Some Azure AD Multi-Factor Authentication features require a license. For more details, see [Features and licenses for Azure AD Multi-Factor Authentication](/azure/active-directory/authentication/concept-mfa-licensing).
If box **5b** on your planning worksheet reads **AD FS RA**, write **Yes** in box **6c** on your planning worksheet. Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device write-back, an Azure AD Premium feature.
@@ -348,4 +348,4 @@ If boxes **2a** or **2b** read **modern management** and you want devices to aut
## Congratulations, You're Done
-Your Windows Hello for Business planning worksheet should be complete. This guide provided understanding of the components used in the Windows Hello for Business infrastructure and rationalization of why they are used. The worksheet gives you an overview of the requirements needed to continue the next phase of the deployment. With this worksheet, you'll be able to identify key elements of your Windows Hello for Business deployment.
+Your Windows Hello for Business planning worksheet should be complete. This guide provided understanding of the components used in the Windows Hello for Business infrastructure and rationalization of why they are used. The worksheet gives you an overview of the requirements needed to continue the next phase of the deployment. With this worksheet, you'll be able to identify key elements of your Windows Hello for Business deployment.
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md
index d924d3f98c..a17d30b55f 100644
--- a/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md
+++ b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md
@@ -21,7 +21,7 @@ ms.reviewer:
> Some information relates to pre-released product that may change before it is commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-Microsoft has been aligned with the [FIDO Alliance](https://fidoalliance.org/) with a mission to replace passwords with an easy to use, strong 2FA credential. We have been working with our partners to extensively test and deliver a seamless and secure authentication experience to end users. See [FIDO2 security keys features and providers](https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-passwordless#fido2-security-keys).
+Microsoft has been aligned with the [FIDO Alliance](https://fidoalliance.org/) with a mission to replace passwords with an easy to use, strong 2FA credential. We have been working with our partners to extensively test and deliver a seamless and secure authentication experience to end users. See [FIDO2 security keys features and providers](/azure/active-directory/authentication/concept-authentication-passwordless#fido2-security-keys).
The [FIDO2 CTAP specification](https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html) contains a few optional features and extensions which are crucial to provide that seamless and secure experience.
@@ -33,4 +33,3 @@ A security key **MUST** implement the following features and extensions from the
| 2 | Client pin | This feature enables you to protect your credentials with a second factor and applies to security keys that do not have an user interface|
| 3 | hmac-secret | This extension ensures you can sign-in to your device when it's off-line or in airplane mode |
| 4 | Multiple accounts per RP | This feature ensures you can use the same security key across multiple services like Microsoft Account (MSA) and Azure Active Directory (AAD) |
-
diff --git a/windows/security/identity-protection/hello-for-business/reset-security-key.md b/windows/security/identity-protection/hello-for-business/reset-security-key.md
index d2a4db9205..732dff8677 100644
--- a/windows/security/identity-protection/hello-for-business/reset-security-key.md
+++ b/windows/security/identity-protection/hello-for-business/reset-security-key.md
@@ -24,7 +24,7 @@ ms.reviewer:
>This operation will wipe everything from your security key and reset it to factory defaults. **All data and credentials will be cleared.**
-A [Microsoft-compatible security key](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key) can be reset via Settings app ( Settings > Accounts > Sign-in options > Security key ).
+A [Microsoft-compatible security key](./microsoft-compatible-security-key.md) can be reset via Settings app ( Settings > Accounts > Sign-in options > Security key ).
Follow the instructions in the Settings app and look for specific instructions based on your security key manufacturer below:
@@ -37,4 +37,4 @@ Follow the instructions in the Settings app and look for specific instructions b
>[!NOTE]
>The steps to reset your security key may vary based on the security key manufacturer.
->If your security key is not listed here, please reach out to your security key manufacturer for reset instructions.
+>If your security key is not listed here, please reach out to your security key manufacturer for reset instructions.
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
index 00b0bd2e95..5e24e71b64 100644
--- a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
@@ -61,7 +61,7 @@ Containers can contain several types of key material:
- An authentication key, which is always an asymmetric public–private key pair. This key pair is generated during registration. It must be unlocked each time it’s accessed, by using either the user’s PIN or a previously generated biometric gesture. The authentication key exists until the user resets the PIN, at which time a new key will be generated. When the new key is generated, all the key material that the old key previously protected must be decrypted and re-encrypted using the new key.
- Virtual smart card keys are generated when a virtual smart card is generated and stored securely in the container. They’re available whenever the user’s container is unlocked.
- The IDP key. These keys can be either symmetric or asymmetric, depending on which IDP you use. A single container may contain zero or more IDP keys, with some restrictions (for example, the enterprise container can contain zero or one IDP keys). IDP keys are stored in the container. For certificate-based Windows Hello for Work, when the container is unlocked, applications that require access to the IDP key or key pair can request access. IDP keys are used to sign or encrypt authentication requests or tokens sent from this device to the IDP. IDP keys are typically long-lived but could have a shorter lifetime than the authentication key. Microsoft accounts, Active Directory accounts, and Azure AD accounts all require the use of asymmetric key pairs. The device generates public and private keys, registers the public key with the IDP (which stores it for later verification), and securely stores the private key. For enterprises, the IDP keys can be generated in two ways:
- - The IDP key pair can be associated with an enterprise Certificate Authority (CA) through the Windows Network Device Enrollment Service (NDES), described more fully in [Network Device Enrollment Service Guidance](https://technet.microsoft.com/library/hh831498.aspx). In this case, Windows Hello requests a new certificate with the same key as the certificate from the existing PKI. This option lets organizations that have an existing PKI continue to use it where appropriate. Given that many applications, such as popular virtual private network systems, require the use of certificates, when you deploy Windows Hello in this mode, it allows a faster transition away from user passwords while still preserving certificate-based functionality. This option also allows the enterprise to store additional certificates in the protected container.
+ - The IDP key pair can be associated with an enterprise Certificate Authority (CA) through the Windows Network Device Enrollment Service (NDES), described more fully in [Network Device Enrollment Service Guidance](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831498(v=ws.11)). In this case, Windows Hello requests a new certificate with the same key as the certificate from the existing PKI. This option lets organizations that have an existing PKI continue to use it where appropriate. Given that many applications, such as popular virtual private network systems, require the use of certificates, when you deploy Windows Hello in this mode, it allows a faster transition away from user passwords while still preserving certificate-based functionality. This option also allows the enterprise to store additional certificates in the protected container.
- The IDP can generate the IDP key pair directly, which allows quick, lower-overhead deployment of Windows Hello in environments that don’t have or need a PKI.
## How keys are protected
@@ -122,4 +122,4 @@ Windows Hello depends on having compatible IDPs available to it. As of this writ
- [Windows Hello and password changes](../hello-and-password-changes.md)
- [Windows Hello errors during PIN creation](../hello-errors-during-pin-creation.md)
- [Event ID 300 - Windows Hello successfully created](../hello-event-300.md)
-- [Windows Hello biometrics in the enterprise](../hello-biometrics-in-enterprise.md)
+- [Windows Hello biometrics in the enterprise](../hello-biometrics-in-enterprise.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/installing-digital-certificates-on-windows-10-mobile.md b/windows/security/identity-protection/installing-digital-certificates-on-windows-10-mobile.md
index fc906d9e08..9cf1ca34c2 100644
--- a/windows/security/identity-protection/installing-digital-certificates-on-windows-10-mobile.md
+++ b/windows/security/identity-protection/installing-digital-certificates-on-windows-10-mobile.md
@@ -32,7 +32,7 @@ Certificates in Windows 10 Mobile are primarily used for the following purposes
>[!WARNING]
->In Windows 10, Version 1607, if you have multiple certificates provisioned on the device and the Wi-Fi profile provisioned does not have a strict filtering criteria, you may see connection failures when connecting to Wi-Fi. [Learn more about this known issue in Version 1607](https://go.microsoft.com/fwlink/p/?LinkId=786764)
+>In Windows 10, Version 1607, if you have multiple certificates provisioned on the device and the Wi-Fi profile provisioned does not have a strict filtering criteria, you may see connection failures when connecting to Wi-Fi. [Learn more about this known issue in Version 1607](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management)
## Install certificates using Microsoft Edge
diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md
index d3fb9810b8..57bbf194fc 100644
--- a/windows/security/identity-protection/remote-credential-guard.md
+++ b/windows/security/identity-protection/remote-credential-guard.md
@@ -56,7 +56,7 @@ Use the following table to compare different Remote Desktop connection security
| Feature | Remote Desktop | Windows Defender Remote Credential Guard | Restricted Admin mode |
|--------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Protection benefits** | Credentials on the server are not protected from Pass-the-Hash attacks. | User credentials remain on the client. An attacker can act on behalf of the user *only* when the session is ongoing | User logs on to the server as local administrator, so an attacker cannot act on behalf of the “domain user”. Any attack is local to the server |
-| **Version support** | The remote computer can run any Windows operating system | Both the client and the remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**. | The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**.
For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](https://technet.microsoft.com/library/security/2871997.aspx). |
+| **Version support** | The remote computer can run any Windows operating system | Both the client and the remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**. | The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**.
For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](/security-updates/SecurityAdvisories/2016/2871997). |
| **Helps prevent** | N/A |
|
|
| **Credentials supported from the remote desktop client device** |
|
|
| **Access** | **Users allowed**, that is, members of Remote Desktop Users group of remote host. | **Users allowed**, that is, members of Remote Desktop Users of remote host. | **Administrators only**, that is, only members of Administrators group of remote host. |
@@ -66,8 +66,8 @@ Use the following table to compare different Remote Desktop connection security
-For further technical information, see [Remote Desktop Protocol](https://msdn.microsoft.com/library/aa383015(v=vs.85).aspx)
-and [How Kerberos works](https://technet.microsoft.com/library/cc961963.aspx(d=robot)).
+For further technical information, see [Remote Desktop Protocol](/windows/win32/termserv/remote-desktop-protocol)
+and [How Kerberos works](/previous-versions/windows/it-pro/windows-2000-server/cc961963(v=technet.10)).
@@ -112,7 +112,7 @@ There are no hardware requirements for Windows Defender Remote Credential Guard.
> [!NOTE]
> Remote Desktop client devices running earlier versions, at minimum Windows 10 version 1607, only support signed-in credentials, so the client device must also be joined to an Active Directory domain. Both Remote Desktop client and server must either be joined to the same domain, or the Remote Desktop server can be joined to a domain that has a trust relationship to the client device's domain.
>
-> GPO [Remote host allows delegation of non-exportable credentials](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-credentialsdelegation) should be enabled for delegation of non-exportable credentials.
+> GPO [Remote host allows delegation of non-exportable credentials](/windows/client-management/mdm/policy-csp-credentialsdelegation) should be enabled for delegation of non-exportable credentials.
- For Windows Defender Remote Credential Guard to be supported, the user must authenticate to the remote host using Kerberos authentication.
@@ -193,4 +193,4 @@ mstsc.exe /remoteGuard
- No credentials are sent to the target device, but the target device still acquires Kerberos Service Tickets on its own.
-- The server and client must authenticate using Kerberos.
+- The server and client must authenticate using Kerberos.
\ No newline at end of file
diff --git a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
index f8baa1b11c..635a9631d6 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
@@ -78,7 +78,7 @@ Example:
**certutil -dspublish NTAuthCA** <*CertFile*> **"CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=engineering,DC=contoso,DC=com"**
-For information about this option for the command-line tool, see [-dsPublish](https://technet.microsoft.com/library/cc732443(v=ws.11).aspx#BKMK_dsPublish).
+For information about this option for the command-line tool, see [-dsPublish](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)#BKMK_dsPublish).
### Remote Desktop Services and smart card sign-in across domains
@@ -86,7 +86,7 @@ To enable remote access to resources in an enterprise, the root certificate for
**certutil -scroots update**
-For information about this option for the command-line tool, see [-SCRoots](https://technet.microsoft.com/library/cc732443(v=ws.11).aspx#BKMK_SCRoots).
+For information about this option for the command-line tool, see [-SCRoots](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)#BKMK_SCRoots).
For Remote Desktop Services across domains, the KDC certificate of the RD Session Host server must also be present in the client computer's NTAUTH store. To add the store, run the following command at the command line:
@@ -94,7 +94,7 @@ For Remote Desktop Services across domains, the KDC certificate of the RD Sessio
Where <*CertFile*> is the root certificate of the KDC certificate issuer.
-For information about this option for the command-line tool, see [-addstore](https://technet.microsoft.com/library/cc732443(v=ws.11).aspx#BKMK_addstore).
+For information about this option for the command-line tool, see [-addstore](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)#BKMK_addstore).
> **Note** If you use the credential SSP on computers running the supported versions of the operating system that are designated in the **Applies To** list at the beginning of this topic: To sign in with a smart card from a computer that is not joined to a domain, the smart card must contain the root certification of the domain controller. A public key infrastructure (PKI) secure channel cannot be established without the root certification of the domain controller.
@@ -104,4 +104,4 @@ The UPN in the certificate must include a domain that can be resolved. Otherwise
## See also
-[How Smart Card Sign-in Works in Windows](smart-card-how-smart-card-sign-in-works-in-windows.md)
+[How Smart Card Sign-in Works in Windows](smart-card-how-smart-card-sign-in-works-in-windows.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
index bb2559ccf0..0663f9a479 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
@@ -33,7 +33,7 @@ For smart cards, Windows supports a provider architecture that meets the secure
- [Smart card subsystem architecture](#smart-card-subsystem-architecture)
## Credential provider architecture
@@ -342,4 +342,4 @@ If a smart card is registered by a CSP and a smart card minidriver, the one that
CSPs and KSPs are meant to be written only if specific functionality is not available in the current smart card minidriver architecture. For example, the smart card minidriver architecture supports hardware security modules, so a minidriver could be written for a hardware security module, and a CSP or KSP may not be required unless it is needed to support algorithms that are not implemented in the Base CSP or smart card KSP.
-For more information about how to write a smart card minidriver, CSP, or KSP, see [Smart Card Minidrivers](https://msdn.microsoft.com/windows/hardware/drivers/smartcard/smart-card-minidrivers).
+For more information about how to write a smart card minidriver, CSP, or KSP, see [Smart Card Minidrivers](/windows-hardware/drivers/smartcard/smart-card-minidrivers).
\ No newline at end of file
diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
index 3d76ae2b17..ef209588b9 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
@@ -160,7 +160,7 @@ Following are the steps that are performed during a smart card sign-in:
> **Note** A SID is created for each user or group at the time a user account or a group account is created within the local security accounts database or within AD DS. The SID never changes, even if the user or group account is renamed.
-For more information about the Kerberos protocol, see [Microsoft Kerberos](https://msdn.microsoft.com/library/windows/desktop/aa378747(v=vs.85).aspx).
+For more information about the Kerberos protocol, see [Microsoft Kerberos](/windows/win32/secauthn/microsoft-kerberos).
By default, the KDC verifies that the client's certificate contains the smart card client authentication EKU szOID\_KP\_SMARTCARD\_LOGON. However, if enabled, the **Allow certificates with no extended key usage certificate attribute** Group Policy setting allows the KDC to not require the SC-LOGON EKU. SC-LOGON EKU is not required for account mappings that are based on the public key.
@@ -238,7 +238,7 @@ The following figure illustrates the process of mapping user accounts for sign-i
-NT\_AUTH policy is best described in the CERT\_CHAIN\_POLICY\_NT\_AUTH parameter section of the CertVerifyCertificateChainPolicy function. For more information, see [CertVerifyCertificateChainPolicy](https://msdn.microsoft.com/library/aa377163.aspx).
+NT\_AUTH policy is best described in the CERT\_CHAIN\_POLICY\_NT\_AUTH parameter section of the CertVerifyCertificateChainPolicy function. For more information, see [CertVerifyCertificateChainPolicy](/windows/win32/api/wincrypt/nf-wincrypt-certverifycertificatechainpolicy).
## Smart card sign-in for a single user with one certificate into multiple accounts
@@ -318,9 +318,8 @@ To deploy root certificates on a smart card for the currently joined domain, you
**certutil -scroots update**
-For more information about this option for the command-line tool, see [-SCRoots](https://technet.microsoft.com/library/cc732443(v=ws.11).aspx#BKMK_SCRoots).
+For more information about this option for the command-line tool, see [-SCRoots](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)#BKMK_SCRoots).
## See also
-[How Smart Card Sign-in Works in Windows](smart-card-how-smart-card-sign-in-works-in-windows.md)
-
+[How Smart Card Sign-in Works in Windows](smart-card-how-smart-card-sign-in-works-in-windows.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
index 824c20a5f1..1135c404d0 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
@@ -38,7 +38,7 @@ Debugging and tracing smart card issues requires a variety of tools and approach
## Certutil
-For a complete description of Certutil including examples that show how to use it, see [Certutil \[W2012\]](https://technet.microsoft.com/library/cc732443(v=ws.11).aspx).
+For a complete description of Certutil including examples that show how to use it, see [Certutil \[W2012\]](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)).
### List certificates available on the smart card
@@ -115,11 +115,11 @@ To stop a trace:
You can use these resources to troubleshoot these protocols and the KDC:
-- [Kerberos and LDAP Troubleshooting Tips](https://technet.microsoft.com/library/bb463167.aspx).
+- [Kerberos and LDAP Troubleshooting Tips](/previous-versions/tn-archive/bb463167(v=technet.10)).
- [Windows Driver Kit (WDK) and Debugging Tools for Windows (WinDbg)](https://developer.microsoft.com/en-us/windows/hardware/windows-driver-kit). You can use the trace log tool in this SDK to debug Kerberos authentication failures.
-To begin tracing, you can use `Tracelog`. Different components use different control GUIDs as explained in these examples. For more information, see [`Tracelog`](https://msdn.microsoft.com/library/windows/hardware/ff552994.aspx).
+To begin tracing, you can use `Tracelog`. Different components use different control GUIDs as explained in these examples. For more information, see [`Tracelog`](/windows-hardware/drivers/devtest/tracelog).
### NTLM
@@ -176,7 +176,7 @@ If you used the registry key settings shown in the previous table, look for the
- KDC: %systemroot%\\tracing\\kdcsvc
-To decode event trace files, you can use `Tracefmt` (tracefmt.exe). `Tracefmt` is a command-line tool that formats and displays trace messages from an event trace log file (.etl) or a real-time trace session. `Tracefmt` can display the messages in the Command Prompt window or save them in a text file. It is located in the \\tools\\tracing subdirectory of the Windows Driver Kit (WDK). For more information, see [`Tracefmt`](https://msdn.microsoft.com/library/ff552974.aspx).
+To decode event trace files, you can use `Tracefmt` (tracefmt.exe). `Tracefmt` is a command-line tool that formats and displays trace messages from an event trace log file (.etl) or a real-time trace session. `Tracefmt` can display the messages in the Command Prompt window or save them in a text file. It is located in the \\tools\\tracing subdirectory of the Windows Driver Kit (WDK). For more information, see [`Tracefmt`](/windows-hardware/drivers/devtest/tracefmt).
## Smart Card service
@@ -243,8 +243,8 @@ CryptoAPI 2.0 Diagnostics is available in Windows versions that support CryptoAP
CryptoAPI 2.0 Diagnostics logs events in the Windows event log. The logs contain detailed information about certificate chain validation, certificate store operations, and signature verification. This information makes it easier to identify the causes of issues and reduces the time required for diagnosis.
-For more information about CryptoAPI 2.0 Diagnostics, see [Troubleshooting an Enterprise PKI](https://technet.microsoft.com/library/cc771463.aspx).
+For more information about CryptoAPI 2.0 Diagnostics, see [Troubleshooting an Enterprise PKI](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771463(v=ws.11)).
## See also
-[Smart Card Technical Reference](smart-card-windows-smart-card-technical-reference.md)
+[Smart Card Technical Reference](smart-card-windows-smart-card-technical-reference.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
index a168874b63..badf574468 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
@@ -135,7 +135,7 @@ For configuration information about the TPM ownerAuth registry key, see the Grou
-For information about EAS policies, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287(v=ws.11).aspx).
+For information about EAS policies, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)).
#### Managed and unmanaged cards
@@ -270,7 +270,7 @@ The most common scenario in an organization is reissuing virtual smart cards, wh
The anti-hammering behavior of a TPM virtual smart card is different from that of a physical smart card. A physical smart card blocks itself after the user enters the wrong PIN a few times. A TPM virtual smart card enters a timed delay after the user enters the wrong PIN a few times. If the TPM is in the timed-delay mode, when the user attempts to use the TPM virtual smart card, the user is notified that the card is blocked. Furthermore, if you enable the integrated unlock functionality, the user can see the user interface to unlock the virtual smart card and change the PIN. Unlocking the virtual smart card does not reset the TPM lockout. The user needs to perform an extra step to reset the TPM lockout or wait for the timed delay to expire.
-For more information about setting the Allow Integrated Unblock policy, see [Allow Integrated Unblock screen to be displayed at the time of logon](https://docs.microsoft.com/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings#allow-integrated-unblock-screen-to-be-displayed-at-the-time-of-logon).
+For more information about setting the Allow Integrated Unblock policy, see [Allow Integrated Unblock screen to be displayed at the time of logon](../smart-cards/smart-card-group-policy-and-registry-settings.md#allow-integrated-unblock-screen-to-be-displayed-at-the-time-of-logon).
## See also
@@ -282,4 +282,4 @@ For more information about setting the Allow Integrated Unblock policy, see [All
[Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md)
-[Tpmvscmgr](virtual-smart-card-tpmvscmgr.md)
+[Tpmvscmgr](virtual-smart-card-tpmvscmgr.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
index 29bb2adede..1ef7fb2c75 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
@@ -105,7 +105,7 @@ Starting with Windows 8.1, application developers can build into their apps the
Starting with Windows 8.1, Microsoft Store app developers are able to build apps that have the capability to prompt the user to reset or unblock and change a virtual smart card PIN. This places more responsibility on the user to maintain their virtual smart card but it can also provide a more consistent user experience and administration experience in your organization.
-For more information about developing Microsoft Store apps with these capabilities, see [Trusted Platform Module Virtual Smart Card Management Protocol](https://msdn.microsoft.com/library/hh880895.aspx).
+For more information about developing Microsoft Store apps with these capabilities, see [Trusted Platform Module Virtual Smart Card Management Protocol](/openspecs/windows_protocols/ms-tpmvsc/10bd67d7-4580-4e38-a6e9-ec3be00033b6).
For more information about managing these capabilities in virtual smart cards, see [Understanding and Evaluating Virtual Smart Cards](virtual-smart-card-understanding-and-evaluating.md).
@@ -131,4 +131,4 @@ To use the virtual smart card technology, computers must be running one of the f
- [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md)
- [Deploy Virtual Smart Cards](virtual-smart-card-deploy-virtual-smart-cards.md)
- [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md)
-- [Tpmvscmgr](virtual-smart-card-tpmvscmgr.md)
+- [Tpmvscmgr](virtual-smart-card-tpmvscmgr.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
index c37a9a9b29..0b086ea53a 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
@@ -41,7 +41,7 @@ The Create command sets up new virtual smart cards on the user’s system. It re
| /generate | Generates the files in storage that are necessary for the virtual smart card to function. If the /generate parameter is omitted, it is equivalent to creating a card without this file system. A card without a file system can be managed only by a smart card management system such as Microsoft Endpoint Configuration Manager. |
| /machine | Allows you to specify the name of a remote computer on which the virtual smart card can be created. This can be used in a domain environment only, and it relies on DCOM. For the command to succeed in creating a virtual smart card on a different computer, the user running this command must be a member in the local administrators group on the remote computer. |
| /pinpolicy | If **/pin prompt** is used, **/pinpolicy** allows you to specify the following PIN policy options:
**minlen** <minimum PIN length>
If not specified, defaults to 8. The lower bound is 4.
**maxlen** <maximum PIN length>
If not specified, defaults to 127. The upper bound is 127.
**uppercase** Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**
**lowercase** Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**
**digits** Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**
**specialchars** Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**
When using **/pinpolicy**, PIN characters must be printable ASCII characters. |
-| /attestation | Configures attestation (subject only). This attestation uses an [Attestation Identity Key (AIK) certificate](https://msdn.microsoft.com/library/mt766230.aspx#gt_89a2ba3c-80af-4d1f-88b3-06ec3489fd5a) as a trust anchor to vouch that the virtual smart card keys and certificates are truly hardware bound. The attestation methods are:
**AIK_AND_CERT** Creates an AIK and obtains an AIK certificate from the Microsoft cloud certification authority (CA). This requires the device to have a TPM with an [EK certificate](https://msdn.microsoft.com/library/cc249746.aspx#gt_6aaaff7f-d380-44fb-91d3-b985e458eb6d). If this option is specified and there is no network connectivity, it is possible that creation of the virtual smart card will fail.
**AIK_ONLY** Creates an AIK but does not obtain an AIK certificate. |
+| /attestation | Configures attestation (subject only). This attestation uses an [Attestation Identity Key (AIK) certificate](/openspecs/windows_protocols/ms-dha/a4a71926-3639-4d62-b915-760c2483f489#gt_89a2ba3c-80af-4d1f-88b3-06ec3489fd5a) as a trust anchor to vouch that the virtual smart card keys and certificates are truly hardware bound. The attestation methods are:
**AIK_AND_CERT** Creates an AIK and obtains an AIK certificate from the Microsoft cloud certification authority (CA). This requires the device to have a TPM with an [EK certificate](/openspecs/windows_protocols/ms-wcce/719b890d-62e6-4322-b9b1-1f34d11535b4#gt_6aaaff7f-d380-44fb-91d3-b985e458eb6d). If this option is specified and there is no network connectivity, it is possible that creation of the virtual smart card will fail.
**AIK_ONLY** Creates an AIK but does not obtain an AIK certificate. |
| /? | Displays Help for this command. |
### Parameters for Destroy command
@@ -89,4 +89,4 @@ The following command will create a TPM virtual smart card with the default valu
## Additional references
-- [Virtual Smart Card Overview](virtual-smart-card-overview.md)
+- [Virtual Smart Card Overview](virtual-smart-card-overview.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
index 30671f6e4a..cb9d870d46 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
@@ -40,13 +40,13 @@ To create and delete TPM virtual smart cards for end users, the Tpmvscmgr comman
Virtual smart cards can also be created and deleted by using APIs. For more information, see the following classes and interfaces:
-- [TpmVirtualSmartCardManager](https://msdn.microsoft.com/library/windows/desktop/hh707171(v=vs.85).aspx)
+- [TpmVirtualSmartCardManager](/previous-versions/windows/desktop/legacy/hh707171(v=vs.85))
-- [RemoteTpmVirtualSmartCardManager](https://msdn.microsoft.com/library/windows/desktop/hh707166(v=vs.85).aspx)
+- [RemoteTpmVirtualSmartCardManager](/previous-versions/windows/desktop/legacy/hh707166(v=vs.85))
-- [ITpmVirtualSmartCardManager](https://msdn.microsoft.com/library/windows/desktop/hh707160(v=vs.85).aspx)
+- [ITpmVirtualSmartCardManager](/windows/win32/api/tpmvscmgr/nn-tpmvscmgr-itpmvirtualsmartcardmanager)
-- [ITPMVirtualSmartCardManagerStatusCallBack](https://msdn.microsoft.com/library/windows/desktop/hh707161(v=vs.85).aspx)
+- [ITPMVirtualSmartCardManagerStatusCallBack](/windows/win32/api/tpmvscmgr/nn-tpmvscmgr-itpmvirtualsmartcardmanagerstatuscallback)
You can use APIs that were introduced in the Windows.Device.SmartCards namespace in Windows Server 2012 R2 and Windows 8.1 to build Microsoft Store apps to manage the full lifecycle of virtual smart cards. For information about how to build an app to do this, see [Strong Authentication: Building Apps That Leverage Virtual Smart Cards in Enterprise, BYOD, and Consumer Environments | Build 2013 | Channel 9](https://channel9.msdn.com/events/build/2013/2-041).
@@ -66,9 +66,9 @@ The following table describes the features that can be developed in a Microsoft
For more information about these Windows APIs, see:
-- [Windows.Devices.SmartCards namespace (Windows)](https://msdn.microsoft.com/library/windows/apps/windows.devices.smartcards.aspx)
+- [Windows.Devices.SmartCards namespace (Windows)](/uwp/api/Windows.Devices.SmartCards)
-- [Windows.Security.Cryptography.Certificates namespace (Windows)](https://msdn.microsoft.com/library/windows/apps/windows.security.cryptography.certificates.aspx)
+- [Windows.Security.Cryptography.Certificates namespace (Windows)](/uwp/api/Windows.Security.Cryptography.Certificates)
## Distinguishing TPM-based virtual smart cards from physical smart cards
@@ -100,4 +100,4 @@ Sometimes, due to frequent incorrect PIN attempts from a user, the TPM may enter
## See also
-For information about authentication, confidentiality, and data integrity use cases, see [Virtual Smart Card Overview](virtual-smart-card-overview.md).
+For information about authentication, confidentiality, and data integrity use cases, see [Virtual Smart Card Overview](virtual-smart-card-overview.md).
\ No newline at end of file
diff --git a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
index 97ee24eb64..bbb6ddc586 100644
--- a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
+++ b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
@@ -22,13 +22,13 @@ To secure the connections, update the configuration of VPN servers and clients b
## VPN server
-For VPN servers that run Windows Server 2012 R2 or later, you need to run [Set-VpnServerConfiguration](https://docs.microsoft.com/powershell/module/remoteaccess/set-vpnserverconfiguration?view=win10-ps) to configure the tunnel type. This makes all IKE exchanges on IKEv2 tunnel use the secure configuration.
+For VPN servers that run Windows Server 2012 R2 or later, you need to run [Set-VpnServerConfiguration](/powershell/module/remoteaccess/set-vpnserverconfiguration?view=win10-ps) to configure the tunnel type. This makes all IKE exchanges on IKEv2 tunnel use the secure configuration.
```powershell
Set-VpnServerConfiguration -TunnelType IKEv2 -CustomPolicy
```
-On an earlier versions of Windows Server, run [Set-VpnServerIPsecConfiguration](https://technet.microsoft.com/library/hh918373(v=wps.620).aspx). Since `Set-VpnServerIPsecConfiguration` doesn’t have `-TunnelType`, the configuration applies to all tunnel types on the server.
+On an earlier versions of Windows Server, run [Set-VpnServerIPsecConfiguration](/previous-versions/windows/powershell-scripting/hh918373(v=wps.620)). Since `Set-VpnServerIPsecConfiguration` doesn’t have `-TunnelType`, the configuration applies to all tunnel types on the server.
```powershell
Set-VpnServerIPsecConfiguration -CustomPolicy
@@ -37,10 +37,9 @@ Set-VpnServerIPsecConfiguration -CustomPolicy
## VPN client
For VPN client, you need to configure each VPN connection.
-For example, run [Set-VpnConnectionIPsecConfiguration (version 4.0)](https://docs.microsoft.com/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=win10-ps) and specify the name of the connection:
+For example, run [Set-VpnConnectionIPsecConfiguration (version 4.0)](/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=win10-ps) and specify the name of the connection:
```powershell
Set-VpnConnectionIPsecConfiguration -ConnectionName EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (EAP-MSCHAPv2) EAP-Transport Layer Security (EAP-TLS) Protected Extensible Authentication Protocol (PEAP) Protected Extensible Authentication Protocol (PEAP) Tunneled Transport Layer Security (TTLS)
-protectors -get \> C:\\Protectors**](https://docs.microsoft.com/windows-server/administration/windows-commands/manage-bde-protectors) |Exports information about the protection methods that are used for the BitLocker encryption key. |
-|[**reagentc /info \> C:\\reagent.txt**](https://docs.microsoft.com/windows-hardware/manufacture/desktop/reagentc-command-line-options) |Exports information about an online or offline image about the current status of the Windows Recovery Environment (WindowsRE) and any available recovery image. |
-|[**get-BitLockerVolume \| fl**](https://docs.microsoft.com/powershell/module/bitlocker/get-bitlockervolume?view=win10-ps) |Gets information about volumes that BitLocker Drive Encryption can protect. |
+|[**get-tpm \> C:\\TPM.txt**](/powershell/module/trustedplatformmodule/get-tpm?view=win10-ps) |Exports information about the local computer's Trusted Platform Module (TPM). This cmdlet shows different values depending on whether the TPM chip is version 1.2 or 2.0. This cmdlet is not supported in Windows 7. |
+|[**manage-bde –status \> C:\\BDEStatus.txt**](/windows-server/administration/windows-commands/manage-bde-status) |Exports information about the general encryption status of all drives on the computer. |
+|[**manage-bde c:
-protectors -get \> C:\\Protectors**](/windows-server/administration/windows-commands/manage-bde-protectors) |Exports information about the protection methods that are used for the BitLocker encryption key. |
+|[**reagentc /info \> C:\\reagent.txt**](/windows-hardware/manufacture/desktop/reagentc-command-line-options) |Exports information about an online or offline image about the current status of the Windows Recovery Environment (WindowsRE) and any available recovery image. |
+|[**get-BitLockerVolume \| fl**](/powershell/module/bitlocker/get-bitlockervolume?view=win10-ps) |Gets information about volumes that BitLocker Drive Encryption can protect. |
## Review the configuration information
@@ -99,8 +99,8 @@ Open an elevated Windows PowerShell window, and run each of the following comman
|Command |Notes |
| - | - |
- |[**gpresult /h \
|
-|TimeStamp |Int |Uses the [FILETIME structure](https://msdn.microsoft.com/library/windows/desktop/ms724284(v=vs.85).aspx) to represent the time that the event happened. |
+|TimeStamp |Int |Uses the [FILETIME structure](/windows/win32/api/minwinbase/ns-minwinbase-filetime) to represent the time that the event happened. |
|Policy |String |How the work data was shared to the personal location:
|
|Justification |String |Not implemented. This will always be either blank or NULL.
**Note**
Reserved for future use to collect the user justification for changing from **Work** to **Personal**. |
|Object |String |A description of the shared work data. For example, if an employee opens a work file by using a personal app, this would be the file path. |
@@ -165,7 +165,7 @@ Use Windows Event Forwarding to collect and aggregate your WIP audit events. You
2. In the console tree under **Application and Services Logs\Microsoft\Windows**, click **EDP-Audit-Regular** and **EDP-Audit-TCB**.
## Collect WIP audit logs using Azure Monitor
-You can collect audit logs using Azure Monitor. See [Windows event log data sources in Azure Monitor.](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs)
+You can collect audit logs using Azure Monitor. See [Windows event log data sources in Azure Monitor.]()
**To view the WIP events in Azure Monitor**
1. Use an existing or create a new Log Analytics workspace.
@@ -179,7 +179,7 @@ You can collect audit logs using Azure Monitor. See [Windows event log data sour
>[!NOTE]
>If using Windows Events Logs, the event log names can be found under Properties of the event in the Events folder (Application and Services Logs\Microsoft\Windows, click EDP-Audit-Regular and EDP-Audit-TCB).
-3. Download Microsoft [Monitoring Agent](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#install-the-agent-using-dsc-in-azure-automation).
+3. Download Microsoft [Monitoring Agent](/azure/azure-monitor/platform/agent-windows#install-the-agent-using-dsc-in-azure-automation).
4. To get MSI for Intune installation as stated in the Azure Monitor article, extract: MMASetup-.exe /c /t:
Install Microsoft Monitoring Agent to WIP devices using Workspace ID and Primary key. More information on Workspace ID and Primary key can be found in **Log Analytics** > **Advanced Settings**.
@@ -199,6 +199,6 @@ Event | where EventLog == "Microsoft-Windows-EDP-Audit-TCB/Admin"
```
## Additional resources
-- [How to deploy app via Intune](https://docs.microsoft.com/intune/apps-add)
-- [How to create Log workspace](https://docs.microsoft.com/azure/azure-monitor/learn/quick-create-workspace)
-- [How to use Microsoft Monitoring Agents for Windows](https://docs.microsoft.com/azure/azure-monitor/platform/agents-overview)
+- [How to deploy app via Intune](/intune/apps-add)
+- [How to create Log workspace](/azure/azure-monitor/learn/quick-create-workspace)
+- [How to use Microsoft Monitoring Agents for Windows](/azure/azure-monitor/platform/agents-overview)
\ No newline at end of file
diff --git a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
index 629994e90f..02d631b6db 100644
--- a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
+++ b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
@@ -28,7 +28,7 @@ If you don't already have an EFS DRA certificate, you'll need to create and extr
The recovery process included in this topic only works for desktop devices. WIP deletes the data on Windows 10 Mobile devices.
>[!IMPORTANT]
->If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/library/cc875821.aspx).
If your DRA certificate has expired, you won't be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy.
+>If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](/previous-versions/technet-magazine/cc162507(v=msdn.10)) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](/previous-versions/tn-archive/cc875821(v=technet.10)).
If your DRA certificate has expired, you won't be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy.
## Manually create an EFS DRA certificate
@@ -141,16 +141,16 @@ After signing in, the necessary WIP key info is automatically downloaded and emp
3. Sign-in to Azure AD as the employee and verify that the files now open
## Related topics
-- [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx)
+- [Security Watch Deploying EFS: Part 1](/previous-versions/technet-magazine/cc162507(v=msdn.10))
-- [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/library/cc875821.aspx)
+- [Protecting Data by Using EFS to Encrypt Hard Drives](/previous-versions/tn-archive/cc875821(v=technet.10))
- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune-azure.md)
- [Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md)
-- [Creating a Domain-Based Recovery Agent](https://msdn.microsoft.com/library/cc875821.aspx#EJAA)
+- [Creating a Domain-Based Recovery Agent](/previous-versions/tn-archive/cc875821(v=technet.10)#EJAA)
>[!Note]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to this article](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to this article](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
diff --git a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
index a124fbdd24..a605d96688 100644
--- a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
@@ -30,7 +30,7 @@ Follow these steps to associate your WIP policy with your organization's existin
**To associate your policies**
-1. Create your VPN profile. For info about how to do this, see [How to configure VPN settings in Microsoft Intune](https://docs.microsoft.com/intune-azure/configure-devices/how-to-configure-vpn-settings) and [How to create custom VPN profiles in Microsoft Intune](https://docs.microsoft.com/intune-azure/configure-devices/create-custom-vpn-profiles#create-a-custom-configuration).
+1. Create your VPN profile. For info about how to do this, see [How to configure VPN settings in Microsoft Intune](/intune-azure/configure-devices/how-to-configure-vpn-settings) and [How to create custom VPN profiles in Microsoft Intune](/intune-azure/configure-devices/create-custom-vpn-profiles#create-a-custom-configuration).
2. Open the Microsoft Intune mobile application management console, click **Device configuration**, and then click **Create Profile**.
@@ -76,4 +76,4 @@ After you’ve created your VPN policy, you'll need to deploy it to the same gro
>[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
index ac44e2f1bd..2d7684c08c 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
@@ -232,7 +232,7 @@ Path Publisher
Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box.
### Add an AppLocker policy file
-For this example, we're going to add an AppLocker XML file to the **App Rules** list. You'll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content.
+For this example, we're going to add an AppLocker XML file to the **App Rules** list. You'll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](../../threat-protection/windows-defender-application-control/applocker/applocker-overview.md) content.
**To create an app rule and xml file using the AppLocker tool**
1. Open the Local Security Policy snap-in (SecPol.msc).
@@ -456,7 +456,7 @@ There are no default locations included with WIP, you must add each of your netw
After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees' local device drive. If somehow the employees' local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data.
- For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md).
+ For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](/previous-versions/tn-archive/cc512680(v=technet.10)) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md).
## Choose your optional WIP-related settings
After you've decided where your protected apps can access enterprise data on your network, you'll be asked to decide if you want to add any optional WIP settings.
@@ -484,7 +484,7 @@ After you've decided where your protected apps can access enterprise data on you
- **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you're migrating between Mobile Device Management (MDM) solutions.
- - **Allow Azure RMS.** Enables secure sharing of files by using removable media such as USB drives. For more information about how RMS works with WIP, see [Create a WIP policy using Intune](create-wip-policy-using-intune-azure.md). To confirm what templates your tenant has, run [Get-AadrmTemplate](https://docs.microsoft.com/powershell/module/aadrm/get-aadrmtemplate) from the [AADRM PowerShell module](https://docs.microsoft.com/azure/information-protection/administer-powershell). If you don't specify a template, WIP uses a key from a default RMS template that everyone in the tenant will have access to.
+ - **Allow Azure RMS.** Enables secure sharing of files by using removable media such as USB drives. For more information about how RMS works with WIP, see [Create a WIP policy using Intune](create-wip-policy-using-intune-azure.md). To confirm what templates your tenant has, run [Get-AadrmTemplate](/powershell/module/aadrm/get-aadrmtemplate) from the [AADRM PowerShell module](/azure/information-protection/administer-powershell). If you don't specify a template, WIP uses a key from a default RMS template that everyone in the tenant will have access to.
2. After you pick all of the settings you want to include, click **Summary**.
@@ -500,11 +500,11 @@ After you've finished configuring your policy, you can review all of your info o
## Deploy the WIP policy
After you've created your WIP policy, you'll need to deploy it to your organization's devices. For info about your deployment options, see these topics:
-- [Operations and Maintenance for Compliance Settings in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=708224)
+- [Operations and Maintenance for Compliance Settings in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg699357(v=technet.10))
-- [How to Create Configuration Baselines for Compliance Settings in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=708225)
+- [How to Create Configuration Baselines for Compliance Settings in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg712268(v=technet.10))
-- [How to Deploy Configuration Baselines in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=708226)
+- [How to Deploy Configuration Baselines in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/hh219289(v=technet.10))
## Related topics
@@ -512,4 +512,4 @@ After you've created your WIP policy, you'll need to deploy it to your organizat
- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
-- [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md)
+- [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md)
\ No newline at end of file
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
index 9cd06e39f6..c10b2990b3 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -29,18 +29,18 @@ Microsoft Intune has an easy way to create and deploy a Windows Information Prot
You can create an app protection policy in Intune either with device enrollment for MDM or without device enrollment for MAM. The process to create either policy is similar, but there are important differences:
- MAM has additional **Access** settings for Windows Hello for Business.
-- MAM can [selectively wipe company data](https://docs.microsoft.com/intune/apps-selective-wipe) from a user's personal device.
-- MAM requires an [Azure Active Directory (Azure AD) Premium license](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses).
+- MAM can [selectively wipe company data](/intune/apps-selective-wipe) from a user's personal device.
+- MAM requires an [Azure Active Directory (Azure AD) Premium license](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses).
- An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and re-gain access to protected data. WIP auto-recovery depends on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM.
- MAM supports only one user per device.
- MAM can only manage [enlightened apps](enlightened-microsoft-apps-and-wip.md).
-- Only MDM can use [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) policies.
+- Only MDM can use [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) policies.
- If the same user and device are targeted for both MDM and MAM, the MDM policy will be applied to devices joined to Azure AD. For personal devices that are workplace-joined (that is, added by using **Settings** > **Email & accounts** > **Add a work or school account**), the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**. Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access.
## Prerequisites
-Before you can create a WIP policy using Intune, you need to configure an MDM or MAM provider in Azure Active Directory (Azure AD). MAM requires an [Azure Active Directory (Azure AD) Premium license](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses). An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and re-gain access to protected data. WIP auto-recovery relies on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM.
+Before you can create a WIP policy using Intune, you need to configure an MDM or MAM provider in Azure Active Directory (Azure AD). MAM requires an [Azure Active Directory (Azure AD) Premium license](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses). An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and re-gain access to protected data. WIP auto-recovery relies on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM.
## Configure the MDM or MAM provider
@@ -224,7 +224,7 @@ This section covers two examples of using an AppLocker XML file to the **Protect
- [Create a Packaged App rule for Store apps](#create-a-packaged-app-rule-for-store-apps)
- [Create an Executable rule for unsigned apps](#create-an-executable-rule-for-unsigned-apps)
-For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content.
+For more info about AppLocker, see the [AppLocker](../../threat-protection/windows-defender-application-control/applocker/applocker-overview.md) content.
#### Create a Packaged App rule for Store apps
@@ -427,7 +427,6 @@ For each cloud resource, you may also optionally specify a proxy server from you
Be aware that all traffic routed through your Internal proxy servers is considered enterprise.
Separate multiple resources with the "|" delimiter.
-If you don’t use proxy servers, you must also include the "," delimiter just before the "|".
For example:
```console
@@ -447,7 +446,7 @@ For example:
URL <,proxy>|URL <,proxy>|/*AppCompat*/
```
-When you use this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access), using the **Domain joined or marked as compliant** option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.
+When you use this string, we recommend that you also turn on [Azure Active Directory Conditional Access](/azure/active-directory/active-directory-conditional-access), using the **Domain joined or marked as compliant** option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.
Value format with proxy:
@@ -557,7 +556,7 @@ Decide if you want Windows to look for additional network settings:
After you create and deploy your WIP policy to your employees, Windows begins to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the Data Recovery Agent (DRA) certificate lets Windows use an included public key to encrypt the local data while you maintain the private key that can unencrypt the data.
>[!Important]
->Using a DRA certificate isn’t mandatory. However, we strongly recommend it. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](https://docs.microsoft.com/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate) topic.
+>Using a DRA certificate isn’t mandatory. However, we strongly recommend it. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](/previous-versions/tn-archive/cc512680(v=technet.10)) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate) topic.
**To upload your DRA certificate**
1. From the **App policy** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears.
@@ -591,11 +590,11 @@ After you've decided where your protected apps can access enterprise data on you
- **Off, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but protected apps. Not configured is the default option.
-**Use Azure RMS for WIP.** Determines whether WIP uses [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management) to apply EFS encryption to files that are copied from Windows 10 to USB or other removable drives so they can be securely shared amongst employees. In other words, WIP uses Azure Rights Management "machinery" to apply EFS encryption to files when they are copied to removable drives. You must already have Azure Rights Management set up. The EFS file encryption key is protected by the RMS template’s license. Only users with permission to that template will be able to read it from the removable drive. WIP can also integrate with Azure RMS by using the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings in the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp).
+**Use Azure RMS for WIP.** Determines whether WIP uses [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management) to apply EFS encryption to files that are copied from Windows 10 to USB or other removable drives so they can be securely shared amongst employees. In other words, WIP uses Azure Rights Management "machinery" to apply EFS encryption to files when they are copied to removable drives. You must already have Azure Rights Management set up. The EFS file encryption key is protected by the RMS template’s license. Only users with permission to that template will be able to read it from the removable drive. WIP can also integrate with Azure RMS by using the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings in the [EnterpriseDataProtection CSP](/windows/client-management/mdm/enterprisedataprotection-csp).
- **On.** Protects files that are copied to a removable drive. You can enter a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. The RMS template is only applied to the files on removable media, and is only used for access control—it doesn’t actually apply Azure Information Protection to the files.
- If you don’t specify an [RMS template](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates), it’s a regular EFS file using a default RMS template that all users can access.
+ If you don’t specify an [RMS template](/information-protection/deploy-use/configure-custom-templates), it’s a regular EFS file using a default RMS template that all users can access.
- **Off, or not configured.** Stops WIP from encrypting Azure Rights Management files that are copied to a removable drive.
@@ -620,13 +619,13 @@ You can restrict which files are protected by WIP when they are downloaded from
- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
-- [What is Azure Rights Management?](https://docs.microsoft.com/information-protection/understand-explore/what-is-azure-rms)
+- [What is Azure Rights Management?](/information-protection/understand-explore/what-is-azure-rms)
-- [Create a Windows Information Protection (WIP) protection policy using Microsoft Intune](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/overview-create-wip-policy)
+- [Create a Windows Information Protection (WIP) protection policy using Microsoft Intune](./overview-create-wip-policy.md)
-- [Intune MAM Without Enrollment](https://blogs.technet.microsoft.com/configmgrdogs/2016/02/04/intune-mam-without-enrollment/)
+- [Intune MAM Without Enrollment](/archive/blogs/configmgrdogs/intune-mam-without-enrollment)
- [Azure RMS Documentation Update for May 2016](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/azure-rms-documentation-update-for-may-2016/)
->[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
+> [!NOTE]
+> Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
index c1cd7193c0..1b1d1ef266 100644
--- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
+++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
@@ -89,7 +89,7 @@ This table provides info about the most common problems you might encounter whil
ActiveX controls should be used with caution.
Webpages that use ActiveX controls can potentially communicate with other outside processes that aren’t protected by using WIP.
- We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology.
+
For more info, see Out-of-date ActiveX control blocking.We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology.
For more info, see Out-of-date ActiveX control blocking.
Resilient File System (ReFS) isn't currently supported with WIP.
@@ -115,7 +115,7 @@ This table provides info about the most common problems you might encounter whil
WIP isn’t turned on for employees in your organization. Error code 0x807c0008 will result if WIP is deployed by using Microsoft Endpoint Configuration Manager.
- Don’t set the MakeFolderAvailableOfflineDisabled option to False for any of the specified folders. You can configure this parameter, as described here.
If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see Can't open files offline when you use Offline Files and Windows Information Protection.
+ Don’t set the MakeFolderAvailableOfflineDisabled option to False for any of the specified folders. You can configure this parameter, as described here.
If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see Can't open files offline when you use Offline Files and Windows Information Protection.
@@ -159,4 +159,4 @@ Wait a few minutes to allow OneDrive to finish syncing & upgrading the notebook,
> [!NOTE]
-> Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to our content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
+> Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to our content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
diff --git a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
index bf2e926154..5114046477 100644
--- a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
+++ b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
@@ -28,12 +28,12 @@ This list provides all of the tasks and settings that are required for the opera
|Task|Description|
|----|-----------|
|Add at least one app to the **Protected apps** list in your WIP policy.|You must have at least one app added to your **Protected apps** list. For more info about where this area is and how to add apps, see the **Add apps to your Protected apps list** section of the policy creation topics.|
-|Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Block**. For more info about where this area is and how to decide on your protection level, see the [Manage the WIP protection mode for your enterprise data](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr#manage-the-wip-protection-level-for-your-enterprise-data) section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
+|Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Block**. For more info about where this area is and how to decide on your protection level, see the [Manage the WIP protection mode for your enterprise data](./create-wip-policy-using-configmgr.md#manage-the-wip-protection-level-for-your-enterprise-data) section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
|Specify your corporate identity.|This field is automatically filled out for you by Microsoft Intune. However, you must manually correct it if it’s incorrect or if you need to add additional domains. For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics.
|Specify your network domain names.|Starting with Windows 10, version 1703, this field is optional.
Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics.|
|Specify your enterprise IPv4 or IPv6 ranges.|Starting with Windows 10, version 1703, this field is optional.
Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics.|
-|Include your Data Recovery Agent (DRA) certificate.|Starting with Windows 10, version 1703, this field is optional. But we strongly recommend that you add a certificate.
This certificate makes sure that any of your WIP-encrypted data can be decrypted, even if the security keys are lost. For more info about where this area is and what it means, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](https://technet.microsoft.com/itpro/windows/keep-secure/create-and-verify-an-efs-dra-certificate) topic.|
+|Include your Data Recovery Agent (DRA) certificate.|Starting with Windows 10, version 1703, this field is optional. But we strongly recommend that you add a certificate.
This certificate makes sure that any of your WIP-encrypted data can be decrypted, even if the security keys are lost. For more info about where this area is and what it means, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](./create-and-verify-an-efs-dra-certificate.md) topic.|
>[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
diff --git a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
index 336a37f408..424341046d 100644
--- a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
+++ b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
@@ -42,7 +42,7 @@ You’ll need this software to run WIP in your enterprise:
|Operating system | Management solution |
|-----------------|---------------------|
-|Windows 10, version 1607 or later | Microsoft Intune
-OR-
Microsoft Endpoint Configuration Manager
-OR-
Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt697634.aspx) documentation.|
+|Windows 10, version 1607 or later | Microsoft Intune
-OR-
Microsoft Endpoint Configuration Manager
-OR-
Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](/windows/client-management/mdm/enterprisedataprotection-csp) documentation.|
## What is enterprise data control?
Effective collaboration means that you need to share data with others in your enterprise. This sharing can be from one extreme where everyone has access to everything without any security, all the way to the other extreme where people can’t share anything and it’s all highly secured. Most enterprises fall somewhere in between the two extremes, where success is balanced between providing the necessary access with the potential for improper data disclosure.
@@ -160,4 +160,4 @@ After deciding to use WIP in your enterprise, you need to:
>[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
diff --git a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
index d2ff6e2a2f..69b104f1b4 100644
--- a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
+++ b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
@@ -44,7 +44,7 @@ This table includes the recommended URLs to add to your Enterprise Cloud Resourc
You can add other work-only apps to the Cloud Resource list, or you can create a packaged app rule for the .exe file to protect every file the app creates or modifies. Depending on how the app is accessed, you might want to add both.
-For Office 365 endpoints, see [Office 365 URLs and IP address ranges](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges).
+For Office 365 endpoints, see [Office 365 URLs and IP address ranges](/office365/enterprise/urls-and-ip-address-ranges).
Office 365 endpoints are updated monthly.
Allow the domains listed in section number 46 Allow Required and add also add the apps.
Note that apps from officeapps.live.com can also store personal data.
@@ -57,4 +57,4 @@ We recommended adding these URLs if you use the Neutral Resources network settin
+
\ No newline at end of file
diff --git a/windows/security/information-protection/windows-information-protection/wip-learning.md b/windows/security/information-protection/windows-information-protection/wip-learning.md
index 7679c60ed8..1e97616ee8 100644
--- a/windows/security/information-protection/windows-information-protection/wip-learning.md
+++ b/windows/security/information-protection/windows-information-protection/wip-learning.md
@@ -48,9 +48,9 @@ Once you have the apps and websites showing up in the WIP Learning logging repor
## Use the WIP section of Device Health
-You can use Device Health to adjust your WIP protection policy. See [Using Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-using#windows-information-protection) to learn more.
+You can use Device Health to adjust your WIP protection policy. See [Using Device Health](/windows/deployment/update/device-health-using#windows-information-protection) to learn more.
-If you want to configure your environment for Windows Analytics: Device Health, see [Get Started with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-get-started) for more information.
+If you want to configure your environment for Windows Analytics: Device Health, see [Get Started with Device Health](/windows/deployment/update/device-health-get-started) for more information.
Once you have WIP policies in place, by using the WIP section of Device Health, you can:
@@ -59,7 +59,7 @@ Once you have WIP policies in place, by using the WIP section of Device Health,
## Use Device Health and Intune to adjust WIP protection policy
-The information needed for the following steps can be found using Device Health, which you will first have to set up. Learn more about how you can [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor).
+The information needed for the following steps can be found using Device Health, which you will first have to set up. Learn more about how you can [Monitor the health of devices with Device Health](/windows/deployment/update/device-health-monitor).
1. In **Device Health** click the app you want to add to your policy and copy the **WipAppId**.
@@ -114,4 +114,4 @@ The information needed for the following steps can be found using Device Health,
When working with WIP-enabled apps and WIP-unknown apps, it is recommended that you start with **Silent** or **Allow overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Block**. For more information about WIP modes, see: [Protect enterprise data using WIP: WIP-modes](protect-enterprise-data-using-wip.md#bkmk-modes)
>[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
deleted file mode 100644
index dae95369d9..0000000000
--- a/windows/security/threat-protection/TOC.md
+++ /dev/null
@@ -1,744 +0,0 @@
-# [Threat protection](index.md)
-
-## [Security administration]()
-
-### [Attack surface reduction]()
-
-#### [Hardware-based isolation]()
-
-##### [Hardware-based isolation evaluation](microsoft-defender-application-guard/test-scenarios-md-app-guard.md)
-
-##### [Application isolation]()
-###### [Application guard overview](microsoft-defender-application-guard/md-app-guard-overview.md)
-###### [System requirements](microsoft-defender-application-guard/reqs-md-app-guard.md)
-###### [Install Microsoft Defender Application Guard](microsoft-defender-application-guard/install-md-app-guard.md)
-###### [Install Microsoft Defender Application Guard Extension](microsoft-defender-application-guard/md-app-guard-browser-extension.md)
-
-##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
-###### [Audit Application control policies](windows-defender-application-control/audit-windows-defender-application-control-policies.md)
-
-##### [System isolation](windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
-
-##### [System integrity](windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md)
-
-#### [Device control]()
-##### [Code integrity](device-guard/enable-virtualization-based-protection-of-code-integrity.md)
-##### [Control USB devices](device-control/control-usb-devices-using-intune.md)
-##### [Device control report](device-control/device-control-report.md)
-
-#### [Network firewall]()
-##### [Network firewall overview](windows-firewall/windows-firewall-with-advanced-security.md)
-##### [Network firewall evaluation](windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
-
-### [Next-generation protection]()
-#### [Next-generation protection overview](microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md)
-#### [Evaluate next-generation protection](microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md)
-
-#### [Configure next-generation protection]()
-##### [Configure Microsoft Defender Antivirus features](microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md)
-
-##### [Use Microsoft cloud-delivered protection](microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md)
-###### [Enable cloud-delivered protection](microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md)
-###### [Specify the cloud-delivered protection level](microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md)
-###### [Configure and validate network connections](microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md)
-###### [Prevent security settings changes with tamper protection](microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md)
-###### [Enable Block at first sight](microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md)
-###### [Configure the cloud block timeout period](microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md)
-
-##### [Configure behavioral, heuristic, and real-time protection]()
-###### [Configuration overview](microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md)
-###### [Detect and block Potentially Unwanted Applications](microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md)
-###### [Enable and configure always-on protection and monitoring](microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md)
-
-##### [Antivirus on Windows Server](microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md)
-
-##### [Antivirus compatibility]()
-###### [Compatibility charts](microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md)
-###### [Use limited periodic antivirus scanning](microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md)
-
-##### [Manage next-generation protection in your business]()
-###### [Management overview](microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md)
-###### [Use Microsoft Intune and Microsoft Endpoint Manager to manage next-generation protection](microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md)
-###### [Use Group Policy settings to manage next-generation protection](microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md)
-###### [Use PowerShell cmdlets to manage next-generation protection](microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md)
-###### [Use Windows Management Instrumentation (WMI) to manage next-generation protection](microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md)
-###### [Use the mpcmdrun.exe command line tool to manage next-generation protection](microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md)
-
-##### [Deploy, manage updates, and report on antivirus]()
-###### [Preparing to deploy](microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md)
-###### [Deploy and enable antivirus](microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md)
-###### [Deployment guide for VDI environments](microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md)
-
-###### [Report on antivirus protection]()
-###### [Review protection status and alerts](microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md)
-###### [Troubleshoot antivirus reporting in Update Compliance](microsoft-defender-antivirus/troubleshoot-reporting.md)
-###### [Learn about the recent updates](microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md)
-###### [Manage protection and security intelligence updates](microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md)
-###### [Manage when protection updates should be downloaded and applied](microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md)
-###### [Manage updates for endpoints that are out of date](microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md)
-###### [Manage event-based forced updates](microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md)
-###### [Manage updates for mobile devices and VMs](microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)
-
-##### [Customize, initiate, and review the results of scans and remediation]()
-###### [Configuration overview](microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
-
-###### [Configure and validate exclusions in antivirus scans](microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md)
-###### [Configure and validate exclusions based on file name, extension, and folder location](microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md)
-###### [Configure and validate exclusions for files opened by processes](microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
-###### [Configure antivirus exclusions Windows Server](microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md)
-###### [Common mistakes when defining exclusions](microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md)
-###### [Configure scanning antivirus options](microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md)
-###### [Configure remediation for scans](microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md)
-###### [Configure scheduled scans](microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md)
-###### [Configure and run scans](microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md)
-###### [Review scan results](microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md)
-###### [Run and review the results of an offline scan](microsoft-defender-antivirus/microsoft-defender-offline.md)
-
-##### [Restore quarantined files](microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md)
-
-##### [Manage scans and remediation]()
-###### [Management overview](microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
-
-###### [Configure and validate exclusions in antivirus scans]()
-###### [Exclusions overview](microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md)
-###### [Configure and validate exclusions based on file name, extension, and folder location](microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md)
-###### [Configure and validate exclusions for files opened by processes](microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
-###### [Configure antivirus exclusions on Windows Server](microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md)
-
-###### [Configure scanning options](microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md)
-
-##### [Configure remediation for scans](microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md)
-###### [Configure remediation for scans](microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md)
-###### [Configure scheduled scans](microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md)
-###### [Configure and run scans](microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md)
-###### [Review scan results](microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md)
-###### [Run and review the results of an offline scan](microsoft-defender-antivirus/microsoft-defender-offline.md)
-###### [Restore quarantined files](microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md)
-
-#### [Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md)
-#### [Better together: Microsoft Defender Antivirus and Office 365](microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md)
-
-## Reference
-
-### [Troubleshoot Microsoft Defender Antivirus]()
-
-#### [Troubleshoot Microsoft Defender Antivirus issues](microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md)
-#### [Troubleshoot Microsoft Defender Antivirus migration issues](microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md)
-
-
-## [Security intelligence](intelligence/index.md)
-### [Understand malware & other threats](intelligence/understanding-malware.md)
-#### [Prevent malware infection](intelligence/prevent-malware-infection.md)
-#### [Malware names](intelligence/malware-naming.md)
-#### [Coin miners](intelligence/coinminer-malware.md)
-#### [Exploits and exploit kits](intelligence/exploits-malware.md)
-#### [Fileless threats](intelligence/fileless-threats.md)
-#### [Macro malware](intelligence/macro-malware.md)
-#### [Phishing](intelligence/phishing.md)
-#### [Ransomware](intelligence/ransomware-malware.md)
-#### [Rootkits](intelligence/rootkits-malware.md)
-#### [Supply chain attacks](intelligence/supply-chain-malware.md)
-#### [Tech support scams](intelligence/support-scams.md)
-#### [Trojans](intelligence/trojans-malware.md)
-#### [Unwanted software](intelligence/unwanted-software.md)
-#### [Worms](intelligence/worms-malware.md)
-### [How Microsoft identifies malware and PUA](intelligence/criteria.md)
-### [Submit files for analysis](intelligence/submission-guide.md)
-### [Safety Scanner download](intelligence/safety-scanner-download.md)
-### [Industry collaboration programs](intelligence/cybersecurity-industry-partners.md)
-#### [Virus information alliance](intelligence/virus-information-alliance-criteria.md)
-#### [Microsoft virus initiative](intelligence/virus-initiative-criteria.md)
-#### [Coordinated malware eradication](intelligence/coordinated-malware-eradication.md)
-### [Information for developers]()
-#### [Software developer FAQ](intelligence/developer-faq.md)
-#### [Software developer resources](intelligence/developer-resources.md)
-
-## Windows Certifications
-
-### [FIPS 140 Validations](fips-140-validation.md)
-### [Common Criteria Certifications](windows-platform-common-criteria.md)
-
-
-## More Windows 10 security
-
-### [The Windows Security app](windows-defender-security-center/windows-defender-security-center.md)
-#### [Customize the Windows Security app for your organization](windows-defender-security-center/wdsc-customize-contact-information.md)
-#### [Hide Windows Security app notifications](windows-defender-security-center/wdsc-hide-notifications.md)
-#### [Manage Windows Security app in Windows 10 in S mode](windows-defender-security-center/wdsc-windows-10-in-s-mode.md)
-#### [Virus and threat protection](windows-defender-security-center/wdsc-virus-threat-protection.md)
-#### [Account protection](windows-defender-security-center/wdsc-account-protection.md)
-#### [Firewall and network protection](windows-defender-security-center/wdsc-firewall-network-protection.md)
-#### [App and browser control](windows-defender-security-center/wdsc-app-browser-control.md)
-#### [Device security](windows-defender-security-center/wdsc-device-security.md)
-#### [Device performance and health](windows-defender-security-center/wdsc-device-performance-health.md)
-#### [Family options](windows-defender-security-center/wdsc-family-options.md)
-
-
-### [Microsoft Defender SmartScreen](microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md)
-#### [Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings](microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md)
-#### [Set up and use Microsoft Defender SmartScreen on individual devices](microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md)
-
-
-### [Windows Sandbox](windows-sandbox/windows-sandbox-overview.md)
-#### [Windows Sandbox architecture](windows-sandbox/windows-sandbox-architecture.md)
-#### [Windows Sandbox configuration](windows-sandbox/windows-sandbox-configure-using-wsb-file.md)
-
-### [Windows Defender Device Guard: virtualization-based security and WDAC](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
-
-### [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
-
-### [Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md)
-
-### [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md)
-
-### [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-intrusion-detection.md)
-
-### [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md)
-
-### [Security auditing](auditing/security-auditing-overview.md)
-
-#### [Basic security audit policies](auditing/basic-security-audit-policies.md)
-##### [Create a basic audit policy for an event category](auditing/create-a-basic-audit-policy-settings-for-an-event-category.md)
-##### [Apply a basic audit policy on a file or folder](auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md)
-##### [View the security event log](auditing/view-the-security-event-log.md)
-
-##### [Basic security audit policy settings](auditing/basic-security-audit-policy-settings.md)
-###### [Audit account logon events](auditing/basic-audit-account-logon-events.md)
-###### [Audit account management](auditing/basic-audit-account-management.md)
-###### [Audit directory service access](auditing/basic-audit-directory-service-access.md)
-###### [Audit logon events](auditing/basic-audit-logon-events.md)
-###### [Audit object access](auditing/basic-audit-object-access.md)
-###### [Audit policy change](auditing/basic-audit-policy-change.md)
-###### [Audit privilege use](auditing/basic-audit-privilege-use.md)
-###### [Audit process tracking](auditing/basic-audit-process-tracking.md)
-###### [Audit system events](auditing/basic-audit-system-events.md)
-
-#### [Advanced security audit policies](auditing/advanced-security-auditing.md)
-##### [Planning and deploying advanced security audit policies](auditing/planning-and-deploying-advanced-security-audit-policies.md)
-##### [Advanced security auditing FAQ](auditing/advanced-security-auditing-faq.md)
-###### [Which editions of Windows support advanced audit policy configuration](auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md)
-###### [How to list XML elements in \
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Member Server | IF | No | IF | No | IF - Enable this subcategory if you need to test or troubleshoot Dynamic Access Control Proposed [Central Access Policies](https://technet.microsoft.com/library/hh831425.aspx).
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Workstation | IF | No | IF | No | IF - Enable this subcategory if you need to test or troubleshoot Dynamic Access Control Proposed [Central Access Policies](https://technet.microsoft.com/library/hh831425.aspx).
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
+| Domain Controller | IF | No | IF | No | IF - Enable this subcategory if you need to test or troubleshoot Dynamic Access Control Proposed [Central Access Policies](/windows-server/identity/solution-guides/scenario--central-access-policy).
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
+| Member Server | IF | No | IF | No | IF - Enable this subcategory if you need to test or troubleshoot Dynamic Access Control Proposed [Central Access Policies](/windows-server/identity/solution-guides/scenario--central-access-policy).
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
+| Workstation | IF | No | IF | No | IF - Enable this subcategory if you need to test or troubleshoot Dynamic Access Control Proposed [Central Access Policies](/windows-server/identity/solution-guides/scenario--central-access-policy).
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
-- [4818](event-4818.md)(S): Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.
-
+- [4818](event-4818.md)(S): Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/audit-certification-services.md b/windows/security/threat-protection/auditing/audit-certification-services.md
index 24af233cc3..82fe1eac16 100644
--- a/windows/security/threat-protection/auditing/audit-certification-services.md
+++ b/windows/security/threat-protection/auditing/audit-certification-services.md
@@ -55,9 +55,9 @@ Role-specific subcategories are outside the scope of this document.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | IF | IF | IF | IF | IF – if a server has the [Active Directory Certificate Services](https://technet.microsoft.com/windowsserver/dd448615.aspx) (AD CS) role installed and you need to monitor AD CS related events, enable this subcategory. |
-| Member Server | IF | IF | IF | IF | IF – if a server has the [Active Directory Certificate Services](https://technet.microsoft.com/windowsserver/dd448615.aspx) (AD CS) role installed and you need to monitor AD CS related events, enable this subcategory. |
-| Workstation | No | No | No | No | [Active Directory Certificate Services](https://technet.microsoft.com/windowsserver/dd448615.aspx) (AD CS) role cannot be installed on client OS. |
+| Domain Controller | IF | IF | IF | IF | IF – if a server has the [Active Directory Certificate Services](/windows/deployment/deploy-whats-new) (AD CS) role installed and you need to monitor AD CS related events, enable this subcategory. |
+| Member Server | IF | IF | IF | IF | IF – if a server has the [Active Directory Certificate Services](/windows/deployment/deploy-whats-new) (AD CS) role installed and you need to monitor AD CS related events, enable this subcategory. |
+| Workstation | No | No | No | No | [Active Directory Certificate Services](/windows/deployment/deploy-whats-new) (AD CS) role cannot be installed on client OS. |
- 4868: The certificate manager denied a pending certificate request.
@@ -119,4 +119,4 @@ Role-specific subcategories are outside the scope of this document.
- 4897: Role separation enabled.
-- 4898: Certificate Services loaded a template.
+- 4898: Certificate Services loaded a template.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/audit-directory-service-access.md b/windows/security/threat-protection/auditing/audit-directory-service-access.md
index db603d8330..608ddbfc4f 100644
--- a/windows/security/threat-protection/auditing/audit-directory-service-access.md
+++ b/windows/security/threat-protection/auditing/audit-directory-service-access.md
@@ -30,7 +30,7 @@ This subcategory allows you to audit when an Active Directory Domain Services (A
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | No | Yes | No | Yes | It is better to track changes to Active Directory objects through the [Audit Directory Service Changes](audit-directory-service-changes.md) subcategory. However, [Audit Directory Service Changes](audit-directory-service-changes.md) doesn’t give you information about failed access attempts, so we recommend Failure auditing in this subcategory to track failed access attempts to Active Directory objects.
For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections. Also, develop an Active Directory auditing policy ([SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx) design for specific classes, operation types which need to be monitored for specific Organizational Units, and so on) so you can audit only the access attempts that are made to specific important objects. |
+| Domain Controller | No | Yes | No | Yes | It is better to track changes to Active Directory objects through the [Audit Directory Service Changes](audit-directory-service-changes.md) subcategory. However, [Audit Directory Service Changes](audit-directory-service-changes.md) doesn’t give you information about failed access attempts, so we recommend Failure auditing in this subcategory to track failed access attempts to Active Directory objects.
For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections. Also, develop an Active Directory auditing policy ([SACL](/windows/win32/secauthz/access-control-lists) design for specific classes, operation types which need to be monitored for specific Organizational Units, and so on) so you can audit only the access attempts that are made to specific important objects. |
| Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. |
| Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. |
@@ -38,5 +38,4 @@ This subcategory allows you to audit when an Active Directory Domain Services (A
- [4662](event-4662.md)(S, F): An operation was performed on an object.
-- [4661](event-4661.md)(S, F): A handle to an object was requested.
-
+- [4661](event-4661.md)(S, F): A handle to an object was requested.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/audit-directory-service-changes.md b/windows/security/threat-protection/auditing/audit-directory-service-changes.md
index f81b20e2a5..2141bbae5e 100644
--- a/windows/security/threat-protection/auditing/audit-directory-service-changes.md
+++ b/windows/security/threat-protection/auditing/audit-directory-service-changes.md
@@ -26,7 +26,7 @@ Audit Directory Service Changes determines whether the operating system generate
Auditing of directory service objects can provide information about the old and new properties of the objects that were changed.
-Audit events are generated only for objects with configured system access control lists ([SACLs](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx)), and only when they are accessed in a manner that matches their [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx) settings. Some objects and properties do not cause audit events to be generated due to settings on the object class in the schema.
+Audit events are generated only for objects with configured system access control lists ([SACLs](/windows/win32/secauthz/access-control-lists)), and only when they are accessed in a manner that matches their [SACL](/windows/win32/secauthz/access-control-lists) settings. Some objects and properties do not cause audit events to be generated due to settings on the object class in the schema.
This subcategory only logs events on domain controllers.
@@ -36,7 +36,7 @@ This subcategory triggers events when an Active Directory object was modified, c
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | Yes | No | Yes | No | It is important to track actions related to high value or critical Active Directory objects, for example, changes to [AdminSDHolder](https://technet.microsoft.com/magazine/2009.09.sdadminholder.aspx) container or Domain Admins group objects.
This subcategory shows you what actions were performed. If you want to track failed access attempts for Active Directory objects you need to take a look at [Audit Directory Service Access](audit-directory-service-access.md) subcategory.
For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections. Also, develop an Active Directory auditing policy ([SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx) design for specific classes, operation types which need to be monitored for specific Organizational Units, and so on) so you can audit only the access attempts that are made to specific important objects.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
+| Domain Controller | Yes | No | Yes | No | It is important to track actions related to high value or critical Active Directory objects, for example, changes to [AdminSDHolder](/previous-versions/technet-magazine/ee361593(v=msdn.10)) container or Domain Admins group objects.
This subcategory shows you what actions were performed. If you want to track failed access attempts for Active Directory objects you need to take a look at [Audit Directory Service Access](audit-directory-service-access.md) subcategory.
For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections. Also, develop an Active Directory auditing policy ([SACL](/windows/win32/secauthz/access-control-lists) design for specific classes, operation types which need to be monitored for specific Organizational Units, and so on) so you can audit only the access attempts that are made to specific important objects.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. |
| Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. |
@@ -50,5 +50,4 @@ This subcategory triggers events when an Active Directory object was modified, c
- [5139](event-5139.md)(S): A directory service object was moved.
-- [5141](event-5141.md)(S): A directory service object was deleted.
-
+- [5141](event-5141.md)(S): A directory service object was deleted.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/audit-dpapi-activity.md b/windows/security/threat-protection/auditing/audit-dpapi-activity.md
index 7c346e1e52..9661ffe602 100644
--- a/windows/security/threat-protection/auditing/audit-dpapi-activity.md
+++ b/windows/security/threat-protection/auditing/audit-dpapi-activity.md
@@ -22,7 +22,7 @@ ms.technology: mde
- Windows Server 2016
-Audit [DPAPI](https://msdn.microsoft.com/library/ms995355.aspx) Activity determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface ([DPAPI](https://msdn.microsoft.com/library/ms995355.aspx)).
+Audit [DPAPI](/previous-versions/ms995355(v=msdn.10)) Activity determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface ([DPAPI](/previous-versions/ms995355(v=msdn.10))).
**Event volume**: Low.
@@ -40,5 +40,4 @@ Audit [DPAPI](https://msdn.microsoft.com/library/ms995355.aspx) Activity determi
- [4694](event-4694.md)(S, F): Protection of auditable protected data was attempted.
-- [4695](event-4695.md)(S, F): Unprotection of auditable protected data was attempted.
-
+- [4695](event-4695.md)(S, F): Unprotection of auditable protected data was attempted.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/audit-file-system.md b/windows/security/threat-protection/auditing/audit-file-system.md
index ef4138dc66..98f61fc786 100644
--- a/windows/security/threat-protection/auditing/audit-file-system.md
+++ b/windows/security/threat-protection/auditing/audit-file-system.md
@@ -22,19 +22,19 @@ ms.technology: mde
- Windows Server 2016
> [!NOTE]
-> For more details about applicability on older operating system versions, read the article [Audit File System](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319068(v=ws.11)).
+> For more details about applicability on older operating system versions, read the article [Audit File System](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319068(v=ws.11)).
Audit File System determines whether the operating system generates audit events when users attempt to access file system objects.
-Audit events are generated only for objects that have configured system access control lists ([SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx)s), and only if the type of access requested (such as Write, Read, or Modify) and the account making the request match the settings in the [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx).
+Audit events are generated only for objects that have configured system access control lists ([SACL](/windows/win32/secauthz/access-control-lists)s), and only if the type of access requested (such as Write, Read, or Modify) and the account making the request match the settings in the [SACL](/windows/win32/secauthz/access-control-lists).
If success auditing is enabled, an audit entry is generated each time any account successfully accesses a file system object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a file system object that has a matching SACL.
These events are essential for tracking activity for file objects that are sensitive or valuable and require extra monitoring.
-**Event volume**: Varies, depending on how file system [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx)s are configured.
+**Event volume**: Varies, depending on how file system [SACL](/windows/win32/secauthz/access-control-lists)s are configured.
-No audit events are generated for the default file system [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx)s.
+No audit events are generated for the default file system [SACL](/windows/win32/secauthz/access-control-lists)s.
This subcategory allows you to audit user attempts to access file system objects, file system object deletion and permissions change operations and hard link creation actions.
@@ -42,7 +42,7 @@ Only one event, “[4658](event-4658.md): The handle to an object was closed,”
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | IF | IF | IF | IF | We strongly recommend that you develop a File System Security Monitoring policy and define appropriate [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx)s for file system objects for different operating system templates and roles. Do not enable this subcategory if you have not planned how to use and analyze the collected information. It is also important to delete non-effective, excess [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx)s. Otherwise the auditing log will be overloaded with useless information.
Failure events can show you unsuccessful attempts to access specific file system objects.
Consider enabling this subcategory for critical computers first, after you develop a File System Security Monitoring policy for them. |
+| Domain Controller | IF | IF | IF | IF | We strongly recommend that you develop a File System Security Monitoring policy and define appropriate [SACL](/windows/win32/secauthz/access-control-lists)s for file system objects for different operating system templates and roles. Do not enable this subcategory if you have not planned how to use and analyze the collected information. It is also important to delete non-effective, excess [SACL](/windows/win32/secauthz/access-control-lists)s. Otherwise the auditing log will be overloaded with useless information.
Failure events can show you unsuccessful attempts to access specific file system objects.
Consider enabling this subcategory for critical computers first, after you develop a File System Security Monitoring policy for them. |
| Member Server | IF | IF | IF | IF | |
| Workstation | IF | IF | IF | IF | |
@@ -62,4 +62,4 @@ Only one event, “[4658](event-4658.md): The handle to an object was closed,”
- [5051](event-5051.md)(-): A file was virtualized.
-- [4670](event-4670.md)(S): Permissions on an object were changed.
+- [4670](event-4670.md)(S): Permissions on an object were changed.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md b/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md
index e45f321af3..e4829f1e56 100644
--- a/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md
+++ b/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md
@@ -22,7 +22,7 @@ ms.technology: mde
- Windows Server 2016
-Audit Filtering Platform Connection determines whether the operating system generates audit events when connections are allowed or blocked by the [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510(v=vs.85).aspx).
+Audit Filtering Platform Connection determines whether the operating system generates audit events when connections are allowed or blocked by the [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page).
Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs).
@@ -54,5 +54,4 @@ This subcategory contains Windows Filtering Platform events about blocked and al
- [5158](event-5158.md)(S): The Windows Filtering Platform has permitted a bind to a local port.
-- [5159](event-5159.md)(F): The Windows Filtering Platform has blocked a bind to a local port.
-
+- [5159](event-5159.md)(F): The Windows Filtering Platform has blocked a bind to a local port.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md b/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md
index fabd2a6b86..d6131681ec 100644
--- a/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md
+++ b/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md
@@ -22,7 +22,7 @@ ms.technology: mde
- Windows Server 2016
-Audit Filtering Platform Packet Drop determines whether the operating system generates audit events when packets are dropped by the [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510(v=vs.85).aspx).
+Audit Filtering Platform Packet Drop determines whether the operating system generates audit events when packets are dropped by the [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page).
Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs).
@@ -40,5 +40,4 @@ A high rate of dropped packets *may* indicate that there have been attempts to g
- [5152](event-5152.md)(F): The Windows Filtering Platform blocked a packet.
-- [5153](event-5153.md)(S): A more restrictive Windows Filtering Platform filter has blocked a packet.
-
+- [5153](event-5153.md)(S): A more restrictive Windows Filtering Platform filter has blocked a packet.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md
index 72b892151f..b3a9837cd5 100644
--- a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md
@@ -21,7 +21,7 @@ ms.technology: mde
- Windows 10
- Windows Server 2016
-Audit Filtering Platform Policy Change allows you to audit events generated by changes to the [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510(v=vs.85).aspx) (WFP), such as the following:
+Audit Filtering Platform Policy Change allows you to audit events generated by changes to the [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page) (WFP), such as the following:
- IPsec services status.
@@ -111,4 +111,4 @@ Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to
- 5474(F): PAStore Engine failed to load directory storage IPsec policy on the computer.
-- 5477(F): PAStore Engine failed to add quick mode filter.
+- 5477(F): PAStore Engine failed to add quick mode filter.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md b/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md
index 555de3229e..3bbaa165ef 100644
--- a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md
+++ b/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md
@@ -32,7 +32,7 @@ This subcategory contains events about issued TGSs and failed TGS requests.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | IF | Yes | Yes | Yes | Expected volume is very high on domain controllers.
IF - We recommend Success auditing, because you will see all Kerberos Service Ticket requests (TGS requests), which are part of service use and access requests by specific accounts. Also, you can see the IP address from which this account requested TGS, when TGS was requested, which encryption type was used, and so on. For recommendations for using and analyzing the collected information, see our [***Security Monitoring Recommendations***](https://docs.microsoft.com/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events).
We recommend Failure auditing, because you will see all failed requests and be able to investigate the reason for failure. You will also be able to detect Kerberos issues or possible attack attempts. |
+| Domain Controller | IF | Yes | Yes | Yes | Expected volume is very high on domain controllers.
IF - We recommend Success auditing, because you will see all Kerberos Service Ticket requests (TGS requests), which are part of service use and access requests by specific accounts. Also, you can see the IP address from which this account requested TGS, when TGS was requested, which encryption type was used, and so on. For recommendations for using and analyzing the collected information, see our [***Security Monitoring Recommendations***](./appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
We recommend Failure auditing, because you will see all failed requests and be able to investigate the reason for failure. You will also be able to detect Kerberos issues or possible attack attempts. |
| Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. |
| Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. |
@@ -42,4 +42,4 @@ This subcategory contains events about issued TGSs and failed TGS requests.
- [4770](event-4770.md)(S): A Kerberos service ticket was renewed.
-- [4773](event-4773.md)(F): A Kerberos service ticket request failed.
+- [4773](event-4773.md)(F): A Kerberos service ticket request failed.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/audit-kernel-object.md b/windows/security/threat-protection/auditing/audit-kernel-object.md
index 35d10b40fa..f93ad96e33 100644
--- a/windows/security/threat-protection/auditing/audit-kernel-object.md
+++ b/windows/security/threat-protection/auditing/audit-kernel-object.md
@@ -24,11 +24,11 @@ ms.technology: mde
Audit Kernel Object determines whether the operating system generates audit events when users attempt to access the system kernel, which includes mutexes and semaphores.
-Only kernel objects with a matching system access control list ([SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx)) generate security audit events. The audits generated are usually useful only to developers.
+Only kernel objects with a matching system access control list ([SACL](/windows/win32/secauthz/access-control-lists)) generate security audit events. The audits generated are usually useful only to developers.
Typically, kernel objects are given SACLs only if the AuditBaseObjects or AuditBaseDirectories auditing options are enabled.
-The “[Audit: Audit the access of global system objects](https://technet.microsoft.com/library/jj852233.aspx)” policy setting controls the default SACL of kernel objects.
+The “[Audit: Audit the access of global system objects](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852233(v=ws.11))” policy setting controls the default SACL of kernel objects.
**Event volume**: High.
@@ -46,7 +46,4 @@ The “[Audit: Audit the access of global system objects](https://technet.micros
- [4660](event-4660.md)(S): An object was deleted.
-- [4663](event-4663.md)(S): An attempt was made to access an object.
-
-
-
+- [4663](event-4663.md)(S): An attempt was made to access an object.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/audit-network-policy-server.md b/windows/security/threat-protection/auditing/audit-network-policy-server.md
index 78f17fb1a1..d6ac9d53e5 100644
--- a/windows/security/threat-protection/auditing/audit-network-policy-server.md
+++ b/windows/security/threat-protection/auditing/audit-network-policy-server.md
@@ -29,15 +29,15 @@ This subcategory generates events only if NAS or IAS role is installed on the se
NAP events can be used to help understand the overall health of the network.
-**Event volume**: Medium to High on servers that are running [Network Policy Server](https://msdn.microsoft.com/library/cc732912.aspx) (NPS).
+**Event volume**: Medium to High on servers that are running [Network Policy Server](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732912(v=ws.11)) (NPS).
Role-specific subcategories are outside the scope of this document.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------|
-| Domain Controller | IF | IF | IF | IF | IF – if a server has the [Network Policy Server](https://msdn.microsoft.com/library/cc732912.aspx) (NPS) role installed and you need to monitor access requests and other NPS-related events, enable this subcategory. |
-| Member Server | IF | IF | IF | IF | IF – if a server has the [Network Policy Server](https://msdn.microsoft.com/library/cc732912.aspx) (NPS) role installed and you need to monitor access requests and other NPS-related events, enable this subcategory. |
-| Workstation | No | No | No | No | [Network Policy Server](https://msdn.microsoft.com/library/cc732912.aspx) (NPS) role cannot be installed on client OS. |
+| Domain Controller | IF | IF | IF | IF | IF – if a server has the [Network Policy Server](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732912(v=ws.11)) (NPS) role installed and you need to monitor access requests and other NPS-related events, enable this subcategory. |
+| Member Server | IF | IF | IF | IF | IF – if a server has the [Network Policy Server](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732912(v=ws.11)) (NPS) role installed and you need to monitor access requests and other NPS-related events, enable this subcategory. |
+| Workstation | No | No | No | No | [Network Policy Server](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732912(v=ws.11)) (NPS) role cannot be installed on client OS. |
- 6272: Network Policy Server granted access to a user.
@@ -55,4 +55,4 @@ Role-specific subcategories are outside the scope of this document.
- 6279: Network Policy Server locked the user account due to repeated failed authentication attempts.
-- 6280: Network Policy Server unlocked the user account.
+- 6280: Network Policy Server unlocked the user account.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md b/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md
index d50fe53957..c123e22ef8 100644
--- a/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md
@@ -44,9 +44,9 @@ Logon events are essential to understanding user activity and detecting potentia
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | Yes | Yes | Yes | Yes | We recommend Success auditing, to track possible Kerberos replay attacks, terminal session connect and disconnect actions, network authentication events, and some other events. Volume of these events is typically very low.
Failure events will show you when requested credentials [CredSSP](https://msdn.microsoft.com/library/cc226764.aspx) delegation was disallowed by policy. The volume of these events is very low—typically you will not get any of these events. |
-| Member Server | Yes | Yes | Yes | Yes | We recommend Success auditing, to track possible terminal session connect and disconnect actions, network authentication events, and some other events. Volume of these events is typically very low.
Failure events will show you when requested credentials [CredSSP](https://msdn.microsoft.com/library/cc226764.aspx) delegation was disallowed by policy. The volume of these events is very low—typically you will not get any of these events. |
-| Workstation | Yes | Yes | Yes | Yes | We recommend Success auditing, to track possible terminal session connect and disconnect actions, network authentication events, and some other events. Volume of these events is typically very low.
Failure events will show you when requested credentials [CredSSP](https://msdn.microsoft.com/library/cc226764.aspx) delegation was disallowed by policy. The volume of these events is very low—typically you will not get any of these events. |
+| Domain Controller | Yes | Yes | Yes | Yes | We recommend Success auditing, to track possible Kerberos replay attacks, terminal session connect and disconnect actions, network authentication events, and some other events. Volume of these events is typically very low.
Failure events will show you when requested credentials [CredSSP](/openspecs/windows_protocols/ms-cssp/85f57821-40bb-46aa-bfcb-ba9590b8fc30) delegation was disallowed by policy. The volume of these events is very low—typically you will not get any of these events. |
+| Member Server | Yes | Yes | Yes | Yes | We recommend Success auditing, to track possible terminal session connect and disconnect actions, network authentication events, and some other events. Volume of these events is typically very low.
Failure events will show you when requested credentials [CredSSP](/openspecs/windows_protocols/ms-cssp/85f57821-40bb-46aa-bfcb-ba9590b8fc30) delegation was disallowed by policy. The volume of these events is very low—typically you will not get any of these events. |
+| Workstation | Yes | Yes | Yes | Yes | We recommend Success auditing, to track possible terminal session connect and disconnect actions, network authentication events, and some other events. Volume of these events is typically very low.
Failure events will show you when requested credentials [CredSSP](/openspecs/windows_protocols/ms-cssp/85f57821-40bb-46aa-bfcb-ba9590b8fc30) delegation was disallowed by policy. The volume of these events is very low—typically you will not get any of these events. |
**Events List:**
@@ -68,5 +68,4 @@ Logon events are essential to understanding user activity and detecting potentia
- [5632](event-5632.md)(S): A request was made to authenticate to a wireless network.
-- [5633](event-5633.md)(S): A request was made to authenticate to a wired network.
-
+- [5633](event-5633.md)(S): A request was made to authenticate to a wired network.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/audit-registry.md b/windows/security/threat-protection/auditing/audit-registry.md
index 8b5fa48820..70a672e969 100644
--- a/windows/security/threat-protection/auditing/audit-registry.md
+++ b/windows/security/threat-protection/auditing/audit-registry.md
@@ -22,7 +22,7 @@ ms.technology: mde
- Windows Server 2016
-Audit Registry allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists ([SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx)s) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL.
+Audit Registry allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists ([SACL](/windows/win32/secauthz/access-control-lists)s) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL.
If success auditing is enabled, an audit entry is generated each time any account successfully accesses a registry object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a registry object that has a matching SACL.
@@ -30,7 +30,7 @@ If success auditing is enabled, an audit entry is generated each time any accoun
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | IF | IF | IF | IF | We strongly recommend that you develop a Registry Objects Security Monitoring policy and define appropriate [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx)s for registry objects for different operating system templates and roles. Do not enable this subcategory if you have not planned how to use and analyze the collected information. It is also important to delete non-effective, excess [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx)s. Otherwise the auditing log will be overloaded with useless information.
Failure events can show you unsuccessful attempts to access specific registry objects.
Consider enabling this subcategory for critical computers first, after you develop a Registry Objects Security Monitoring policy for them. |
+| Domain Controller | IF | IF | IF | IF | We strongly recommend that you develop a Registry Objects Security Monitoring policy and define appropriate [SACL](/windows/win32/secauthz/access-control-lists)s for registry objects for different operating system templates and roles. Do not enable this subcategory if you have not planned how to use and analyze the collected information. It is also important to delete non-effective, excess [SACL](/windows/win32/secauthz/access-control-lists)s. Otherwise the auditing log will be overloaded with useless information.
Failure events can show you unsuccessful attempts to access specific registry objects.
Consider enabling this subcategory for critical computers first, after you develop a Registry Objects Security Monitoring policy for them. |
| Member Server | IF | IF | IF | IF | |
| Workstation | IF | IF | IF | IF | |
@@ -48,5 +48,4 @@ If success auditing is enabled, an audit entry is generated each time any accoun
- [5039](event-5039.md)(-): A registry key was virtualized.
-- [4670](event-4670.md)(S): Permissions on an object were changed.
-
+- [4670](event-4670.md)(S): Permissions on an object were changed.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/audit-removable-storage.md b/windows/security/threat-protection/auditing/audit-removable-storage.md
index d09d98cb1d..b0ec0466fe 100644
--- a/windows/security/threat-protection/auditing/audit-removable-storage.md
+++ b/windows/security/threat-protection/auditing/audit-removable-storage.md
@@ -22,7 +22,7 @@ ms.technology: mde
- Windows Server 2016
-Audit Removable Storage allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated for all objects and all types of access requested, with no dependency on object’s [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx).
+Audit Removable Storage allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated for all objects and all types of access requested, with no dependency on object’s [SACL](/windows/win32/secauthz/access-control-lists).
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
@@ -36,7 +36,4 @@ Audit Removable Storage allows you to audit user attempts to access file system
- [4658](event-4658.md)(S): The handle to an object was closed.
-- [4663](event-4663.md)(S): An attempt was made to access an object.
-
-
-
+- [4663](event-4663.md)(S): An attempt was made to access an object.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/audit-sam.md b/windows/security/threat-protection/auditing/audit-sam.md
index 2d23fcdcce..022b451082 100644
--- a/windows/security/threat-protection/auditing/audit-sam.md
+++ b/windows/security/threat-protection/auditing/audit-sam.md
@@ -22,7 +22,7 @@ ms.technology: mde
- Windows Server 2016
-Audit SAM, which enables you to audit events that are generated by attempts to access Security Account Manager ([SAM](https://technet.microsoft.com/library/cc756748(v=ws.10).aspx)) objects.
+Audit SAM, which enables you to audit events that are generated by attempts to access Security Account Manager ([SAM](/previous-versions/windows/it-pro/windows-server-2003/cc756748(v=ws.10))) objects.
The Security Account Manager (SAM) is a database that is present on computers running Windows operating systems that stores user accounts and security descriptors for users on the local computer.
@@ -40,7 +40,7 @@ The Security Account Manager (SAM) is a database that is present on computers ru
If you configure this policy setting, an audit event is generated when a SAM object is accessed. Success audits record successful attempts, and failure audits record unsuccessful attempts.
-Only a [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx) for SAM\_SERVER can be modified.
+Only a [SACL](/windows/win32/secauthz/access-control-lists) for SAM\_SERVER can be modified.
Changes to user and group objects are tracked by the Account Management audit category. However, user accounts with enough privileges could potentially alter the files in which the account and password information is stored in the system, bypassing any Account Management events.
@@ -50,10 +50,10 @@ For information about reducing the number of events generated in this subcategor
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at [Security Account Manager](https://technet.microsoft.com/library/cc756748(v=ws.10).aspx) level. |
-| Member Server | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at [Security Account Manager](https://technet.microsoft.com/library/cc756748(v=ws.10).aspx) level. |
-| Workstation | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at [Security Account Manager](https://technet.microsoft.com/library/cc756748(v=ws.10).aspx) level. |
+| Domain Controller | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at [Security Account Manager](/previous-versions/windows/it-pro/windows-server-2003/cc756748(v=ws.10)) level. |
+| Member Server | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at [Security Account Manager](/previous-versions/windows/it-pro/windows-server-2003/cc756748(v=ws.10)) level. |
+| Workstation | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at [Security Account Manager](/previous-versions/windows/it-pro/windows-server-2003/cc756748(v=ws.10)) level. |
**Events List:**
-- [4661](event-4661.md)(S, F): A handle to an object was requested.
+- [4661](event-4661.md)(S, F): A handle to an object was requested.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md b/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md
index 2f23c9cbcc..fe6ad3206b 100644
--- a/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md
+++ b/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md
@@ -50,7 +50,7 @@ Audit Sensitive Privilege Use contains events that show the usage of sensitive p
- Take ownership of files or other objects
-The use of two privileges, “Back up files and directories” and “Restore files and directories,” generate events only if the “[Audit: Audit the use of Backup and Restore privilege](https://technet.microsoft.com/library/jj852206.aspx)” Group Policy setting is enabled on the computer or device. We do not recommend enabling this Group Policy setting because of the high number of events recorded.
+The use of two privileges, “Back up files and directories” and “Restore files and directories,” generate events only if the “[Audit: Audit the use of Backup and Restore privilege](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852206(v=ws.11))” Group Policy setting is enabled on the computer or device. We do not recommend enabling this Group Policy setting because of the high number of events recorded.
This subcategory also contains informational events from the file system Transaction Manager.
@@ -73,6 +73,4 @@ If you configure this policy setting, an audit event is generated when sensitive
- [4985](event-4985.md)(S): The state of a transaction has changed.
>[!NOTE]
-> The event “[4985](event-4985.md)(S): The state of a transaction has changed" from [Audit File System](audit-file-system.md) subcategory also generates in this subcategory. See description of event [4985](event-4985.md) in [Audit File System](audit-file-system.md) subcategory.
-
-
+> The event “[4985](event-4985.md)(S): The state of a transaction has changed" from [Audit File System](audit-file-system.md) subcategory also generates in this subcategory. See description of event [4985](event-4985.md) in [Audit File System](audit-file-system.md) subcategory.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/audit-special-logon.md b/windows/security/threat-protection/auditing/audit-special-logon.md
index b17dccbcb1..c852e45990 100644
--- a/windows/security/threat-protection/auditing/audit-special-logon.md
+++ b/windows/security/threat-protection/auditing/audit-special-logon.md
@@ -38,9 +38,9 @@ This subcategory allows you to audit events generated by special logons such as
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | Yes | No | Yes | No | This subcategory is very important because of [Special Groups](https://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx) related events, you must enable this subcategory for Success audit if you use this feature.
At the same time this subcategory allows you to track account logon sessions to which sensitive privileges were assigned.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Member Server | Yes | No | Yes | No | This subcategory is very important because of [Special Groups](https://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx) related events, you must enable this subcategory for Success audit if you use this feature.
At the same time this subcategory allows you to track account logon sessions to which sensitive privileges were assigned.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Workstation | Yes | No | Yes | No | This subcategory is very important because of [Special Groups](https://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx) related events, you must enable this subcategory for Success audit if you use this feature.
At the same time this subcategory allows you to track account logon sessions to which sensitive privileges were assigned.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
+| Domain Controller | Yes | No | Yes | No | This subcategory is very important because of [Special Groups](https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/special-groups-auditing-via-group-policy-preferences/ba-p/395095) related events, you must enable this subcategory for Success audit if you use this feature.
At the same time this subcategory allows you to track account logon sessions to which sensitive privileges were assigned.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
+| Member Server | Yes | No | Yes | No | This subcategory is very important because of [Special Groups](https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/special-groups-auditing-via-group-policy-preferences/ba-p/395095) related events, you must enable this subcategory for Success audit if you use this feature.
At the same time this subcategory allows you to track account logon sessions to which sensitive privileges were assigned.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
+| Workstation | Yes | No | Yes | No | This subcategory is very important because of [Special Groups](https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/special-groups-auditing-via-group-policy-preferences/ba-p/395095) related events, you must enable this subcategory for Success audit if you use this feature.
At the same time this subcategory allows you to track account logon sessions to which sensitive privileges were assigned.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
diff --git a/windows/security/threat-protection/auditing/audit-system-integrity.md b/windows/security/threat-protection/auditing/audit-system-integrity.md
index b461299ea0..f9be77c1eb 100644
--- a/windows/security/threat-protection/auditing/audit-system-integrity.md
+++ b/windows/security/threat-protection/auditing/audit-system-integrity.md
@@ -42,9 +42,9 @@ Violations of security subsystem integrity are critical and could indicate a pot
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | Yes | Yes | Yes | Yes | The main reason why we recommend Success auditing for this subcategory is to be able to get RPC integrity violation errors and auditing subsystem errors (event 4612). However, if you are planning to manually invoke “[4618](event-4618.md)(S): A monitored security event pattern has occurred”, then you also need to enable Success auditing for this subcategory.
The main reason why we recommend Failure auditing for this subcategory is to be able to get [Code Integrity](https://technet.microsoft.com/library/dd348642(v=ws.10).aspx) failure events. |
-| Member Server | Yes | Yes | Yes | Yes | The main reason why we recommend Success auditing for this subcategory is to be able to get RPC integrity violation errors and auditing subsystem errors (event 4612). However, if you are planning to manually invoke “[4618](event-4618.md)(S): A monitored security event pattern has occurred”, then you also need to enable Success auditing for this subcategory.
The main reason why we recommend Failure auditing for this subcategory is to be able to get [Code Integrity](https://technet.microsoft.com/library/dd348642(v=ws.10).aspx) failure events. |
-| Workstation | Yes | Yes | Yes | Yes | The main reason why we recommend Success auditing for this subcategory is to be able to get RPC integrity violation errors and auditing subsystem errors (event 4612). However, if you are planning to manually invoke “[4618](event-4618.md)(S): A monitored security event pattern has occurred”, then you also need to enable Success auditing for this subcategory.
The main reason why we recommend Failure auditing for this subcategory is to be able to get [Code Integrity](https://technet.microsoft.com/library/dd348642(v=ws.10).aspx) failure events. |
+| Domain Controller | Yes | Yes | Yes | Yes | The main reason why we recommend Success auditing for this subcategory is to be able to get RPC integrity violation errors and auditing subsystem errors (event 4612). However, if you are planning to manually invoke “[4618](event-4618.md)(S): A monitored security event pattern has occurred”, then you also need to enable Success auditing for this subcategory.
The main reason why we recommend Failure auditing for this subcategory is to be able to get [Code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) failure events. |
+| Member Server | Yes | Yes | Yes | Yes | The main reason why we recommend Success auditing for this subcategory is to be able to get RPC integrity violation errors and auditing subsystem errors (event 4612). However, if you are planning to manually invoke “[4618](event-4618.md)(S): A monitored security event pattern has occurred”, then you also need to enable Success auditing for this subcategory.
The main reason why we recommend Failure auditing for this subcategory is to be able to get [Code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) failure events. |
+| Workstation | Yes | Yes | Yes | Yes | The main reason why we recommend Success auditing for this subcategory is to be able to get RPC integrity violation errors and auditing subsystem errors (event 4612). However, if you are planning to manually invoke “[4618](event-4618.md)(S): A monitored security event pattern has occurred”, then you also need to enable Success auditing for this subcategory.
The main reason why we recommend Failure auditing for this subcategory is to be able to get [Code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) failure events. |
**Events List:**
@@ -70,5 +70,4 @@ Violations of security subsystem integrity are critical and could indicate a pot
- [6281](event-6281.md)(F): Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.
-- [6410](event-6410.md)(F): Code integrity determined that a file does not meet the security requirements to load into a process.
-
+- [6410](event-6410.md)(F): Code integrity determined that a file does not meet the security requirements to load into a process.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/audit-token-right-adjusted.md b/windows/security/threat-protection/auditing/audit-token-right-adjusted.md
index 266ab2e3c9..c53c887d1f 100644
--- a/windows/security/threat-protection/auditing/audit-token-right-adjusted.md
+++ b/windows/security/threat-protection/auditing/audit-token-right-adjusted.md
@@ -18,7 +18,7 @@ ms.technology: mde
Audit Token Right Adjusted allows you to audit events generated by adjusting the privileges of a token.
-For more information, see [Security Monitoring: A Possible New Way to Detect Privilege Escalation](https://blogs.technet.microsoft.com/nathangau/2018/01/25/security-monitoring-a-possible-new-way-to-detect-privilege-escalation/).
+For more information, see [Security Monitoring: A Possible New Way to Detect Privilege Escalation](/archive/blogs/nathangau/security-monitoring-a-possible-new-way-to-detect-privilege-escalation).
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
@@ -30,4 +30,4 @@ For more information, see [Security Monitoring: A Possible New Way to Detect Pri
- [4703](event-4703.md)(S): A user right was adjusted.
-**Event volume**: High.
+**Event volume**: High.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-1104.md b/windows/security/threat-protection/auditing/event-1104.md
index 8dbb841dce..8d6a8dfd16 100644
--- a/windows/security/threat-protection/auditing/event-1104.md
+++ b/windows/security/threat-protection/auditing/event-1104.md
@@ -29,7 +29,7 @@ ms.technology: mde
This event generates every time Windows security log becomes full.
-This event generates, for example, if the maximum size of Security Event Log file was reached and event log retention method is: “[Do not overwrite events (Clear logs manually)](https://technet.microsoft.com/library/cc778402(v=ws.10).aspx)”.
+This event generates, for example, if the maximum size of Security Event Log file was reached and event log retention method is: “[Do not overwrite events (Clear logs manually)](/previous-versions/windows/it-pro/windows-server-2003/cc778402(v=ws.10))”.
> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
@@ -69,5 +69,4 @@ This event generates, for example, if the maximum size of Security Event Log fil
## Security Monitoring Recommendations
-- If the Security event log retention method is set to “[Do not overwrite events (Clear logs manually)](https://technet.microsoft.com/library/cc778402(v=ws.10).aspx)”, then this event will indicate that log file is full and you need to perform immediate actions, for example, archive the log or clear it.
-
+- If the Security event log retention method is set to “[Do not overwrite events (Clear logs manually)](/previous-versions/windows/it-pro/windows-server-2003/cc778402(v=ws.10))”, then this event will indicate that log file is full and you need to perform immediate actions, for example, archive the log or clear it.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-1105.md b/windows/security/threat-protection/auditing/event-1105.md
index c08fa7be61..ca327249e4 100644
--- a/windows/security/threat-protection/auditing/event-1105.md
+++ b/windows/security/threat-protection/auditing/event-1105.md
@@ -29,7 +29,7 @@ ms.technology: mde
This event generates every time Windows security log becomes full and new event log file was created.
-This event generates, for example, if the maximum size of Security Event Log file was reached and event log retention method is: “[Archive the log when full, do not overwrite events](https://technet.microsoft.com/library/cc721981.aspx)”.
+This event generates, for example, if the maximum size of Security Event Log file was reached and event log retention method is: “[Archive the log when full, do not overwrite events](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc721981(v=ws.11))”.
> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
@@ -100,5 +100,4 @@ The time in this event is always in ***GMT+0/UTC+0*** time zone.
For 1105(S): Event log automatic backup.
-- Typically it’s an informational event and no actions are needed. But if your baseline settings are not set to [Archive the log when full, do not overwrite events](https://technet.microsoft.com/library/cc721981.aspx), then this event will be a sign that some settings are not set to baseline settings or were changed.
-
+- Typically it’s an informational event and no actions are needed. But if your baseline settings are not set to [Archive the log when full, do not overwrite events](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc721981(v=ws.11)), then this event will be a sign that some settings are not set to baseline settings or were changed.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-1108.md b/windows/security/threat-protection/auditing/event-1108.md
index cd3bf45ca4..440e411f38 100644
--- a/windows/security/threat-protection/auditing/event-1108.md
+++ b/windows/security/threat-protection/auditing/event-1108.md
@@ -77,7 +77,7 @@ For example, event 1108 might be generated after an incorrect [4703](event-4703.
***Field Descriptions:***
-**%1** \[Type = UnicodeString\]: the name of [security event source](https://msdn.microsoft.com/library/windows/desktop/aa363661(v=vs.85).aspx) from which event was received for processing. You can see all registered security event source names in this registry path: “HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\Security”. Here is an example:
+**%1** \[Type = UnicodeString\]: the name of [security event source](/windows/win32/eventlog/event-sources) from which event was received for processing. You can see all registered security event source names in this registry path: “HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\Security”. Here is an example:
@@ -85,5 +85,4 @@ For example, event 1108 might be generated after an incorrect [4703](event-4703.
For 1108(S): The event logging service encountered an error while processing an incoming event published from %1.
-- We recommend monitoring for all events of this type and checking what the cause of the error was.
-
+- We recommend monitoring for all events of this type and checking what the cause of the error was.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4610.md b/windows/security/threat-protection/auditing/event-4610.md
index b85a2d5918..aba324fd61 100644
--- a/windows/security/threat-protection/auditing/event-4610.md
+++ b/windows/security/threat-protection/auditing/event-4610.md
@@ -27,7 +27,7 @@ ms.technology: mde
***Event Description:***
-This event generates every time [Authentication Package](https://msdn.microsoft.com/library/windows/desktop/aa374733(v=vs.85).aspx) has been loaded by the Local Security Authority ([LSA](https://msdn.microsoft.com/library/windows/desktop/aa378326(v=vs.85).aspx)).
+This event generates every time [Authentication Package](/windows/win32/secauthn/authentication-packages) has been loaded by the Local Security Authority ([LSA](/windows/win32/secauthn/lsa-authentication)).
Each time the system starts, the LSA loads the Authentication Package DLLs from **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Authentication Packages** registry value and performs the initialization sequence for every package located in these DLLs.
@@ -69,9 +69,9 @@ Each time the system starts, the LSA loads the Authentication Package DLLs from
***Field Descriptions:***
-**Authentication Package Name** \[Type = UnicodeString\]**:** the name of loaded [Authentication Package](https://msdn.microsoft.com/library/windows/desktop/aa374733(v=vs.85).aspx). The format is: DLL\_PATH\_AND\_NAME: AUTHENTICATION\_PACKAGE\_NAME.
+**Authentication Package Name** \[Type = UnicodeString\]**:** the name of loaded [Authentication Package](/windows/win32/secauthn/authentication-packages). The format is: DLL\_PATH\_AND\_NAME: AUTHENTICATION\_PACKAGE\_NAME.
-By default the only one Authentication Package loaded by Windows 10 is “[MICROSOFT\_AUTHENTICATION\_PACKAGE\_V1\_0](https://msdn.microsoft.com/library/windows/desktop/aa378753(v=vs.85).aspx)”.
+By default the only one Authentication Package loaded by Windows 10 is “[MICROSOFT\_AUTHENTICATION\_PACKAGE\_V1\_0](/windows/win32/secauthn/msv1-0-authentication-package)”.
## Security Monitoring Recommendations
@@ -79,5 +79,4 @@ For 4610(S): An authentication package has been loaded by the Local Security Aut
- Report all “**Authentication Package Name**” not equals “C:\\Windows\\system32\\msv1\_0.DLL : MICROSOFT\_AUTHENTICATION\_PACKAGE\_V1\_0”, because by default this is the only Authentication Package loaded by Windows 10.
-- Typically this event has an informational purpose. If you have a pre-defined list of allowed Authentication Packages in the system, then you can check whether “**Authentication Package Name”** is in your defined list.
-
+- Typically this event has an informational purpose. If you have a pre-defined list of allowed Authentication Packages in the system, then you can check whether “**Authentication Package Name”** is in your defined list.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4611.md b/windows/security/threat-protection/auditing/event-4611.md
index c3174b766e..50583e6f70 100644
--- a/windows/security/threat-protection/auditing/event-4611.md
+++ b/windows/security/threat-protection/auditing/event-4611.md
@@ -27,7 +27,7 @@ ms.technology: mde
***Event Description:***
-This event indicates that a logon process has registered with the Local Security Authority ([LSA](https://msdn.microsoft.com/library/windows/desktop/aa378326(v=vs.85).aspx)). Also, logon requests will now be accepted from this source.
+This event indicates that a logon process has registered with the Local Security Authority ([LSA](/windows/win32/secauthn/lsa-authentication)). Also, logon requests will now be accepted from this source.
At the technical level, the event does not come from the registration of a trusted logon process, but from a confirmation that the process is a trusted logon process. If it is a trusted logon process, the event generates.
@@ -111,5 +111,4 @@ For 4611(S): A trusted logon process has been registered with the Local Security
- Typically this event has an informational purpose. If you defined the list of allowed Logon Processes in the system, then you can check is “**Logon Process Name”** field value in the allow list or not.
--
-
+-
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4614.md b/windows/security/threat-protection/auditing/event-4614.md
index 5bc966978c..ca4c161420 100644
--- a/windows/security/threat-protection/auditing/event-4614.md
+++ b/windows/security/threat-protection/auditing/event-4614.md
@@ -27,9 +27,9 @@ ms.technology: mde
***Event Description:***
-This event generates every time a Notification Package has been loaded by the [Security Account Manager](https://technet.microsoft.com/library/cc756748(v=ws.10).aspx).
+This event generates every time a Notification Package has been loaded by the [Security Account Manager](/previous-versions/windows/it-pro/windows-server-2003/cc756748(v=ws.10)).
-In reality, starting with Windows Vista, a notification package should be interpreted as afs [Password Filter](https://msdn.microsoft.com/library/windows/desktop/ms721882(v=vs.85).aspx).
+In reality, starting with Windows Vista, a notification package should be interpreted as afs [Password Filter](/windows/win32/secmgmt/password-filters).
Password Filters are DLLs that are loaded or called when passwords are set or changed.
@@ -79,5 +79,4 @@ Each time a system starts, it loads the notification package DLLs from **HKEY\_L
For 4614(S): A notification package has been loaded by the Security Account Manager.
-- Typically this event has an informational purpose. If you defined the list of allowed Notification Packages in the system, then you can check is “**Notification Package Name”** field value in the allow list or not.
-
+- Typically this event has an informational purpose. If you defined the list of allowed Notification Packages in the system, then you can check is “**Notification Package Name”** field value in the allow list or not.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4621.md b/windows/security/threat-protection/auditing/event-4621.md
index 8868b9b584..9ffb0fee15 100644
--- a/windows/security/threat-protection/auditing/event-4621.md
+++ b/windows/security/threat-protection/auditing/event-4621.md
@@ -21,7 +21,7 @@ ms.technology: mde
- Windows Server 2016
-This event is logged after a system reboots following [CrashOnAuditFail](https://technet.microsoft.com/library/cc963220.aspx?f=255&MSPPError=-2147217396). It generates when CrashOnAuditFail = 2.
+This event is logged after a system reboots following [CrashOnAuditFail](/previous-versions/windows/it-pro/windows-2000-server/cc963220(v=technet.10)?f=255&MSPPError=-2147217396). It generates when CrashOnAuditFail = 2.
There is no example of this event in this document.
@@ -43,7 +43,6 @@ There is no example of this event in this document.
## Security Monitoring Recommendations
-- We recommend triggering an alert for any occurrence of this event. The event shows that the system halted because it could not record an auditable event in the Security Log, as described in [CrashOnAuditFail](https://technet.microsoft.com/library/cc963220.aspx?f=255&MSPPError=-2147217396).
-
-- If your computers don’t have the [CrashOnAuditFail](https://technet.microsoft.com/library/cc963220.aspx?f=255&MSPPError=-2147217396) flag enabled, then this event will be a sign that some settings are not set to baseline settings or were changed.
+- We recommend triggering an alert for any occurrence of this event. The event shows that the system halted because it could not record an auditable event in the Security Log, as described in [CrashOnAuditFail](/previous-versions/windows/it-pro/windows-2000-server/cc963220(v=technet.10)?f=255&MSPPError=-2147217396).
+- If your computers don’t have the [CrashOnAuditFail](/previous-versions/windows/it-pro/windows-2000-server/cc963220(v=technet.10)?f=255&MSPPError=-2147217396) flag enabled, then this event will be a sign that some settings are not set to baseline settings or were changed.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4622.md b/windows/security/threat-protection/auditing/event-4622.md
index 3579709147..46f54afcca 100644
--- a/windows/security/threat-protection/auditing/event-4622.md
+++ b/windows/security/threat-protection/auditing/event-4622.md
@@ -27,13 +27,13 @@ ms.technology: mde
***Event Description:***
-This event generates every time [Security Package](https://msdn.microsoft.com/library/windows/desktop/aa380501(v=vs.85).aspx) has been loaded by the Local Security Authority ([LSA](https://msdn.microsoft.com/library/windows/desktop/aa378326(v=vs.85).aspx)).
+This event generates every time [Security Package](/windows/win32/secauthn/ssp-aps-versus-ssps) has been loaded by the Local Security Authority ([LSA](/windows/win32/secauthn/lsa-authentication)).
Security Package is the software implementation of a security protocol (Kerberos, NTLM, for example). Security packages are contained in security support provider DLLs or security support provider/authentication package DLLs.
Each time the system starts, the LSA loads the Security Package DLLs from **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages** registry value and performs the initialization sequence for every package located in these DLLs.
-It is also possible to add security package dynamically using [AddSecurityPackage](https://msdn.microsoft.com/library/windows/desktop/dd401506(v=vs.85).aspx) function, not only during system startup process.
+It is also possible to add security package dynamically using [AddSecurityPackage](/windows/win32/api/sspi/nf-sspi-addsecuritypackagea) function, not only during system startup process.
> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
@@ -101,5 +101,4 @@ These are some Security Package DLLs loaded by default in Windows 10:
For 4622(S): A security package has been loaded by the Local Security Authority.
-- Typically this event has an informational purpose. If you defined the list of allowed Security Packages in the system, then you can check is “**Security Package Name”** field value in the allow list or not.
-
+- Typically this event has an informational purpose. If you defined the list of allowed Security Packages in the system, then you can check is “**Security Package Name”** field value in the allow list or not.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md
index 49f1a0d83c..f34d8e3ae4 100644
--- a/windows/security/threat-protection/auditing/event-4624.md
+++ b/windows/security/threat-protection/auditing/event-4624.md
@@ -17,11 +17,11 @@ ms.technology: mde
# 4624(S): An account was successfully logged on.
**Applies to**
-- Windows 10
-- Windows Server 2016
+- Windows 10
+- Windows Server 2016
-
+
***Subcategory:*** [Audit Logon](audit-logon.md)
@@ -29,59 +29,61 @@ ms.technology: mde
This event generates when a logon session is created (on destination machine). It generates on the computer that was accessed, where the session was created.
-> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+> [!NOTE]
+> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
***Event XML:***
```xml
-
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
- You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+ You can also correlate this process ID with a process ID in other events, for example, "[4688](event-4688.md): A new process has been created" **Process Information\\New Process ID**.
-- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
+- **Process Name** [Type = UnicodeString]**:** full path and the name of the executable for the process.
**Network Information:**
-- **Workstation Name** \[Type = UnicodeString\]**:** machine name to which logon attempt was performed.
+- **Workstation Name** [Type = UnicodeString]**:** machine name from which a logon attempt was performed.
-- **Source Network Address** \[Type = UnicodeString\]**:** IP address of machine from which logon attempt was performed.
+- **Source Network Address** [Type = UnicodeString]**:** IP address of machine from which logon attempt was performed.
- - IPv6 address or ::ffff:IPv4 address of a client.
+ - IPv6 address or ::ffff:IPv4 address of a client.
- - ::1 or 127.0.0.1 means localhost.
+ - ::1 or 127.0.0.1 means localhost.
-- **Source Port** \[Type = UnicodeString\]: source port which was used for logon attempt from remote machine.
+- **Source Port** [Type = UnicodeString]: source port which was used for logon attempt from remote machine.
- - 0 for interactive logons.
+ - 0 for interactive logons.
**Detailed Authentication Information:**
-- **Logon Process** \[Type = UnicodeString\]**:** the name of the trusted logon process that was used for the logon. See event “[4611](event-4611.md): A trusted logon process has been registered with the Local Security Authority” description for more information.
+- **Logon Process** [Type = UnicodeString]**:** the name of the trusted logon process that was used for the logon. See event "[4611](event-4611.md): A trusted logon process has been registered with the Local Security Authority" description for more information.
-- **Authentication Package** \[Type = UnicodeString\]**:** The name of the authentication package which was used for the logon authentication process. Default packages loaded on LSA startup are located in “HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig” registry key. Other packages can be loaded at runtime. When a new package is loaded a “[4610](event-4610.md): An authentication package has been loaded by the Local Security Authority” (typically for NTLM) or “[4622](event-4622.md): A security package has been loaded by the Local Security Authority” (typically for Kerberos) event is logged to indicate that a new package has been loaded along with the package name. The most common authentication packages are:
+- **Authentication Package** [Type = UnicodeString]**:** The name of the authentication package which was used for the logon authentication process. Default packages loaded on LSA startup are located in "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig" registry key. Other packages can be loaded at runtime. When a new package is loaded a "[4610](event-4610.md): An authentication package has been loaded by the Local Security Authority" (typically for NTLM) or "[4622](event-4622.md): A security package has been loaded by the Local Security Authority" (typically for Kerberos) event is logged to indicate that a new package has been loaded along with the package name. The most common authentication packages are:
- - **NTLM** – NTLM-family Authentication
+ - **NTLM** – NTLM-family Authentication
- - **Kerberos** – Kerberos authentication.
+ - **Kerberos** – Kerberos authentication.
- - **Negotiate** – the Negotiate security package selects between Kerberos and NTLM protocols. Negotiate selects Kerberos unless it cannot be used by one of the systems involved in the authentication or the calling application did not provide sufficient information to use Kerberos.
+ - **Negotiate** – the Negotiate security package selects between Kerberos and NTLM protocols. Negotiate selects Kerberos unless it cannot be used by one of the systems involved in the authentication or the calling application did not provide sufficient information to use Kerberos.
-- **Transited Services** \[Type = UnicodeString\] \[Kerberos-only\]**:** the list of transmitted services. Transmitted services are populated if the logon was a result of a S4U (Service For User) logon process. S4U is a Microsoft extension to the Kerberos Protocol to allow an application service to obtain a Kerberos service ticket on behalf of a user – most commonly done by a front-end website to access an internal resource on behalf of a user. For more information about S4U, see
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“New Logon\\Security ID”** that corresponds to the high-value account or accounts. |
-| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“New Logon\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
-| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“New Logon\\Security ID”** that corresponds to the accounts that should never be used. |
-| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“New Logon\\Security ID”** for accounts that are outside the allow list. |
-| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“New Logon\\Security ID”** to see whether the account type is as expected. |
-| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
-| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“New Logon\\Security ID”** that you are concerned about. |
-| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. |
+| Type of monitoring required | Recommendation |
+|-----------------------------|-------------------------|
+| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **"New Logon\\Security ID"** that corresponds to the high-value account or accounts. |
+| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **"New Logon\\Security ID"** (with other information) to monitor how or when a particular account is being used. |
+| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **"New Logon\\Security ID"** that corresponds to the accounts that should never be used. |
+| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a "allow list-only" action, review the **"New Logon\\Security ID"** for accounts that are outside the allow list. |
+| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **"New Logon\\Security ID"** to see whether the account type is as expected. |
+| **External accounts**: You might be monitoring accounts from another domain, or "external" accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **"Subject\\Account Domain"** corresponding to accounts from another domain or "external" accounts. |
+| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **"New Logon\\Security ID"** that you are concerned about. |
+| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor "**Subject\\Account Name"** for names that don’t comply with naming conventions. |
-- Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM.
+- Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **"Subject\\Security ID"** is not SYSTEM.
-- If “**Restricted Admin**” mode must be used for logons by certain accounts, use this event to monitor logons by “**New Logon\\Security ID**” in relation to “**Logon Type**”=10 and “**Restricted Admin Mode**”=”Yes”. If “**Restricted Admin Mode**”=”No” for these accounts, trigger an alert.
+- If "**Restricted Admin**" mode must be used for logons by certain accounts, use this event to monitor logons by "**New Logon\\Security ID**" in relation to "**Logon Type**"=10 and "**Restricted Admin Mode**"="Yes". If "**Restricted Admin Mode**"="No" for these accounts, trigger an alert.
-- If you need to monitor all logon events for accounts with administrator privileges, monitor this event with “**Elevated Token**”=”Yes”.
+- If you need to monitor all logon events for accounts with administrator privileges, monitor this event with "**Elevated Token**"="Yes".
-- If you need to monitor all logon events for managed service accounts and group managed service accounts, monitor for events with “**Virtual Account**”=”Yes”.
+- If you need to monitor all logon events for managed service accounts and group managed service accounts, monitor for events with "**Virtual Account**"="Yes".
-- To monitor for a mismatch between the logon type and the account that uses it (for example, if **Logon Type** 4-Batch or 5-Service is used by a member of a domain administrative group), monitor **Logon Type** in this event.
+- To monitor for a mismatch between the logon type and the account that uses it (for example, if **Logon Type** 4-Batch or 5-Service is used by a member of a domain administrative group), monitor **Logon Type** in this event.
-- If your organization restricts logons in the following ways, you can use this event to monitor accordingly:
+- If your organization restricts logons in the following ways, you can use this event to monitor accordingly:
- - If the user account **“New Logon\\Security ID”** should never be used to log on from the specific **Computer:**.
+ - If the user account **"New Logon\\Security ID"** should never be used to log on from the specific **Computer:**.
- - If **New Logon\\Security ID** credentials should not be used from **Workstation Name** or **Source Network Address**.
+ - If **New Logon\\Security ID** credentials should not be used from **Workstation Name** or **Source Network Address**.
- - If a specific account, such as a service account, should only be used from your internal IP address list (or some other list of IP addresses). In this case, you can monitor for **Network Information\\Source Network Address** and compare the network address with your list of IP addresses.
+ - If a specific account, such as a service account, should only be used from your internal IP address list (or some other list of IP addresses). In this case, you can monitor for **Network Information\\Source Network Address** and compare the network address with your list of IP addresses.
- - If a particular version of NTLM is always used in your organization. In this case, you can use this event to monitor **Package Name (NTLM only)**, for example, to find events where **Package Name (NTLM only)** does not equal **NTLM V2**.
+ - If a particular version of NTLM is always used in your organization. In this case, you can use this event to monitor **Package Name (NTLM only)**, for example, to find events where **Package Name (NTLM only)** does not equal **NTLM V2**.
- - If NTLM is not used in your organization, or should not be used by a specific account (**New Logon\\Security ID**). In this case, monitor for all events where **Authentication Package** is NTLM.
+ - If NTLM is not used in your organization, or should not be used by a specific account (**New Logon\\Security ID**). In this case, monitor for all events where **Authentication Package** is NTLM.
- - If the **Authentication Package** is NTLM. In this case, monitor for **Key Length** not equal to 128, because all Windows operating systems starting with Windows 2000 support 128-bit Key Length.
+ - If the **Authentication Package** is NTLM. In this case, monitor for **Key Length** not equal to 128, because all Windows operating systems starting with Windows 2000 support 128-bit Key Length.
-- If you monitor for potentially malicious software, or software that is not authorized to request logon actions, monitor this event for **Process Name**.
-
-- If you have a trusted logon processes list, monitor for a **Logon Process** that is not from the list.
+- If you monitor for potentially malicious software, or software that is not authorized to request logon actions, monitor this event for **Process Name**.
+- If you have a trusted logon processes list, monitor for a **Logon Process** that is not from the list.
diff --git a/windows/security/threat-protection/auditing/event-4625.md b/windows/security/threat-protection/auditing/event-4625.md
index 9dcf332398..d613787ba3 100644
--- a/windows/security/threat-protection/auditing/event-4625.md
+++ b/windows/security/threat-protection/auditing/event-4625.md
@@ -232,7 +232,7 @@ More information:
**Failure Information\\Sub Status** | 0XC000015B – “The user has not been granted the requested logon type (aka logon right) at this machine”. |
| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC0000192 – “An attempt was made to logon, but the Netlogon service was not started”.
This issue is typically not a security issue but it can be an infrastructure or availability issue. |
| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000193 – “User logon with expired account”. |
- | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC0000413 – “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”. |
-
+ | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC0000413 – “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”. |
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4656.md b/windows/security/threat-protection/auditing/event-4656.md
index f0ce074332..7332ad06b8 100644
--- a/windows/security/threat-protection/auditing/event-4656.md
+++ b/windows/security/threat-protection/auditing/event-4656.md
@@ -31,7 +31,7 @@ This event indicates that specific access was requested for an object. The objec
If access was declined, a Failure event is generated.
-This event generates only if the object’s [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx) has the required ACE to handle the use of specific access rights.
+This event generates only if the object’s [SACL](/windows/win32/secauthz/access-control-lists) has the required ACE to handle the use of specific access rights.
This event shows that access was requested, and the results of the request, but it doesn’t show that the operation was performed. To see that the operation was performed, check “[4663](event-4663.md)(S): An attempt was made to access an object.”
@@ -178,7 +178,7 @@ This event shows that access was requested, and the results of the request, but
| AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4,
%%4418 | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**).
**AddSubdirectory -** For a directory, the right to create a subdirectory.
**CreatePipeInstance -** For a named pipe, the right to create a pipe. |
| ReadEA
(For registry objects, this is “Enumerate sub-keys.”) | 0x8,
%%4419 | The right to read extended file attributes. |
| WriteEA | 0x10,
%%4420 | The right to write extended file attributes. |
-| Execute/Traverse | 0x20,
%%4421 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
**Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING** [privilege](https://msdn.microsoft.com/library/windows/desktop/aa379306(v=vs.85).aspx), which ignores the **FILE\_TRAVERSE** [access right](https://msdn.microsoft.com/library/windows/desktop/aa374902(v=vs.85).aspx). See the remarks in [File Security and Access Rights](https://msdn.microsoft.com/library/windows/desktop/aa364399(v=vs.85).aspx) for more information. |
+| Execute/Traverse | 0x20,
%%4421 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
**Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING** [privilege](/windows/win32/secauthz/privileges), which ignores the **FILE\_TRAVERSE** [access right](/windows/win32/secauthz/access-rights-and-access-masks). See the remarks in [File Security and Access Rights](/windows/win32/fileio/file-security-and-access-rights) for more information. |
| DeleteChild | 0x40,
%%4422 | For a directory, the right to delete a directory and all the files it contains, including read-only files. |
| ReadAttributes | 0x80,
%%4423 | The right to read file attributes. |
| WriteAttributes | 0x100,
%%4424 | The right to write file attributes. |
@@ -201,9 +201,9 @@ This event shows that access was requested, and the results of the request, but
| Privilege Name | User Right Group Policy Name | Description |
|---------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. |
+| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](/windows/win32/secgloss/p-gly#_security_primary_token_gly) of a process.
With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. |
| SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. |
-| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE |
+| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](/windows/win32/secgloss/a-gly#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE |
| SeChangeNotifyPrivilege | Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. |
| SeCreateGlobalPrivilege | Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. |
| SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile. |
@@ -235,9 +235,9 @@ This event shows that access was requested, and the results of the request, but
| SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock. |
| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. |
| SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop.
With this privilege, the user can undock a portable computer from its docking station without logging on. |
-| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](https://msdn.microsoft.com/library/windows/desktop/ms721627(v=vs.85).aspx#_security_terminal_gly) device. |
+| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](/windows/win32/secgloss/t-gly#_security_terminal_gly) device. |
-- **Restricted SID Count** \[Type = UInt32\]: Number of [restricted SIDs](https://msdn.microsoft.com/library/windows/desktop/aa446583(v=vs.85).aspx) in the token. Applicable to only specific **Object Types**.
+- **Restricted SID Count** \[Type = UInt32\]: Number of [restricted SIDs](/windows/win32/api/securitybaseapi/nf-securitybaseapi-createrestrictedtoken) in the token. Applicable to only specific **Object Types**.
## Security Monitoring Recommendations
@@ -279,5 +279,4 @@ For other types of objects, the following recommendations apply.
- WRITE\_DAC
- - WRITE\_OWNER
-
+ - WRITE\_OWNER
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4657.md b/windows/security/threat-protection/auditing/event-4657.md
index f7ebcac31c..e0d0985203 100644
--- a/windows/security/threat-protection/auditing/event-4657.md
+++ b/windows/security/threat-protection/auditing/event-4657.md
@@ -29,7 +29,7 @@ ms.technology: mde
This event generates when a registry key ***value*** was modified. It doesn’t generate when a registry key was modified.
-This event generates only if “Set Value" auditing is set in registry key’s [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx).
+This event generates only if “Set Value" auditing is set in registry key’s [SACL](/windows/win32/secauthz/access-control-lists).
> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
@@ -181,5 +181,4 @@ For 4657(S): A registry value was modified.
- If **Object Name** is a sensitive or critical registry key for which you need to monitor any modification of its values, monitor all [4657](event-4657.md) events.
-- If **Object Name** has specific values (**Object Value Name**) and you need to monitor modifications of these values, monitor for all [4657](event-4657.md) events.
-
+- If **Object Name** has specific values (**Object Value Name**) and you need to monitor modifications of these values, monitor for all [4657](event-4657.md) events.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4660.md b/windows/security/threat-protection/auditing/event-4660.md
index db4a9fd649..7a921090fd 100644
--- a/windows/security/threat-protection/auditing/event-4660.md
+++ b/windows/security/threat-protection/auditing/event-4660.md
@@ -29,7 +29,7 @@ ms.technology: mde
This event generates when an object was deleted. The object could be a file system, kernel, or registry object.
-This event generates only if “Delete" auditing is set in object’s [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx).
+This event generates only if “Delete" auditing is set in object’s [SACL](/windows/win32/secauthz/access-control-lists).
This event doesn’t contain the name of the deleted object (only the **Handle ID**). It is better to use “[4663](event-4663.md)(S): An attempt was made to access an object” with DELETE access to track object deletion.
@@ -135,5 +135,4 @@ For 4660(S): An object was deleted.
- This event doesn’t contains the name of deleted object (only **Handle ID**). It is better to use “[4663](event-4663.md)(S): An attempt was made to access an object.” events with DELETE access to track object deletion actions.
-- For kernel objects, this event and other auditing events have little to no security relevance and are hard to parse or analyze. There is no recommendation for auditing them, unless you know exactly what you need to monitor at the Kernel objects level.
-
+- For kernel objects, this event and other auditing events have little to no security relevance and are hard to parse or analyze. There is no recommendation for auditing them, unless you know exactly what you need to monitor at the Kernel objects level.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4661.md b/windows/security/threat-protection/auditing/event-4661.md
index 1fd43e2292..27afd56d00 100644
--- a/windows/security/threat-protection/auditing/event-4661.md
+++ b/windows/security/threat-protection/auditing/event-4661.md
@@ -175,9 +175,9 @@ This event generates only if Success auditing is enabled for the [Audit Handle M
| Privilege Name | User Right Group Policy Name | Description |
|---------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. |
+| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](/windows/win32/secgloss/p-gly#_security_primary_token_gly) of a process.
With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. |
| SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. |
-| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE |
+| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](/windows/win32/secgloss/a-gly#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE |
| SeChangeNotifyPrivilege | Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. |
| SeCreateGlobalPrivilege | Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. |
| SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile. |
@@ -209,11 +209,11 @@ This event generates only if Success auditing is enabled for the [Audit Handle M
| SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock. |
| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. |
| SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop.
With this privilege, the user can undock a portable computer from its docking station without logging on. |
-| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](https://msdn.microsoft.com/library/windows/desktop/ms721627(v=vs.85).aspx#_security_terminal_gly) device. |
+| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](/windows/win32/secgloss/t-gly#_security_terminal_gly) device. |
- **Properties** \[Type = UnicodeString\]: depends on **Object Type**. This field can be empty or contain the list of the object properties that were accessed. See more detailed information in “[4661](event-4661.md): A handle to an object was requested” from [Audit SAM](audit-sam.md) subcategory.
-- **Restricted SID Count** \[Type = UInt32\]: Number of [restricted SIDs](https://msdn.microsoft.com/library/windows/desktop/aa446583(v=vs.85).aspx) in the token. Applicable to only specific **Object Types**.
+- **Restricted SID Count** \[Type = UInt32\]: Number of [restricted SIDs](/windows/win32/api/securitybaseapi/nf-securitybaseapi-createrestrictedtoken) in the token. Applicable to only specific **Object Types**.
## Security Monitoring Recommendations
@@ -221,5 +221,4 @@ For 4661(S, F): A handle to an object was requested.
> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-- You can get almost the same information from “[4662](event-4662.md): An operation was performed on an object.” There are no additional recommendations for this event in this document.
-
+- You can get almost the same information from “[4662](event-4662.md): An operation was performed on an object.” There are no additional recommendations for this event in this document.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4662.md b/windows/security/threat-protection/auditing/event-4662.md
index 8998dbb81a..b9d488c090 100644
--- a/windows/security/threat-protection/auditing/event-4662.md
+++ b/windows/security/threat-protection/auditing/event-4662.md
@@ -29,7 +29,7 @@ ms.technology: mde
This event generates every time when an operation was performed on an Active Directory object.
-This event generates only if appropriate [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx) was set for Active Directory object and performed operation meets this SACL.
+This event generates only if appropriate [SACL](/windows/win32/secauthz/access-control-lists) was set for Active Directory object and performed operation meets this SACL.
If operation failed then Failure event will be generated.
@@ -249,5 +249,4 @@ For 4662(S, F): An operation was performed on an object.
- If you need to monitor operations attempts to specific Active Directory properties, monitor for **Properties** field with specific property GUID.
-- Do not forget that **Failure** attempts are also very important to audit. Decide where you want to monitor Failure attempts based on previous recommendations.
-
+- Do not forget that **Failure** attempts are also very important to audit. Decide where you want to monitor Failure attempts based on previous recommendations.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4663.md b/windows/security/threat-protection/auditing/event-4663.md
index 367e5eb029..efa297ac08 100644
--- a/windows/security/threat-protection/auditing/event-4663.md
+++ b/windows/security/threat-protection/auditing/event-4663.md
@@ -29,7 +29,7 @@ ms.technology: mde
This event indicates that a specific operation was performed on an object. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device.
-This event generates only if object’s [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx) has required ACE to handle specific access right use.
+This event generates only if object’s [SACL](/windows/win32/secauthz/access-control-lists) has required ACE to handle specific access right use.
The main difference with “[4656](event-4656.md): A handle to an object was requested.” event is that 4663 shows that access right was used instead of just requested and 4663 doesn’t have Failure events.
@@ -166,7 +166,7 @@ The main difference with “[4656](event-4656.md): A handle to an object was req
| AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4,
%%4418 | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**).
**AddSubdirectory -** For a directory, the right to create a subdirectory.
**CreatePipeInstance -** For a named pipe, the right to create a pipe. |
| ReadEA
(For registry objects, this is “Enumerate sub-keys.”) | 0x8,
%%4419 | The right to read extended file attributes. |
| WriteEA | 0x10,
%%4420 | The right to write extended file attributes. |
-| Execute/Traverse | 0x20,
%%4421 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
**Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING** [privilege](https://msdn.microsoft.com/library/windows/desktop/aa379306(v=vs.85).aspx), which ignores the **FILE\_TRAVERSE** [access right](https://msdn.microsoft.com/library/windows/desktop/aa374902(v=vs.85).aspx). See the remarks in [File Security and Access Rights](https://msdn.microsoft.com/library/windows/desktop/aa364399(v=vs.85).aspx) for more information. |
+| Execute/Traverse | 0x20,
%%4421 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
**Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING** [privilege](/windows/win32/secauthz/privileges), which ignores the **FILE\_TRAVERSE** [access right](/windows/win32/secauthz/access-rights-and-access-masks). See the remarks in [File Security and Access Rights](/windows/win32/fileio/file-security-and-access-rights) for more information. |
| DeleteChild | 0x40,
%%4422 | For a directory, the right to delete a directory and all the files it contains, including read-only files. |
| ReadAttributes | 0x80,
%%4423 | The right to read file attributes. |
| WriteAttributes | 0x100,
%%4424 | The right to write file attributes. |
@@ -225,5 +225,4 @@ For other types of objects, the following recommendations apply.
- WRITE\_DAC
- - WRITE\_OWNER
-
+ - WRITE\_OWNER
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4670.md b/windows/security/threat-protection/auditing/event-4670.md
index c52b274d4f..ea7d4dcf1e 100644
--- a/windows/security/threat-protection/auditing/event-4670.md
+++ b/windows/security/threat-protection/auditing/event-4670.md
@@ -29,9 +29,9 @@ ms.technology: mde
This event generates when the permissions for an object are changed. The object could be a file system, registry, or security token object.
-This event does not generate if the [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx) (Auditing ACL) was changed.
+This event does not generate if the [SACL](/windows/win32/secauthz/access-control-lists) (Auditing ACL) was changed.
-Before this event can generate, certain ACEs might need to be set in the object’s [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx). For example, for a file system object, it generates only if “Change Permissions" and/or "Take Ownership” are set in the object’s SACL. For a registry key, it generates only if “Write DAC" and/or "Write Owner” are set in the object’s SACL.
+Before this event can generate, certain ACEs might need to be set in the object’s [SACL](/windows/win32/secauthz/access-control-lists). For example, for a file system object, it generates only if “Change Permissions" and/or "Take Ownership” are set in the object’s SACL. For a registry key, it generates only if “Write DAC" and/or "Write Owner” are set in the object’s SACL.
> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
@@ -275,5 +275,4 @@ For file system and registry objects, the following recommendations apply.
- If you have critical registry objects for which you need to monitor all modifications (especially permissions changes and owner changes), monitor for the specific **Object\\Object Name.**
-- If you have high-value computers for which you need to monitor all changes for all or specific objects (for example, file system or registry objects), monitor for all [4670](event-4670.md) events on these computers. For example, you could monitor the **ntds.dit** file on domain controllers.
-
+- If you have high-value computers for which you need to monitor all changes for all or specific objects (for example, file system or registry objects), monitor for all [4670](event-4670.md) events on these computers. For example, you could monitor the **ntds.dit** file on domain controllers.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4672.md b/windows/security/threat-protection/auditing/event-4672.md
index 60e95bde44..479e31207b 100644
--- a/windows/security/threat-protection/auditing/event-4672.md
+++ b/windows/security/threat-protection/auditing/event-4672.md
@@ -124,9 +124,9 @@ You typically will see many of these events in the event log, because every logo
| Privilege Name | User Right Group Policy Name | Description |
|-------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. |
+| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](/windows/win32/secgloss/p-gly#_security_primary_token_gly) of a process.
With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. |
| SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. |
-| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE |
+| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](/windows/win32/secgloss/a-gly#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE |
| SeCreateTokenPrivilege | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. |
| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.
With this privilege, the user can attach a debugger to any process or to the kernel. We recommend that SeDebugPrivilege always be granted to Administrators, and only to Administrators. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. |
| SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.
With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object.
The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. |
@@ -150,5 +150,4 @@ For 4672(S): Special privileges assigned to new logon.
-- If you are required to monitor any of the sensitive privileges in the [Event Description for this event](event-4672.md), search for those specific privileges in the event.
-
+- If you are required to monitor any of the sensitive privileges in the [Event Description for this event](event-4672.md), search for those specific privileges in the event.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4673.md b/windows/security/threat-protection/auditing/event-4673.md
index 579be30565..cf5ef8d500 100644
--- a/windows/security/threat-protection/auditing/event-4673.md
+++ b/windows/security/threat-protection/auditing/event-4673.md
@@ -160,7 +160,7 @@ Failure event generates when service call attempt fails.
| **Subcategory of event** | **Privilege Name:
User Right Group Policy Name** | **Description** |
|-------------------------------|------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Audit Sensitive Privilege Use | SeAssignPrimaryTokenPrivilege:
Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process. With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. |
+| Audit Sensitive Privilege Use | SeAssignPrimaryTokenPrivilege:
Replace a process-level token | Required to assign the [*primary token*](/windows/win32/secgloss/p-gly#_security_primary_token_gly) of a process. With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. |
| Audit Sensitive Privilege Use | SeAuditPrivilege:
Generate security audits | With this privilege, the user can add entries to the security log. |
| Audit Sensitive Privilege Use | SeCreateTokenPrivilege:
Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs. When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. |
| Audit Sensitive Privilege Use | SeDebugPrivilege:
Debug programs | Required to debug and adjust the memory of a process owned by another account. With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. |
@@ -197,5 +197,4 @@ For 4673(S, F): A privileged service was called.
- If you have a list of specific user rights which should never be used, or used only by a few accounts (for example, SeDebugPrivilege), trigger an alert for those “**Privileges**.”
-- If you have a list of specific user rights for which every use must be reported or monitored (for example, SeRemoteShutdownPrivilege), trigger an alert for those “**Privileges**.”
-
+- If you have a list of specific user rights for which every use must be reported or monitored (for example, SeRemoteShutdownPrivilege), trigger an alert for those “**Privileges**.”
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4674.md b/windows/security/threat-protection/auditing/event-4674.md
index 5eecd1f2b5..734ce174c2 100644
--- a/windows/security/threat-protection/auditing/event-4674.md
+++ b/windows/security/threat-protection/auditing/event-4674.md
@@ -182,9 +182,9 @@ Failure event generates when operation attempt fails.
| **Subcategory of event** | **Privilege Name:
User Right Group Policy Name** | **Description** |
|-------------------------------|-----------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Audit Sensitive Privilege Use | SeAssignPrimaryTokenPrivilege:
Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. |
+| Audit Sensitive Privilege Use | SeAssignPrimaryTokenPrivilege:
Replace a process-level token | Required to assign the [*primary token*](/windows/win32/secgloss/p-gly#_security_primary_token_gly) of a process.
With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. |
| Audit Sensitive Privilege Use | SeAuditPrivilege:
Generate security audits | With this privilege, the user can add entries to the security log. |
-| Audit Sensitive Privilege Use | SeBackupPrivilege:
Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL.
The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE |
+| Audit Sensitive Privilege Use | SeBackupPrivilege:
Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](/windows/win32/secgloss/a-gly#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL.
The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE |
| Audit Sensitive Privilege Use | SeCreateTokenPrivilege:
Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. |
| Audit Sensitive Privilege Use | SeDebugPrivilege:
Debug programs | Required to debug and adjust the memory of a process owned by another account.
With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right.
This user right provides complete access to sensitive and critical operating system components. |
| Audit Sensitive Privilege Use | SeImpersonatePrivilege:
Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. |
@@ -225,5 +225,4 @@ For 4674(S, F): An operation was attempted on a privileged object.
- If you have a list of specific user rights which should never be used, or used only by a few accounts (for example, SeDebugPrivilege), trigger an alert for those “**Privileges**.”
-- If you have a list of specific user rights for which every use must be reported or monitored (for example, SeRemoteShutdownPrivilege), trigger an alert for those “**Privileges**.”
-
+- If you have a list of specific user rights for which every use must be reported or monitored (for example, SeRemoteShutdownPrivilege), trigger an alert for those “**Privileges**.”
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4688.md b/windows/security/threat-protection/auditing/event-4688.md
index 31baef1ba5..39167d9431 100644
--- a/windows/security/threat-protection/auditing/event-4688.md
+++ b/windows/security/threat-protection/auditing/event-4688.md
@@ -160,7 +160,7 @@ This event generates every time a new process starts.
- **TokenElevationTypeLimited (3):** Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
-- **Mandatory Label** \[Version 2\] \[Type = SID\]**:** SID of [integrity label](https://msdn.microsoft.com/library/windows/desktop/bb648648(v=vs.85).aspx) which was assigned to the new process. Can have one of the following values:
+- **Mandatory Label** \[Version 2\] \[Type = SID\]**:** SID of [integrity label](/windows/win32/secauthz/mandatory-integrity-control) which was assigned to the new process. Can have one of the following values:
| SID | RID | RID label | Meaning |
|--------------|------------|----------------------------------------------|------------------------|
diff --git a/windows/security/threat-protection/auditing/event-4691.md b/windows/security/threat-protection/auditing/event-4691.md
index cadefa2220..c7ea74bdd7 100644
--- a/windows/security/threat-protection/auditing/event-4691.md
+++ b/windows/security/threat-protection/auditing/event-4691.md
@@ -29,7 +29,7 @@ ms.technology: mde
This event indicates that indirect access to an object was requested.
-These events are generated for [ALPC Ports](https://msdn.microsoft.com/library/windows/desktop/aa964738(v=vs.85).aspx) access request actions.
+These events are generated for [ALPC Ports](/windows/win32/etw/alpc) access request actions.
> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
@@ -137,5 +137,4 @@ These events are generated for [ALPC Ports](https://msdn.microsoft.com/library/w
For 4691(S): Indirect access to an object was requested.
-- Typically this event has little to no security relevance and is hard to parse or analyze. There is no recommendation for this event, unless you know exactly what you need to monitor with ALPC Ports.
-
+- Typically this event has little to no security relevance and is hard to parse or analyze. There is no recommendation for this event, unless you know exactly what you need to monitor with ALPC Ports.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4692.md b/windows/security/threat-protection/auditing/event-4692.md
index 5d421a4e9f..064c922cb4 100644
--- a/windows/security/threat-protection/auditing/event-4692.md
+++ b/windows/security/threat-protection/auditing/event-4692.md
@@ -27,7 +27,7 @@ ms.technology: mde
***Event Description:***
-This event generates every time that a backup is attempted for the [DPAPI](https://msdn.microsoft.com/library/ms995355.aspx) Master Key.
+This event generates every time that a backup is attempted for the [DPAPI](/previous-versions/ms995355(v=msdn.10)) Master Key.
When a computer is a member of a domain, DPAPI has a backup mechanism to allow unprotection of the data. When a Master Key is generated, DPAPI communicates with a domain controller. Domain controllers have a domain-wide public/private key pair, associated solely with DPAPI. The local DPAPI client gets the domain controller public key from a domain controller by using a mutually authenticated and privacy protected RPC call. The client encrypts the Master Key with the domain controller public key. It then stores this backup Master Key along with the Master Key protected by the user's password.
@@ -128,5 +128,4 @@ For 4692(S, F): Backup of data protection master key was attempted.
- This event is typically an informational event and it is difficult to detect any malicious activity using this event. It’s mainly used for DPAPI troubleshooting.
-> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4693.md b/windows/security/threat-protection/auditing/event-4693.md
index 705ede7a61..1359ef1968 100644
--- a/windows/security/threat-protection/auditing/event-4693.md
+++ b/windows/security/threat-protection/auditing/event-4693.md
@@ -27,7 +27,7 @@ ms.technology: mde
***Event Description:***
-This event generates every time that recovery is attempted for a [DPAPI](https://msdn.microsoft.com/library/ms995355.aspx) Master Key.
+This event generates every time that recovery is attempted for a [DPAPI](/previous-versions/ms995355(v=msdn.10)) Master Key.
While unprotecting data, if DPAPI cannot use the Master Key protected by the user's password, it sends the backup Master Key to a domain controller by using a mutually authenticated and privacy protected RPC call. The domain controller then decrypts the Master Key with its private key and sends it back to the client by using the same protected RPC call. This protected RPC call is used to ensure that no one listening on the network can get the Master Key.
@@ -129,5 +129,4 @@ For 4693(S, F): Recovery of data protection master key was attempted.
- For domain joined computers, **Recovery Reason** should typically be a domain controller DNS name.
-> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4694.md b/windows/security/threat-protection/auditing/event-4694.md
index 3d9e4f51cf..0b35bda1ba 100644
--- a/windows/security/threat-protection/auditing/event-4694.md
+++ b/windows/security/threat-protection/auditing/event-4694.md
@@ -21,7 +21,7 @@ ms.technology: mde
- Windows Server 2016
-This event generates if [DPAPI](https://msdn.microsoft.com/library/ms995355.aspx) [**CryptProtectData**](https://msdn.microsoft.com/library/windows/desktop/aa380261(v=vs.85).aspx)() function was used with **CRYPTPROTECT\_AUDIT** flag (dwFlags) enabled.
+This event generates if [DPAPI](/previous-versions/ms995355(v=msdn.10)) [**CryptProtectData**](/windows/win32/api/dpapi/nf-dpapi-cryptprotectdata)() function was used with **CRYPTPROTECT\_AUDIT** flag (dwFlags) enabled.
There is no example of this event in this document.
@@ -65,5 +65,4 @@ There is no example of this event in this document.
- There is no recommendation for this event in this document.
-- This event is typically an informational event and it is difficult to detect any malicious activity using this event. It’s mainly used for DPAPI troubleshooting.
-
+- This event is typically an informational event and it is difficult to detect any malicious activity using this event. It’s mainly used for DPAPI troubleshooting.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4695.md b/windows/security/threat-protection/auditing/event-4695.md
index cbca831957..9acd287be1 100644
--- a/windows/security/threat-protection/auditing/event-4695.md
+++ b/windows/security/threat-protection/auditing/event-4695.md
@@ -21,7 +21,7 @@ ms.technology: mde
- Windows Server 2016
-This event generates if [DPAPI](https://msdn.microsoft.com/library/ms995355.aspx) [CryptUnprotectData](https://msdn.microsoft.com/library/windows/desktop/aa380882(v=vs.85).aspx)() function was used to unprotect “auditable” data that was encrypted using [**CryptProtectData**](https://msdn.microsoft.com/library/windows/desktop/aa380261(v=vs.85).aspx)() function with **CRYPTPROTECT\_AUDIT** flag (dwFlags) enabled.
+This event generates if [DPAPI](/previous-versions/ms995355(v=msdn.10)) [CryptUnprotectData](/windows/win32/api/dpapi/nf-dpapi-cryptunprotectdata)() function was used to unprotect “auditable” data that was encrypted using [**CryptProtectData**](/windows/win32/api/dpapi/nf-dpapi-cryptprotectdata)() function with **CRYPTPROTECT\_AUDIT** flag (dwFlags) enabled.
There is no example of this event in this document.
@@ -65,5 +65,4 @@ There is no example of this event in this document.
- There is no recommendation for this event in this document.
-- This event is typically an informational event and it is difficult to detect any malicious activity using this event. It’s mainly used for DPAPI troubleshooting.
-
+- This event is typically an informational event and it is difficult to detect any malicious activity using this event. It’s mainly used for DPAPI troubleshooting.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4697.md b/windows/security/threat-protection/auditing/event-4697.md
index 090b2436e1..870352146b 100644
--- a/windows/security/threat-protection/auditing/event-4697.md
+++ b/windows/security/threat-protection/auditing/event-4697.md
@@ -107,7 +107,7 @@ This event generates when new service was installed in the system.
Note that this is the path to the file when the service is created. If the path is changed afterwards, the change is not logged. This would have to be tracked via Process Create events.
-- **Service Type** \[Type = HexInt32\]: Indicates the [type](https://msdn.microsoft.com/library/tfdtdw0e(v=vs.110).aspx?cs-save-lang=1&cs-lang=csharp#code-snippet-1) of service that was registered with the Service Control Manager. It can be one of the following:
+- **Service Type** \[Type = HexInt32\]: Indicates the [type](/dotnet/api/system.serviceprocess.servicetype?cs-lang=csharp&cs-save-lang=1#code-snippet-1) of service that was registered with the Service Control Manager. It can be one of the following:
| Value | Service Type | Description |
|-------|---------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
@@ -158,5 +158,4 @@ For 4697(S): A service was installed in the system.
- Report all “**Service Start Type**” equals “**4**”. It is not common to install a new service in the **Disabled** state.
-- Report all “**Service Account**” not equals “**localSystem**”, “**localService**” or “**networkService**” to identify services which are running under a user account.
-
+- Report all “**Service Account**” not equals “**localSystem**”, “**localService**” or “**networkService**” to identify services which are running under a user account.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4698.md b/windows/security/threat-protection/auditing/event-4698.md
index 567815e3b8..9ca662fa59 100644
--- a/windows/security/threat-protection/auditing/event-4698.md
+++ b/windows/security/threat-protection/auditing/event-4698.md
@@ -111,7 +111,7 @@ This event generates every time a new scheduled task is created.
-- **Task Content** \[Type = UnicodeString\]: the [XML](https://msdn.microsoft.com/library/aa286548.aspx) content of the new task. For more information about the XML format for scheduled tasks, see “[XML Task Definition Format](https://msdn.microsoft.com/library/cc248308.aspx).”
+- **Task Content** \[Type = UnicodeString\]: the [XML](/previous-versions/aa286548(v=msdn.10)) content of the new task. For more information about the XML format for scheduled tasks, see “[XML Task Definition Format](/openspecs/windows_protocols/ms-tsch/0d6383e4-de92-43e7-b0bb-a60cfa36379f).”
## Security Monitoring Recommendations
@@ -123,5 +123,4 @@ For 4698(S): A scheduled task was created.
- Monitor for new tasks located in the **Task Scheduler Library** root node, that is, where **Task Name** looks like ‘\\TASK\_NAME’. Scheduled tasks that are created manually or by malware are often located in the **Task Scheduler Library** root node.
-- In the new task, if the **Task Content:** XML contains **<LogonType>Password</LogonType>** value, trigger an alert. In this case, the password for the account that will be used to run the scheduled task will be saved in Credential Manager in cleartext format, and can be extracted using Administrative privileges.
-
+- In the new task, if the **Task Content:** XML contains **<LogonType>Password</LogonType>** value, trigger an alert. In this case, the password for the account that will be used to run the scheduled task will be saved in Credential Manager in cleartext format, and can be extracted using Administrative privileges.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4699.md b/windows/security/threat-protection/auditing/event-4699.md
index 5b2861c4d1..dd814dd942 100644
--- a/windows/security/threat-protection/auditing/event-4699.md
+++ b/windows/security/threat-protection/auditing/event-4699.md
@@ -111,7 +111,7 @@ This event generates every time a scheduled task was deleted.
-- **Task Content** \[Type = UnicodeString\]: the [XML](https://msdn.microsoft.com/library/aa286548.aspx) of the deleted task. Here “[XML Task Definition Format](https://msdn.microsoft.com/library/cc248308.aspx)” you can read more about the XML format for scheduled tasks.
+- **Task Content** \[Type = UnicodeString\]: the [XML](/previous-versions/aa286548(v=msdn.10)) of the deleted task. Here “[XML Task Definition Format](/openspecs/windows_protocols/ms-tsch/0d6383e4-de92-43e7-b0bb-a60cfa36379f)” you can read more about the XML format for scheduled tasks.
## Security Monitoring Recommendations
@@ -123,5 +123,4 @@ For 4699(S): A scheduled task was deleted.
- Monitor for deleted tasks located in the **Task Scheduler Library** root node, that is, where **Task Name** looks like ‘\\TASK\_NAME’. Scheduled tasks that are created manually or by malware are often located in the **Task Scheduler Library** root node. Deletion of such tasks can be a sign of malicious activity.
-- If a highly critical scheduled task exists on some computers, and it should never be deleted, monitor for [4699](event-4699.md) events with the corresponding **Task Name**.
-
+- If a highly critical scheduled task exists on some computers, and it should never be deleted, monitor for [4699](event-4699.md) events with the corresponding **Task Name**.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4700.md b/windows/security/threat-protection/auditing/event-4700.md
index 90e9f7b574..e72f7d19f0 100644
--- a/windows/security/threat-protection/auditing/event-4700.md
+++ b/windows/security/threat-protection/auditing/event-4700.md
@@ -111,7 +111,7 @@ This event generates every time a scheduled task is enabled.
-- **Task Content** \[Type = UnicodeString\]: the [XML](https://msdn.microsoft.com/library/aa286548.aspx) of the enabled task. Here “[XML Task Definition Format](https://msdn.microsoft.com/library/cc248308.aspx)” you can read more about the XML format for scheduled tasks.
+- **Task Content** \[Type = UnicodeString\]: the [XML](/previous-versions/aa286548(v=msdn.10)) of the enabled task. Here “[XML Task Definition Format](/openspecs/windows_protocols/ms-tsch/0d6383e4-de92-43e7-b0bb-a60cfa36379f)” you can read more about the XML format for scheduled tasks.
## Security Monitoring Recommendations
@@ -119,5 +119,4 @@ For 4700(S): A scheduled task was enabled.
> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-- If a highly critical scheduled task exists on some computers, and for some reason it should never be enabled, monitor for [4700](event-4700.md) events with the corresponding **Task Name**.
-
+- If a highly critical scheduled task exists on some computers, and for some reason it should never be enabled, monitor for [4700](event-4700.md) events with the corresponding **Task Name**.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4701.md b/windows/security/threat-protection/auditing/event-4701.md
index bc81734079..e407e2bbbb 100644
--- a/windows/security/threat-protection/auditing/event-4701.md
+++ b/windows/security/threat-protection/auditing/event-4701.md
@@ -111,7 +111,7 @@ This event generates every time a scheduled task is disabled.
-- **Task Content** \[Type = UnicodeString\]: the [XML](https://msdn.microsoft.com/library/aa286548.aspx) of the disabled task. Here “[XML Task Definition Format](https://msdn.microsoft.com/library/cc248308.aspx)” you can read more about the XML format for scheduled tasks.
+- **Task Content** \[Type = UnicodeString\]: the [XML](/previous-versions/aa286548(v=msdn.10)) of the disabled task. Here “[XML Task Definition Format](/openspecs/windows_protocols/ms-tsch/0d6383e4-de92-43e7-b0bb-a60cfa36379f)” you can read more about the XML format for scheduled tasks.
## Security Monitoring Recommendations
@@ -119,5 +119,4 @@ For 4701(S): A scheduled task was disabled.
> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-- If a highly critical scheduled task exists on some computers, and it should never be disabled, monitor for [4701](event-4701.md) events with the corresponding **Task Name**.
-
+- If a highly critical scheduled task exists on some computers, and it should never be disabled, monitor for [4701](event-4701.md) events with the corresponding **Task Name**.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4702.md b/windows/security/threat-protection/auditing/event-4702.md
index f6d5b753e4..15d128ceef 100644
--- a/windows/security/threat-protection/auditing/event-4702.md
+++ b/windows/security/threat-protection/auditing/event-4702.md
@@ -111,7 +111,7 @@ This event generates every time scheduled task was updated/changed.
-- **Task New Content** \[Type = UnicodeString\]: the new [XML](https://msdn.microsoft.com/library/aa286548.aspx) for the updated task. Here “[XML Task Definition Format](https://msdn.microsoft.com/library/cc248308.aspx)” you can read more about the XML format for scheduled tasks.
+- **Task New Content** \[Type = UnicodeString\]: the new [XML](/previous-versions/aa286548(v=msdn.10)) for the updated task. Here “[XML Task Definition Format](/openspecs/windows_protocols/ms-tsch/0d6383e4-de92-43e7-b0bb-a60cfa36379f)” you can read more about the XML format for scheduled tasks.
## Security Monitoring Recommendations
@@ -121,5 +121,4 @@ For 4702(S): A scheduled task was updated.
- Monitor for updated scheduled tasks located in the **Task Scheduler Library** root node, that is, where **Task Name** looks like ‘\\TASK\_NAME’. Scheduled tasks that are created manually or by malware are often located in the **Task Scheduler Library** root node.
-- In the updated scheduled task, if the **Task Content:** XML contains **<LogonType>Password</LogonType>** value, trigger an alert. In this case, the password for the account that will be used to run the scheduled task will be saved in Credential Manager in cleartext format, and can be extracted using Administrative privileges.
-
+- In the updated scheduled task, if the **Task Content:** XML contains **<LogonType>Password</LogonType>** value, trigger an alert. In this case, the password for the account that will be used to run the scheduled task will be saved in Credential Manager in cleartext format, and can be extracted using Administrative privileges.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4703.md b/windows/security/threat-protection/auditing/event-4703.md
index e0a624d4fb..243fa17ce2 100644
--- a/windows/security/threat-protection/auditing/event-4703.md
+++ b/windows/security/threat-protection/auditing/event-4703.md
@@ -27,7 +27,7 @@ ms.technology: mde
***Event Description:***
-This event generates when [token privileges](https://msdn.microsoft.com/library/windows/desktop/aa446619(v=vs.85).aspx) were enabled or disabled for a specific account’s token. As of Windows 10, event 4703 is also logged by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Endpoint Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from svchost.exe). If you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, you might need to disable Success auditing for this subcategory (Audit Authorization Policy Change), or work with a very high volume of event 4703.
+This event generates when [token privileges](/windows/win32/secauthz/enabling-and-disabling-privileges-in-c--) were enabled or disabled for a specific account’s token. As of Windows 10, event 4703 is also logged by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Endpoint Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from svchost.exe). If you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, you might need to disable Success auditing for this subcategory (Audit Authorization Policy Change), or work with a very high volume of event 4703.
> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
@@ -144,9 +144,9 @@ Token privileges provide the ability to take certain system-level actions that y
| Privilege Name | User Right Group Policy Name | Description |
|---------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. |
+| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](/windows/win32/secgloss/p-gly#_security_primary_token_gly) of a process.
With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. |
| SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. |
-| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE |
+| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](/windows/win32/secgloss/a-gly#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE |
| SeChangeNotifyPrivilege | Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. |
| SeCreateGlobalPrivilege | Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. |
| SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile. |
@@ -178,7 +178,7 @@ Token privileges provide the ability to take certain system-level actions that y
| SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock. |
| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. |
| SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop.
With this privilege, the user can undock a portable computer from its docking station without logging on. |
-| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](https://msdn.microsoft.com/library/windows/desktop/ms721627(v=vs.85).aspx#_security_terminal_gly) device. |
+| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](/windows/win32/secgloss/t-gly#_security_terminal_gly) device. |
**Disabled Privileges** \[Type = UnicodeString\]**:** the list of disabled user rights. See possible values in the table above.
@@ -200,4 +200,4 @@ Otherwise, see the recommendations in the following table.
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about.
Also check **“Target Account\\Security ID”** to see whether the change in privileges should be made on that computer for that account. |
| **User rights that should be restricted or monitored**: You might have a list of user rights that you want to restrict or monitor. | Monitor this event and compare the **“Enabled Privileges”** to your list of user rights. Trigger an alert for user rights that should not be enabled, especially on high-value servers or other computers.
For example, you might have **SeDebugPrivilege** on a list of user rights to be restricted. |
-| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. |
+| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. |
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4704.md b/windows/security/threat-protection/auditing/event-4704.md
index d1d045bb0d..4dc7eb2c64 100644
--- a/windows/security/threat-protection/auditing/event-4704.md
+++ b/windows/security/threat-protection/auditing/event-4704.md
@@ -106,9 +106,9 @@ You will see unique event for every user.
| Privilege Name | User Right Group Policy Name | Description |
|---------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. |
+| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](/windows/win32/secgloss/p-gly#_security_primary_token_gly) of a process.
With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. |
| SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. |
-| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE |
+| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](/windows/win32/secgloss/a-gly#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE |
| SeChangeNotifyPrivilege | Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. |
| SeCreateGlobalPrivilege | Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. |
| SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile. |
@@ -140,7 +140,7 @@ You will see unique event for every user.
| SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock. |
| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. |
| SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop.
With this privilege, the user can undock a portable computer from its docking station without logging on. |
-| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](https://msdn.microsoft.com/library/windows/desktop/ms721627(v=vs.85).aspx#_security_terminal_gly) device. |
+| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](/windows/win32/secgloss/t-gly#_security_terminal_gly) device. |
## Security Monitoring Recommendations
@@ -158,5 +158,4 @@ For 4704(S): A user right was assigned.
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about.
Also check **“Target Account\\ Account Name”** to see whether the change in rights should be made on that computer for that account. |
| **User rights that should be restricted or monitored**: You might have a list of user rights that you want to restrict or monitor. | Monitor this event and compare the “**New Right\\User Right**” to your list of user rights, to see whether the right should be assigned to **“Target Account\\Account Name**.” Trigger an alert for user rights that should not be enabled, especially on high-value servers or other computers.
For example, your list of restricted rights might say that only administrative accounts should have **SeAuditPrivilege**. As another example, your list might say that no accounts should have **SeTcbPrivilege** or **SeDebugPrivilege**. |
-| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. |
-
+| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. |
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4705.md b/windows/security/threat-protection/auditing/event-4705.md
index 317b3b23fb..9478ffd125 100644
--- a/windows/security/threat-protection/auditing/event-4705.md
+++ b/windows/security/threat-protection/auditing/event-4705.md
@@ -106,9 +106,9 @@ You will see unique event for every user.
| Privilege Name | User Right Group Policy Name | Description |
|---------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. |
+| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](/windows/win32/secgloss/p-gly#_security_primary_token_gly) of a process.
With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. |
| SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. |
-| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE |
+| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](/windows/win32/secgloss/a-gly#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE |
| SeChangeNotifyPrivilege | Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. |
| SeCreateGlobalPrivilege | Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. |
| SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile. |
@@ -140,7 +140,7 @@ You will see unique event for every user.
| SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock. |
| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. |
| SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop.
With this privilege, the user can undock a portable computer from its docking station without logging on. |
-| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](https://msdn.microsoft.com/library/windows/desktop/ms721627(v=vs.85).aspx#_security_terminal_gly) device. |
+| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](/windows/win32/secgloss/t-gly#_security_terminal_gly) device. |
## Security Monitoring Recommendations
@@ -157,5 +157,4 @@ For 4705(S): A user right was removed.
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. Also be sure to check “**Target Account\\Account Name**” to see whether user rights should be removed from that account (or whether that account should have any rights on that computer).
For high-value servers or other computers, we recommend that you track this event and investigate whether the specific “**Removed Right**” should be removed from “**Target** **Account\\Account Name**” in each case. |
| **User rights that should be restricted**: You might have a list of user rights that you want to monitor. | Monitor this event and compare the **“Removed Right”** to your list of restricted rights.
Monitor this event to discover the removal of a right that should never have been granted (for example, SeTcbPrivilege), so that you can investigate further. |
-| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. |
-
+| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. |
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4706.md b/windows/security/threat-protection/auditing/event-4706.md
index d39473364c..e0abbded89 100644
--- a/windows/security/threat-protection/auditing/event-4706.md
+++ b/windows/security/threat-protection/auditing/event-4706.md
@@ -114,7 +114,7 @@ This event is generated only on domain controllers.
|-------|------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 | TRUST\_TYPE\_DOWNLEVEL | The domain controller of the trusted domain is a computer running an operating system earlier than Windows 2000. |
| 2 | TRUST\_TYPE\_UPLEVEL | The domain controller of the trusted domain is a computer running Windows 2000 or later. |
-| 3 | TRUST\_TYPE\_MIT | The trusted domain is running a non-Windows, RFC4120-compliant Kerberos distribution. This type of trust is distinguished in that (1) a [SID](https://msdn.microsoft.com/library/cc223126.aspx#gt_83f2020d-0804-4840-a5ac-e06439d50f8d) is not required for the [TDO](https://msdn.microsoft.com/library/cc223126.aspx#gt_f2ceef4e-999b-4276-84cd-2e2829de5fc4), and (2) the default key types include the DES-CBC and DES-CRC encryption types (see [\[RFC4120\]](https://go.microsoft.com/fwlink/?LinkId=90458) section 8.1). |
+| 3 | TRUST\_TYPE\_MIT | The trusted domain is running a non-Windows, RFC4120-compliant Kerberos distribution. This type of trust is distinguished in that (1) a [SID](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_83f2020d-0804-4840-a5ac-e06439d50f8d) is not required for the [TDO](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_f2ceef4e-999b-4276-84cd-2e2829de5fc4), and (2) the default key types include the DES-CBC and DES-CRC encryption types (see [\[RFC4120\]](https://go.microsoft.com/fwlink/?LinkId=90458) section 8.1). |
| 4 | TRUST\_TYPE\_DCE | The trusted domain is a DCE realm. Historical reference, this value is not used in Windows. |
- **Trust Direction** \[Type = UInt32\]**:** the direction of new trust. The following table contains possible values for this field:
@@ -131,17 +131,17 @@ This event is generated only on domain controllers.
| Value | Attribute Value | Description |
|-------|------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 0x1 | TRUST\_ATTRIBUTE\_NON\_TRANSITIVE | If this bit is set, then the trust cannot be used transitively. For example, if domain A trusts domain B, which in turn trusts domain C, and the A<-->B trust has this attribute set, then a client in domain A cannot authenticate to a server in domain C over the A<-->B<-->C trust linkage. |
-| 0x2 | TRUST\_ATTRIBUTE\_UPLEVEL\_ONLY | If this bit is set in the attribute, then only Windows 2000 operating system and newer clients may use the trust link. [Netlogon](https://msdn.microsoft.com/library/cc223126.aspx#gt_70771a5a-04a3-447d-981b-e03098808c32) does not consume [trust objects](https://msdn.microsoft.com/library/cc223126.aspx#gt_e81f6436-01d2-4311-93a4-4316bb67eabd) that have this flag set. |
-| 0x4 | TRUST\_ATTRIBUTE\_QUARANTINED\_DOMAIN | If this bit is set, the trusted domain is quarantined and is subject to the rules of [SID](https://msdn.microsoft.com/library/cc223126.aspx#gt_83f2020d-0804-4840-a5ac-e06439d50f8d) Filtering as described in [\[MS-PAC\]](https://msdn.microsoft.com/library/cc237917.aspx) section [4.1.2.2](https://msdn.microsoft.com/library/cc237940.aspx). |
-| 0x8 | TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE | If this bit is set, the trust link is a [cross-forest trust](https://msdn.microsoft.com/library/cc223126.aspx#gt_86f3dbf2-338f-462e-8c5b-3c8e05798dbc) [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx) between the root domains of two [forests](https://msdn.microsoft.com/library/cc223126.aspx#gt_fd104241-4fb3-457c-b2c4-e0c18bb20b62), both of which are running in a [forest functional level](https://msdn.microsoft.com/library/cc223126.aspx#gt_b3240417-ca43-4901-90ec-fde55b32b3b8) of DS\_BEHAVIOR\_WIN2003 or greater.
Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 operating system.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
-| 0x10 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](https://msdn.microsoft.com/library/cc223126.aspx#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx) section [3.3.5.7.5](https://msdn.microsoft.com/library/cc233949.aspx) and [\[MS-APDS\]](https://msdn.microsoft.com/library/cc223948.aspx) section [3.1.5](https://msdn.microsoft.com/library/cc223991.aspx).
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
+| 0x2 | TRUST\_ATTRIBUTE\_UPLEVEL\_ONLY | If this bit is set in the attribute, then only Windows 2000 operating system and newer clients may use the trust link. [Netlogon](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_70771a5a-04a3-447d-981b-e03098808c32) does not consume [trust objects](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_e81f6436-01d2-4311-93a4-4316bb67eabd) that have this flag set. |
+| 0x4 | TRUST\_ATTRIBUTE\_QUARANTINED\_DOMAIN | If this bit is set, the trusted domain is quarantined and is subject to the rules of [SID](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_83f2020d-0804-4840-a5ac-e06439d50f8d) Filtering as described in [\[MS-PAC\]](/openspecs/windows_protocols/ms-pac/166d8064-c863-41e1-9c23-edaaa5f36962) section [4.1.2.2](/openspecs/windows_protocols/ms-pac/55fc19f2-55ba-4251-8a6a-103dd7c66280). |
+| 0x8 | TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE | If this bit is set, the trust link is a [cross-forest trust](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_86f3dbf2-338f-462e-8c5b-3c8e05798dbc) [\[MS-KILE\]](/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9) between the root domains of two [forests](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_fd104241-4fb3-457c-b2c4-e0c18bb20b62), both of which are running in a [forest functional level](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_b3240417-ca43-4901-90ec-fde55b32b3b8) of DS\_BEHAVIOR\_WIN2003 or greater.
Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 operating system.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
+| 0x10 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9) section [3.3.5.7.5](/openspecs/windows_protocols/ms-kile/bac4dc69-352d-416c-a9f4-730b81ababb3) and [\[MS-APDS\]](/openspecs/windows_protocols/ms-apds/dd444344-fd7e-430e-b313-7e95ab9c338e) section [3.1.5](/openspecs/windows_protocols/ms-apds/f47e40e1-b9ca-47e2-b139-15a1e96b0e72).
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
| 0x20 | TRUST\_ATTRIBUTE\_WITHIN\_FOREST | If this bit is set, then the trusted domain is within the same forest.
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. |
-| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are more stringently [filtered](https://msdn.microsoft.com/library/cc223126.aspx#gt_ffbe7b55-8e84-4f41-a18d-fc29191a4cda) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/library/cc237917.aspx) section 4.1.2.2.
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
Only evaluated if SID Filtering is used.
Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
-| 0x80 | TRUST\_ATTRIBUTE\_USES\_RC4\_ENCRYPTION | This bit is set on trusts with the [trustType](https://msdn.microsoft.com/library/cc220955.aspx) set to TRUST\_TYPE\_MIT, which are capable of using RC4 keys. Historically, MIT Kerberos distributions supported only DES and 3DES keys ([\[RFC4120\]](https://go.microsoft.com/fwlink/?LinkId=90458), [\[RFC3961\]](https://go.microsoft.com/fwlink/?LinkId=90450)). MIT 1.4.1 adopted the RC4HMAC encryption type common to Windows 2000 [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx), so trusted domains deploying later versions of the MIT distribution required this bit. For more information, see "Keys and Trusts", section [6.1.6.9.1](https://msdn.microsoft.com/library/cc223782.aspx).
Only evaluated on TRUST\_TYPE\_MIT |
-| 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx) section 3.3.5.7.5.
Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. |
-| 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/library/cc237917.aspx) section 4.1.2.2.
Evaluated only on Windows Server 2016
Evaluated only if SID Filtering is used.
Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater. |
+| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are more stringently [filtered](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_ffbe7b55-8e84-4f41-a18d-fc29191a4cda) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](/openspecs/windows_protocols/ms-pac/166d8064-c863-41e1-9c23-edaaa5f36962) section 4.1.2.2.
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
Only evaluated if SID Filtering is used.
Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
+| 0x80 | TRUST\_ATTRIBUTE\_USES\_RC4\_ENCRYPTION | This bit is set on trusts with the [trustType](/openspecs/windows_protocols/ms-ada3/d4b436de-0ba2-44e3-975c-9f4d8aa51885) set to TRUST\_TYPE\_MIT, which are capable of using RC4 keys. Historically, MIT Kerberos distributions supported only DES and 3DES keys ([\[RFC4120\]](https://go.microsoft.com/fwlink/?LinkId=90458), [\[RFC3961\]](https://go.microsoft.com/fwlink/?LinkId=90450)). MIT 1.4.1 adopted the RC4HMAC encryption type common to Windows 2000 [\[MS-KILE\]](/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9), so trusted domains deploying later versions of the MIT distribution required this bit. For more information, see "Keys and Trusts", section [6.1.6.9.1](/openspecs/windows_protocols/ms-adts/c964fca9-c50e-426a-9173-5bf3cb720e2e).
Only evaluated on TRUST\_TYPE\_MIT |
+| 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9) section 3.3.5.7.5.
Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. |
+| 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](/openspecs/windows_protocols/ms-pac/166d8064-c863-41e1-9c23-edaaa5f36962) section 4.1.2.2.
Evaluated only on Windows Server 2016
Evaluated only if SID Filtering is used.
Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater. |
-- **SID Filtering** \[Type = UnicodeString\]: [SID Filtering](https://technet.microsoft.com/library/cc772633(v=ws.10).aspx) state for the new trust:
+- **SID Filtering** \[Type = UnicodeString\]: [SID Filtering](/previous-versions/windows/it-pro/windows-server-2003/cc772633(v=ws.10)) state for the new trust:
- Enabled
@@ -151,5 +151,4 @@ This event is generated only on domain controllers.
For 4706(S): A new trust was created to a domain.
-- Any changes related to Active Directory domain trusts (especially creation of the new trust) must be monitored and alerts should be triggered. If this change was not planned, investigate the reason for the change.
-
+- Any changes related to Active Directory domain trusts (especially creation of the new trust) must be monitored and alerts should be triggered. If this change was not planned, investigate the reason for the change.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4713.md b/windows/security/threat-protection/auditing/event-4713.md
index 3c7ada997e..032446b19b 100644
--- a/windows/security/threat-protection/auditing/event-4713.md
+++ b/windows/security/threat-protection/auditing/event-4713.md
@@ -27,7 +27,7 @@ ms.technology: mde
***Event Description:***
-This event generates when [Kerberos](https://msdn.microsoft.com/library/windows/desktop/aa378747.aspx) policy was changed.
+This event generates when [Kerberos](/windows/win32/secauthn/microsoft-kerberos) policy was changed.
This event is generated only on domain controllers.
@@ -113,5 +113,4 @@ This event shows changes in “Kerberos policy”. Here is location of Kerberos
For 4713(S): Kerberos policy was changed.
-- Any changes in Kerberos policy reported by current event must be monitored and an alert should be triggered. If this change was not planned, investigate the reason for the change.
-
+- Any changes in Kerberos policy reported by current event must be monitored and an alert should be triggered. If this change was not planned, investigate the reason for the change.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4714.md b/windows/security/threat-protection/auditing/event-4714.md
index 36dec3a969..d7c176a754 100644
--- a/windows/security/threat-protection/auditing/event-4714.md
+++ b/windows/security/threat-protection/auditing/event-4714.md
@@ -27,11 +27,11 @@ ms.technology: mde
***Event Description:***
-This event generates when a Data Recovery Agent group policy for Encrypting File System ([EFS](https://technet.microsoft.com/library/cc700811.aspx)) has changed.
+This event generates when a Data Recovery Agent group policy for Encrypting File System ([EFS](/previous-versions/tn-archive/cc700811(v=technet.10))) has changed.
-This event generates when a Data Recovery Agent certificate or [Data Recovery Agent policy](https://technet.microsoft.com/library/cc778208(v=ws.10).aspx) was changed for the computer or device.
+This event generates when a Data Recovery Agent certificate or [Data Recovery Agent policy](/previous-versions/windows/it-pro/windows-server-2003/cc778208(v=ws.10)) was changed for the computer or device.
-In the background, this event generates when the [\\HKLM\\Software\\Policies\\Microsoft\\SystemCertificates\\EFS\\EfsBlob](https://msdn.microsoft.com/library/cc232284.aspx) registry value is changed during a Group Policy update.
+In the background, this event generates when the [\\HKLM\\Software\\Policies\\Microsoft\\SystemCertificates\\EFS\\EfsBlob](/openspecs/windows_protocols/ms-gpef/34fd0504-84fc-4ad9-97ac-ee74b84419ac) registry value is changed during a Group Policy update.
> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
@@ -75,5 +75,4 @@ In the background, this event generates when the [\\HKLM\\Software\\Policies\\Mi
For 4714(S): Encrypted data recovery policy was changed.
-- We recommend monitoring this event and if the change was not planned, investigate the reason for the change.
-
+- We recommend monitoring this event and if the change was not planned, investigate the reason for the change.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4716.md b/windows/security/threat-protection/auditing/event-4716.md
index 35b1bfc9d2..1cd47c82c4 100644
--- a/windows/security/threat-protection/auditing/event-4716.md
+++ b/windows/security/threat-protection/auditing/event-4716.md
@@ -114,7 +114,7 @@ This event is generated only on domain controllers.
|-------|------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 | TRUST\_TYPE\_DOWNLEVEL | The domain controller of the trusted domain is a computer running an operating system earlier than Windows 2000. |
| 2 | TRUST\_TYPE\_UPLEVEL | The domain controller of the trusted domain is a computer running Windows 2000 or later. |
-| 3 | TRUST\_TYPE\_MIT | The trusted domain is running a non-Windows, RFC4120-compliant Kerberos distribution. This type of trust is distinguished in that (1) a [SID](https://msdn.microsoft.com/library/cc223126.aspx#gt_83f2020d-0804-4840-a5ac-e06439d50f8d) is not required for the [TDO](https://msdn.microsoft.com/library/cc223126.aspx#gt_f2ceef4e-999b-4276-84cd-2e2829de5fc4), and (2) the default key types include the DES-CBC and DES-CRC encryption types (see [\[RFC4120\]](https://go.microsoft.com/fwlink/?LinkId=90458) section 8.1). |
+| 3 | TRUST\_TYPE\_MIT | The trusted domain is running a non-Windows, RFC4120-compliant Kerberos distribution. This type of trust is distinguished in that (1) a [SID](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_83f2020d-0804-4840-a5ac-e06439d50f8d) is not required for the [TDO](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_f2ceef4e-999b-4276-84cd-2e2829de5fc4), and (2) the default key types include the DES-CBC and DES-CRC encryption types (see [\[RFC4120\]](https://go.microsoft.com/fwlink/?LinkId=90458) section 8.1). |
| 4 | TRUST\_TYPE\_DCE | The trusted domain is a DCE realm. Historical reference, this value is not used in Windows. |
- **Trust Direction** \[Type = UInt32\]**:** the direction of new trust. If this attribute was not changed, then it will have “**-**“ value or its old value. The following table contains possible values for this field:
@@ -131,17 +131,17 @@ This event is generated only on domain controllers.
| Value | Attribute Value | Description |
|-------|------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 0x1 | TRUST\_ATTRIBUTE\_NON\_TRANSITIVE | If this bit is set, then the trust cannot be used transitively. For example, if domain A trusts domain B, which in turn trusts domain C, and the A<-->B trust has this attribute set, then a client in domain A cannot authenticate to a server in domain C over the A<-->B<-->C trust linkage. |
-| 0x2 | TRUST\_ATTRIBUTE\_UPLEVEL\_ONLY | If this bit is set in the attribute, then only Windows 2000 operating system and newer clients may use the trust link. [Netlogon](https://msdn.microsoft.com/library/cc223126.aspx#gt_70771a5a-04a3-447d-981b-e03098808c32) does not consume [trust objects](https://msdn.microsoft.com/library/cc223126.aspx#gt_e81f6436-01d2-4311-93a4-4316bb67eabd) that have this flag set. |
-| 0x4 | TRUST\_ATTRIBUTE\_QUARANTINED\_DOMAIN | If this bit is set, the trusted domain is quarantined and is subject to the rules of [SID](https://msdn.microsoft.com/library/cc223126.aspx#gt_83f2020d-0804-4840-a5ac-e06439d50f8d) Filtering as described in [\[MS-PAC\]](https://msdn.microsoft.com/library/cc237917.aspx) section [4.1.2.2](https://msdn.microsoft.com/library/cc237940.aspx). |
-| 0x8 | TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE | If this bit is set, the trust link is a [cross-forest trust](https://msdn.microsoft.com/library/cc223126.aspx#gt_86f3dbf2-338f-462e-8c5b-3c8e05798dbc) [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx) between the root domains of two [forests](https://msdn.microsoft.com/library/cc223126.aspx#gt_fd104241-4fb3-457c-b2c4-e0c18bb20b62), both of which are running in a [forest functional level](https://msdn.microsoft.com/library/cc223126.aspx#gt_b3240417-ca43-4901-90ec-fde55b32b3b8) of DS\_BEHAVIOR\_WIN2003 or greater.
Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 operating system.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
-| 0x10 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](https://msdn.microsoft.com/library/cc223126.aspx#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx) section [3.3.5.7.5](https://msdn.microsoft.com/library/cc233949.aspx) and [\[MS-APDS\]](https://msdn.microsoft.com/library/cc223948.aspx) section [3.1.5](https://msdn.microsoft.com/library/cc223991.aspx).
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
+| 0x2 | TRUST\_ATTRIBUTE\_UPLEVEL\_ONLY | If this bit is set in the attribute, then only Windows 2000 operating system and newer clients may use the trust link. [Netlogon](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_70771a5a-04a3-447d-981b-e03098808c32) does not consume [trust objects](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_e81f6436-01d2-4311-93a4-4316bb67eabd) that have this flag set. |
+| 0x4 | TRUST\_ATTRIBUTE\_QUARANTINED\_DOMAIN | If this bit is set, the trusted domain is quarantined and is subject to the rules of [SID](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_83f2020d-0804-4840-a5ac-e06439d50f8d) Filtering as described in [\[MS-PAC\]](/openspecs/windows_protocols/ms-pac/166d8064-c863-41e1-9c23-edaaa5f36962) section [4.1.2.2](/openspecs/windows_protocols/ms-pac/55fc19f2-55ba-4251-8a6a-103dd7c66280). |
+| 0x8 | TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE | If this bit is set, the trust link is a [cross-forest trust](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_86f3dbf2-338f-462e-8c5b-3c8e05798dbc) [\[MS-KILE\]](/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9) between the root domains of two [forests](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_fd104241-4fb3-457c-b2c4-e0c18bb20b62), both of which are running in a [forest functional level](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_b3240417-ca43-4901-90ec-fde55b32b3b8) of DS\_BEHAVIOR\_WIN2003 or greater.
Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 operating system.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
+| 0x10 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](/openspecs/windows_protocols/ms-adts/b645c125-a7da-4097-84a1-2fa7cea07714#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9) section [3.3.5.7.5](/openspecs/windows_protocols/ms-kile/bac4dc69-352d-416c-a9f4-730b81ababb3) and [\[MS-APDS\]](/openspecs/windows_protocols/ms-apds/dd444344-fd7e-430e-b313-7e95ab9c338e) section [3.1.5](/openspecs/windows_protocols/ms-apds/f47e40e1-b9ca-47e2-b139-15a1e96b0e72).
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
| 0x20 | TRUST\_ATTRIBUTE\_WITHIN\_FOREST | If this bit is set, then the trusted domain is within the same forest.
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. |
-| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are [more stringently filtered](https://docs.microsoft.com/openspecs/windows_protocols/ms-adts/e9a2d23c-c31e-4a6f-88a0-6646fdb51a3c) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts.
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
Only evaluated if SID Filtering is used.
Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
-| 0x80 | TRUST\_ATTRIBUTE\_USES\_RC4\_ENCRYPTION | This bit is set on trusts with the [trustType](https://msdn.microsoft.com/library/cc220955.aspx) set to TRUST\_TYPE\_MIT, which are capable of using RC4 keys. Historically, MIT Kerberos distributions supported only DES and 3DES keys ([\[RFC4120\]](https://go.microsoft.com/fwlink/?LinkId=90458), [\[RFC3961\]](https://go.microsoft.com/fwlink/?LinkId=90450)). MIT 1.4.1 adopted the RC4HMAC encryption type common to Windows 2000 [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx), so trusted domains deploying later versions of the MIT distribution required this bit. For more information, see "Keys and Trusts", section [6.1.6.9.1](https://msdn.microsoft.com/library/cc223782.aspx).
Only evaluated on TRUST\_TYPE\_MIT |
-| 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx) section 3.3.5.7.5.
Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. |
-| 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/library/cc237917.aspx) section 4.1.2.2.
Evaluated only on Windows Server 2016
Evaluated only if SID Filtering is used.
Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater. |
+| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are [more stringently filtered](/openspecs/windows_protocols/ms-adts/e9a2d23c-c31e-4a6f-88a0-6646fdb51a3c) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts.
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
Only evaluated if SID Filtering is used.
Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
+| 0x80 | TRUST\_ATTRIBUTE\_USES\_RC4\_ENCRYPTION | This bit is set on trusts with the [trustType](/openspecs/windows_protocols/ms-ada3/d4b436de-0ba2-44e3-975c-9f4d8aa51885) set to TRUST\_TYPE\_MIT, which are capable of using RC4 keys. Historically, MIT Kerberos distributions supported only DES and 3DES keys ([\[RFC4120\]](https://go.microsoft.com/fwlink/?LinkId=90458), [\[RFC3961\]](https://go.microsoft.com/fwlink/?LinkId=90450)). MIT 1.4.1 adopted the RC4HMAC encryption type common to Windows 2000 [\[MS-KILE\]](/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9), so trusted domains deploying later versions of the MIT distribution required this bit. For more information, see "Keys and Trusts", section [6.1.6.9.1](/openspecs/windows_protocols/ms-adts/c964fca9-c50e-426a-9173-5bf3cb720e2e).
Only evaluated on TRUST\_TYPE\_MIT |
+| 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9) section 3.3.5.7.5.
Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. |
+| 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](/openspecs/windows_protocols/ms-pac/166d8064-c863-41e1-9c23-edaaa5f36962) section 4.1.2.2.
Evaluated only on Windows Server 2016
Evaluated only if SID Filtering is used.
Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater. |
-- **SID Filtering** \[Type = UnicodeString\]: [SID Filtering](https://technet.microsoft.com/library/cc772633(v=ws.10).aspx) state for the new trust:
+- **SID Filtering** \[Type = UnicodeString\]: [SID Filtering](/previous-versions/windows/it-pro/windows-server-2003/cc772633(v=ws.10)) state for the new trust:
- Enabled
diff --git a/windows/security/threat-protection/auditing/event-4717.md b/windows/security/threat-protection/auditing/event-4717.md
index ddbd9f66db..32576cdc3b 100644
--- a/windows/security/threat-protection/auditing/event-4717.md
+++ b/windows/security/threat-protection/auditing/event-4717.md
@@ -27,7 +27,7 @@ ms.technology: mde
***Event Description:***
-This event generates every time local [logon user right policy](https://technet.microsoft.com/library/cc728212(v=ws.10).aspx) is changed and logon right was granted to an account.
+This event generates every time local [logon user right policy](/previous-versions/windows/it-pro/windows-server-2003/cc728212(v=ws.10)) is changed and logon right was granted to an account.
You will see unique event for every user if logon user rights were granted to multiple accounts.
@@ -102,7 +102,7 @@ You will see unique event for every user if logon user rights were granted to mu
**Access Granted:**
-- **Access Right** \[Type = UnicodeString\]: the name of granted logon right. This event generates only for [logon rights](https://technet.microsoft.com/library/cc728212(v=ws.10).aspx), which are as follows:
+- **Access Right** \[Type = UnicodeString\]: the name of granted logon right. This event generates only for [logon rights](/previous-versions/windows/it-pro/windows-server-2003/cc728212(v=ws.10)), which are as follows:
| Value | Group Policy Name |
|-----------------------------------|-----------------------------------------------|
@@ -132,5 +132,4 @@ For 4717(S): System security access was granted to an account.
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. Also be sure to check “**Account Modified\\Account Name**” to see whether logon rights should be granted to that account.
For high-value servers or other computers, we recommend that you track this event and investigate whether the specific “**Access Right**” should be granted to “**Account Modified\\Account Name**” in each case. |
| **Logon rights that should be restricted**: You might have a list of user logon rights that you want to monitor (for example, **SeServiceLogonRight**). | Monitor this event and compare the **“Access Right”** to your list of restricted rights. |
-| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. |
-
+| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. |
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4718.md b/windows/security/threat-protection/auditing/event-4718.md
index 0e7892c9c8..2c7f91f8c7 100644
--- a/windows/security/threat-protection/auditing/event-4718.md
+++ b/windows/security/threat-protection/auditing/event-4718.md
@@ -27,7 +27,7 @@ ms.technology: mde
***Event Description:***
-This event generates every time local [logon user right policy](https://technet.microsoft.com/library/cc728212(v=ws.10).aspx) is changed and logon right was removed from an account.
+This event generates every time local [logon user right policy](/previous-versions/windows/it-pro/windows-server-2003/cc728212(v=ws.10)) is changed and logon right was removed from an account.
You will see unique event for every user if logon user rights were removed for multiple accounts.
@@ -102,7 +102,7 @@ You will see unique event for every user if logon user rights were removed for m
**Access Removed:**
-- **Access Right** \[Type = UnicodeString\]: the name of removed logon right. This event generates only for [logon rights](https://technet.microsoft.com/library/cc728212(v=ws.10).aspx), which are as follows:
+- **Access Right** \[Type = UnicodeString\]: the name of removed logon right. This event generates only for [logon rights](/previous-versions/windows/it-pro/windows-server-2003/cc728212(v=ws.10)), which are as follows:
| Value | Group Policy Name |
|-----------------------------------|-----------------------------------------------|
@@ -132,5 +132,4 @@ For 4718(S): System security access was removed from an account.
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. Also be sure to check “**Account Modified\\Account Name**” to see whether logon rights should be removed from that account.
For high-value servers or other computers, we recommend that you track this event and investigate whether the specific “**Access Right**” should be removed from “**Account Modified\\Account Name**” in each case. |
| **Logon rights that should be restricted**: You might have a list of user logon rights that you want to monitor (for example, **SeServiceLogonRight**).
**“Deny” rights that should not be removed**: Your organization might use “Deny” rights that should not be removed, for example, SeDenyRemoteInteractiveLogonRight. | - Monitor this event and compare the **“Access Right”** to your list of restricted rights.
Monitor this event to discover the removal of a right that should never have been granted, so that you can investigate further.
You can also monitor this event to discover the removal of “Deny” rights. When these rights are removed, it could be an approved action, done by mistake, or part of malicious activity. These rights include:
SeDenyNetworkLogonRight:
SeDenyBatchLogonRight
SeDenyServiceLogonRight
SeDenyInteractiveLogonRight
SeDenyRemoteInteractiveLogonRight |
-| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. |
-
+| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. |
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4732.md b/windows/security/threat-protection/auditing/event-4732.md
index 94a84c0054..43c74c4d05 100644
--- a/windows/security/threat-protection/auditing/event-4732.md
+++ b/windows/security/threat-protection/auditing/event-4732.md
@@ -137,7 +137,7 @@ You will typically see “[4735](event-4735.md): A security-enabled local group
- For a local group, this field will contain the name of the computer to which this new group belongs, for example: “Win81”.
- - [Built-in groups](https://technet.microsoft.com/library/dn169025(v=ws.10).aspx): Builtin
+ - [Built-in groups](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dn169025(v=ws.10)): Builtin
**Additional Information:**
@@ -159,5 +159,4 @@ For 4732(S): A member was added to a security-enabled local group.
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. |
| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. |
-| **Mismatch between type of account (user or computer) and the group it was added to**: You might want to monitor to ensure that a computer account was not added to a group intended for users, or a user account was not added to a group intended for computers. | Monitor the type of account added to the group to see if it matches what the group is intended for. |
-
+| **Mismatch between type of account (user or computer) and the group it was added to**: You might want to monitor to ensure that a computer account was not added to a group intended for users, or a user account was not added to a group intended for computers. | Monitor the type of account added to the group to see if it matches what the group is intended for. |
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4733.md b/windows/security/threat-protection/auditing/event-4733.md
index b23bf184d3..b7bad044d0 100644
--- a/windows/security/threat-protection/auditing/event-4733.md
+++ b/windows/security/threat-protection/auditing/event-4733.md
@@ -143,7 +143,7 @@ You will typically see “[4735](event-4735.md): A security-enabled local group
- - [Built-in groups](https://technet.microsoft.com/library/dn169025(v=ws.10).aspx): Builtin
+ - [Built-in groups](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dn169025(v=ws.10)): Builtin
**Additional Information:**
@@ -165,5 +165,4 @@ For 4733(S): A member was removed from a security-enabled local group.
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. |
-| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. |
-
+| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. |
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4734.md b/windows/security/threat-protection/auditing/event-4734.md
index 144c20c935..df33b3726f 100644
--- a/windows/security/threat-protection/auditing/event-4734.md
+++ b/windows/security/threat-protection/auditing/event-4734.md
@@ -114,7 +114,7 @@ This event generates on domain controllers, member servers, and workstations.
- For a local group, this field will contain the name of the computer to which this new group belongs, for example: “Win81”.
- - [Built-in groups](https://technet.microsoft.com/library/dn169025(v=ws.10).aspx): Builtin
+ - [Built-in groups](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dn169025(v=ws.10)): Builtin
**Additional Information:**
@@ -128,5 +128,4 @@ For 4734(S): A security-enabled local group was deleted.
- If you have a list of critical local or domain security groups in the organization, and need to specifically monitor these groups for any change, especially group deletion, monitor events with the “**Group\\Group Name”** values that correspond to the critical local or domain security groups. Examples of critical local or domain groups are built-in local administrators group, domain admins, enterprise admins, and so on.
-- If you need to monitor each time a local or domain security group is deleted, to see who deleted it and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed.
-
+- If you need to monitor each time a local or domain security group is deleted, to see who deleted it and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4735.md b/windows/security/threat-protection/auditing/event-4735.md
index 98843abaa0..14d1e6df28 100644
--- a/windows/security/threat-protection/auditing/event-4735.md
+++ b/windows/security/threat-protection/auditing/event-4735.md
@@ -127,13 +127,13 @@ From 4735 event you can get information about changes of **sAMAccountName** and
- For a local group, this field will contain the name of the computer to which this new group belongs, for example: “Win81”.
- - [Built-in groups](https://technet.microsoft.com/library/dn169025(v=ws.10).aspx): Builtin
+ - [Built-in groups](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dn169025(v=ws.10)): Builtin
**Changed Attributes:**
> **Note** If attribute was not changed it will have “-“ value.
-You might see a 4735 event without any changes inside, that is, where all Changed Attributes apear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, this would happen if you change the Description of a group object using the Active Directory Users and Computers administrative console. Also, if the [discretionary access control list](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx) (DACL) is changed, a 4735 event will generate, but all attributes will be “-“.
+You might see a 4735 event without any changes inside, that is, where all Changed Attributes apear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, this would happen if you change the Description of a group object using the Active Directory Users and Computers administrative console. Also, if the [discretionary access control list](/windows/win32/secauthz/access-control-lists) (DACL) is changed, a 4735 event will generate, but all attributes will be “-“.
- **SAM Account Name** \[Type = UnicodeString\]: This is a new name of changed group used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). If the value of **sAMAccountName** attribute of group object was changed, you will see the new value here. For example: ServiceDesk. For local groups it is simply a new name of the group, if it was changed.
@@ -153,5 +153,4 @@ For 4735(S): A security-enabled local group was changed.
- If you need to monitor each time a member is added to a local or domain security group, to see who added the member and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed.
-- If your organization has naming conventions for account names, monitor “**Attributes\\SAM Account Name”** for names that don’t comply with the naming conventions.
-
+- If your organization has naming conventions for account names, monitor “**Attributes\\SAM Account Name”** for names that don’t comply with the naming conventions.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4738.md b/windows/security/threat-protection/auditing/event-4738.md
index 6262726e51..f62d7e4ba8 100644
--- a/windows/security/threat-protection/auditing/event-4738.md
+++ b/windows/security/threat-protection/auditing/event-4738.md
@@ -33,7 +33,7 @@ This event generates on domain controllers, member servers, and workstations.
For each change, a separate 4738 event will be generated.
-You might see this event without any changes inside, that is, where all **Changed Attributes** appear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, if the [discretionary access control list](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx) (DACL) is changed, a 4738 event will generate, but all attributes will be “-“.
+You might see this event without any changes inside, that is, where all **Changed Attributes** appear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, if the [discretionary access control list](/windows/win32/secauthz/access-control-lists) (DACL) is changed, a 4738 event will generate, but all attributes will be “-“.
Some changes do not invoke a 4738 event.
@@ -293,5 +293,4 @@ For 4738(S): A user account was changed.
| **'Use DES Key Only'** – Enabled | Should not typically be enabled for user accounts because it weakens security for the account’s Kerberos authentication. |
| **'Don't Require Preauth'** – Enabled | Should not be enabled for user accounts because it weakens security for the account’s Kerberos authentication. |
| **'Use DES Key Only'** – Disabled | Should be monitored for all accounts where the setting should be “**Enabled**.” |
-| **'Don't Require Preauth'** – Disabled | Should be monitored for all accounts where the setting should be “**Enabled**.” |
-
+| **'Don't Require Preauth'** – Disabled | Should be monitored for all accounts where the setting should be “**Enabled**.” |
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4739.md b/windows/security/threat-protection/auditing/event-4739.md
index 900d034c18..e3268f4c69 100644
--- a/windows/security/threat-protection/auditing/event-4739.md
+++ b/windows/security/threat-protection/auditing/event-4739.md
@@ -101,8 +101,8 @@ This event generates when one of the following changes was made to local compute
|-----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------|
| Lockout Policy | Computer’s “\\Security Settings\\Account Policies\\Account Lockout Policy” settings were modified. |
| Password Policy | Computer's “\\Security Settings\\Account Policies\\Password Policy” settings were modified. |
-| Logoff Policy | "[Network security: Force logoff when logon hours expire](https://technet.microsoft.com/library/jj852195.aspx)" group policy setting was changed. |
-| - | Machine Account Quota ([ms-DS-MachineAccountQuota](https://technet.microsoft.com/library/dd391926(v=ws.10).aspx)) domain attribute was modified. |
+| Logoff Policy | "[Network security: Force logoff when logon hours expire](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852195(v=ws.11))" group policy setting was changed. |
+| - | Machine Account Quota ([ms-DS-MachineAccountQuota](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd391926(v=ws.10))) domain attribute was modified. |
**Subject:**
@@ -163,11 +163,11 @@ This event generates when one of the following changes was made to local compute
- **Password History Length** \[Type = UnicodeString\]: “\\Security Settings\\Account Policies\\Password Policy\\Enforce password history” group policy. Numeric value.
-- **Machine Account Quota** \[Type = UnicodeString\]: [ms-DS-MachineAccountQuota](https://technet.microsoft.com/library/dd391926(v=ws.10).aspx) domain attribute was modified. Numeric value.
+- **Machine Account Quota** \[Type = UnicodeString\]: [ms-DS-MachineAccountQuota](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd391926(v=ws.10)) domain attribute was modified. Numeric value.
- **Mixed Domain Mode** \[Type = UnicodeString\]: there is no information about this field in this document.
-- **Domain Behavior Version** \[Type = UnicodeString\]: [msDS-Behavior-Version](https://msdn.microsoft.com/library/cc223742.aspx) domain attribute was modified. Numeric value. Possible values:
+- **Domain Behavior Version** \[Type = UnicodeString\]: [msDS-Behavior-Version](/openspecs/windows_protocols/ms-adts/d7422d35-448a-451a-8846-6a7def0044df) domain attribute was modified. Numeric value. Possible values:
| Value | Identifier | Domain controller operating systems that are allowed in the domain |
|-------|---------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
@@ -188,9 +188,9 @@ This event generates when one of the following changes was made to local compute
| Privilege Name | User Right Group Policy Name | Description |
|---------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. |
+| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](/windows/win32/secgloss/p-gly#_security_primary_token_gly) of a process.
With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. |
| SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. |
-| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE |
+| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](/windows/win32/secgloss/a-gly#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE |
| SeChangeNotifyPrivilege | Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. |
| SeCreateGlobalPrivilege | Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. |
| SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile. |
@@ -222,11 +222,10 @@ This event generates when one of the following changes was made to local compute
| SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock. |
| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. |
| SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop.
With this privilege, the user can undock a portable computer from its docking station without logging on. |
-| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](https://msdn.microsoft.com/library/windows/desktop/ms721627(v=vs.85).aspx#_security_terminal_gly) device. |
+| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](/windows/win32/secgloss/t-gly#_security_terminal_gly) device. |
## Security Monitoring Recommendations
For 4739(S): Domain Policy was changed.
-- Any settings changes to “**Account Lockout Policy**”, “**Password Policy**”, or “**Network security: Force logoff when logon hours expire**”, plus any **domain functional level and attributes** changes that are reported by this event, must be monitored and an alert should be triggered. If this change was not planned, investigate the reason for the change.
-
+- Any settings changes to “**Account Lockout Policy**”, “**Password Policy**”, or “**Network security: Force logoff when logon hours expire**”, plus any **domain functional level and attributes** changes that are reported by this event, must be monitored and an alert should be triggered. If this change was not planned, investigate the reason for the change.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4741.md b/windows/security/threat-protection/auditing/event-4741.md
index 466e46e06b..6c83f23d1e 100644
--- a/windows/security/threat-protection/auditing/event-4741.md
+++ b/windows/security/threat-protection/auditing/event-4741.md
@@ -259,9 +259,9 @@ So this UAC flags value decodes to: LOCKOUT and SCRIPT
| Privilege Name | User Right Group Policy Name | Description |
|---------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. |
+| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](/windows/win32/secgloss/p-gly#_security_primary_token_gly) of a process.
With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. |
| SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. |
-| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE |
+| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](/windows/win32/secgloss/a-gly#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
READ\_CONTROL
ACCESS\_SYSTEM\_SECURITY
FILE\_GENERIC\_READ
FILE\_TRAVERSE |
| SeChangeNotifyPrivilege | Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. |
| SeCreateGlobalPrivilege | Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. |
| SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile. |
@@ -293,7 +293,7 @@ So this UAC flags value decodes to: LOCKOUT and SCRIPT
| SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock. |
| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. |
| SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop.
With this privilege, the user can undock a portable computer from its docking station without logging on. |
-| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](https://msdn.microsoft.com/library/windows/desktop/ms721627(v=vs.85).aspx#_security_terminal_gly) device. |
+| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](/windows/win32/secgloss/t-gly#_security_terminal_gly) device. |
> Table 8. User Privileges.
@@ -330,5 +330,4 @@ For 4741(S): A computer account was created.
| **'Not Delegated'** – Enabled | Should not be enabled for new computer accounts. |
| **'Use DES Key Only'** – Enabled | Should not be enabled for new computer accounts. For computer accounts, it cannot be set in the account properties in Active Directory Users and Computers. |
| **'Don't Require Preauth'** – Enabled | Should not be enabled for new computer accounts. For computer accounts, it cannot be set in the account properties in Active Directory Users and Computers. |
-| **'Trusted To Authenticate For Delegation'** – Enabled | Should not be enabled for new computer accounts by default. |
-
+| **'Trusted To Authenticate For Delegation'** – Enabled | Should not be enabled for new computer accounts by default. |
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4742.md b/windows/security/threat-protection/auditing/event-4742.md
index c692aef6e1..5d0cda5110 100644
--- a/windows/security/threat-protection/auditing/event-4742.md
+++ b/windows/security/threat-protection/auditing/event-4742.md
@@ -37,7 +37,7 @@ For each change, a separate 4742 event will be generated.
Some changes do not invoke a 4742 event, for example, changes made using Active Directory Users and Computers management console in **Managed By** tab in computer account properties.
-You might see this event without any changes inside, that is, where all **Changed Attributes** appear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, this would happen if you change the **Description** of a group object using the Active Directory Users and Computers administrative console. Also, if the [discretionary access control list](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx) (DACL) is changed, a 4742 event will generate, but all attributes will be “-“.
+You might see this event without any changes inside, that is, where all **Changed Attributes** appear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, this would happen if you change the **Description** of a group object using the Active Directory Users and Computers administrative console. Also, if the [discretionary access control list](/windows/win32/secauthz/access-control-lists) (DACL) is changed, a 4742 event will generate, but all attributes will be “-“.
***Important*:** If you manually change any user-related setting or attribute, for example if you set the SMARTCARD\_REQUIRED flag in **userAccountControl** for the computer account, then the **sAMAccountType** of the computer account will be changed to NORMAL\_USER\_ACCOUNT and you will get “[4738](event-4738.md): A user account was changed” instead of 4742 for this computer account. Essentially, the computer account will “become” a user account. For NORMAL\_USER\_ACCOUNT you will always get events from [Audit User Account Management](audit-user-account-management.md) subcategory. We strongly recommend that you avoid changing any user-related settings manually for computer objects.
@@ -296,5 +296,4 @@ For 4742(S): A computer account was changed.
| **'Trusted To Authenticate For Delegation'** – Disabled | Means that Protocol Transition delegation was disabled for the computer account. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action.
Also, if you have a list of computer accounts for which delegation is critical and should not be disabled, monitor this for those accounts. |
| **'Not Delegated'** – Enabled | Means that **Account is sensitive and cannot be delegated** was selected for the computer account. For computer accounts, this flag cannot be set using the graphical interface. We recommend monitoring this to discover whether it is an approved action (done by an administrator), a mistake, or a malicious action. |
| **'Use DES Key Only'** – Enabled | Should not be enabled for computer accounts. For computer accounts, it cannot be set in the account properties in Active Directory Users and Computers. |
-| **'Don't Require Preauth'** - Enabled | Should not be enabled for computer accounts. For computer accounts, it cannot be set in the account properties in Active Directory Users and Computers. |
-
+| **'Don't Require Preauth'** - Enabled | Should not be enabled for computer accounts. For computer accounts, it cannot be set in the account properties in Active Directory Users and Computers. |
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4750.md b/windows/security/threat-protection/auditing/event-4750.md
index 4bdfe79f69..1a8a03f92a 100644
--- a/windows/security/threat-protection/auditing/event-4750.md
+++ b/windows/security/threat-protection/auditing/event-4750.md
@@ -123,13 +123,13 @@ From 4750 event you can get information about changes of **sAMAccountName** and
- Uppercase full domain name: CONTOSO.LOCAL
- - [Built-in groups](https://technet.microsoft.com/library/dn169025(v=ws.10).aspx): Builtin
+ - [Built-in groups](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dn169025(v=ws.10)): Builtin
**Changed Attributes:**
> **Note** If attribute was not changed it will have “-“ value.
>
-> **Note** You might see a 4750 event without any changes inside, that is, where all **Changed Attributes** appear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, this would happen if you change the Description of a group object using the Active Directory Users and Computers administrative console. Also, if the [discretionary access control list](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx) (DACL) is changed, a 4750 event will generate, but all attributes will be “-“.
+> **Note** You might see a 4750 event without any changes inside, that is, where all **Changed Attributes** appear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, this would happen if you change the Description of a group object using the Active Directory Users and Computers administrative console. Also, if the [discretionary access control list](/windows/win32/secauthz/access-control-lists) (DACL) is changed, a 4750 event will generate, but all attributes will be “-“.
- **SAM Account Name** \[Type = UnicodeString\]: This is a new name of changed group used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). If the value of **sAMAccountName** attribute of group object was changed, you will see the new value here. For example: ServiceDesk.
@@ -149,5 +149,4 @@ For 4750(S): A security-disabled global group was changed.
- If you need to monitor each time a member is added to a distribution group, to see who added the member and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed.
-- If your organization has naming conventions for account names, monitor “**Attributes\\SAM Account Name”** for names that don’t comply with the naming conventions.
-
+- If your organization has naming conventions for account names, monitor “**Attributes\\SAM Account Name”** for names that don’t comply with the naming conventions.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4751.md b/windows/security/threat-protection/auditing/event-4751.md
index c86b86e123..a6ac4afde8 100644
--- a/windows/security/threat-protection/auditing/event-4751.md
+++ b/windows/security/threat-protection/auditing/event-4751.md
@@ -141,7 +141,7 @@ You will typically see “[4750](event-4750.md): A security-disabled global grou
- Uppercase full domain name: CONTOSO.LOCAL
- - [Built-in groups](https://technet.microsoft.com/library/dn169025(v=ws.10).aspx): Builtin
+ - [Built-in groups](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dn169025(v=ws.10)): Builtin
**Additional Information:**
@@ -162,5 +162,4 @@ For 4751(S): A member was added to a security-disabled global group.
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. |
-| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. |
-
+| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. |
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4752.md b/windows/security/threat-protection/auditing/event-4752.md
index 791b2886aa..7a81d28e4f 100644
--- a/windows/security/threat-protection/auditing/event-4752.md
+++ b/windows/security/threat-protection/auditing/event-4752.md
@@ -131,7 +131,7 @@ For every removed member you will get separate 4752 event.
- Uppercase full domain name: CONTOSO.LOCAL
- - [Built-in groups](https://technet.microsoft.com/library/dn169025(v=ws.10).aspx): Builtin
+ - [Built-in groups](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dn169025(v=ws.10)): Builtin
**Additional Information:**
@@ -153,5 +153,4 @@ For 4752(S): A member was removed from a security-disabled global group.
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. |
-| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. |
-
+| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. |
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4753.md b/windows/security/threat-protection/auditing/event-4753.md
index 501018ce26..45b9de0d33 100644
--- a/windows/security/threat-protection/auditing/event-4753.md
+++ b/windows/security/threat-protection/auditing/event-4753.md
@@ -110,7 +110,7 @@ This event generates only on domain controllers.
- Uppercase full domain name: CONTOSO.LOCAL
- - [Built-in groups](https://technet.microsoft.com/library/dn169025(v=ws.10).aspx): Builtin
+ - [Built-in groups](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dn169025(v=ws.10)): Builtin
**Additional Information:**
@@ -124,7 +124,4 @@ For 4753(S): A security-disabled global group was deleted.
- If you have a list of critical distribution groups in the organization, and need to specifically monitor these groups for any change, especially group deletion, monitor events with the “**Group\\Group Name”** values that correspond to the critical distribution groups.
-- If you need to monitor each time a distribution group is deleted, to see who deleted it and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed.
-
-
-
+- If you need to monitor each time a distribution group is deleted, to see who deleted it and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4764.md b/windows/security/threat-protection/auditing/event-4764.md
index 1697b853f9..3b50ba9bf1 100644
--- a/windows/security/threat-protection/auditing/event-4764.md
+++ b/windows/security/threat-protection/auditing/event-4764.md
@@ -130,7 +130,7 @@ This event generates only on domain controllers.
- For a local group, this field will contain the name of the computer to which this new group belongs, for example: “Win81”.
- - [Built-in groups](https://technet.microsoft.com/library/dn169025(v=ws.10).aspx): Builtin
+ - [Built-in groups](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dn169025(v=ws.10)): Builtin
**Additional Information:**
@@ -144,5 +144,4 @@ For 4764(S): A group’s type was changed.
- If you have a list of critical local or domain groups in the organization, and need to specifically monitor these groups for any change, especially group type change, monitor events with the “**Group\\Group Name”** values that correspond to the critical distribution groups. Examples of critical local or domain groups are built-in local administrators group, domain admins, enterprise admins, critical distribution groups, and so on.
-- If you need to monitor each time any group’s type is changed, to see who changed it and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed.
-
+- If you need to monitor each time any group’s type is changed, to see who changed it and when, monitor this event. Typically, this event is used as an informational event, to be reviewed if needed.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4765.md b/windows/security/threat-protection/auditing/event-4765.md
index 3a23558650..ff685d9081 100644
--- a/windows/security/threat-protection/auditing/event-4765.md
+++ b/windows/security/threat-protection/auditing/event-4765.md
@@ -21,7 +21,7 @@ ms.technology: mde
- Windows Server 2016
-This event generates when [SID History](https://msdn.microsoft.com/library/ms679833(v=vs.85).aspx) was added to an account.
+This event generates when [SID History](/windows/win32/adschema/a-sidhistory) was added to an account.
See more information about SID History here:
Some of the potential causes for this:
An invalid username and/or password was used
[LAN Manager Authentication Level](https://technet.microsoft.com/library/jj852207.aspx) mismatch between the source and target computers. |
+| 0xC000006D | - Generic logon failure.
Some of the potential causes for this:
An invalid username and/or password was used
[LAN Manager Authentication Level](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852207(v=ws.11)) mismatch between the source and target computers. |
| 0xC000006F | Account logon outside authorized hours. |
| 0xC0000070 | Account logon from unauthorized workstation. |
| 0xC0000071 | Account logon with expired password. |
@@ -150,5 +150,4 @@ For 4776(S, F): The computer attempted to validate the credentials for an accoun
| **User logon from unauthorized workstation** | Can indicate a compromised account; especially relevant for highly critical accounts. |
| **User logon to account disabled by administrator** | For example, N events in last N minutes can be an indicator of an account compromise attempt, especially relevant for highly critical accounts. |
| **User logon with expired account** | Can indicate an account compromise attempt; especially relevant for highly critical accounts. |
-| **User logon with account locked** | Can indicate a brute-force password attack; especially relevant for highly critical accounts. |
-
+| **User logon with account locked** | Can indicate a brute-force password attack; especially relevant for highly critical accounts. |
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4778.md b/windows/security/threat-protection/auditing/event-4778.md
index 53c1eac2d8..74b7630bc6 100644
--- a/windows/security/threat-protection/auditing/event-4778.md
+++ b/windows/security/threat-protection/auditing/event-4778.md
@@ -27,7 +27,7 @@ ms.technology: mde
***Event Description:***
-This event is generated when a user reconnects to an existing Terminal Services session, or when a user switches to an existing desktop using [Fast User Switching](https://docs.microsoft.com/windows-hardware/drivers/display/fast-user-switching).
+This event is generated when a user reconnects to an existing Terminal Services session, or when a user switches to an existing desktop using [Fast User Switching](/windows-hardware/drivers/display/fast-user-switching).
This event also generates when user reconnects to virtual host Hyper-V Enhanced Session, for example.
@@ -139,5 +139,4 @@ For 4778(S): A session was reconnected to a Window Station.
- If a specific computer or device (**Client Name** or **Client Address**) should never connect to this computer (**Computer**), monitor for any event with that **Client Name** or **Client Address**.
-- Check that **Additional Information\\Client Address** is from internal IP addresses list.
-
+- Check that **Additional Information\\Client Address** is from internal IP addresses list.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4779.md b/windows/security/threat-protection/auditing/event-4779.md
index 76337cfdf8..7cf0dec285 100644
--- a/windows/security/threat-protection/auditing/event-4779.md
+++ b/windows/security/threat-protection/auditing/event-4779.md
@@ -27,7 +27,7 @@ ms.technology: mde
***Event Description:***
-This event is generated when a user disconnects from an existing Terminal Services session, or when a user switches away from an existing desktop using [Fast User Switching](https://docs.microsoft.com/windows-hardware/drivers/display/fast-user-switching).
+This event is generated when a user disconnects from an existing Terminal Services session, or when a user switches away from an existing desktop using [Fast User Switching](/windows-hardware/drivers/display/fast-user-switching).
This event also generated when user disconnects from virtual host Hyper-V Enhanced Session, for example.
@@ -141,5 +141,4 @@ For 4779(S): A session was disconnected from a Window Station.
- If Remote Desktop Connections are not allowed for specific users (**Subject\\Account Name**) or disabled on some computers, then monitor for **Session Name** = RDP-Tcp\# (substring).
-- To ensure that connections are made only from your internal IP address list, monitor the **Additional Information\\Client Address** in this event.
-
+- To ensure that connections are made only from your internal IP address list, monitor the **Additional Information\\Client Address** in this event.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4780.md b/windows/security/threat-protection/auditing/event-4780.md
index dafa5d3ff1..00faedae10 100644
--- a/windows/security/threat-protection/auditing/event-4780.md
+++ b/windows/security/threat-protection/auditing/event-4780.md
@@ -21,7 +21,7 @@ ms.technology: mde
- Windows Server 2016
-Every hour, the domain controller that holds the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role compares the ACL on all security principal accounts (users, groups, and machine accounts) present for its domain in Active Directory and that are in administrative or security-sensitive groups and which have AdminCount attribute = 1 against the ACL on the [AdminSDHolder](https://technet.microsoft.com/magazine/2009.09.sdadminholder.aspx) object. If the ACL on the principal account differs from the ACL on the AdminSDHolder object, then the ACL on the principal account is reset to match the ACL on the AdminSDHolder object and this event is generated.
+Every hour, the domain controller that holds the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role compares the ACL on all security principal accounts (users, groups, and machine accounts) present for its domain in Active Directory and that are in administrative or security-sensitive groups and which have AdminCount attribute = 1 against the ACL on the [AdminSDHolder](/previous-versions/technet-magazine/ee361593(v=msdn.10)) object. If the ACL on the principal account differs from the ACL on the AdminSDHolder object, then the ACL on the principal account is reset to match the ACL on the AdminSDHolder object and this event is generated.
For some reason, this event doesn’t generate on some OS versions.
@@ -61,5 +61,4 @@ For some reason, this event doesn’t generate on some OS versions.
## Security Monitoring Recommendations
-- Monitor for this event and investigate why the object’s ACL was changed.
-
+- Monitor for this event and investigate why the object’s ACL was changed.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4782.md b/windows/security/threat-protection/auditing/event-4782.md
index a7907aed15..e0ecc19336 100644
--- a/windows/security/threat-protection/auditing/event-4782.md
+++ b/windows/security/threat-protection/auditing/event-4782.md
@@ -27,7 +27,7 @@ ms.technology: mde
***Event Description:***
-This event generates on domain controllers during password migration of an account using [Active Directory Migration Toolkit](https://technet.microsoft.com/library/cc974332(v=ws.10).aspx).
+This event generates on domain controllers during password migration of an account using [Active Directory Migration Toolkit](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc974332(v=ws.10)).
Typically **“Subject\\Security ID”** is the SYSTEM account.
@@ -114,5 +114,4 @@ Typically **“Subject\\Security ID”** is the SYSTEM account.
For 4782(S): The password hash of an account was accessed.
-- Monitor for all events of this type, because any actions with account’s password hashes should be planned. If this action was not planned, investigate the reason for the change.
-
+- Monitor for all events of this type, because any actions with account’s password hashes should be planned. If this action was not planned, investigate the reason for the change.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4793.md b/windows/security/threat-protection/auditing/event-4793.md
index d6fecbdbdf..4b75a802d5 100644
--- a/windows/security/threat-protection/auditing/event-4793.md
+++ b/windows/security/threat-protection/auditing/event-4793.md
@@ -27,11 +27,11 @@ ms.technology: mde
***Event Description:***
-This event generates each time the [Password Policy Checking API](https://msdn.microsoft.com/library/aa370661(VS.85).aspx) is called.
+This event generates each time the [Password Policy Checking API](/windows/win32/api/lmaccess/nf-lmaccess-netvalidatepasswordpolicy) is called.
The Password Policy Checking API allows an application to check password compliance against an application-provided account database or single account and verify that passwords meet the complexity, aging, minimum length, and history reuse requirements of a password policy.
-This event, for example, generates during Directory Services Restore Mode ([DSRM](https://blogs.technet.com/b/askds/archive/2009/03/11/ds-restore-mode-password-maintenance.aspx)) account password reset procedure to check new DSRM password.
+This event, for example, generates during Directory Services Restore Mode ([DSRM](/archive/blogs/askds/ds-restore-mode-password-maintenance)) account password reset procedure to check new DSRM password.
This event generates on the computer where Password Policy Checking API was called.
@@ -117,5 +117,4 @@ For 4793(S): The Password Policy Checking API was called.
> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-- Typically this is an informational event, and can give you information about when Password Policy Checking APIs were invoked, and who invoked them. The **Provided Account Name** does not always have a value—sometimes it’s not really possible to determine for which account the password policy check was performed.
-
+- Typically this is an informational event, and can give you information about when Password Policy Checking APIs were invoked, and who invoked them. The **Provided Account Name** does not always have a value—sometimes it’s not really possible to determine for which account the password policy check was performed.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4817.md b/windows/security/threat-protection/auditing/event-4817.md
index 48757706f8..0b0fc16bf7 100644
--- a/windows/security/threat-protection/auditing/event-4817.md
+++ b/windows/security/threat-protection/auditing/event-4817.md
@@ -27,7 +27,7 @@ ms.technology: mde
***Event Description:***
-This event generates when the [Global Object Access Auditing](https://technet.microsoft.com/library/dd772630(v=ws.10).aspx) policy is changed on a computer.
+This event generates when the [Global Object Access Auditing](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772630(v=ws.10)) policy is changed on a computer.
Separate events will be generated for “Registry” and “File system” policy changes.
@@ -247,5 +247,4 @@ For 4817(S): Auditing settings on object were changed.
- If you use Global Object Access Auditing policies, then this event should be always monitored, especially on high value assets or computers. If this change was not planned, investigate the reason for the change.
-- If you don’t use Global Object Access Auditing policies, then this event should be always monitored because it indicates use of Global Object Access Auditing policies outside of your standard procedures.
-
+- If you don’t use Global Object Access Auditing policies, then this event should be always monitored because it indicates use of Global Object Access Auditing policies outside of your standard procedures.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4818.md b/windows/security/threat-protection/auditing/event-4818.md
index 7da8723ef4..05266e39e5 100644
--- a/windows/security/threat-protection/auditing/event-4818.md
+++ b/windows/security/threat-protection/auditing/event-4818.md
@@ -27,7 +27,7 @@ ms.technology: mde
***Event Description:***
-This event generates when Dynamic Access Control Proposed [Central Access Policy](https://technet.microsoft.com/library/hh831425.aspx) is enabled and access was not granted by Proposed Central Access Policy.
+This event generates when Dynamic Access Control Proposed [Central Access Policy](/windows-server/identity/solution-guides/scenario--central-access-policy) is enabled and access was not granted by Proposed Central Access Policy.
> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
@@ -150,7 +150,7 @@ The possible REQUESTED\_ACCESS values are listed in the table below.
| AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4 | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**).
**AddSubdirectory -** For a directory, the right to create a subdirectory.
**CreatePipeInstance -** For a named pipe, the right to create a pipe. |
| ReadEA | 0x8 | The right to read extended file attributes. |
| WriteEA | 0x10 | The right to write extended file attributes. |
-| Execute/Traverse | 0x20 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
**Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING** [privilege](https://msdn.microsoft.com/library/windows/desktop/aa379306(v=vs.85).aspx), which ignores the **FILE\_TRAVERSE** [access right](https://msdn.microsoft.com/library/windows/desktop/aa374902(v=vs.85).aspx). See the remarks in [File Security and Access Rights](https://msdn.microsoft.com/library/windows/desktop/aa364399(v=vs.85).aspx) for more information. |
+| Execute/Traverse | 0x20 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
**Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING** [privilege](/windows/win32/secauthz/privileges), which ignores the **FILE\_TRAVERSE** [access right](/windows/win32/secauthz/access-rights-and-access-masks). See the remarks in [File Security and Access Rights](/windows/win32/fileio/file-security-and-access-rights) for more information. |
| DeleteChild | 0x40 | For a directory, the right to delete a directory and all the files it contains, including read-only files. |
| ReadAttributes | 0x80 | The right to read file attributes. |
| WriteAttributes | 0x100 | The right to write file attributes. |
@@ -196,7 +196,7 @@ The possible REQUESTED\_ACCESS values are listed in the table below:
| AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4 | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**).
**AddSubdirectory -** For a directory, the right to create a subdirectory.
**CreatePipeInstance -** For a named pipe, the right to create a pipe. |
| ReadEA | 0x8 | The right to read extended file attributes. |
| WriteEA | 0x10 | The right to write extended file attributes. |
-| Execute/Traverse | 0x20 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
**Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING** [privilege](https://msdn.microsoft.com/library/windows/desktop/aa379306(v=vs.85).aspx), which ignores the **FILE\_TRAVERSE** [access right](https://msdn.microsoft.com/library/windows/desktop/aa374902(v=vs.85).aspx). See the remarks in [File Security and Access Rights](https://msdn.microsoft.com/library/windows/desktop/aa364399(v=vs.85).aspx) for more information. |
+| Execute/Traverse | 0x20 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
**Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING** [privilege](/windows/win32/secauthz/privileges), which ignores the **FILE\_TRAVERSE** [access right](/windows/win32/secauthz/access-rights-and-access-masks). See the remarks in [File Security and Access Rights](/windows/win32/fileio/file-security-and-access-rights) for more information. |
| DeleteChild | 0x40 | For a directory, the right to delete a directory and all the files it contains, including read-only files. |
| ReadAttributes | 0x80 | The right to read file attributes. |
| WriteAttributes | 0x100 | The right to write file attributes. |
@@ -213,5 +213,4 @@ The possible REQUESTED\_ACCESS values are listed in the table below:
For 4818(S): Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.
-- This event typically used for troubleshooting and testing of Proposed Central Access Policies for Dynamic Access Control.
-
+- This event typically used for troubleshooting and testing of Proposed Central Access Policies for Dynamic Access Control.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4819.md b/windows/security/threat-protection/auditing/event-4819.md
index 58fa2fcf24..3751b39e45 100644
--- a/windows/security/threat-protection/auditing/event-4819.md
+++ b/windows/security/threat-protection/auditing/event-4819.md
@@ -27,9 +27,9 @@ ms.technology: mde
***Event Description:***
-This event generates when [Central Access Policy](https://technet.microsoft.com/library/hh831425.aspx) on the machine have been changed.
+This event generates when [Central Access Policy](/windows-server/identity/solution-guides/scenario--central-access-policy) on the machine have been changed.
-For example, it generates when a new [Central Access Policy](https://technet.microsoft.com/library/hh831425.aspx) was applied to the machine via Group Policy.
+For example, it generates when a new [Central Access Policy](/windows-server/identity/solution-guides/scenario--central-access-policy) was applied to the machine via Group Policy.
> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
@@ -137,5 +137,4 @@ For 4819(S): Central Access Policies on the machine have been changed.
- This event can help you to track modifications, additions and deletions of Central Access Policies if it is required by your security monitoring policy.
--
-
+-
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4826.md b/windows/security/threat-protection/auditing/event-4826.md
index 29f4675931..2e78b4c653 100644
--- a/windows/security/threat-protection/auditing/event-4826.md
+++ b/windows/security/threat-protection/auditing/event-4826.md
@@ -27,7 +27,7 @@ ms.technology: mde
***Event Description:***
-This event generates every time system starts and load current [Boot Configuration Data](https://msdn.microsoft.com/library/windows/hardware/dn653287(v=vs.85).aspx) (BCD) settings.
+This event generates every time system starts and load current [Boot Configuration Data](/previous-versions/windows/hardware/design/dn653287(v=vs.85)) (BCD) settings.
This event is always logged regardless of the "Audit Other Policy Change Events" sub-category setting.
@@ -106,15 +106,15 @@ This event is always logged regardless of the "Audit Other Policy Change Events"
- **System Event Logging** \[Type = UnicodeString\]**:** there is no information about this field in this document.
-- **Kernel Debugging** \[Type = UnicodeString\]**:** shows whether Windows [kernel debugging](https://msdn.microsoft.com/library/windows/hardware/ff542191(v=vs.85).aspx) is enabled or not (**Yes** or **No**). You can enable kernel debugging using “bcdedit /debug on” command.
+- **Kernel Debugging** \[Type = UnicodeString\]**:** shows whether Windows [kernel debugging](/windows-hardware/drivers/devtest/bcdedit--debug) is enabled or not (**Yes** or **No**). You can enable kernel debugging using “bcdedit /debug on” command.
- **VSM Launch Type** \[Type = UnicodeString\]**:** there is no information about this field in this document.
**Signature Settings:**
-- **Test Signing** \[Type = UnicodeString\]**:** shows whether Windows [test signing](https://msdn.microsoft.com/library/windows/hardware/dn653559(v=vs.85).aspx) is enabled or not (**Yes** or **No**). You can disable test signing using “bcdedit /set testsigning off” command.
+- **Test Signing** \[Type = UnicodeString\]**:** shows whether Windows [test signing](/previous-versions/windows/hardware/design/dn653559(v=vs.85)) is enabled or not (**Yes** or **No**). You can disable test signing using “bcdedit /set testsigning off” command.
-> **Note** This parameter controls whether Windows 8.1, Windows 8, Windows 7, Windows Server 2008, or Windows Vista will load any type of test-signed kernel-mode code. This option is not set by default, which means test-signed kernel-mode drivers on 64-bit versions of Windows 8.1, Windows 8, Windows 7, Windows Server 2008, and Windows Vista will not load by default. After you run the BCDEdit command, restart the computer so that the change takes effect. For more information, see [Introduction to Test-Signing](https://msdn.microsoft.com/library/windows/hardware/ff547660(v=vs.85).aspx).
+> **Note** This parameter controls whether Windows 8.1, Windows 8, Windows 7, Windows Server 2008, or Windows Vista will load any type of test-signed kernel-mode code. This option is not set by default, which means test-signed kernel-mode drivers on 64-bit versions of Windows 8.1, Windows 8, Windows 7, Windows Server 2008, and Windows Vista will not load by default. After you run the BCDEdit command, restart the computer so that the change takes effect. For more information, see [Introduction to Test-Signing](/windows-hardware/drivers/install/introduction-to-test-signing).
- **Flight Signing** \[Type = UnicodeString\]**:** shows whether Windows flight signing (which allows flight-signed code signing certificates) is enabled or not (**Yes** or **No**). You can disable flight signing using “bcdedit /set flightsigning off” command.
@@ -124,7 +124,7 @@ This event is always logged regardless of the "Audit Other Policy Change Events"
- **HyperVisor Load Options** \[Type = UnicodeString\]**:** shows hypervisor **loadoptions**. See more information here:
@@ -286,5 +286,4 @@ For 4907(S): Auditing settings on object were changed.
- If you have critical file or registry objects and you need to monitor all modifications (especially changes in SACL), monitor for specific “**Object\\Object Name”**.
-- If you have high-value computers for which you need to monitor all changes for all or specific file or registry objects, monitor for all [4907](event-4907.md) events on these computers.
-
+- If you have high-value computers for which you need to monitor all changes for all or specific file or registry objects, monitor for all [4907](event-4907.md) events on these computers.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4913.md b/windows/security/threat-protection/auditing/event-4913.md
index 95f0aa8b70..51ff7291cb 100644
--- a/windows/security/threat-protection/auditing/event-4913.md
+++ b/windows/security/threat-protection/auditing/event-4913.md
@@ -27,9 +27,9 @@ ms.technology: mde
***Event Description:***
-This event generates when a [Central Access Policy](https://technet.microsoft.com/library/hh831425.aspx) on a file system object is changed.
+This event generates when a [Central Access Policy](/windows-server/identity/solution-guides/scenario--central-access-policy) on a file system object is changed.
-This event always generates, regardless of the object’s [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx) settings.
+This event always generates, regardless of the object’s [SACL](/windows/win32/secauthz/access-control-lists) settings.
> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
@@ -287,7 +287,4 @@ For 4913(S): Central Access Policy on the object was changed.
- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”
-- If you have specific files, folders, or entire systems to which a specific Central Access Policy should be applied, you can monitor this event and compare the Central Access Policy SID in “**New Security Descriptor**” to see if it matches the expected policy.
-
-
-
+- If you have specific files, folders, or entire systems to which a specific Central Access Policy should be applied, you can monitor this event and compare the Central Access Policy SID in “**New Security Descriptor**” to see if it matches the expected policy.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4928.md b/windows/security/threat-protection/auditing/event-4928.md
index 45fa768785..166bc42cf3 100644
--- a/windows/security/threat-protection/auditing/event-4928.md
+++ b/windows/security/threat-protection/auditing/event-4928.md
@@ -97,7 +97,7 @@ Failure event generates if an error occurs (**Status Code** != 0).
> **Note** The Directory Tree of Active Directory tree is partitioned to allow sections to be distributed (replicated) to domain controllers in different domains within the forest. Each domain controller stores a copy of a specific part of the directory tree, called a **Naming Context** also known as Directory Partition. **Naming Context** is replicated as a unit to other domain controllers in the forest that contain a replica of the same sub tree. A **Naming Context** is also called a Directory Partition.
-- **Options** \[Type = UInt32\]: decimal value of [DRS Options](https://msdn.microsoft.com/library/cc228477.aspx).
+- **Options** \[Type = UInt32\]: decimal value of [DRS Options](/openspecs/windows_protocols/ms-drsr/ac9c8a11-cd46-4080-acbf-9faa86344030).
@@ -109,5 +109,4 @@ For 4928(S, F): An Active Directory replica source naming context was establishe
- Monitor for **Source Address** field, because the source of new replication (new DRA) must be authorized for this action. If you find any unauthorized DRA you should trigger an event.
-- This event is typically used for Active Directory replication troubleshooting.
-
+- This event is typically used for Active Directory replication troubleshooting.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4929.md b/windows/security/threat-protection/auditing/event-4929.md
index 9e126439a2..ab04f9ab17 100644
--- a/windows/security/threat-protection/auditing/event-4929.md
+++ b/windows/security/threat-protection/auditing/event-4929.md
@@ -97,7 +97,7 @@ Failure event generates if an error occurs (**Status Code** != 0).
> **Note** The Directory Tree of Active Directory tree is partitioned to allow sections to be distributed (replicated) to domain controllers in different domains within the forest. Each domain controller stores a copy of a specific part of the directory tree, called a **Naming Context** also known as Directory Partition. **Naming Context** is replicated as a unit to other domain controllers in the forest that contain a replica of the same sub tree. A **Naming Context** is also called a Directory Partition.
-- **Options** \[Type = UInt32\]: decimal value of [DRS Options](https://msdn.microsoft.com/library/cc228477.aspx).
+- **Options** \[Type = UInt32\]: decimal value of [DRS Options](/openspecs/windows_protocols/ms-drsr/ac9c8a11-cd46-4080-acbf-9faa86344030).
- **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be 0. If an error happened, you will receive Failure event and Status Code will not be equal to “**0**”. You can check error code meaning here: 
-**Allow Remote Administration** \[Type = UnicodeString\]: looks like this setting is connected to ”[Windows Firewall: Allow remote administration exception](https://technet.microsoft.com/library/cc738900(v=ws.10).aspx)” Group Policy setting, but it is always Disabled, no matter which option is set for “[Windows Firewall: Allow remote administration exception](https://technet.microsoft.com/library/cc738900(v=ws.10).aspx)” Group Policy.
+**Allow Remote Administration** \[Type = UnicodeString\]: looks like this setting is connected to ”[Windows Firewall: Allow remote administration exception](/previous-versions/windows/it-pro/windows-server-2003/cc738900(v=ws.10))” Group Policy setting, but it is always Disabled, no matter which option is set for “[Windows Firewall: Allow remote administration exception](/previous-versions/windows/it-pro/windows-server-2003/cc738900(v=ws.10))” Group Policy.
**Allow Unicast Responses to Multicast/Broadcast Traffic** \[Type = UnicodeString\]:
@@ -119,5 +119,4 @@ For 4944(S): The following policy was active when the Windows Firewall started.
- If you have a standard or baseline for Windows Firewall settings defined for **Public** profile (which can be the same as for Domain, for example), monitor this event and check whether the settings reported by the event are still the same as were defined in your standard or baseline.
-- Unfortunately this event shows configuration only for **Public** profile, but you can still compare all the settings with your organization's Windows Firewall baseline for Public profile on different computers and trigger an alert if the configuration is not the same.
-
+- Unfortunately this event shows configuration only for **Public** profile, but you can still compare all the settings with your organization's Windows Firewall baseline for Public profile on different computers and trigger an alert if the configuration is not the same.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-4985.md b/windows/security/threat-protection/auditing/event-4985.md
index 9b3680639b..c57db1916e 100644
--- a/windows/security/threat-protection/auditing/event-4985.md
+++ b/windows/security/threat-protection/auditing/event-4985.md
@@ -27,7 +27,7 @@ ms.technology: mde
***Event Description:***
-This is an informational event from file system [Transaction Manager](https://msdn.microsoft.com/library/windows/desktop/aa366385(v=vs.85).aspx).
+This is an informational event from file system [Transaction Manager](/windows/win32/ktm/transaction-managers).
> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
@@ -99,13 +99,13 @@ This is an informational event from file system [Transaction Manager](https://ms
**Transaction Information:**
-- **RM Transaction ID** \[Type = GUID\]: unique GUID of the [transaction](https://msdn.microsoft.com/library/windows/desktop/aa366402(v=vs.85).aspx). This field can help you correlate this event with other events that might contain the same **Transaction ID**, such as “[4656](event-4656.md)(S, F): A handle to an object was requested.”
+- **RM Transaction ID** \[Type = GUID\]: unique GUID of the [transaction](/windows/win32/ktm/what-is-a-transaction). This field can help you correlate this event with other events that might contain the same **Transaction ID**, such as “[4656](event-4656.md)(S, F): A handle to an object was requested.”
> **Note** **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
-- **New State** \[Type = UInt32\]**:** identifier of the new state of the [transaction](https://msdn.microsoft.com/library/windows/desktop/aa366402(v=vs.85).aspx).
+- **New State** \[Type = UInt32\]**:** identifier of the new state of the [transaction](/windows/win32/ktm/what-is-a-transaction).
-- **Resource Manager** \[Type = GUID\]**:** unique GUID-Identifier of the [Resource Manager](https://msdn.microsoft.com/library/windows/desktop/aa366356(v=vs.85).aspx) which associated with this [transaction](https://msdn.microsoft.com/library/windows/desktop/aa366402(v=vs.85).aspx).
+- **Resource Manager** \[Type = GUID\]**:** unique GUID-Identifier of the [Resource Manager](/windows/win32/ktm/resource-managers) which associated with this [transaction](/windows/win32/ktm/what-is-a-transaction).
**Process Information:**
@@ -123,5 +123,4 @@ This is an informational event from file system [Transaction Manager](https://ms
For 4985(S): The state of a transaction has changed.
-- This event typically has no security relevance and used for [Transaction Manager](https://msdn.microsoft.com/library/windows/desktop/aa366385(v=vs.85).aspx) troubleshooting.
-
+- This event typically has no security relevance and used for [Transaction Manager](/windows/win32/ktm/transaction-managers) troubleshooting.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5031.md b/windows/security/threat-protection/auditing/event-5031.md
index 7453df6988..df9881e050 100644
--- a/windows/security/threat-protection/auditing/event-5031.md
+++ b/windows/security/threat-protection/auditing/event-5031.md
@@ -28,9 +28,9 @@ ms.technology: mde
***Event Description:***
-This event generates when an application was blocked from accepting incoming connections on the network by [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510(v=vs.85).aspx).
+This event generates when an application was blocked from accepting incoming connections on the network by [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page).
-If you don’t have any firewall rules (Allow or Deny) in Windows Firewall for specific applications, you will get this event from [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510(v=vs.85).aspx) layer, because by default this layer is denying any incoming connections.
+If you don’t have any firewall rules (Allow or Deny) in Windows Firewall for specific applications, you will get this event from [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page) layer, because by default this layer is denying any incoming connections.
> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
@@ -91,5 +91,4 @@ For 5031(F): The Windows Firewall Service blocked an application from accepting
- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
-- If you have a pre-defined list of restricted substrings or words in application names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Application**.”
-
+- If you have a pre-defined list of restricted substrings or words in application names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Application**.”
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5038.md b/windows/security/threat-protection/auditing/event-5038.md
index eac7f9eea0..2dc28bef2e 100644
--- a/windows/security/threat-protection/auditing/event-5038.md
+++ b/windows/security/threat-protection/auditing/event-5038.md
@@ -23,7 +23,7 @@ ms.technology: mde
The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
-This event generates by [Code Integrity](https://technet.microsoft.com/library/dd348642(v=ws.10).aspx) feature, if signature of a file is not valid.
+This event generates by [Code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) feature, if signature of a file is not valid.
Code Integrity is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it is loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.
@@ -39,5 +39,4 @@ There is no example of this event in this document.
## Security Monitoring Recommendations
-- We recommend monitoring for this event, especially on high value assets or computers, because it can be a sign of a software or configuration issue, or a malicious action.
-
+- We recommend monitoring for this event, especially on high value assets or computers, because it can be a sign of a software or configuration issue, or a malicious action.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5058.md b/windows/security/threat-protection/auditing/event-5058.md
index 5f999b36d1..b351ee93e6 100644
--- a/windows/security/threat-protection/auditing/event-5058.md
+++ b/windows/security/threat-protection/auditing/event-5058.md
@@ -27,7 +27,7 @@ ms.technology: mde
***Event Description:***
-This event generates when an operation (read, write, delete, and so on) was performed on a file that contains a KSP key by using a [Key Storage Provider](https://msdn.microsoft.com/library/windows/desktop/bb931355(v=vs.85).aspx) (KSP). This event generates only if one of the following KSPs were used:
+This event generates when an operation (read, write, delete, and so on) was performed on a file that contains a KSP key by using a [Key Storage Provider](/windows/win32/seccertenroll/cng-key-storage-providers) (KSP). This event generates only if one of the following KSPs were used:
- Microsoft Software Key Storage Provider
@@ -163,5 +163,4 @@ For 5058(S, F): Key file operation.
- Typically this event is required for detailed monitoring of KSP-related actions with cryptographic keys. If you need to monitor actions related to specific cryptographic keys (**“Key Name”**) or a specific **“Operation”**, such as **“Delete key file”**, create monitoring rules and use this event as an information source.
-> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5059.md b/windows/security/threat-protection/auditing/event-5059.md
index e7c0a1264b..5881e672d5 100644
--- a/windows/security/threat-protection/auditing/event-5059.md
+++ b/windows/security/threat-protection/auditing/event-5059.md
@@ -27,7 +27,7 @@ ms.technology: mde
***Event Description:***
-This event generates when a cryptographic key is exported or imported using a [Key Storage Provider](https://msdn.microsoft.com/library/windows/desktop/bb931355(v=vs.85).aspx) (KSP). This event generates only if one of the following KSPs were used:
+This event generates when a cryptographic key is exported or imported using a [Key Storage Provider](/windows/win32/seccertenroll/cng-key-storage-providers) (KSP). This event generates only if one of the following KSPs were used:
- Microsoft Software Key Storage Provider
@@ -158,5 +158,4 @@ For 5059(S, F): Key migration operation.
> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
--
-
+-
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5061.md b/windows/security/threat-protection/auditing/event-5061.md
index a7f832d34b..7612017713 100644
--- a/windows/security/threat-protection/auditing/event-5061.md
+++ b/windows/security/threat-protection/auditing/event-5061.md
@@ -27,7 +27,7 @@ ms.technology: mde
***Event Description:***
-This event generates when a cryptographic operation (open key, create key, create key, and so on) was performed using a [Key Storage Provider](https://msdn.microsoft.com/library/windows/desktop/bb931355(v=vs.85).aspx) (KSP). This event generates only if one of the following KSPs were used:
+This event generates when a cryptographic operation (open key, create key, create key, and so on) was performed using a [Key Storage Provider](/windows/win32/seccertenroll/cng-key-storage-providers) (KSP). This event generates only if one of the following KSPs were used:
- Microsoft Software Key Storage Provider
@@ -168,5 +168,4 @@ For 5061(S, F): Cryptographic operation.
- Typically this event is required for detailed monitoring of KSP-related actions with cryptographic keys. If you need to monitor actions related to specific cryptographic keys (**“Key Name”)** or a specific **“Operation”**, such as **“Delete Key”**, create monitoring rules and use this event as an information source.
-> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-
+> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5064.md b/windows/security/threat-protection/auditing/event-5064.md
index 77da8c5596..077fadf9f7 100644
--- a/windows/security/threat-protection/auditing/event-5064.md
+++ b/windows/security/threat-protection/auditing/event-5064.md
@@ -21,7 +21,7 @@ ms.technology: mde
- Windows Server 2016
-This event generates in [BCryptCreateContext](https://msdn.microsoft.com/library/windows/desktop/aa375381(v=vs.85).aspx)() and [BCryptDeleteContext](https://msdn.microsoft.com/library/windows/desktop/aa375392(v=vs.85).aspx)() functions. These are Cryptographic Next Generation (CNG) functions.
+This event generates in [BCryptCreateContext](/windows/win32/api/bcrypt/nf-bcrypt-bcryptcreatecontext)() and [BCryptDeleteContext](/windows/win32/api/bcrypt/nf-bcrypt-bcryptdeletecontext)() functions. These are Cryptographic Next Generation (CNG) functions.
This event generates when cryptographic context was created or deleted.
@@ -71,5 +71,4 @@ There is no example of this event in this document.
## Security Monitoring Recommendations
-- Typically this event is required for detailed monitoring of CNG-related cryptographic functions. If you need to monitor or troubleshoot actions related to specific cryptographic functions, review this event to see if it provides the information you need.
-
+- Typically this event is required for detailed monitoring of CNG-related cryptographic functions. If you need to monitor or troubleshoot actions related to specific cryptographic functions, review this event to see if it provides the information you need.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5065.md b/windows/security/threat-protection/auditing/event-5065.md
index 7c46971bc8..3a64e39e7f 100644
--- a/windows/security/threat-protection/auditing/event-5065.md
+++ b/windows/security/threat-protection/auditing/event-5065.md
@@ -21,7 +21,7 @@ ms.technology: mde
- Windows Server 2016
-This event generates in [BCryptConfigureContext](https://msdn.microsoft.com/vstudio/aa375379)() function. This is a Cryptographic Next Generation (CNG) function.
+This event generates in [BCryptConfigureContext](/windows/win32/api/bcrypt/nf-bcrypt-bcryptconfigurecontext)() function. This is a Cryptographic Next Generation (CNG) function.
This event generates when configuration information was changed for existing CNG context.
@@ -75,5 +75,4 @@ There is no example of this event in this document.
## Security Monitoring Recommendations
-- Typically this event is required for detailed monitoring of CNG-related cryptographic functions. If you need to monitor or troubleshoot actions related to specific cryptographic functions, review this event to see if it provides the information you need.
-
+- Typically this event is required for detailed monitoring of CNG-related cryptographic functions. If you need to monitor or troubleshoot actions related to specific cryptographic functions, review this event to see if it provides the information you need.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5066.md b/windows/security/threat-protection/auditing/event-5066.md
index c78b0bd513..52fca7414b 100644
--- a/windows/security/threat-protection/auditing/event-5066.md
+++ b/windows/security/threat-protection/auditing/event-5066.md
@@ -21,7 +21,7 @@ ms.technology: mde
- Windows Server 2016
-This event generates in [BCryptAddContextFunction](https://msdn.microsoft.com/library/windows/desktop/aa375360(v=vs.85).aspx)() and [BCryptRemoveContextFunction](https://msdn.microsoft.com/library/windows/desktop/aa375492(v=vs.85).aspx)() functions. These are Cryptographic Next Generation (CNG) functions.
+This event generates in [BCryptAddContextFunction](/windows/win32/api/bcrypt/nf-bcrypt-bcryptaddcontextfunction)() and [BCryptRemoveContextFunction](/windows/win32/api/bcrypt/nf-bcrypt-bcryptremovecontextfunction)() functions. These are Cryptographic Next Generation (CNG) functions.
This event generates when cryptographic function was added or removed from the list of functions that are supported by an existing CNG context.
@@ -77,5 +77,4 @@ There is no example of this event in this document.
## Security Monitoring Recommendations
-- Typically this event is required for detailed monitoring of CNG-related cryptographic functions. If you need to monitor or troubleshoot actions related to specific cryptographic functions, review this event to see if it provides the information you need.
-
+- Typically this event is required for detailed monitoring of CNG-related cryptographic functions. If you need to monitor or troubleshoot actions related to specific cryptographic functions, review this event to see if it provides the information you need.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5067.md b/windows/security/threat-protection/auditing/event-5067.md
index eae3eb2038..245b241e69 100644
--- a/windows/security/threat-protection/auditing/event-5067.md
+++ b/windows/security/threat-protection/auditing/event-5067.md
@@ -21,7 +21,7 @@ ms.technology: mde
- Windows Server 2016
-This event generates in [BCryptConfigureContextFunction](https://msdn.microsoft.com/library/windows/desktop/aa375380(v=vs.85).aspx)() function. This is a Cryptographic Next Generation (CNG) function.
+This event generates in [BCryptConfigureContextFunction](/windows/win32/api/bcrypt/nf-bcrypt-bcryptconfigurecontextfunction)() function. This is a Cryptographic Next Generation (CNG) function.
This event generates when configuration information for the cryptographic function of an existing CNG context was changed.
@@ -79,5 +79,4 @@ There is no example of this event in this document.
## Security Monitoring Recommendations
-- Typically this event is required for detailed monitoring of CNG-related cryptographic functions. If you need to monitor or troubleshoot actions related to specific cryptographic functions, review this event to see if it provides the information you need.
-
+- Typically this event is required for detailed monitoring of CNG-related cryptographic functions. If you need to monitor or troubleshoot actions related to specific cryptographic functions, review this event to see if it provides the information you need.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5069.md b/windows/security/threat-protection/auditing/event-5069.md
index 104d55f067..742188905d 100644
--- a/windows/security/threat-protection/auditing/event-5069.md
+++ b/windows/security/threat-protection/auditing/event-5069.md
@@ -21,7 +21,7 @@ ms.technology: mde
- Windows Server 2016
-This event generates in [BCryptSetContextFunctionProperty](https://msdn.microsoft.com/library/windows/desktop/Aa375501(v=VS.85).aspx)() function. This is a Cryptographic Next Generation (CNG) function.
+This event generates in [BCryptSetContextFunctionProperty](/windows/win32/api/bcrypt/nf-bcrypt-bcryptsetcontextfunctionproperty)() function. This is a Cryptographic Next Generation (CNG) function.
This event generates when named property for a cryptographic function in an existing CNG context was added or removed.
@@ -79,5 +79,4 @@ Return Code:%12
## Security Monitoring Recommendations
-- Typically this event is required for detailed monitoring of CNG-related cryptographic functions. If you need to monitor or troubleshoot actions related to specific cryptographic functions, review this event to see if it provides the information you need.
-
+- Typically this event is required for detailed monitoring of CNG-related cryptographic functions. If you need to monitor or troubleshoot actions related to specific cryptographic functions, review this event to see if it provides the information you need.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5070.md b/windows/security/threat-protection/auditing/event-5070.md
index 0cb592e4d4..9893a7116b 100644
--- a/windows/security/threat-protection/auditing/event-5070.md
+++ b/windows/security/threat-protection/auditing/event-5070.md
@@ -21,7 +21,7 @@ ms.technology: mde
- Windows Server 2016
-This event generates in [BCryptSetContextFunctionProperty](https://msdn.microsoft.com/library/windows/desktop/Aa375501(v=VS.85).aspx)() function. This is a Cryptographic Next Generation (CNG) function.
+This event generates in [BCryptSetContextFunctionProperty](/windows/win32/api/bcrypt/nf-bcrypt-bcryptsetcontextfunctionproperty)() function. This is a Cryptographic Next Generation (CNG) function.
This event generates when named property for a cryptographic function in an existing CNG context was updated.
@@ -81,5 +81,4 @@ Return Code:%12
## Security Monitoring Recommendations
-- Typically this event is required for detailed monitoring of CNG-related cryptographic functions. If you need to monitor or troubleshoot actions related to specific cryptographic functions, review this event to see if it provides the information you need.
-
+- Typically this event is required for detailed monitoring of CNG-related cryptographic functions. If you need to monitor or troubleshoot actions related to specific cryptographic functions, review this event to see if it provides the information you need.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5136.md b/windows/security/threat-protection/auditing/event-5136.md
index 58301baf30..1b62c11bab 100644
--- a/windows/security/threat-protection/auditing/event-5136.md
+++ b/windows/security/threat-protection/auditing/event-5136.md
@@ -29,7 +29,7 @@ ms.technology: mde
This event generates every time an Active Directory object is modified.
-To generate this event, the modified object must have an appropriate entry in [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx): the “**Write”** action auditing for specific attributes.
+To generate this event, the modified object must have an appropriate entry in [SACL](/windows/win32/secauthz/access-control-lists): the “**Write”** action auditing for specific attributes.
For a change operation you will typically see two 5136 events for one action, with different **Operation\\Type** fields: “Value Deleted” and then “Value Added”. “Value Deleted” event typically contains previous value and “Value Added” event contains new value.
@@ -182,7 +182,7 @@ For a change operation you will typically see two 5136 events for one action, wi
- **LDAP Display Name** \[Type = UnicodeString\]**:** the object attribute that was modified.
-> **Note** [LDAP Display Name](https://msdn.microsoft.com/library/ms676828(v=vs.85).aspx) is the name used by LDAP clients, such as the ADSI LDAP provider, to read and write the attribute by using the LDAP protocol.
+> **Note** [LDAP Display Name](/windows/win32/adschema/a-ldapdisplayname) is the name used by LDAP clients, such as the ADSI LDAP provider, to read and write the attribute by using the LDAP protocol.
- **Syntax (OID)** \[Type = UnicodeString\]**:** The syntax for an attribute defines the storage representation, byte ordering, and matching rules for comparisons of property types. Whether the attribute value must be a string, a number, or a unit of time is also defined. Every attribute of every object is associated with exactly one syntax. The syntaxes are not represented as objects in the schema, but they are programmed to be understood by Active Directory. The allowable syntaxes in Active Directory are predefined.
@@ -239,5 +239,4 @@ For 5136(S): A directory service object was modified.
- If you need to monitor modifications to specific Active Directory attributes, monitor for **LDAP Display Name** field with specific attribute name.
-- It is better to monitor **Operation\\Type = Value Added** events, because you will see the new value of attribute. At the same time you can correlate to previous **Operation\\Type = Value Deleted** event with the same **Correlation ID** to see the previous value.
-
+- It is better to monitor **Operation\\Type = Value Added** events, because you will see the new value of attribute. At the same time you can correlate to previous **Operation\\Type = Value Deleted** event with the same **Correlation ID** to see the previous value.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5137.md b/windows/security/threat-protection/auditing/event-5137.md
index 959ae8dbd8..0146958e61 100644
--- a/windows/security/threat-protection/auditing/event-5137.md
+++ b/windows/security/threat-protection/auditing/event-5137.md
@@ -29,7 +29,7 @@ ms.technology: mde
This event generates every time an Active Directory object is created.
-This event only generates if the parent object has a particular entry in its [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx): the “**Create**” action, auditing for specific classes or objects. An example is the “**Create Computer objects**” action auditing for the organizational unit.
+This event only generates if the parent object has a particular entry in its [SACL](/windows/win32/secauthz/access-control-lists): the “**Create**” action, auditing for specific classes or objects. An example is the “**Create Computer objects**” action auditing for the organizational unit.
> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
@@ -186,5 +186,4 @@ For 5137(S): A directory service object was created.
- If you need to monitor creation of Active Directory objects with specific classes, monitor for **Class** field with specific class name. For example, we recommend that you monitor all new group policy objects creations: **groupPolicyContainer** class.
-- You must set correct auditing access lists (SACLs) for specific classes within Active Directory container to get [5137](event-5137.md). There is no reason to audit all creation events for all types of Active Directory objects; find the most important locations (organizational units, folders, etc.) and monitor for creation of specific classes only (user, computer, group, etc.).
-
+- You must set correct auditing access lists (SACLs) for specific classes within Active Directory container to get [5137](event-5137.md). There is no reason to audit all creation events for all types of Active Directory objects; find the most important locations (organizational units, folders, etc.) and monitor for creation of specific classes only (user, computer, group, etc.).
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5138.md b/windows/security/threat-protection/auditing/event-5138.md
index 54582252c1..2553251b75 100644
--- a/windows/security/threat-protection/auditing/event-5138.md
+++ b/windows/security/threat-protection/auditing/event-5138.md
@@ -27,9 +27,9 @@ ms.technology: mde
***Event Description:***
-This event generates every time an Active Directory object is undeleted. It happens, for example, when an Active Directory object was restored from the [Active Directory Recycle Bin](https://technet.microsoft.com/library/dd392261(v=ws.10).aspx).
+This event generates every time an Active Directory object is undeleted. It happens, for example, when an Active Directory object was restored from the [Active Directory Recycle Bin](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd392261(v=ws.10)).
-This event only generates if the container to which the Active Directory object was restored has a particular entry in its [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx): the “**Create**” action, auditing for specific classes or objects. An example is the “**Create User objects**” action.
+This event only generates if the container to which the Active Directory object was restored has a particular entry in its [SACL](/windows/win32/secauthz/access-control-lists): the “**Create**” action, auditing for specific classes or objects. An example is the “**Create User objects**” action.
> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
@@ -109,7 +109,7 @@ This event only generates if the container to which the Active Directory object
**Object:**
-- **Old DN** \[Type = UnicodeString\]: Old distinguished name of undeleted object. It will points to [Active Directory Recycle Bin](https://technet.microsoft.com/library/dd392261(v=ws.10).aspx) folder, in case if it was restored from it.
+- **Old DN** \[Type = UnicodeString\]: Old distinguished name of undeleted object. It will points to [Active Directory Recycle Bin](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd392261(v=ws.10)) folder, in case if it was restored from it.
> **Note** The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas.
>
@@ -189,5 +189,4 @@ For 5138(S): A directory service object was undeleted.
- If you need to monitor undelete operations (restoration) of Active Directory objects with specific classes, monitor for **Class** field with specific class name.
-- It may be a good idea to monitor all undelete events, because the operation is not performed very often. Confirm that there is a reason for the object to be undeleted.
-
+- It may be a good idea to monitor all undelete events, because the operation is not performed very often. Confirm that there is a reason for the object to be undeleted.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5139.md b/windows/security/threat-protection/auditing/event-5139.md
index 2860791322..c7f306eab0 100644
--- a/windows/security/threat-protection/auditing/event-5139.md
+++ b/windows/security/threat-protection/auditing/event-5139.md
@@ -29,7 +29,7 @@ ms.technology: mde
This event generates every time an Active Directory object is moved.
-This event only generates if the destination object has a particular entry in its [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx): the “**Create**” action, auditing for specific classes or objects. An example is the “**Create Computer objects**” action, auditing for the organizational unit.
+This event only generates if the destination object has a particular entry in its [SACL](/windows/win32/secauthz/access-control-lists): the “**Create**” action, auditing for specific classes or objects. An example is the “**Create Computer objects**” action, auditing for the organizational unit.
> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
@@ -189,5 +189,4 @@ For 5139(S): A directory service object was moved.
- If you need to monitor movement of Active Directory objects with specific classes, monitor for **Class** field with specific class name.
-- You must set correct auditing access lists (SACLs) for specific classes within Active Directory container to get [5139](event-5139.md). There is no reason to audit all movement events for all types of Active Directory objects, you need to find the most important locations (organizational units, folders, etc.) and monitor for movement of specific classes only to these locations (user, computer, group, etc.).
-
+- You must set correct auditing access lists (SACLs) for specific classes within Active Directory container to get [5139](event-5139.md). There is no reason to audit all movement events for all types of Active Directory objects, you need to find the most important locations (organizational units, folders, etc.) and monitor for movement of specific classes only to these locations (user, computer, group, etc.).
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5141.md b/windows/security/threat-protection/auditing/event-5141.md
index 09e46f5b1b..7d85f444d4 100644
--- a/windows/security/threat-protection/auditing/event-5141.md
+++ b/windows/security/threat-protection/auditing/event-5141.md
@@ -29,7 +29,7 @@ ms.technology: mde
This event generates every time an Active Directory object is deleted.
-This event only generates if the deleted object has a particular entry in its [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx): the “**Delete”** action, auditing for specific objects.
+This event only generates if the deleted object has a particular entry in its [SACL](/windows/win32/secauthz/access-control-lists): the “**Delete”** action, auditing for specific objects.
> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
@@ -197,5 +197,4 @@ For 5141(S): A directory service object was deleted.
- If you need to monitor deletion of Active Directory objects with specific classes, monitor for **Class** field with specific class name. For example, we recommend that you monitor for group policy objects deletions: **groupPolicyContainer** class.
-- If you need to monitor deletion of specific Active Directory objects, monitor for **DN** field with specific object name. For example, if you have critical Active Directory objects which should not be deleted, monitor for their deletion.
-
+- If you need to monitor deletion of specific Active Directory objects, monitor for **DN** field with specific object name. For example, if you have critical Active Directory objects which should not be deleted, monitor for their deletion.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5145.md b/windows/security/threat-protection/auditing/event-5145.md
index dee8d57794..933ab84191 100644
--- a/windows/security/threat-protection/auditing/event-5145.md
+++ b/windows/security/threat-protection/auditing/event-5145.md
@@ -151,7 +151,7 @@ This event generates every time network share object (file or folder) was access
| AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4,
%%4418 | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**).
**AddSubdirectory -** For a directory, the right to create a subdirectory.
**CreatePipeInstance -** For a named pipe, the right to create a pipe. |
| ReadEA | 0x8,
%%4419 | The right to read extended file attributes. |
| WriteEA | 0x10,
%%4420 | The right to write extended file attributes. |
-| Execute/Traverse | 0x20,
%%4421 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
**Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING** [privilege](https://msdn.microsoft.com/library/windows/desktop/aa379306(v=vs.85).aspx), which ignores the **FILE\_TRAVERSE** [access right](https://msdn.microsoft.com/library/windows/desktop/aa374902(v=vs.85).aspx). See the remarks in [File Security and Access Rights](https://msdn.microsoft.com/library/windows/desktop/aa364399(v=vs.85).aspx) for more information. |
+| Execute/Traverse | 0x20,
%%4421 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
**Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING** [privilege](/windows/win32/secauthz/privileges), which ignores the **FILE\_TRAVERSE** [access right](/windows/win32/secauthz/access-rights-and-access-masks). See the remarks in [File Security and Access Rights](/windows/win32/fileio/file-security-and-access-rights) for more information. |
| DeleteChild | 0x40,
%%4422 | For a directory, the right to delete a directory and all the files it contains, including read-only files. |
| ReadAttributes | 0x80,
%%4423 | The right to read file attributes. |
| WriteAttributes | 0x100,
%%4424 | The right to write file attributes. |
@@ -322,7 +322,4 @@ For 5145(S, F): A network share object was checked to see whether client can be
- WRITE\_DAC
- - WRITE\_OWNER
-
-
-
+ - WRITE\_OWNER
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5150.md b/windows/security/threat-protection/auditing/event-5150.md
index 018894b1cf..7e8b6a5cc1 100644
--- a/windows/security/threat-protection/auditing/event-5150.md
+++ b/windows/security/threat-protection/auditing/event-5150.md
@@ -21,7 +21,7 @@ ms.technology: mde
- Windows Server 2016
-This event is logged if the Windows Filtering Platform [MAC filter](https://msdn.microsoft.com/library/windows/hardware/hh440262(v=vs.85).aspx) blocked a packet.
+This event is logged if the Windows Filtering Platform [MAC filter](/windows-hardware/drivers/network/using-layer-2-filtering) blocked a packet.
There is no example of this event in this document.
@@ -63,5 +63,4 @@ There is no example of this event in this document.
## Security Monitoring Recommendations
-- There is no recommendation for this event in this document.
-
+- There is no recommendation for this event in this document.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5151.md b/windows/security/threat-protection/auditing/event-5151.md
index 1b55b64d41..611541553e 100644
--- a/windows/security/threat-protection/auditing/event-5151.md
+++ b/windows/security/threat-protection/auditing/event-5151.md
@@ -21,7 +21,7 @@ ms.technology: mde
- Windows Server 2016
-This event is logged if a more restrictive Windows Filtering Platform [MAC filter](https://msdn.microsoft.com/library/windows/hardware/hh440262(v=vs.85).aspx) has blocked a packet.
+This event is logged if a more restrictive Windows Filtering Platform [MAC filter](/windows-hardware/drivers/network/using-layer-2-filtering) has blocked a packet.
There is no example of this event in this document.
@@ -63,5 +63,4 @@ There is no example of this event in this document.
## Security Monitoring Recommendations
-- There is no recommendation for this event in this document.
-
+- There is no recommendation for this event in this document.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5152.md b/windows/security/threat-protection/auditing/event-5152.md
index d89a240a64..cb8da40be3 100644
--- a/windows/security/threat-protection/auditing/event-5152.md
+++ b/windows/security/threat-protection/auditing/event-5152.md
@@ -27,7 +27,7 @@ ms.technology: mde
***Event Description:***
-This event generates when [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510(v=vs.85).aspx) has blocked a network packet.
+This event generates when [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page) has blocked a network packet.
This event is generated for every received network packet.
@@ -159,7 +159,7 @@ This event is generated for every received network packet.
-- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
+- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](/windows/win32/fwp/application-layer-enforcement--ale-) layer name.
- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, run the following command: **netsh wfp show state**. As a result of this command **wfpstate.xml** file will be generated. Open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
@@ -187,5 +187,4 @@ For 5152(F): The Windows Filtering Platform blocked a packet.
- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or computer, for example, anything other than 1, 6, or 17.
-- If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.”
-
+- If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.”
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5154.md b/windows/security/threat-protection/auditing/event-5154.md
index 5083012650..ea9c8ea638 100644
--- a/windows/security/threat-protection/auditing/event-5154.md
+++ b/windows/security/threat-protection/auditing/event-5154.md
@@ -27,7 +27,7 @@ ms.technology: mde
***Event Description:***
-This event generates every time [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510(v=vs.85).aspx) permits an application or service to listen on a port.
+This event generates every time [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page) permits an application or service to listen on a port.
> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
@@ -122,7 +122,7 @@ This event generates every time [Windows Filtering Platform](https://msdn.micros
-- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
+- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](/windows/win32/fwp/application-layer-enforcement--ale-) layer name.
- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, run the following command: **netsh wfp show state**. As a result of this command, the **wfpstate.xml** file will be generated. Open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
@@ -146,5 +146,4 @@ For 5154(S): The Windows Filtering Platform has permitted an application or serv
- If you have a pre-defined list of restricted substrings or words in application names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Application**.”
-- Typically this event has an informational purpose.
-
+- Typically this event has an informational purpose.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5155.md b/windows/security/threat-protection/auditing/event-5155.md
index 7d6eac1919..d00134db41 100644
--- a/windows/security/threat-protection/auditing/event-5155.md
+++ b/windows/security/threat-protection/auditing/event-5155.md
@@ -29,7 +29,7 @@ You can add your own filters using the WFP APIs to block listen to reproduce thi
***Event Description:***
-This event generates every time the [Windows Filtering Platform](https://docs.microsoft.com/windows/win32/fwp/windows-filtering-platform-start-page) blocks an application or service from listening on a port for incoming connections.
+This event generates every time the [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page) blocks an application or service from listening on a port for incoming connections.
@@ -136,7 +136,7 @@ This event generates every time the [Windows Filtering Platform](https://docs.mi
-- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
+- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](/windows/win32/fwp/application-layer-enforcement--ale-) layer name.
- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, you need to execute the following command: **netsh wfp show state**. As result of this command, a **wfpstate.xml** file will be generated. You need to open this file and find the specific substring with the required layer ID (**<layerId>**), for example:
@@ -144,5 +144,4 @@ This event generates every time the [Windows Filtering Platform](https://docs.mi
## Security Monitoring Recommendations
-- If you use Windows Filtering Platform APIs to block application or services from listening on a port, then you can use this event for troubleshooting and monitoring.
-
+- If you use Windows Filtering Platform APIs to block application or services from listening on a port, then you can use this event for troubleshooting and monitoring.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5156.md b/windows/security/threat-protection/auditing/event-5156.md
index 8c1116cba5..b7aa9709b2 100644
--- a/windows/security/threat-protection/auditing/event-5156.md
+++ b/windows/security/threat-protection/auditing/event-5156.md
@@ -27,7 +27,7 @@ ms.technology: mde
***Event Description:***
-This event generates when [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510(v=vs.85).aspx) has allowed a connection.
+This event generates when [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page) has allowed a connection.
> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
@@ -159,7 +159,7 @@ This event generates when [Windows Filtering Platform](https://msdn.microsoft.co
-- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
+- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](/windows/win32/fwp/application-layer-enforcement--ale-) layer name.
- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, run the following command: **netsh wfp show state**. As a result of this command, the **wfpstate.xml** file will be generated. Open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
@@ -187,5 +187,4 @@ For 5156(S): The Windows Filtering Platform has permitted a connection.
- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or computer, for example, anything other than 1, 6, or 17.
-- If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.”
-
+- If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.”
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5157.md b/windows/security/threat-protection/auditing/event-5157.md
index 2f2b2cd8fd..73d84e9d53 100644
--- a/windows/security/threat-protection/auditing/event-5157.md
+++ b/windows/security/threat-protection/auditing/event-5157.md
@@ -27,7 +27,7 @@ ms.technology: mde
***Event Description:***
-This event generates when [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510(v=vs.85).aspx) has blocked a connection.
+This event generates when [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page) has blocked a connection.
> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
@@ -159,7 +159,7 @@ This event generates when [Windows Filtering Platform](https://msdn.microsoft.co
-- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
+- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](/windows/win32/fwp/application-layer-enforcement--ale-) layer name.
- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, run the following command: **netsh wfp show state**. As a result of this command, the **wfpstate.xml** file will be generated. Open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
@@ -187,5 +187,4 @@ For 5157(F): The Windows Filtering Platform has blocked a connection.
- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or computer, for example, anything other than 1, 6, or 17.
-- If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.”
-
+- If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.”
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5158.md b/windows/security/threat-protection/auditing/event-5158.md
index 63753bbc2b..d863b08c36 100644
--- a/windows/security/threat-protection/auditing/event-5158.md
+++ b/windows/security/threat-protection/auditing/event-5158.md
@@ -27,7 +27,7 @@ ms.technology: mde
***Event Description:***
-This event generates every time [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510(v=vs.85).aspx) permits an application or service to bind to a local port.
+This event generates every time [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page) permits an application or service to bind to a local port.
> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
@@ -136,7 +136,7 @@ This event generates every time [Windows Filtering Platform](https://msdn.micros
-- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
+- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](/windows/win32/fwp/application-layer-enforcement--ale-) layer name.
- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, run the following command: **netsh wfp show state**. As a result of this command, the **wfpstate.xml** file will be generated. Open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
@@ -158,5 +158,4 @@ For 5158(S): The Windows Filtering Platform has permitted a bind to a local port
- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or computer, for example, anything other than 6 or 17.
-- If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.”
-
+- If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.”
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5159.md b/windows/security/threat-protection/auditing/event-5159.md
index b5b867bc47..fb896131ac 100644
--- a/windows/security/threat-protection/auditing/event-5159.md
+++ b/windows/security/threat-protection/auditing/event-5159.md
@@ -134,7 +134,7 @@ This event is logged if the Windows Filtering Platform has blocked a bind to a l
-- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
+- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](/windows/win32/fwp/application-layer-enforcement--ale-) layer name.
- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, run the following command: **netsh wfp show state**. As a result of this command, the **wfpstate.xml** file will be generated. Open this file and find the specific substring with the required layer ID (**<layerId>**)**,** for example:
@@ -142,5 +142,4 @@ This event is logged if the Windows Filtering Platform has blocked a bind to a l
## Security Monitoring Recommendations
-- There is no recommendation for this event in this document.
-
+- There is no recommendation for this event in this document.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5168.md b/windows/security/threat-protection/auditing/event-5168.md
index 819d9f191e..bb9371baff 100644
--- a/windows/security/threat-protection/auditing/event-5168.md
+++ b/windows/security/threat-protection/auditing/event-5168.md
@@ -29,7 +29,7 @@ ms.technology: mde
This event generates when SMB SPN check fails.
-It often happens because of NTLMv1 or LM protocols usage from client side when “[Microsoft Network Server: Server SPN target name validation level](https://technet.microsoft.com/library/jj852272.aspx)” group policy set to “Require from client” on server side. SPN only sent to server when NTLMv2 or Kerberos protocols are used, and after that SPN can be validated.
+It often happens because of NTLMv1 or LM protocols usage from client side when “[Microsoft Network Server: Server SPN target name validation level](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852272(v=ws.11))” group policy set to “Require from client” on server side. SPN only sent to server when NTLMv2 or Kerberos protocols are used, and after that SPN can be validated.
> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
@@ -121,5 +121,4 @@ For 5168(F): SPN check for SMB/SMB2 failed.
> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-- We recommend monitoring for any [5168](event-5168.md) event, because it can be a sign of a configuration issue or a malicious authentication attempt.
-
+- We recommend monitoring for any [5168](event-5168.md) event, because it can be a sign of a configuration issue or a malicious authentication attempt.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5376.md b/windows/security/threat-protection/auditing/event-5376.md
index 3d7cc2e623..3cbb58cf29 100644
--- a/windows/security/threat-protection/auditing/event-5376.md
+++ b/windows/security/threat-protection/auditing/event-5376.md
@@ -27,7 +27,7 @@ ms.technology: mde
***Event Description:***
-This event generates every time the user (**Subject**) successfully backs up the [credential manager](https://technet.microsoft.com/library/jj554668.aspx) database.
+This event generates every time the user (**Subject**) successfully backs up the [credential manager](/previous-versions/windows/it-pro/windows-8.1-and-8/jj554668(v=ws.11)) database.
Typically this can be done by clicking “Back up Credentials” in Credential Manager in the Control Panel.
@@ -102,5 +102,4 @@ For 5376(S): Credential Manager credentials were backed up.
> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-- Every [5376](event-5376.md) event should be recorded for all local and domain accounts, because this action (back up Credential Manager) is very rarely used by users and can indicate a virus, or other harmful or malicious activity.
-
+- Every [5376](event-5376.md) event should be recorded for all local and domain accounts, because this action (back up Credential Manager) is very rarely used by users and can indicate a virus, or other harmful or malicious activity.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5377.md b/windows/security/threat-protection/auditing/event-5377.md
index 98ccff769a..3be670da7b 100644
--- a/windows/security/threat-protection/auditing/event-5377.md
+++ b/windows/security/threat-protection/auditing/event-5377.md
@@ -27,7 +27,7 @@ ms.technology: mde
***Event Description:***
-This event generates every time the user (**Subject**) successfully restores the [credential manager](https://technet.microsoft.com/library/jj554668.aspx) database.
+This event generates every time the user (**Subject**) successfully restores the [credential manager](/previous-versions/windows/it-pro/windows-8.1-and-8/jj554668(v=ws.11)) database.
Typically this can be done by clicking “Restore Credentials” in Credential Manager in the Control Panel.
@@ -102,5 +102,4 @@ For 5377(S): Credential Manager credentials were restored from a backup.
> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-- Every [5377](event-5377.md) event should be recorded for all local and domain accounts, because this action (restore Credential Manager credentials from a backup) is very rarely used by users, and can indicate a virus, or other harmful or malicious activity.
-
+- Every [5377](event-5377.md) event should be recorded for all local and domain accounts, because this action (restore Credential Manager credentials from a backup) is very rarely used by users, and can indicate a virus, or other harmful or malicious activity.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5378.md b/windows/security/threat-protection/auditing/event-5378.md
index 04395a702b..0025f40837 100644
--- a/windows/security/threat-protection/auditing/event-5378.md
+++ b/windows/security/threat-protection/auditing/event-5378.md
@@ -27,9 +27,9 @@ ms.technology: mde
***Event Description:***
-This event generates requested [CredSSP](https://msdn.microsoft.com/library/cc226764.aspx) credentials delegation was disallowed by [CredSSP](https://msdn.microsoft.com/library/cc226764.aspx) delegation policy.
+This event generates requested [CredSSP](/openspecs/windows_protocols/ms-cssp/85f57821-40bb-46aa-bfcb-ba9590b8fc30) credentials delegation was disallowed by [CredSSP](/openspecs/windows_protocols/ms-cssp/85f57821-40bb-46aa-bfcb-ba9590b8fc30) delegation policy.
-It typically occurs when [CredSSP](https://msdn.microsoft.com/library/cc226764.aspx) delegation for [WinRM](https://msdn.microsoft.com/library/aa384426(v=vs.85).aspx) [double-hop](https://msdn.microsoft.com/library/ee309365(v=vs.85).aspx) session was not set properly.
+It typically occurs when [CredSSP](/openspecs/windows_protocols/ms-cssp/85f57821-40bb-46aa-bfcb-ba9590b8fc30) delegation for [WinRM](/windows/win32/winrm/portal) [double-hop](/windows/win32/winrm/multi-hop-support) session was not set properly.
> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
@@ -100,9 +100,9 @@ It typically occurs when [CredSSP](https://msdn.microsoft.com/library/cc226764.a
**Credential Delegation Information:**
-- **Security Package** \[Type = UnicodeString\]: the name of [Security Package](https://msdn.microsoft.com/library/windows/desktop/aa380501(v=vs.85).aspx) which was used. Always **CREDSSP** for this event.
+- **Security Package** \[Type = UnicodeString\]: the name of [Security Package](/windows/win32/secauthn/ssp-aps-versus-ssps) which was used. Always **CREDSSP** for this event.
-- **User's UPN** \[Type = UnicodeString\]: [UPN](https://msdn.microsoft.com/library/windows/desktop/aa380525(v=vs.85).aspx) of the account for which delegation was requested.
+- **User's UPN** \[Type = UnicodeString\]: [UPN](/windows/win32/secauthn/user-name-formats) of the account for which delegation was requested.
- **Target Server** \[Type = UnicodeString\]: SPN of the target service for which delegation was requested.
@@ -114,7 +114,7 @@ It typically occurs when [CredSSP](https://msdn.microsoft.com/library/cc226764.a
|---------------------|---------------------------------------------------------------------------------------------------------------------------------------------|
| Default credentials | The credentials obtained when the user first logs on to Windows. |
| Fresh credentials | The credentials that the user is prompted for when executing an application. |
-| Saved credentials | The credentials that are saved using [Credential Manager](https://msdn.microsoft.com/library/windows/desktop/aa374792(v=vs.85).aspx). |
+| Saved credentials | The credentials that are saved using [Credential Manager](/windows/win32/secauthn/credential-manager). |
## Security Monitoring Recommendations
@@ -124,5 +124,4 @@ For 5378(F): The requested credentials delegation was disallowed by policy.
- If you have defined CredSSP delegation policy, then this event will show you policy violations. We recommend collecting these events and investigating every policy violation.
-- This event also can be used for CredSSP delegation troubleshooting.
-
+- This event also can be used for CredSSP delegation troubleshooting.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5447.md b/windows/security/threat-protection/auditing/event-5447.md
index a647b4c565..2b5c265e83 100644
--- a/windows/security/threat-protection/auditing/event-5447.md
+++ b/windows/security/threat-protection/auditing/event-5447.md
@@ -27,7 +27,7 @@ ms.technology: mde
***Event Description:***
-This event generates every time a [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510(v=vs.85).aspx) filter has been changed.
+This event generates every time a [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page) filter has been changed.
It typically generates during Group Policy update procedures.
@@ -88,5 +88,4 @@ It typically generates during Group Policy update procedures.
For 5447(S): A Windows Filtering Platform filter has been changed.
-- This event mainly used for Windows Filtering Platform troubleshooting and typically has little to no security relevance.
-
+- This event mainly used for Windows Filtering Platform troubleshooting and typically has little to no security relevance.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5632.md b/windows/security/threat-protection/auditing/event-5632.md
index 0870e6a7fc..ad0e108238 100644
--- a/windows/security/threat-protection/auditing/event-5632.md
+++ b/windows/security/threat-protection/auditing/event-5632.md
@@ -27,7 +27,7 @@ ms.technology: mde
***Event Description:***
-This event generates when [802.1x](https://technet.microsoft.com/library/hh831831.aspx) authentication attempt was made for wireless network.
+This event generates when [802.1x](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831831(v=ws.11)) authentication attempt was made for wireless network.
It typically generates when network adapter connects to new wireless network.
@@ -85,7 +85,7 @@ It typically generates when network adapter connects to new wireless network.
- **Security ID** \[Type = UnicodeString\]**:** User Principal Name (UPN) or another type of account identifier for which 802.1x authentication request was made.
-> **Note** [User principal name](https://msdn.microsoft.com/library/windows/desktop/aa380525(v=vs.85).aspx) (UPN) format is used to specify an Internet-style name, such as UserName@Example.Microsoft.com.
+> **Note** [User principal name](/windows/win32/secauthn/user-name-formats) (UPN) format is used to specify an Internet-style name, such as UserName@Example.Microsoft.com.
- **Account Name** \[Type = UnicodeString\]**:** the name of the account for which 802.1x authentication request was made.
@@ -141,5 +141,4 @@ You can see interface’s GUID using the following commands:
For 5632(S, F): A request was made to authenticate to a wireless network.
-- There is no recommendation for this event in this document.
-
+- There is no recommendation for this event in this document.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5633.md b/windows/security/threat-protection/auditing/event-5633.md
index 1bb8d2d300..ba78854b75 100644
--- a/windows/security/threat-protection/auditing/event-5633.md
+++ b/windows/security/threat-protection/auditing/event-5633.md
@@ -27,7 +27,7 @@ ms.technology: mde
***Event Description:***
-This event generates when [802.1x](https://technet.microsoft.com/library/hh831831.aspx) authentication attempt was made for wired network.
+This event generates when [802.1x](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831831(v=ws.11)) authentication attempt was made for wired network.
It typically generates when network adapter connects to new wired network.
@@ -79,7 +79,7 @@ It typically generates when network adapter connects to new wired network.
- **Security ID** \[Type = UnicodeString\]**:** User Principal Name (UPN) of account for which 802.1x authentication request was made.
-> **Note** [User principal name](https://msdn.microsoft.com/library/windows/desktop/aa380525(v=vs.85).aspx) (UPN) format is used to specify an Internet-style name, such as UserName@Example.Microsoft.com.
+> **Note** [User principal name](/windows/win32/secauthn/user-name-formats) (UPN) format is used to specify an Internet-style name, such as UserName@Example.Microsoft.com.
- **Account Name** \[Type = UnicodeString\]**:** the name of the account for which 802.1x authentication request was made.
@@ -113,5 +113,4 @@ It typically generates when network adapter connects to new wired network.
For 5633(S, F): A request was made to authenticate to a wired network.
-- There is no recommendation for this event in this document.
-
+- There is no recommendation for this event in this document.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5888.md b/windows/security/threat-protection/auditing/event-5888.md
index 8531945a54..8d2ea38fcb 100644
--- a/windows/security/threat-protection/auditing/event-5888.md
+++ b/windows/security/threat-protection/auditing/event-5888.md
@@ -27,7 +27,7 @@ ms.technology: mde
***Event Description:***
-This event generates when the object in [COM+ Catalog](https://msdn.microsoft.com/library/windows/desktop/ms679196(v=vs.85).aspx) was modified.
+This event generates when the object in [COM+ Catalog](/windows/win32/cossdk/the-com--catalog) was modified.
For some reason this event belongs to [Audit System Integrity](event-5890.md) subcategory, but generation of this event enables in this subcategory.
@@ -103,45 +103,45 @@ For some reason this event belongs to [Audit System Integrity](event-5890.md) su
| Collection | Description |
|------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| [ApplicationCluster](https://msdn.microsoft.com/library/windows/desktop/ms683600(v=vs.85).aspx) | Contains a list of the servers in the application cluster. |
-| [ApplicationInstances](https://msdn.microsoft.com/library/windows/desktop/ms679173(v=vs.85).aspx) | Contains an object for each instance of a running COM+ application. |
-| [Applications](https://msdn.microsoft.com/library/windows/desktop/ms686107(v=vs.85).aspx) | Contains an object for each COM+ application installed on the local computer. |
-| [Components](https://msdn.microsoft.com/library/windows/desktop/ms688285(v=vs.85).aspx) | Contains an object for each component in the application to which it is related. |
-| [ComputerList](https://msdn.microsoft.com/library/windows/desktop/ms681320(v=vs.85).aspx) | Contains a list of the computers found in the Computers folder of the Component Services administration tool. |
-| [DCOMProtocols](https://msdn.microsoft.com/library/windows/desktop/ms688297(v=vs.85).aspx) | Contains a list of the protocols to be used by DCOM. It contains an object for each protocol. |
-| [ErrorInfo](https://msdn.microsoft.com/library/windows/desktop/ms686530(v=vs.85).aspx) | Retrieves extended error information regarding methods that deal with multiple objects. |
-| [EventClassesForIID](https://msdn.microsoft.com/library/windows/desktop/ms679576(v=vs.85).aspx) | Retrieves information regarding event classes. |
-| [FilesForImport](https://msdn.microsoft.com/library/windows/desktop/ms685046(v=vs.85).aspx) | Retrieves information from its MSI file about an application that can be imported. |
-| [InprocServers](https://msdn.microsoft.com/library/windows/desktop/ms678949(v=vs.85).aspx) | Contains a list of the in-process servers registered with the system. It contains an object for each component. |
-| [InterfacesForComponent](https://msdn.microsoft.com/library/windows/desktop/ms687751(v=vs.85).aspx) | Contains an object for each interface exposed by the component to which the collection is related. |
-| [LegacyComponents](https://msdn.microsoft.com/library/windows/desktop/ms683616(v=vs.85).aspx) | Contains an object for each unconfigured component in the application to which it is related. |
-| [LegacyServers](https://msdn.microsoft.com/library/windows/desktop/ms685965(v=vs.85).aspx) | Identical to the [InprocServers](https://msdn.microsoft.com/library/windows/desktop/ms678949(v=vs.85).aspx) collection except that this collection also includes local servers. |
-| [LocalComputer](https://msdn.microsoft.com/library/windows/desktop/ms682790(v=vs.85).aspx) | Contains a single object that holds computer level settings information for the computer whose catalog you are accessing. |
-| [MethodsForInterface](https://msdn.microsoft.com/library/windows/desktop/ms687595(v=vs.85).aspx) | Contains an object for each method on the interface to which the collection is related. |
-| [Partitions](https://msdn.microsoft.com/library/windows/desktop/ms679480(v=vs.85).aspx) | Used to specify the applications contained in each partition. |
-| [PartitionUsers](https://msdn.microsoft.com/library/windows/desktop/ms686081(v=vs.85).aspx) | Used to specify the users contained in each partition. |
-| [PropertyInfo](https://msdn.microsoft.com/library/windows/desktop/ms681735(v=vs.85).aspx) | Retrieves information about the properties that a specified collection supports. |
-| [PublisherProperties](https://msdn.microsoft.com/library/windows/desktop/ms682794(v=vs.85).aspx) | Contains an object for each publisher property for the parent [SubscriptionsForComponent](https://msdn.microsoft.com/library/windows/desktop/ms687726(v=vs.85).aspx) collection. |
-| [RelatedCollectionInfo](https://msdn.microsoft.com/library/windows/desktop/ms686925(v=vs.85).aspx) | Retrieves information about other collections related to the collection from which it is called. |
-| [Roles](https://msdn.microsoft.com/library/windows/desktop/ms683613(v=vs.85).aspx) | Contains an object for each role assigned to the application to which it is related. |
-| [RolesForComponent](https://msdn.microsoft.com/library/windows/desktop/ms686119(v=vs.85).aspx) | Contains an object for each role assigned to the component to which the collection is related. |
-| [RolesForInterface](https://msdn.microsoft.com/library/windows/desktop/ms688303(v=vs.85).aspx) | Contains an object for each role assigned to the interface to which the collection is related. |
-| [RolesForMethod](https://msdn.microsoft.com/library/windows/desktop/ms679943(v=vs.85).aspx) | Contains an object for each role assigned to the method to which the collection is related. |
-| [RolesForPartition](https://msdn.microsoft.com/library/windows/desktop/ms681316(v=vs.85).aspx) | Contains an object for each role assigned to the partition to which the collection is related. |
-| [Root](https://msdn.microsoft.com/library/windows/desktop/ms682277(v=vs.85).aspx) | Contains the top-level collections on the catalog. |
-| [SubscriberProperties](https://msdn.microsoft.com/library/windows/desktop/ms681611(v=vs.85).aspx) | Contains an object for each subscriber property for the parent [SubscriptionsForComponent](https://msdn.microsoft.com/library/windows/desktop/ms687726(v=vs.85).aspx) collection. |
-| [SubscriptionsForComponent](https://msdn.microsoft.com/library/windows/desktop/ms687726(v=vs.85).aspx) | Contains an object for each subscription for the parent [Components](https://msdn.microsoft.com/library/windows/desktop/ms688285(v=vs.85).aspx) collection. |
-| [TransientPublisherProperties](https://msdn.microsoft.com/library/windows/desktop/ms681793(v=vs.85).aspx) | Contains an object for each publisher property for the parent [TransientSubscriptions](https://msdn.microsoft.com/library/windows/desktop/ms686100(v=vs.85).aspx) collection. |
-| [TransientSubscriberProperties](https://msdn.microsoft.com/library/windows/desktop/ms686051(v=vs.85).aspx) | Contains an object for each subscriber property for the parent [TransientSubscriptions](https://msdn.microsoft.com/library/windows/desktop/ms686100(v=vs.85).aspx) collection. |
-| [TransientSubscriptions](https://msdn.microsoft.com/library/windows/desktop/ms686100(v=vs.85).aspx) | Contains an object for each transient subscription. |
-| [UsersInPartitionRole](https://msdn.microsoft.com/library/windows/desktop/ms686441(v=vs.85).aspx) | Contains an object for each user in the partition role to which the collection is related. |
-| [UsersInRole](https://msdn.microsoft.com/library/windows/desktop/ms687622(v=vs.85).aspx) | Contains an object for each user in the role to which the collection is related. |
-| [WOWInprocServers](https://msdn.microsoft.com/library/windows/desktop/ms681249(v=vs.85).aspx) | Contains a list of the in-process servers registered with the system for 32-bit components on 64-bit computers. |
-| [WOWLegacyServers](https://msdn.microsoft.com/library/windows/desktop/ms682774(v=vs.85).aspx) | Identical to the [LegacyServers](https://msdn.microsoft.com/library/windows/desktop/ms685965(v=vs.85).aspx) collection except that this collection is drawn from the 32-bit registry on 64-bit computers. |
+| [ApplicationCluster](/windows/win32/cossdk/applicationcluster) | Contains a list of the servers in the application cluster. |
+| [ApplicationInstances](/windows/win32/cossdk/applicationinstances) | Contains an object for each instance of a running COM+ application. |
+| [Applications](/windows/win32/cossdk/applications) | Contains an object for each COM+ application installed on the local computer. |
+| [Components](/windows/win32/cossdk/components) | Contains an object for each component in the application to which it is related. |
+| [ComputerList](/windows/win32/cossdk/computerlist) | Contains a list of the computers found in the Computers folder of the Component Services administration tool. |
+| [DCOMProtocols](/windows/win32/cossdk/dcomprotocols) | Contains a list of the protocols to be used by DCOM. It contains an object for each protocol. |
+| [ErrorInfo](/windows/win32/cossdk/errorinfo) | Retrieves extended error information regarding methods that deal with multiple objects. |
+| [EventClassesForIID](/windows/win32/cossdk/eventclassesforiid) | Retrieves information regarding event classes. |
+| [FilesForImport](/windows/win32/cossdk/filesforimport) | Retrieves information from its MSI file about an application that can be imported. |
+| [InprocServers](/windows/win32/cossdk/inprocservers) | Contains a list of the in-process servers registered with the system. It contains an object for each component. |
+| [InterfacesForComponent](/windows/win32/cossdk/interfacesforcomponent) | Contains an object for each interface exposed by the component to which the collection is related. |
+| [LegacyComponents](/windows/win32/cossdk/legacycomponents) | Contains an object for each unconfigured component in the application to which it is related. |
+| [LegacyServers](/windows/win32/cossdk/legacyservers) | Identical to the [InprocServers](/windows/win32/cossdk/inprocservers) collection except that this collection also includes local servers. |
+| [LocalComputer](/windows/win32/cossdk/localcomputer) | Contains a single object that holds computer level settings information for the computer whose catalog you are accessing. |
+| [MethodsForInterface](/windows/win32/cossdk/methodsforinterface) | Contains an object for each method on the interface to which the collection is related. |
+| [Partitions](/windows/win32/cossdk/partitions) | Used to specify the applications contained in each partition. |
+| [PartitionUsers](/windows/win32/cossdk/partitionusers) | Used to specify the users contained in each partition. |
+| [PropertyInfo](/windows/win32/cossdk/propertyinfo) | Retrieves information about the properties that a specified collection supports. |
+| [PublisherProperties](/windows/win32/cossdk/publisherproperties) | Contains an object for each publisher property for the parent [SubscriptionsForComponent](/windows/win32/cossdk/subscriptionsforcomponent) collection. |
+| [RelatedCollectionInfo](/windows/win32/cossdk/relatedcollectioninfo) | Retrieves information about other collections related to the collection from which it is called. |
+| [Roles](/windows/win32/cossdk/roles) | Contains an object for each role assigned to the application to which it is related. |
+| [RolesForComponent](/windows/win32/cossdk/rolesforcomponent) | Contains an object for each role assigned to the component to which the collection is related. |
+| [RolesForInterface](/windows/win32/cossdk/rolesforinterface) | Contains an object for each role assigned to the interface to which the collection is related. |
+| [RolesForMethod](/windows/win32/cossdk/rolesformethod) | Contains an object for each role assigned to the method to which the collection is related. |
+| [RolesForPartition](/windows/win32/cossdk/rolesforpartition) | Contains an object for each role assigned to the partition to which the collection is related. |
+| [Root](/windows/win32/cossdk/root) | Contains the top-level collections on the catalog. |
+| [SubscriberProperties](/windows/win32/cossdk/subscriberproperties) | Contains an object for each subscriber property for the parent [SubscriptionsForComponent](/windows/win32/cossdk/subscriptionsforcomponent) collection. |
+| [SubscriptionsForComponent](/windows/win32/cossdk/subscriptionsforcomponent) | Contains an object for each subscription for the parent [Components](/windows/win32/cossdk/components) collection. |
+| [TransientPublisherProperties](/windows/win32/cossdk/transientpublisherproperties) | Contains an object for each publisher property for the parent [TransientSubscriptions](/windows/win32/cossdk/transientsubscriptions) collection. |
+| [TransientSubscriberProperties](/windows/win32/cossdk/transientsubscriberproperties) | Contains an object for each subscriber property for the parent [TransientSubscriptions](/windows/win32/cossdk/transientsubscriptions) collection. |
+| [TransientSubscriptions](/windows/win32/cossdk/transientsubscriptions) | Contains an object for each transient subscription. |
+| [UsersInPartitionRole](/windows/win32/cossdk/usersinpartitionrole) | Contains an object for each user in the partition role to which the collection is related. |
+| [UsersInRole](/windows/win32/cossdk/usersinrole) | Contains an object for each user in the role to which the collection is related. |
+| [WOWInprocServers](/windows/win32/cossdk/wowinprocservers) | Contains a list of the in-process servers registered with the system for 32-bit components on 64-bit computers. |
+| [WOWLegacyServers](/windows/win32/cossdk/wowlegacyservers) | Identical to the [LegacyServers](/windows/win32/cossdk/legacyservers) collection except that this collection is drawn from the 32-bit registry on 64-bit computers. |
-- **Object Name** \[Type = UnicodeString\]: object-specific fields with the names and identifiers for the modified object. It depends on **COM+ Catalog Collection** value, for example, if **COM+ Catalog Collection** = [Applications](https://msdn.microsoft.com/library/windows/desktop/ms686107(v=vs.85).aspx), then you can find that:
+- **Object Name** \[Type = UnicodeString\]: object-specific fields with the names and identifiers for the modified object. It depends on **COM+ Catalog Collection** value, for example, if **COM+ Catalog Collection** = [Applications](/windows/win32/cossdk/applications), then you can find that:
- - **ID** - A GUID representing the application. This property is returned when the [Key](https://msdn.microsoft.com/library/windows/desktop/ms679201(v=vs.85).aspx) property method is called on an object of this collection.
+ - **ID** - A GUID representing the application. This property is returned when the [Key](/windows/win32/api/comadmin/nf-comadmin-icatalogobject-get_key) property method is called on an object of this collection.
- **AppPartitionID** - A GUID representing the application partition ID.
@@ -159,5 +159,4 @@ For 5888(S): An object in the COM+ Catalog was modified.
> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-- If you have a specific COM+ object for which you need to monitor all modifications, monitor all [5888](event-5888.md) events with the corresponding **Object Name**.
-
+- If you have a specific COM+ object for which you need to monitor all modifications, monitor all [5888](event-5888.md) events with the corresponding **Object Name**.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5889.md b/windows/security/threat-protection/auditing/event-5889.md
index 3fe376f85c..e3d65ee453 100644
--- a/windows/security/threat-protection/auditing/event-5889.md
+++ b/windows/security/threat-protection/auditing/event-5889.md
@@ -27,7 +27,7 @@ ms.technology: mde
***Event Description:***
-This event generates when the object in the [COM+ Catalog](https://msdn.microsoft.com/library/windows/desktop/ms679196(v=vs.85).aspx) was deleted.
+This event generates when the object in the [COM+ Catalog](/windows/win32/cossdk/the-com--catalog) was deleted.
For some reason this event belongs to [Audit System Integrity](event-5890.md) subcategory, but generation of this event enables in this subcategory.
@@ -103,45 +103,45 @@ For some reason this event belongs to [Audit System Integrity](event-5890.md) su
| Collection | Description |
|------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| [ApplicationCluster](https://msdn.microsoft.com/library/windows/desktop/ms683600(v=vs.85).aspx) | Contains a list of the servers in the application cluster. |
-| [ApplicationInstances](https://msdn.microsoft.com/library/windows/desktop/ms679173(v=vs.85).aspx) | Contains an object for each instance of a running COM+ application. |
-| [Applications](https://msdn.microsoft.com/library/windows/desktop/ms686107(v=vs.85).aspx) | Contains an object for each COM+ application installed on the local computer. |
-| [Components](https://msdn.microsoft.com/library/windows/desktop/ms688285(v=vs.85).aspx) | Contains an object for each component in the application to which it is related. |
-| [ComputerList](https://msdn.microsoft.com/library/windows/desktop/ms681320(v=vs.85).aspx) | Contains a list of the computers found in the Computers folder of the Component Services administration tool. |
-| [DCOMProtocols](https://msdn.microsoft.com/library/windows/desktop/ms688297(v=vs.85).aspx) | Contains a list of the protocols to be used by DCOM. It contains an object for each protocol. |
-| [ErrorInfo](https://msdn.microsoft.com/library/windows/desktop/ms686530(v=vs.85).aspx) | Retrieves extended error information regarding methods that deal with multiple objects. |
-| [EventClassesForIID](https://msdn.microsoft.com/library/windows/desktop/ms679576(v=vs.85).aspx) | Retrieves information regarding event classes. |
-| [FilesForImport](https://msdn.microsoft.com/library/windows/desktop/ms685046(v=vs.85).aspx) | Retrieves information from its MSI file about an application that can be imported. |
-| [InprocServers](https://msdn.microsoft.com/library/windows/desktop/ms678949(v=vs.85).aspx) | Contains a list of the in-process servers registered with the system. It contains an object for each component. |
-| [InterfacesForComponent](https://msdn.microsoft.com/library/windows/desktop/ms687751(v=vs.85).aspx) | Contains an object for each interface exposed by the component to which the collection is related. |
-| [LegacyComponents](https://msdn.microsoft.com/library/windows/desktop/ms683616(v=vs.85).aspx) | Contains an object for each unconfigured component in the application to which it is related. |
-| [LegacyServers](https://msdn.microsoft.com/library/windows/desktop/ms685965(v=vs.85).aspx) | Identical to the [InprocServers](https://msdn.microsoft.com/library/windows/desktop/ms678949(v=vs.85).aspx) collection except that this collection also includes local servers. |
-| [LocalComputer](https://msdn.microsoft.com/library/windows/desktop/ms682790(v=vs.85).aspx) | Contains a single object that holds computer level settings information for the computer whose catalog you are accessing. |
-| [MethodsForInterface](https://msdn.microsoft.com/library/windows/desktop/ms687595(v=vs.85).aspx) | Contains an object for each method on the interface to which the collection is related. |
-| [Partitions](https://msdn.microsoft.com/library/windows/desktop/ms679480(v=vs.85).aspx) | Used to specify the applications contained in each partition. |
-| [PartitionUsers](https://msdn.microsoft.com/library/windows/desktop/ms686081(v=vs.85).aspx) | Used to specify the users contained in each partition. |
-| [PropertyInfo](https://msdn.microsoft.com/library/windows/desktop/ms681735(v=vs.85).aspx) | Retrieves information about the properties that a specified collection supports. |
-| [PublisherProperties](https://msdn.microsoft.com/library/windows/desktop/ms682794(v=vs.85).aspx) | Contains an object for each publisher property for the parent [SubscriptionsForComponent](https://msdn.microsoft.com/library/windows/desktop/ms687726(v=vs.85).aspx) collection. |
-| [RelatedCollectionInfo](https://msdn.microsoft.com/library/windows/desktop/ms686925(v=vs.85).aspx) | Retrieves information about other collections related to the collection from which it is called. |
-| [Roles](https://msdn.microsoft.com/library/windows/desktop/ms683613(v=vs.85).aspx) | Contains an object for each role assigned to the application to which it is related. |
-| [RolesForComponent](https://msdn.microsoft.com/library/windows/desktop/ms686119(v=vs.85).aspx) | Contains an object for each role assigned to the component to which the collection is related. |
-| [RolesForInterface](https://msdn.microsoft.com/library/windows/desktop/ms688303(v=vs.85).aspx) | Contains an object for each role assigned to the interface to which the collection is related. |
-| [RolesForMethod](https://msdn.microsoft.com/library/windows/desktop/ms679943(v=vs.85).aspx) | Contains an object for each role assigned to the method to which the collection is related. |
-| [RolesForPartition](https://msdn.microsoft.com/library/windows/desktop/ms681316(v=vs.85).aspx) | Contains an object for each role assigned to the partition to which the collection is related. |
-| [Root](https://msdn.microsoft.com/library/windows/desktop/ms682277(v=vs.85).aspx) | Contains the top-level collections on the catalog. |
-| [SubscriberProperties](https://msdn.microsoft.com/library/windows/desktop/ms681611(v=vs.85).aspx) | Contains an object for each subscriber property for the parent [SubscriptionsForComponent](https://msdn.microsoft.com/library/windows/desktop/ms687726(v=vs.85).aspx) collection. |
-| [SubscriptionsForComponent](https://msdn.microsoft.com/library/windows/desktop/ms687726(v=vs.85).aspx) | Contains an object for each subscription for the parent [Components](https://msdn.microsoft.com/library/windows/desktop/ms688285(v=vs.85).aspx) collection. |
-| [TransientPublisherProperties](https://msdn.microsoft.com/library/windows/desktop/ms681793(v=vs.85).aspx) | Contains an object for each publisher property for the parent [TransientSubscriptions](https://msdn.microsoft.com/library/windows/desktop/ms686100(v=vs.85).aspx) collection. |
-| [TransientSubscriberProperties](https://msdn.microsoft.com/library/windows/desktop/ms686051(v=vs.85).aspx) | Contains an object for each subscriber property for the parent [TransientSubscriptions](https://msdn.microsoft.com/library/windows/desktop/ms686100(v=vs.85).aspx) collection. |
-| [TransientSubscriptions](https://msdn.microsoft.com/library/windows/desktop/ms686100(v=vs.85).aspx) | Contains an object for each transient subscription. |
-| [UsersInPartitionRole](https://msdn.microsoft.com/library/windows/desktop/ms686441(v=vs.85).aspx) | Contains an object for each user in the partition role to which the collection is related. |
-| [UsersInRole](https://msdn.microsoft.com/library/windows/desktop/ms687622(v=vs.85).aspx) | Contains an object for each user in the role to which the collection is related. |
-| [WOWInprocServers](https://msdn.microsoft.com/library/windows/desktop/ms681249(v=vs.85).aspx) | Contains a list of the in-process servers registered with the system for 32-bit components on 64-bit computers. |
-| [WOWLegacyServers](https://msdn.microsoft.com/library/windows/desktop/ms682774(v=vs.85).aspx) | Identical to the [LegacyServers](https://msdn.microsoft.com/library/windows/desktop/ms685965(v=vs.85).aspx) collection except that this collection is drawn from the 32-bit registry on 64-bit computers. |
+| [ApplicationCluster](/windows/win32/cossdk/applicationcluster) | Contains a list of the servers in the application cluster. |
+| [ApplicationInstances](/windows/win32/cossdk/applicationinstances) | Contains an object for each instance of a running COM+ application. |
+| [Applications](/windows/win32/cossdk/applications) | Contains an object for each COM+ application installed on the local computer. |
+| [Components](/windows/win32/cossdk/components) | Contains an object for each component in the application to which it is related. |
+| [ComputerList](/windows/win32/cossdk/computerlist) | Contains a list of the computers found in the Computers folder of the Component Services administration tool. |
+| [DCOMProtocols](/windows/win32/cossdk/dcomprotocols) | Contains a list of the protocols to be used by DCOM. It contains an object for each protocol. |
+| [ErrorInfo](/windows/win32/cossdk/errorinfo) | Retrieves extended error information regarding methods that deal with multiple objects. |
+| [EventClassesForIID](/windows/win32/cossdk/eventclassesforiid) | Retrieves information regarding event classes. |
+| [FilesForImport](/windows/win32/cossdk/filesforimport) | Retrieves information from its MSI file about an application that can be imported. |
+| [InprocServers](/windows/win32/cossdk/inprocservers) | Contains a list of the in-process servers registered with the system. It contains an object for each component. |
+| [InterfacesForComponent](/windows/win32/cossdk/interfacesforcomponent) | Contains an object for each interface exposed by the component to which the collection is related. |
+| [LegacyComponents](/windows/win32/cossdk/legacycomponents) | Contains an object for each unconfigured component in the application to which it is related. |
+| [LegacyServers](/windows/win32/cossdk/legacyservers) | Identical to the [InprocServers](/windows/win32/cossdk/inprocservers) collection except that this collection also includes local servers. |
+| [LocalComputer](/windows/win32/cossdk/localcomputer) | Contains a single object that holds computer level settings information for the computer whose catalog you are accessing. |
+| [MethodsForInterface](/windows/win32/cossdk/methodsforinterface) | Contains an object for each method on the interface to which the collection is related. |
+| [Partitions](/windows/win32/cossdk/partitions) | Used to specify the applications contained in each partition. |
+| [PartitionUsers](/windows/win32/cossdk/partitionusers) | Used to specify the users contained in each partition. |
+| [PropertyInfo](/windows/win32/cossdk/propertyinfo) | Retrieves information about the properties that a specified collection supports. |
+| [PublisherProperties](/windows/win32/cossdk/publisherproperties) | Contains an object for each publisher property for the parent [SubscriptionsForComponent](/windows/win32/cossdk/subscriptionsforcomponent) collection. |
+| [RelatedCollectionInfo](/windows/win32/cossdk/relatedcollectioninfo) | Retrieves information about other collections related to the collection from which it is called. |
+| [Roles](/windows/win32/cossdk/roles) | Contains an object for each role assigned to the application to which it is related. |
+| [RolesForComponent](/windows/win32/cossdk/rolesforcomponent) | Contains an object for each role assigned to the component to which the collection is related. |
+| [RolesForInterface](/windows/win32/cossdk/rolesforinterface) | Contains an object for each role assigned to the interface to which the collection is related. |
+| [RolesForMethod](/windows/win32/cossdk/rolesformethod) | Contains an object for each role assigned to the method to which the collection is related. |
+| [RolesForPartition](/windows/win32/cossdk/rolesforpartition) | Contains an object for each role assigned to the partition to which the collection is related. |
+| [Root](/windows/win32/cossdk/root) | Contains the top-level collections on the catalog. |
+| [SubscriberProperties](/windows/win32/cossdk/subscriberproperties) | Contains an object for each subscriber property for the parent [SubscriptionsForComponent](/windows/win32/cossdk/subscriptionsforcomponent) collection. |
+| [SubscriptionsForComponent](/windows/win32/cossdk/subscriptionsforcomponent) | Contains an object for each subscription for the parent [Components](/windows/win32/cossdk/components) collection. |
+| [TransientPublisherProperties](/windows/win32/cossdk/transientpublisherproperties) | Contains an object for each publisher property for the parent [TransientSubscriptions](/windows/win32/cossdk/transientsubscriptions) collection. |
+| [TransientSubscriberProperties](/windows/win32/cossdk/transientsubscriberproperties) | Contains an object for each subscriber property for the parent [TransientSubscriptions](/windows/win32/cossdk/transientsubscriptions) collection. |
+| [TransientSubscriptions](/windows/win32/cossdk/transientsubscriptions) | Contains an object for each transient subscription. |
+| [UsersInPartitionRole](/windows/win32/cossdk/usersinpartitionrole) | Contains an object for each user in the partition role to which the collection is related. |
+| [UsersInRole](/windows/win32/cossdk/usersinrole) | Contains an object for each user in the role to which the collection is related. |
+| [WOWInprocServers](/windows/win32/cossdk/wowinprocservers) | Contains a list of the in-process servers registered with the system for 32-bit components on 64-bit computers. |
+| [WOWLegacyServers](/windows/win32/cossdk/wowlegacyservers) | Identical to the [LegacyServers](/windows/win32/cossdk/legacyservers) collection except that this collection is drawn from the 32-bit registry on 64-bit computers. |
-- **Object Name** \[Type = UnicodeString\]: object-specific fields with the names and identifiers for the deleted object. It depends on **COM+ Catalog Collection** value, for example, if **COM+ Catalog Collection** = [Applications](https://msdn.microsoft.com/library/windows/desktop/ms686107(v=vs.85).aspx), then you can find that:
+- **Object Name** \[Type = UnicodeString\]: object-specific fields with the names and identifiers for the deleted object. It depends on **COM+ Catalog Collection** value, for example, if **COM+ Catalog Collection** = [Applications](/windows/win32/cossdk/applications), then you can find that:
- - **ID** - A GUID representing the application. This property is returned when the [Key](https://msdn.microsoft.com/library/windows/desktop/ms679201(v=vs.85).aspx) property method is called on an object of this collection.
+ - **ID** - A GUID representing the application. This property is returned when the [Key](/windows/win32/api/comadmin/nf-comadmin-icatalogobject-get_key) property method is called on an object of this collection.
- **AppPartitionID** - A GUID representing the application partition ID.
@@ -159,5 +159,4 @@ For 5889(S): An object was deleted from the COM+ Catalog.
> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-- If you have a specific COM+ object for which you need to monitor all modifications (especially delete operations), monitor all [5889](event-5889.md) events with the corresponding **Object Name**.
-
+- If you have a specific COM+ object for which you need to monitor all modifications (especially delete operations), monitor all [5889](event-5889.md) events with the corresponding **Object Name**.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5890.md b/windows/security/threat-protection/auditing/event-5890.md
index 9a90b1a6a3..9b7a9f515c 100644
--- a/windows/security/threat-protection/auditing/event-5890.md
+++ b/windows/security/threat-protection/auditing/event-5890.md
@@ -27,7 +27,7 @@ ms.technology: mde
***Event Description:***
-This event generates when new object was added to the [COM+ Catalog](https://msdn.microsoft.com/library/windows/desktop/ms679196(v=vs.85).aspx).
+This event generates when new object was added to the [COM+ Catalog](/windows/win32/cossdk/the-com--catalog).
For some reason this event belongs to [Audit System Integrity](event-5890.md) subcategory, but generation of this event enables in this subcategory.
@@ -103,45 +103,45 @@ For some reason this event belongs to [Audit System Integrity](event-5890.md) su
| Collection | Description |
|------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| [ApplicationCluster](https://msdn.microsoft.com/library/windows/desktop/ms683600(v=vs.85).aspx) | Contains a list of the servers in the application cluster. |
-| [ApplicationInstances](https://msdn.microsoft.com/library/windows/desktop/ms679173(v=vs.85).aspx) | Contains an object for each instance of a running COM+ application. |
-| [Applications](https://msdn.microsoft.com/library/windows/desktop/ms686107(v=vs.85).aspx) | Contains an object for each COM+ application installed on the local computer. |
-| [Components](https://msdn.microsoft.com/library/windows/desktop/ms688285(v=vs.85).aspx) | Contains an object for each component in the application to which it is related. |
-| [ComputerList](https://msdn.microsoft.com/library/windows/desktop/ms681320(v=vs.85).aspx) | Contains a list of the computers found in the Computers folder of the Component Services administration tool. |
-| [DCOMProtocols](https://msdn.microsoft.com/library/windows/desktop/ms688297(v=vs.85).aspx) | Contains a list of the protocols to be used by DCOM. It contains an object for each protocol. |
-| [ErrorInfo](https://msdn.microsoft.com/library/windows/desktop/ms686530(v=vs.85).aspx) | Retrieves extended error information regarding methods that deal with multiple objects. |
-| [EventClassesForIID](https://msdn.microsoft.com/library/windows/desktop/ms679576(v=vs.85).aspx) | Retrieves information regarding event classes. |
-| [FilesForImport](https://msdn.microsoft.com/library/windows/desktop/ms685046(v=vs.85).aspx) | Retrieves information from its MSI file about an application that can be imported. |
-| [InprocServers](https://msdn.microsoft.com/library/windows/desktop/ms678949(v=vs.85).aspx) | Contains a list of the in-process servers registered with the system. It contains an object for each component. |
-| [InterfacesForComponent](https://msdn.microsoft.com/library/windows/desktop/ms687751(v=vs.85).aspx) | Contains an object for each interface exposed by the component to which the collection is related. |
-| [LegacyComponents](https://msdn.microsoft.com/library/windows/desktop/ms683616(v=vs.85).aspx) | Contains an object for each unconfigured component in the application to which it is related. |
-| [LegacyServers](https://msdn.microsoft.com/library/windows/desktop/ms685965(v=vs.85).aspx) | Identical to the [InprocServers](https://msdn.microsoft.com/library/windows/desktop/ms678949(v=vs.85).aspx) collection except that this collection also includes local servers. |
-| [LocalComputer](https://msdn.microsoft.com/library/windows/desktop/ms682790(v=vs.85).aspx) | Contains a single object that holds computer level settings information for the computer whose catalog you are accessing. |
-| [MethodsForInterface](https://msdn.microsoft.com/library/windows/desktop/ms687595(v=vs.85).aspx) | Contains an object for each method on the interface to which the collection is related. |
-| [Partitions](https://msdn.microsoft.com/library/windows/desktop/ms679480(v=vs.85).aspx) | Used to specify the applications contained in each partition. |
-| [PartitionUsers](https://msdn.microsoft.com/library/windows/desktop/ms686081(v=vs.85).aspx) | Used to specify the users contained in each partition. |
-| [PropertyInfo](https://msdn.microsoft.com/library/windows/desktop/ms681735(v=vs.85).aspx) | Retrieves information about the properties that a specified collection supports. |
-| [PublisherProperties](https://msdn.microsoft.com/library/windows/desktop/ms682794(v=vs.85).aspx) | Contains an object for each publisher property for the parent [SubscriptionsForComponent](https://msdn.microsoft.com/library/windows/desktop/ms687726(v=vs.85).aspx) collection. |
-| [RelatedCollectionInfo](https://msdn.microsoft.com/library/windows/desktop/ms686925(v=vs.85).aspx) | Retrieves information about other collections related to the collection from which it is called. |
-| [Roles](https://msdn.microsoft.com/library/windows/desktop/ms683613(v=vs.85).aspx) | Contains an object for each role assigned to the application to which it is related. |
-| [RolesForComponent](https://msdn.microsoft.com/library/windows/desktop/ms686119(v=vs.85).aspx) | Contains an object for each role assigned to the component to which the collection is related. |
-| [RolesForInterface](https://msdn.microsoft.com/library/windows/desktop/ms688303(v=vs.85).aspx) | Contains an object for each role assigned to the interface to which the collection is related. |
-| [RolesForMethod](https://msdn.microsoft.com/library/windows/desktop/ms679943(v=vs.85).aspx) | Contains an object for each role assigned to the method to which the collection is related. |
-| [RolesForPartition](https://msdn.microsoft.com/library/windows/desktop/ms681316(v=vs.85).aspx) | Contains an object for each role assigned to the partition to which the collection is related. |
-| [Root](https://msdn.microsoft.com/library/windows/desktop/ms682277(v=vs.85).aspx) | Contains the top-level collections on the catalog. |
-| [SubscriberProperties](https://msdn.microsoft.com/library/windows/desktop/ms681611(v=vs.85).aspx) | Contains an object for each subscriber property for the parent [SubscriptionsForComponent](https://msdn.microsoft.com/library/windows/desktop/ms687726(v=vs.85).aspx) collection. |
-| [SubscriptionsForComponent](https://msdn.microsoft.com/library/windows/desktop/ms687726(v=vs.85).aspx) | Contains an object for each subscription for the parent [Components](https://msdn.microsoft.com/library/windows/desktop/ms688285(v=vs.85).aspx) collection. |
-| [TransientPublisherProperties](https://msdn.microsoft.com/library/windows/desktop/ms681793(v=vs.85).aspx) | Contains an object for each publisher property for the parent [TransientSubscriptions](https://msdn.microsoft.com/library/windows/desktop/ms686100(v=vs.85).aspx) collection. |
-| [TransientSubscriberProperties](https://msdn.microsoft.com/library/windows/desktop/ms686051(v=vs.85).aspx) | Contains an object for each subscriber property for the parent [TransientSubscriptions](https://msdn.microsoft.com/library/windows/desktop/ms686100(v=vs.85).aspx) collection. |
-| [TransientSubscriptions](https://msdn.microsoft.com/library/windows/desktop/ms686100(v=vs.85).aspx) | Contains an object for each transient subscription. |
-| [UsersInPartitionRole](https://msdn.microsoft.com/library/windows/desktop/ms686441(v=vs.85).aspx) | Contains an object for each user in the partition role to which the collection is related. |
-| [UsersInRole](https://msdn.microsoft.com/library/windows/desktop/ms687622(v=vs.85).aspx) | Contains an object for each user in the role to which the collection is related. |
-| [WOWInprocServers](https://msdn.microsoft.com/library/windows/desktop/ms681249(v=vs.85).aspx) | Contains a list of the in-process servers registered with the system for 32-bit components on 64-bit computers. |
-| [WOWLegacyServers](https://msdn.microsoft.com/library/windows/desktop/ms682774(v=vs.85).aspx) | Identical to the [LegacyServers](https://msdn.microsoft.com/library/windows/desktop/ms685965(v=vs.85).aspx) collection except that this collection is drawn from the 32-bit registry on 64-bit computers. |
+| [ApplicationCluster](/windows/win32/cossdk/applicationcluster) | Contains a list of the servers in the application cluster. |
+| [ApplicationInstances](/windows/win32/cossdk/applicationinstances) | Contains an object for each instance of a running COM+ application. |
+| [Applications](/windows/win32/cossdk/applications) | Contains an object for each COM+ application installed on the local computer. |
+| [Components](/windows/win32/cossdk/components) | Contains an object for each component in the application to which it is related. |
+| [ComputerList](/windows/win32/cossdk/computerlist) | Contains a list of the computers found in the Computers folder of the Component Services administration tool. |
+| [DCOMProtocols](/windows/win32/cossdk/dcomprotocols) | Contains a list of the protocols to be used by DCOM. It contains an object for each protocol. |
+| [ErrorInfo](/windows/win32/cossdk/errorinfo) | Retrieves extended error information regarding methods that deal with multiple objects. |
+| [EventClassesForIID](/windows/win32/cossdk/eventclassesforiid) | Retrieves information regarding event classes. |
+| [FilesForImport](/windows/win32/cossdk/filesforimport) | Retrieves information from its MSI file about an application that can be imported. |
+| [InprocServers](/windows/win32/cossdk/inprocservers) | Contains a list of the in-process servers registered with the system. It contains an object for each component. |
+| [InterfacesForComponent](/windows/win32/cossdk/interfacesforcomponent) | Contains an object for each interface exposed by the component to which the collection is related. |
+| [LegacyComponents](/windows/win32/cossdk/legacycomponents) | Contains an object for each unconfigured component in the application to which it is related. |
+| [LegacyServers](/windows/win32/cossdk/legacyservers) | Identical to the [InprocServers](/windows/win32/cossdk/inprocservers) collection except that this collection also includes local servers. |
+| [LocalComputer](/windows/win32/cossdk/localcomputer) | Contains a single object that holds computer level settings information for the computer whose catalog you are accessing. |
+| [MethodsForInterface](/windows/win32/cossdk/methodsforinterface) | Contains an object for each method on the interface to which the collection is related. |
+| [Partitions](/windows/win32/cossdk/partitions) | Used to specify the applications contained in each partition. |
+| [PartitionUsers](/windows/win32/cossdk/partitionusers) | Used to specify the users contained in each partition. |
+| [PropertyInfo](/windows/win32/cossdk/propertyinfo) | Retrieves information about the properties that a specified collection supports. |
+| [PublisherProperties](/windows/win32/cossdk/publisherproperties) | Contains an object for each publisher property for the parent [SubscriptionsForComponent](/windows/win32/cossdk/subscriptionsforcomponent) collection. |
+| [RelatedCollectionInfo](/windows/win32/cossdk/relatedcollectioninfo) | Retrieves information about other collections related to the collection from which it is called. |
+| [Roles](/windows/win32/cossdk/roles) | Contains an object for each role assigned to the application to which it is related. |
+| [RolesForComponent](/windows/win32/cossdk/rolesforcomponent) | Contains an object for each role assigned to the component to which the collection is related. |
+| [RolesForInterface](/windows/win32/cossdk/rolesforinterface) | Contains an object for each role assigned to the interface to which the collection is related. |
+| [RolesForMethod](/windows/win32/cossdk/rolesformethod) | Contains an object for each role assigned to the method to which the collection is related. |
+| [RolesForPartition](/windows/win32/cossdk/rolesforpartition) | Contains an object for each role assigned to the partition to which the collection is related. |
+| [Root](/windows/win32/cossdk/root) | Contains the top-level collections on the catalog. |
+| [SubscriberProperties](/windows/win32/cossdk/subscriberproperties) | Contains an object for each subscriber property for the parent [SubscriptionsForComponent](/windows/win32/cossdk/subscriptionsforcomponent) collection. |
+| [SubscriptionsForComponent](/windows/win32/cossdk/subscriptionsforcomponent) | Contains an object for each subscription for the parent [Components](/windows/win32/cossdk/components) collection. |
+| [TransientPublisherProperties](/windows/win32/cossdk/transientpublisherproperties) | Contains an object for each publisher property for the parent [TransientSubscriptions](/windows/win32/cossdk/transientsubscriptions) collection. |
+| [TransientSubscriberProperties](/windows/win32/cossdk/transientsubscriberproperties) | Contains an object for each subscriber property for the parent [TransientSubscriptions](/windows/win32/cossdk/transientsubscriptions) collection. |
+| [TransientSubscriptions](/windows/win32/cossdk/transientsubscriptions) | Contains an object for each transient subscription. |
+| [UsersInPartitionRole](/windows/win32/cossdk/usersinpartitionrole) | Contains an object for each user in the partition role to which the collection is related. |
+| [UsersInRole](/windows/win32/cossdk/usersinrole) | Contains an object for each user in the role to which the collection is related. |
+| [WOWInprocServers](/windows/win32/cossdk/wowinprocservers) | Contains a list of the in-process servers registered with the system for 32-bit components on 64-bit computers. |
+| [WOWLegacyServers](/windows/win32/cossdk/wowlegacyservers) | Identical to the [LegacyServers](/windows/win32/cossdk/legacyservers) collection except that this collection is drawn from the 32-bit registry on 64-bit computers. |
-- **Object Name** \[Type = UnicodeString\]: object-specific fields with the names and identifiers for the new object. It depends on **COM+ Catalog Collection** value, for example, if **COM+ Catalog Collection** = [Applications](https://msdn.microsoft.com/library/windows/desktop/ms686107(v=vs.85).aspx), then you can find that:
+- **Object Name** \[Type = UnicodeString\]: object-specific fields with the names and identifiers for the new object. It depends on **COM+ Catalog Collection** value, for example, if **COM+ Catalog Collection** = [Applications](/windows/win32/cossdk/applications), then you can find that:
- - **ID** - A GUID representing the application. This property is returned when the [Key](https://msdn.microsoft.com/library/windows/desktop/ms679201(v=vs.85).aspx) property method is called on an object of this collection.
+ - **ID** - A GUID representing the application. This property is returned when the [Key](/windows/win32/api/comadmin/nf-comadmin-icatalogobject-get_key) property method is called on an object of this collection.
- **AppPartitionID** - A GUID representing the application partition ID.
@@ -159,7 +159,4 @@ For 5890(S): An object was added to the COM+ Catalog.
> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
-- If you need to monitor for creation of new COM+ objects within specific COM+ collection, monitor all [5890](event-5890.md) events with the corresponding **COM+ Catalog Collection** field value.
-
-
-
+- If you need to monitor for creation of new COM+ objects within specific COM+ collection, monitor all [5890](event-5890.md) events with the corresponding **COM+ Catalog Collection** field value.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-6145.md b/windows/security/threat-protection/auditing/event-6145.md
index 8b541749d6..b70a0844a2 100644
--- a/windows/security/threat-protection/auditing/event-6145.md
+++ b/windows/security/threat-protection/auditing/event-6145.md
@@ -29,7 +29,7 @@ ms.technology: mde
This event generates every time settings from the “Security Settings” section in the group policy object are applied to a computer with one or more errors. This event generates on the target computer itself.
-This event generates, for example, if the [SID](https://msdn.microsoft.com/library/windows/desktop/aa379571(v=vs.85).aspx) of a security principal which was included in one of the Group Policy settings cannot be resolved or translated to the real account name.
+This event generates, for example, if the [SID](/windows/win32/secauthz/security-identifiers) of a security principal which was included in one of the Group Policy settings cannot be resolved or translated to the real account name.
> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
@@ -90,5 +90,4 @@ For 6145(F): One or more errors occurred while processing security policy in the
- Typically this event has an informational purpose and the reason is configuration errors in Group Policy’s security settings.
-- This event might be used for Group Policy troubleshooting purposes.
-
+- This event might be used for Group Policy troubleshooting purposes.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-6281.md b/windows/security/threat-protection/auditing/event-6281.md
index b4d79cbbdb..e6ec5bea59 100644
--- a/windows/security/threat-protection/auditing/event-6281.md
+++ b/windows/security/threat-protection/auditing/event-6281.md
@@ -23,9 +23,9 @@ ms.technology: mde
The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.
-[Code Integrity](https://technet.microsoft.com/library/dd348642(v=ws.10).aspx) is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it is loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.
+[Code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it is loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.
-This event generates when [code Integrity](https://technet.microsoft.com/library/dd348642(v=ws.10).aspx) determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. This event also generates when signing certificate was revoked. The invalid hashes could indicate a potential disk device error.
+This event generates when [code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. This event also generates when signing certificate was revoked. The invalid hashes could indicate a potential disk device error.
There is no example of this event in this document.
@@ -45,5 +45,4 @@ There is no example of this event in this document.
## Security Monitoring Recommendations
-- We recommend monitoring for this event, especially on high value assets or computers, because it can be a sign of a software or configuration issue, or a malicious action.
-
+- We recommend monitoring for this event, especially on high value assets or computers, because it can be a sign of a software or configuration issue, or a malicious action.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-6400.md b/windows/security/threat-protection/auditing/event-6400.md
index acefc262d9..511aeb3ae9 100644
--- a/windows/security/threat-protection/auditing/event-6400.md
+++ b/windows/security/threat-protection/auditing/event-6400.md
@@ -21,7 +21,7 @@ ms.technology: mde
- Windows Server 2016
-[BranchCache](https://technet.microsoft.com/library/dd425028.aspx) events are outside the scope of this document.
+[BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document.
There is no example of this event in this document.
@@ -41,5 +41,4 @@ There is no example of this event in this document.
## Security Monitoring Recommendations
-- There is no recommendation for this event in this document.
-
+- There is no recommendation for this event in this document.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-6401.md b/windows/security/threat-protection/auditing/event-6401.md
index 1b442d10d9..829c3215c9 100644
--- a/windows/security/threat-protection/auditing/event-6401.md
+++ b/windows/security/threat-protection/auditing/event-6401.md
@@ -21,7 +21,7 @@ ms.technology: mde
- Windows Server 2016
-[BranchCache](https://technet.microsoft.com/library/dd425028.aspx) events are outside the scope of this document.
+[BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document.
There is no example of this event in this document.
@@ -41,5 +41,4 @@ There is no example of this event in this document.
## Security Monitoring Recommendations
-- There is no recommendation for this event in this document.
-
+- There is no recommendation for this event in this document.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-6402.md b/windows/security/threat-protection/auditing/event-6402.md
index 77a10ac4dc..2aee0f9232 100644
--- a/windows/security/threat-protection/auditing/event-6402.md
+++ b/windows/security/threat-protection/auditing/event-6402.md
@@ -21,7 +21,7 @@ ms.technology: mde
- Windows Server 2016
-[BranchCache](https://technet.microsoft.com/library/dd425028.aspx) events are outside the scope of this document.
+[BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document.
There is no example of this event in this document.
@@ -41,5 +41,4 @@ There is no example of this event in this document.
## Security Monitoring Recommendations
-- There is no recommendation for this event in this document.
-
+- There is no recommendation for this event in this document.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-6403.md b/windows/security/threat-protection/auditing/event-6403.md
index d730acb9d3..ec9028c852 100644
--- a/windows/security/threat-protection/auditing/event-6403.md
+++ b/windows/security/threat-protection/auditing/event-6403.md
@@ -21,7 +21,7 @@ ms.technology: mde
- Windows Server 2016
-[BranchCache](https://technet.microsoft.com/library/dd425028.aspx) events are outside the scope of this document.
+[BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document.
There is no example of this event in this document.
@@ -41,5 +41,4 @@ There is no example of this event in this document.
## Security Monitoring Recommendations
-- There is no recommendation for this event in this document.
-
+- There is no recommendation for this event in this document.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-6404.md b/windows/security/threat-protection/auditing/event-6404.md
index 808c8e4264..eaa912b6e3 100644
--- a/windows/security/threat-protection/auditing/event-6404.md
+++ b/windows/security/threat-protection/auditing/event-6404.md
@@ -21,7 +21,7 @@ ms.technology: mde
- Windows Server 2016
-[BranchCache](https://technet.microsoft.com/library/dd425028.aspx) events are outside the scope of this document.
+[BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document.
There is no example of this event in this document.
@@ -43,5 +43,4 @@ There is no example of this event in this document.
## Security Monitoring Recommendations
-- There is no recommendation for this event in this document.
-
+- There is no recommendation for this event in this document.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-6405.md b/windows/security/threat-protection/auditing/event-6405.md
index 2638753673..fc188cce3b 100644
--- a/windows/security/threat-protection/auditing/event-6405.md
+++ b/windows/security/threat-protection/auditing/event-6405.md
@@ -21,7 +21,7 @@ ms.technology: mde
- Windows Server 2016
-[BranchCache](https://technet.microsoft.com/library/dd425028.aspx) events are outside the scope of this document.
+[BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document.
There is no example of this event in this document.
@@ -39,5 +39,4 @@ There is no example of this event in this document.
## Security Monitoring Recommendations
-- There is no recommendation for this event in this document.
-
+- There is no recommendation for this event in this document.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-6406.md b/windows/security/threat-protection/auditing/event-6406.md
index 11cef9058e..689085b2fd 100644
--- a/windows/security/threat-protection/auditing/event-6406.md
+++ b/windows/security/threat-protection/auditing/event-6406.md
@@ -21,7 +21,7 @@ ms.technology: mde
- Windows Server 2016
-[BranchCache](https://technet.microsoft.com/library/dd425028.aspx) events are outside the scope of this document.
+[BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document.
There is no example of this event in this document.
@@ -41,5 +41,4 @@ There is no example of this event in this document.
## Security Monitoring Recommendations
-- There is no recommendation for this event in this document.
-
+- There is no recommendation for this event in this document.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-6407.md b/windows/security/threat-protection/auditing/event-6407.md
index 1e3d0cbd85..3273efaba1 100644
--- a/windows/security/threat-protection/auditing/event-6407.md
+++ b/windows/security/threat-protection/auditing/event-6407.md
@@ -21,7 +21,7 @@ ms.technology: mde
- Windows Server 2016
-[BranchCache](https://technet.microsoft.com/library/dd425028.aspx) events are outside the scope of this document.
+[BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document.
There is no example of this event in this document.
@@ -39,5 +39,4 @@ There is no example of this event in this document.
## Security Monitoring Recommendations
-- There is no recommendation for this event in this document.
-
+- There is no recommendation for this event in this document.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-6408.md b/windows/security/threat-protection/auditing/event-6408.md
index d3bd29901c..7b29a0468c 100644
--- a/windows/security/threat-protection/auditing/event-6408.md
+++ b/windows/security/threat-protection/auditing/event-6408.md
@@ -21,7 +21,7 @@ ms.technology: mde
- Windows Server 2016
-[BranchCache](https://technet.microsoft.com/library/dd425028.aspx) events are outside the scope of this document.
+[BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document.
There is no example of this event in this document.
@@ -39,5 +39,4 @@ There is no example of this event in this document.
## Security Monitoring Recommendations
-- There is no recommendation for this event in this document.
-
+- There is no recommendation for this event in this document.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-6409.md b/windows/security/threat-protection/auditing/event-6409.md
index 97d212be9a..6855ea810d 100644
--- a/windows/security/threat-protection/auditing/event-6409.md
+++ b/windows/security/threat-protection/auditing/event-6409.md
@@ -21,7 +21,7 @@ ms.technology: mde
- Windows Server 2016
-[BranchCache](https://technet.microsoft.com/library/dd425028.aspx) events are outside the scope of this document.
+[BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document.
There is no example of this event in this document.
@@ -41,5 +41,4 @@ There is no example of this event in this document.
## Security Monitoring Recommendations
-- There is no recommendation for this event in this document.
-
+- There is no recommendation for this event in this document.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-6410.md b/windows/security/threat-protection/auditing/event-6410.md
index a8980cfb49..a306a98882 100644
--- a/windows/security/threat-protection/auditing/event-6410.md
+++ b/windows/security/threat-protection/auditing/event-6410.md
@@ -21,9 +21,9 @@ ms.technology: mde
- Windows Server 2016
-[Code Integrity](https://technet.microsoft.com/library/dd348642(v=ws.10).aspx) is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it is loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.
+[Code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it is loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.
-This event generates due to writable [shared sections](https://msdn.microsoft.com/library/windows/desktop/cc307397.aspx) being present in a file image.
+This event generates due to writable [shared sections](/previous-versions/windows/desktop/cc307397(v=msdn.10)) being present in a file image.
There is no example of this event in this document.
@@ -43,7 +43,4 @@ There is no example of this event in this document.
## Security Monitoring Recommendations
-- We recommend monitoring for this event, especially on high value assets or computers, because it can be a sign of a software or configuration issue, or a malicious action.
-
-
-
+- We recommend monitoring for this event, especially on high value assets or computers, because it can be a sign of a software or configuration issue, or a malicious action.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md b/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md
index 5331884d19..3c07a1dae0 100644
--- a/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md
+++ b/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md
@@ -27,7 +27,7 @@ This article for IT professionals describes how to monitor changes to central ac
Central access policies and rules determine access permissions for files on multiple file servers, so it's important to monitor changes to them. Like user claim and device claim definitions, central access policy and rule definitions reside in Active Directory Domain Services (AD DS). You can monitor them just like any other object in Active Directory. These policies and rules are critical elements in a Dynamic Access Control deployment. They are stored in AD DS, so they're less likely to be tampered with than other network objects. But it's important to monitor them for potential changes in security auditing and to verify that policies are being enforced.
-Follow the procedures in this article to configure settings to monitor changes to central access policy and central access rule definitions and to verify the changes. These procedures assume that you've configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you haven't yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (demonstration steps)](https://technet.microsoft.com/library/hh846167.aspx).
+Follow the procedures in this article to configure settings to monitor changes to central access policy and central access rule definitions and to verify the changes. These procedures assume that you've configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you haven't yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (demonstration steps)](/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-).
> [!NOTE]
> Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
@@ -61,4 +61,4 @@ After you configure settings to monitor changes to central access policy and cen
### Related topics
-- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
+- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/monitor-claim-types.md b/windows/security/threat-protection/auditing/monitor-claim-types.md
index 50b89da04a..baf7d9e8a7 100644
--- a/windows/security/threat-protection/auditing/monitor-claim-types.md
+++ b/windows/security/threat-protection/auditing/monitor-claim-types.md
@@ -28,7 +28,7 @@ This topic for the IT professional describes how to monitor changes to claim typ
Claim types are one of the basic building blocks of Dynamic Access Control. Claim types can include attributes such as the departments in an organization or the levels of security clearance that apply to classes of users. You can use security auditing to track whether claims are added, modified, enabled, disabled, or deleted.
Use the following procedures to configure settings to monitor changes to claim types in AD DS. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you have not yet deployed Dynamic
-Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](https://technet.microsoft.com/library/hh846167.aspx).
+Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-).
>**Note:** Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
@@ -59,4 +59,4 @@ After you configure settings to monitor changes to claim types in AD DS, verify
### Related resource
-- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
+- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md b/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md
index 6d433c9bcd..ed4d03037f 100644
--- a/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md
+++ b/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md
@@ -28,7 +28,7 @@ Resource attribute definitions define the basic properties of resource attribute
For information about monitoring changes to the resource attributes that apply to files, see [Monitor the resource attributes on files and folders](monitor-the-resource-attributes-on-files-and-folders.md).
-Use the following procedures to configure settings to monitor changes to resource attribute definitions in AD DS and to verify the changes. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you have not yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](https://technet.microsoft.com/library/hh846167.aspx).
+Use the following procedures to configure settings to monitor changes to resource attribute definitions in AD DS and to verify the changes. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you have not yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-).
>**Note:** Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
@@ -59,4 +59,4 @@ After you configure settings to monitor changes to resource attributes in AD DS
### Related resource
-- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
+- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md
index d1429af0f1..f034f7c0fc 100644
--- a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md
+++ b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md
@@ -29,7 +29,7 @@ This security audit policy and the event that it records are generated when the
For information about monitoring potential central access policy changes for an entire file server, see [Monitor the central access policies that apply on a file server](monitor-the-central-access-policies-that-apply-on-a-file-server.md).
-Use the following procedures to configure settings to monitor central access policies that are associated with files. These procedures assume that you have configured and deployed Dynamic Access Control in your network. For more information about how to configure and deploy Dynamic Access Control, see [Dynamic Access Control: Scenario Overview](https://technet.microsoft.com/library/hh831717.aspx).
+Use the following procedures to configure settings to monitor central access policies that are associated with files. These procedures assume that you have configured and deployed Dynamic Access Control in your network. For more information about how to configure and deploy Dynamic Access Control, see [Dynamic Access Control: Scenario Overview](/windows-server/identity/solution-guides/dynamic-access-control--scenario-overview).
> [!NOTE]
> Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
@@ -76,4 +76,4 @@ After you configure settings to monitor changes to the central access policies t
### Related resource
-- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
+- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md
index 36bd40c78c..12dedf0d60 100644
--- a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md
+++ b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md
@@ -25,7 +25,7 @@ ms.technology: mde
This article describes how to monitor changes to the central access policies (CAPs) that apply to a file server when using advanced security auditing options to monitor dynamic access control objects. CAPs are created on a domain controller and then applied to file servers through Group Policy management.
-Use the following procedures to configure and verify security auditing settings that are used to monitor changes to the set of CAPs on a file server. The following procedures assume that you have configured and deployed dynamic access control, including CAPs and claims, in your network. If you have not yet deployed dynamic access control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](https://technet.microsoft.com/library/hh846167.aspx).
+Use the following procedures to configure and verify security auditing settings that are used to monitor changes to the set of CAPs on a file server. The following procedures assume that you have configured and deployed dynamic access control, including CAPs and claims, in your network. If you have not yet deployed dynamic access control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-).
**To configure settings to monitor changes to central access policies**
@@ -61,4 +61,4 @@ After you modify the CAPs on the domain controller, verify that the changes have
## Related resources
-- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
+- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md b/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md
index 243c686c50..f1676a1640 100644
--- a/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md
+++ b/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md
@@ -31,7 +31,7 @@ If your organization has a carefully thought out authorization configuration for
- Changing the Retention attribute of files that have been marked for retention.
- Changing the Department attribute of files that are marked as belonging to a particular department.
-Use the following procedures to configure settings to monitor changes to resource attributes on files and folders. These procedures assume that have configured and deployed central access policies in your network. For more information about how to configure and deploy central access policies, see [Dynamic Access Control: Scenario Overview](https://technet.microsoft.com/library/hh831717.aspx) .
+Use the following procedures to configure settings to monitor changes to resource attributes on files and folders. These procedures assume that have configured and deployed central access policies in your network. For more information about how to configure and deploy central access policies, see [Dynamic Access Control: Scenario Overview](/windows-server/identity/solution-guides/dynamic-access-control--scenario-overview) .
>**Note:** Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
@@ -61,4 +61,4 @@ After you configure settings to monitor resource attributes on files, verify tha
### Related resource
-- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
+- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md
index ef0df1f2a8..04ac1c7929 100644
--- a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md
+++ b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md
@@ -32,7 +32,7 @@ Use the following procedures to monitor the use of removable storage devices and
Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
> [!NOTE]
-> When a policy to audit removable storage is pushed to a computer, a new [Security Descriptor](https://docs.microsoft.com/windows/win32/secauthz/audit-generation) needs to be applied to all removable storage devices with the audit settings. The [security descriptor for a device](https://docs.microsoft.com/windows-hardware/drivers/kernel/controlling-device-access) can be set up either when the device is installed, or by setting up the [device properties in the registry](https://docs.microsoft.com/windows-hardware/drivers/kernel/setting-device-object-registry-properties-after-installation), which is done by calling a [device installation function](https://docs.microsoft.com/previous-versions/ff541299). This may require the device to restart to apply the new security descriptor.
+> When a policy to audit removable storage is pushed to a computer, a new [Security Descriptor](/windows/win32/secauthz/audit-generation) needs to be applied to all removable storage devices with the audit settings. The [security descriptor for a device](/windows-hardware/drivers/kernel/controlling-device-access) can be set up either when the device is installed, or by setting up the [device properties in the registry](/windows-hardware/drivers/kernel/setting-device-object-registry-properties-after-installation), which is done by calling a [device installation function](/previous-versions/ff541299). This may require the device to restart to apply the new security descriptor.
**To configure settings to monitor removable storage devices**
@@ -66,4 +66,4 @@ After you configure the settings to monitor removable storage devices, use the f
### Related resource
-- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
+- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md b/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md
index 7f14c10bd0..edaf8e590f 100644
--- a/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md
+++ b/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md
@@ -27,7 +27,7 @@ This topic for the IT professional describes how to monitor user and device clai
Device claims are associated with the system that is used to access resources that are protected with Dynamic Access Control. User claims are attributes that are associated with a user. User claims and device claims are included in the user’s security token used at sign-on. For example, information about Department, Company, Project, or Security clearances might be included in the token.
-Use the following procedures to monitor changes to user claims and device claims in the user’s sign-on token and to verify the changes. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you have not yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](https://technet.microsoft.com/library/hh846167.aspx).
+Use the following procedures to monitor changes to user claims and device claims in the user’s sign-on token and to verify the changes. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you have not yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-).
>**Note:** Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
@@ -54,4 +54,4 @@ After you configure settings to monitor user and device claims, verify that the
### Related resource
-- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
+- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md
index 78bb89bc17..068c8792d4 100644
--- a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md
+++ b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md
@@ -153,9 +153,9 @@ Security and auditing requirements and audit event volume can vary considerably
> [!NOTE]
> For more information about auditing:
- > - In Exchange Server, see [Exchange 2010 Security Guide](https://go.microsoft.com/fwlink/p/?linkid=128052).
- > - In SQL Server 2008, see [Auditing (Database Engine)](https://go.microsoft.com/fwlink/p/?LinkId=163434).
- > - In SQL Server 2012, see [SQL Server Audit (Database Engine)](https://technet.microsoft.com/library/cc280386.aspx).
+ > - In Exchange Server, see [Exchange 2010 Security Guide](/previous-versions/office/exchange-server-2010/bb691338(v=exchg.141)).
+ > - In SQL Server 2008, see [Auditing (Database Engine)](/previous-versions/sql/sql-server-2008-r2/cc280526(v=sql.105)).
+ > - In SQL Server 2012, see [SQL Server Audit (Database Engine)](/sql/relational-databases/security/auditing/sql-server-audit-database-engine).
- The operating system versions
@@ -179,7 +179,7 @@ The following table illustrates an analysis of computers in an organization.
Many industries and locales have specific requirements for network operations and how resources are protected. In the health care and financial industries, for example, strict guidelines control who can access records and how the records are used. Many countries have strict privacy rules. To identify regulatory requirements, work with your organization's legal department and other departments responsible for these requirements. Then consider the security configuration and auditing options that you can use to comply with these regulations and verify compliance.
-For more information, see the [System Center Process Pack for IT GRC](https://technet.microsoft.com/library/dd206732.aspx).
+For more information, see the [System Center Process Pack for IT GRC](/previous-versions/tn-archive/dd206732(v=technet.10)).
## Map your security audit policy to groups of users, computers, and resources
@@ -320,7 +320,7 @@ Not all versions of Windows support advanced audit policy settings or the use of
The audit policy settings under **Local Policies\\Audit Policy** overlap with the audit policy settings under **Security Settings\\Advanced Audit Policy Configuration**. However, the advanced audit policy categories and subcategories enable you to focus your auditing efforts on critical activities while reducing the amount of audit data that's less important to your organization.
-For example, **Local Policies\\Audit Policy** contains a single setting called **[Audit account logon events](https://technet.microsoft.com/library/cc787176.aspx)**. When this setting is configured, it generates at least 10 types of audit events.
+For example, **Local Policies\\Audit Policy** contains a single setting called **[Audit account logon events](/previous-versions/windows/it-pro/windows-server-2003/cc787176(v=ws.10))**. When this setting is configured, it generates at least 10 types of audit events.
In comparison, the Account Logon category under **Security Settings\\Advanced Audit Policy Configuration** provides the following advanced settings, which allow you to focus your auditing:
@@ -361,7 +361,7 @@ Configuration\\Administrative Templates\\Windows Components\\Event Log Service\\
- **Retain old events**: This policy setting controls event log behavior when the log file reaches its maximum size. When this policy setting is enabled and a log file reaches its maximum size, new events aren't written to the log and are lost. When this policy setting is disabled and a log file reaches its maximum size, new events overwrite old events.
- **Backup log automatically when full**: This policy setting controls event log behavior when the log file reaches its maximum size. It takes effect only if the **Retain old events** policy setting is enabled. If you enable these policy settings, the event log file is automatically closed and renamed when it's full. A new log file is then started. If you disable or don't configure this policy setting and the **Retain old events** policy setting is enabled, new events are discarded, and the old events are retained.
-Many organizations are now required to store archived log files for a number of years. Consult with regulatory compliance officers in your organization to determine whether such guidelines apply to your organization. For more information, see the [IT Compliance Management Guide](https://go.microsoft.com/fwlink/p/?LinkId=163435).
+Many organizations are now required to store archived log files for a number of years. Consult with regulatory compliance officers in your organization to determine whether such guidelines apply to your organization. For more information, see the [IT Compliance Management Guide](/previous-versions/tn-archive/dd206732(v=technet.10)).
## Deploy the security audit policy
@@ -375,4 +375,4 @@ However, unless you can run fairly realistic simulations of network usage patter
- A limited set of security audit policy settings, such as **Logon/Logoff** and **Account Logon**
- A combination of limited OUs and audit policy settings—for example, targeting servers in only the Accounting OU with **Object Access** policy settings
-After you successfully complete one or more limited deployments, you should confirm that the audit data that's collected is manageable with your management tools and administrators. After you confirm that the pilot deployment is effective, you need to ensure that you have the necessary tools and staff to expand the deployment to include additional OUs and sets of audit policy settings until production deployment is complete.
+After you successfully complete one or more limited deployments, you should confirm that the audit data that's collected is manageable with your management tools and administrators. After you confirm that the pilot deployment is effective, you need to ensure that you have the necessary tools and staff to expand the deployment to include additional OUs and sets of audit policy settings until production deployment is complete.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md b/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md
index 9f9218109c..6e90c989e0 100644
--- a/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md
+++ b/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md
@@ -25,7 +25,7 @@ ms.technology: mde
This guide explains the process of setting up advanced security auditing capabilities that are made possible through settings and events that were introduced in Windows 8 and Windows Server 2012.
-These procedures can be deployed with the advanced security auditing capabilities described in [Deploy Security Auditing with Central Audit Policies (Demonstration Steps)](https://technet.microsoft.com/library/hh831542.aspx).
+These procedures can be deployed with the advanced security auditing capabilities described in [Deploy Security Auditing with Central Audit Policies (Demonstration Steps)](/windows-server/identity/solution-guides/deploy-security-auditing-with-central-audit-policies--demonstration-steps-).
## In this guide
@@ -48,4 +48,4 @@ Domain administrators can create and deploy expression-based security audit poli
## Related topics
-- [Security auditing](security-auditing-overview.md)
+- [Security auditing](security-auditing-overview.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md
index fa3a798839..c1ffec9b59 100644
--- a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md
+++ b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md
@@ -46,7 +46,7 @@ After you turn this feature on, your employees might experience reduced function
- Sending a print job to a remote printer server that uses this feature and where the spooler process hasn’t been specifically excluded. In this situation, any fonts that aren’t already available in the server’s %windir%/Fonts folder won’t be used.
-- Printing using fonts provided by the installed printer’s graphics .dll file, outside of the %windir%/Fonts folder. For more information, see [Introduction to Printer Graphics DLLs](https://go.microsoft.com/fwlink/p/?LinkId=522302).
+- Printing using fonts provided by the installed printer’s graphics .dll file, outside of the %windir%/Fonts folder. For more information, see [Introduction to Printer Graphics DLLs](/windows-hardware/drivers/print/introduction-to-printer-graphics-dlls).
- Using first or third-party apps that use memory-based fonts.
@@ -148,4 +148,4 @@ After you figure out the problematic fonts, you can try to fix your apps in 2 wa
## Related content
-- [Dropping the “Untrusted Font Blocking” setting](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/dropping-the-quot-untrusted-font-blocking-quot-setting/ba-p/701068/)
+- [Dropping the “Untrusted Font Blocking” setting](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/dropping-the-quot-untrusted-font-blocking-quot-setting/ba-p/701068/)
\ No newline at end of file
diff --git a/windows/security/threat-protection/change-history-for-threat-protection.md b/windows/security/threat-protection/change-history-for-threat-protection.md
deleted file mode 100644
index a1091576a5..0000000000
--- a/windows/security/threat-protection/change-history-for-threat-protection.md
+++ /dev/null
@@ -1,27 +0,0 @@
----
-title: "Change history for [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)"
-ms.reviewer:
-ms.author: dansimp
-description: This topic lists new and updated topics in the Defender for Endpoint content set.
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: dulcemontemayor
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.localizationpriority: medium
-ms.technology: mde
----
-
-# Change history for threat protection
-This topic lists new and updated topics in the [Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) documentation.
-
-## August 2018
-
-New or changed topic | Description
----------------------|------------
-[Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) | Reorganized Windows 10 security topics to reflect the Defender for Endpoint platform.
-
diff --git a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
deleted file mode 100644
index 1c2d45ad8e..0000000000
--- a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
+++ /dev/null
@@ -1,331 +0,0 @@
----
-title: How to control USB devices and other removable media using Intune (Windows 10)
-description: You can configure Intune settings to reduce threats from removable storage such as USB devices.
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-ms.author: dansimp
-author: dansimp
-ms.reviewer: dansimp
-manager: dansimp
-audience: ITPro
-ms.technology: mde
----
-
-# How to control USB devices and other removable media using Microsoft Defender for Endpoint
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Microsoft recommends [a layered approach to securing removable media](https://aka.ms/devicecontrolblog), and Microsoft Defender for Endpoint provides multiple monitoring and control features to help prevent threats in unauthorized peripherals from compromising your devices:
-
-1. [Discover plug and play connected events for peripherals in Microsoft Defender for Endpoint advanced hunting](#discover-plug-and-play-connected-events). Identify or investigate suspicious usage activity.
-
-2. Configure to allow or block only certain removable devices and prevent threats.
- 1. [Allow or block removable devices](#allow-or-block-removable-devices) based on granular configuration to deny write access to removable disks and approve or deny devices by using USB device IDs. Flexible policy assignment of device installation settings based on an individual or group of Azure Active Directory (Azure AD) users and devices.
-
- 2. [Prevent threats from removable storage](#prevent-threats-from-removable-storage) introduced by removable storage devices by enabling:
- - Microsoft Defender Antivirus real-time protection (RTP) to scan removable storage for malware.
- - The Attack Surface Reduction (ASR) USB rule to block untrusted and unsigned processes that run from USB.
- - Direct Memory Access (DMA) protection settings to mitigate DMA attacks, including Kernel DMA Protection for Thunderbolt and blocking DMA until a user signs in.
-3. [Create customized alerts and response actions](#create-customized-alerts-and-response-actions) to monitor usage of removable devices based on these plug and play events or any other Microsoft Defender for Endpoint events with [custom detection rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules).
-
-4. [Respond to threats](#respond-to-threats) from peripherals in real-time based on properties reported by each peripheral.
-
->[!Note]
->These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For example, on Windows 10 devices you can configure [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) and [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure), which will encrypt company data even if it is stored on a personal device, or use the [Storage/RemovableDiskDenyWriteAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-storage#storage-removablediskdenywriteaccess) to deny write access to removable disks. Additionally, you can [classify and protect files on Windows devices](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview) (including their mounted USB devices) by using Microsoft Defender for Endpoint and Azure Information Protection.
-
-## Discover plug and play connected events
-
-You can view plug and play connected events in Microsoft Defender for Endpoint advanced hunting to identify suspicious usage activity or perform internal investigations.
-For examples of Defender for Endpoint advanced hunting queries, see the [Microsoft Defender for Endpoint hunting queries GitHub repo](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries).
-
-Sample Power BI report templates are available for Microsoft Defender for Endpoint that you can use for Advanced hunting queries. With these sample templates, including one for device control, you can integrate the power of Advanced hunting into Power BI. See the [GitHub repository for PowerBI templates](https://github.com/microsoft/MDATP-PowerBI-Templates) for more information. See [Create custom reports using Power BI](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/api-power-bi) to learn more about Power BI integration.
-
-## Allow or block removable devices
-The following table describes the ways Microsoft Defender for Endpoint can allow or block removable devices based on granular configuration.
-
-| Control | Description |
-|----------|-------------|
-| [Restrict USB drives and other peripherals](#restrict-usb-drives-and-other-peripherals) | You can allow/prevent users to install only the USB drives and other peripherals included on a list of authorized/unauthorized devices or device types. |
-| [Block installation and usage of removable storage](#block-installation-and-usage-of-removable-storage) | You can't install or use removable storage. |
-| [Allow installation and usage of specifically approved peripherals](#allow-installation-and-usage-of-specifically-approved-peripherals) | You can only install and use approved peripherals that report specific properties in their firmware. |
-| [Prevent installation of specifically prohibited peripherals](#prevent-installation-of-specifically-prohibited-peripherals) | You can't install or use prohibited peripherals that report specific properties in their firmware. |
-| [Allow installation and usage of specifically approved peripherals with matching device instance IDs](#allow-installation-and-usage-of-specifically-approved-peripherals-with-matching-device-instance-ids) | You can only install and use approved peripherals that match any of these device instance IDs. |
-| [Prevent installation and usage of specifically prohibited peripherals with matching device instance IDs](#prevent-installation-and-usage-of-specifically-prohibited-peripherals-with-matching-device-instance-ids) | You can't install or use prohibited peripherals that match any of these device instance IDs. |
-| [Limit services that use Bluetooth](#limit-services-that-use-bluetooth) | You can limit the services that can use Bluetooth. |
-| [Use Microsoft Defender for Endpoint baseline settings](#use-microsoft-defender-for-endpoint-baseline-settings) | You can set the recommended configuration for ATP by using the Defender for Endpoint security baseline. |
-
-### Restrict USB drives and other peripherals
-
-To prevent malware infections or data loss, an organization may restrict USB drives and other peripherals. The following table describes the ways Microsoft Defender for Endpoint can help prevent installation and usage of USB drives and other peripherals.
-
-| Control | Description
-|----------|-------------|
-| [Allow installation and usage of USB drives and other peripherals](#allow-installation-and-usage-of-usb-drives-and-other-peripherals) | Allow users to install only the USB drives and other peripherals included on a list of authorized devices or device types |
-| [Prevent installation and usage of USB drives and other peripherals](#prevent-installation-and-usage-of-usb-drives-and-other-peripherals) | Prevent users from installing USB drives and other peripherals included on a list of unauthorized devices and device types |
-
-All of the above controls can be set through the Intune [Administrative Templates](https://docs.microsoft.com/intune/administrative-templates-windows). The relevant policies are located here in the Intune Administrator Templates:
-
-
-
->[!Note]
->Using Intune, you can apply device configuration policies to Azure AD user and/or device groups.
-The above policies can also be set through the [Device Installation CSP settings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation) and the [Device Installation GPOs](https://docs.microsoft.com/previous-versions/dotnet/articles/bb530324(v=msdn.10)).
-
-> [!Note]
-> Always test and refine these settings with a pilot group of users and devices first before applying them in production.
-For more information about controlling USB devices, see the [Microsoft Defender for Endpoint blog](https://www.microsoft.com/security/blog/2018/12/19/windows-defender-atp-has-protections-for-usb-and-removable-devices/).
-
-#### Allow installation and usage of USB drives and other peripherals
-
-One way to approach allowing installation and usage of USB drives and other peripherals is to start by allowing everything. Afterwards, you can start reducing the allowable USB drivers and other peripherals.
-
->[!Note]
->Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them.
-
-1. Enable **Prevent installation of devices not described by other policy settings** to all users.
-2. Enable **Allow installation of devices using drivers that match these device setup classes** for all [device setup classes](https://docs.microsoft.com/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors).
-
-To enforce the policy for already installed devices, apply the prevent policies that have this setting.
-
-When configuring the allow device installation policy, you must allow all parent attributes as well. You can view the parents of a device by opening Device Manager and view by connection.
-
-
-
-In this example, the following classes needed to be added: HID, Keyboard, and {36fc9e60-c465-11cf-8056-444553540000}. See [Microsoft-provided USB drivers](https://docs.microsoft.com/windows-hardware/drivers/usbcon/supported-usb-classes) for more information.
-
-
-
-If you want to restrict to certain devices, remove the device setup class of the peripheral that you want to limit. Then add the device ID that you want to add. Device ID is based on the vendor ID and product ID values for a device. For information on device ID formats, see [Standard USB Identifiers](https://docs.microsoft.com/windows-hardware/drivers/install/standard-usb-identifiers).
-
-To find the device IDs, see [Look up device ID](#look-up-device-id).
-
-For example:
-
-1. Remove class USBDevice from the **Allow installation of devices using drivers that match these device setup**.
-2. Add the device ID to allow in the **Allow installation of device that match any of these device IDs**.
-
-
-#### Prevent installation and usage of USB drives and other peripherals
-
-If you want to prevent the installation of a device class or certain devices, you can use the prevent device installation policies:
-
-1. Enable **Prevent installation of devices that match any of these device IDs** and add these devices to the list.
-2. Enable **Prevent installation of devices using drivers that match these device setup classes**.
-
-> [!Note]
-> The prevent device installation policies take precedence over the allow device installation policies.
-
-The **Prevent installation of devices that match any of these device IDs** policy allows you to specify a list of devices that Windows is prevented from installing.
-
-To prevent installation of devices that match any of these device IDs:
-
-1. [Look up device ID](#look-up-device-id) for devices that you want Windows to prevent from installing.
-
-2. Enable **Prevent installation of devices that match any of these device IDs** and add the vendor or product IDs to the list.
-
-
-#### Look up device ID
-You can use Device Manager to look up a device ID.
-
-1. Open Device Manager.
-2. Click **View** and select **Devices by connection**.
-3. From the tree, right-click the device and select **Properties**.
-4. In the dialog box for the selected device, click the **Details** tab.
-5. Click the **Property** drop-down list and select **Hardware Ids**.
-6. Right-click the top ID value and select **Copy**.
-
-For information about Device ID formats, see [Standard USB Identifiers](https://docs.microsoft.com/windows-hardware/drivers/install/standard-usb-identifiers).
-
-For information on vendor IDs, see [USB members](https://www.usb.org/members).
-
-The following is an example for looking up a device vendor ID or product ID (which is part of the device ID) using PowerShell:
-``` PowerShell
-Get-WMIObject -Class Win32_DiskDrive |
-Select-Object -Property *
-```
-
-The **Prevent installation of devices using drivers that match these device setup classes** policy allows you to specify device setup classes that Windows is prevented from installing.
-
-To prevent installation of particular classes of devices:
-
-1. Find the GUID of the device setup class from [System-Defined Device Setup Classes Available to Vendors](https://docs.microsoft.com/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors).
-2. Enable **Prevent installation of devices using drivers that match these device setup classes** and add the class GUID to the list.
-
-
-### Block installation and usage of removable storage
-
-1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/).
-2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**.
-
- 
-
-3. Use the following settings:
-
- - Name: Type a name for the profile
- - Description: Type a description
- - Platform: Windows 10 and later
- - Profile type: Device restrictions
-
- 
-
-4. Click **Configure** > **General**.
-
-5. For **Removable storage** and **USB connection (mobile only)**, choose **Block**. **Removable storage** includes USB drives, whereas **USB connection (mobile only)** excludes USB charging but includes other USB connections on mobile devices only.
-
- 
-
-6. Click **OK** to close **General** settings and **Device restrictions**.
-
-7. Click **Create** to save the profile.
-
-### Allow installation and usage of specifically approved peripherals
-
-Peripherals that are allowed to be installed can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks and allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
-
-For a SyncML example that allows installation of specific device IDs, see [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-allowinstallationofmatchingdeviceids). To allow specific device classes, see [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-allowinstallationofmatchingdevicesetupclasses).
-Allowing installation of specific devices requires also enabling [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofdevicesnotdescribedbyotherpolicysettings).
-
-### Prevent installation of specifically prohibited peripherals
-
-Microsoft Defender for Endpoint blocks installation and usage of prohibited peripherals by using either of these options:
-
-- [Administrative Templates](https://docs.microsoft.com/intune/administrative-templates-windows) can block any device with a matching hardware ID or setup class.
-- [Device Installation CSP settings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation) with a custom profile in Intune. You can [prevent installation of specific device IDs](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdeviceids) or [prevent specific device classes](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdevicesetupclasses).
-
-### Allow installation and usage of specifically approved peripherals with matching device instance IDs
-
-Peripherals that are allowed to be installed can be specified by their [device instance IDs](https://docs.microsoft.com/windows-hardware/drivers/install/device-instance-ids). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
-
-You can allow installation and usage of approved peripherals with matching device instance IDs by configuring [DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-allowinstallationofmatchingdeviceinstanceids) policy setting.
-
-### Prevent installation and usage of specifically prohibited peripherals with matching device instance IDs
-
-Peripherals that are prohibited to be installed can be specified by their [device instance IDs](https://docs.microsoft.com/windows-hardware/drivers/install/device-instance-ids). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
-
-You can prevent installation of the prohibited peripherals with matching device instance IDs by configuring [DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdeviceinstanceids) policy setting.
-
-### Limit services that use Bluetooth
-
-Using Intune, you can limit the services that can use Bluetooth through the ["Bluetooth allowed services"](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-bluetooth#servicesallowedlist-usage-guide). The default state of "Bluetooth allowed services" settings means everything is allowed. As soon as a service is added, that becomes the allowed list. If the customer adds the Keyboards and Mice values, and doesn’t add the file transfer GUIDs, file transfer should be blocked.
-
-
-
-### Use Microsoft Defender for Endpoint baseline settings
-
-The Microsoft Defender for Endpoint baseline settings represent the recommended configuration for ATP. Configuration settings for baseline are located in the edit profile page of the configuration settings.
-
-
-
-## Prevent threats from removable storage
-
-Removable storage devices can introduce additional security risk to your organization. Microsoft Defender for Endpoint can help identify and block malicious files on removable storage devices.
-
-Microsoft Defender for Endpoint can also prevent USB peripherals from being used on devices to help prevent external threats. It does this by using the properties reported by USB peripherals to determine whether or not they can be installed and used on the device.
-
-Note that if you block USB devices or any other device classes using the device installation policies, connected devices, such as phones, can still charge.
-
->[!NOTE]
->Always test and refine these settings with a pilot group of users and devices first before widely distributing to your organization.
-
-The following table describes the ways Microsoft Defender for Endpoint can help prevent threats from removable storage.
-
-For more information about controlling USB devices, see the [Microsoft Defender for Endpoint blog](https://aka.ms/devicecontrolblog).
-
-| Control | Description |
-|----------|-------------|
-| [Enable Microsoft Defender Antivirus Scanning](#enable-microsoft-defender-antivirus-scanning) | Enable Microsoft Defender Antivirus scanning for real-time protection or scheduled scans.|
-| [Block untrusted and unsigned processes on USB peripherals](#block-untrusted-and-unsigned-processes-on-usb-peripherals) | Block USB files that are unsigned or untrusted. |
-| [Protect against Direct Memory Access (DMA) attacks](#protect-against-direct-memory-access-dma-attacks) | Configure settings to protect against DMA attacks. |
-
->[!NOTE]
->Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them.
-
-### Enable Microsoft Defender Antivirus Scanning
-
-Protecting authorized removable storage with Microsoft Defender Antivirus requires [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) or scheduling scans and configuring removable drives for scans.
-
-- If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives. You can optionally [run a PowerShell script to perform a custom scan](https://aka.ms/scanusb) of a USB drive after it is mounted, so that Microsoft Defender Antivirus starts scanning all files on a removable device once the removable device is attached. However, we recommend enabling real-time protection for improved scanning performance, especially for large storage devices.
-- If scheduled scans are used, then you need to disable the DisableRemovableDriveScanning setting (enabled by default) to scan the removable device during a full scan. Removable devices are scanned during a quick or custom scan regardless of the DisableRemovableDriveScanning setting.
-
->[!NOTE]
->We recommend enabling real-time monitoring for scanning. In Intune, you can enable real-time monitoring for Windows 10 in **Device Restrictions** > **Configure** > **Microsoft Defender Antivirus** > **Real-time monitoring**.
-
-
-
-### Block untrusted and unsigned processes on USB peripherals
-
-End-users might plug in removable devices that are infected with malware.
-To prevent infections, a company can block USB files that are unsigned or untrusted.
-Alternatively, companies can leverage the audit feature of [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard) to monitor the activity of untrusted and unsigned processes that execute on a USB peripheral.
-This can be done by setting **Untrusted and unsigned processes that run from USB** to either **Block** or **Audit only**, respectively.
-With this rule, admins can prevent or audit unsigned or untrusted executable files from running from USB removable drives, including SD cards.
-Affected file types include executable files (such as .exe, .dll, or .scr) and script files such as a PowerShell (.ps), VisualBasic (.vbs), or JavaScript (.js) files.
-
-These settings require [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus).
-
-1. Sign in to the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/).
-2. Click **Devices** > **Windows** > **Configuration Policies** > **Create profile**.
-
-3. Use the following settings:
- - Platform: Windows 10 and later
- - Profile type: Device restrictions
- 
-4. Click **Create**.
-5. For **Unsigned and untrusted processes that run from USB**, choose **Block**.
- 
-6. Click **OK** to close settings and **Device restrictions**.
-
-### Protect against Direct Memory Access (DMA) attacks
-
-DMA attacks can lead to disclosure of sensitive information residing on a PC, or even injection of malware that allows attackers to bypass the lock screen or control PCs remotely. The following settings help to prevent DMA attacks:
-
-1. Beginning with Windows 10 version 1803, Microsoft introduced [Kernel DMA Protection for Thunderbolt](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) to provide native protection against DMA attacks via Thunderbolt ports. Kernel DMA Protection for Thunderbolt is enabled by system manufacturers and cannot be turned on or off by users.
-
- Beginning with Windows 10 version 1809, you can adjust the level of Kernel DMA Protection by configuring the [DMA Guard CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-deviceenumerationpolicy). This is an additional control for peripherals that don't support device memory isolation (also known as DMA-remapping). Memory isolation allows the OS to leverage the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access, by the peripheral (memory sandboxing). In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it.
-
- Peripherals that support device memory isolation can always connect. Peripherals that don't can be blocked, allowed, or allowed only after the user signs in (default).
-
-2. On Windows 10 systems that do not support Kernel DMA Protection, you can:
-
- - [Block DMA until a user signs in](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dataprotection#dataprotection-allowdirectmemoryaccess)
- - [Block all connections via the Thunderbolt ports (including USB devices)](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d)
-
-## Create customized alerts and response actions
-
-You can create custom alerts and response actions with the WDATP Connector and the custom detection rules:
-
-**Wdatp Connector response Actions:**
-
-**Investigate:** Initiate investigations, collect investigation package, and isolate a machine.
-
-**Threat Scanning** on USB devices.
-
-**Restrict execution of all applications** on the machine except a predefined set
-MDATP connector is one of over 200 pre-defined connectors including Outlook, Teams, Slack, etc. Custom connectors can be built.
-- [More information on WDATP Connector Response Actions](https://docs.microsoft.com/connectors/wdatp/)
-
-**Custom Detection Rules Response Action:**
-Both machine and file level actions can be applied.
-- [More information on Custom Detection Rules Response Actions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules)
-
-For information on device control related advance hunting events and examples on how to create custom alerts, see [Advanced hunting updates: USB events, machine-level actions, and schema changes](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Advanced-hunting-updates-USB-events-machine-level-actions-and/ba-p/824152).
-
-## Respond to threats
-
-You can create custom alerts and automatic response actions with the [Microsoft Defender for Endpoint Custom Detection Rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules). Response actions within the custom detection cover both machine and file level actions. You can also create alerts and automatic response actions using [PowerApps](https://powerapps.microsoft.com/) and [Flow](https://flow.microsoft.com/) with the [Microsoft Defender for Endpoint connector](https://docs.microsoft.com/connectors/wdatp/). The connector supports actions for investigation, threat scanning, and restricting running applications. It is one of over 200 pre-defined connectors including Outlook, Teams, Slack, and more. Custom connectors can also be built. See [Connectors](https://docs.microsoft.com/connectors/) to learn more about connectors.
-
-For example, using either approach, you can automatically have the Microsoft Defender Antivirus run when a USB device is mounted onto a machine.
-
-## Related topics
-
-- [Configure real-time protection for Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus)
-- [Defender/AllowFullScanRemovableDriveScanning](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-allowfullscanremovabledrivescanning)
-- [Policy/DeviceInstallation CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation)
-- [Perform a custom scan of a removable device](https://aka.ms/scanusb)
-- [Device Control PowerBI Template for custom reporting](https://github.com/microsoft/MDATP-PowerBI-Templates)
-- [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview)
-- [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure)
diff --git a/windows/security/threat-protection/device-control/device-control-report.md b/windows/security/threat-protection/device-control/device-control-report.md
deleted file mode 100644
index 2c35de2163..0000000000
--- a/windows/security/threat-protection/device-control/device-control-report.md
+++ /dev/null
@@ -1,74 +0,0 @@
----
-title: Protect your organization’s data with device control
-description: Monitor your organization's data security through device control reports.
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-ms.author: v-ajupudi
-author: alluthewriter
-ms.reviewer: dansimp
-manager: dansimp
-audience: ITPro
-ms.technology: mde
----
-# Protect your organization’s data with device control
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Microsoft Defender for Endpoint device control protects against data loss, by monitoring and controlling media use by devices in your organization, such as the use of removable storage devices and USB drives.
-
-With the device control report, you can view events that relate to media usage, such as:
-
-- **Audit events:** Shows the number of audit events that occur when external media is connected.
-- **Policy events:** Shows the number of policy events that occur when a device control policy is triggered.
-
-> [!NOTE]
-> The audit event to track media usage is enabled by default for devices onboarded to Microsoft Defender for Endpoint.
-
-## Understanding the audit events
-
-The audit events include:
-
-- **USB drive mount and unmount:** Audit events that are generated when a USB drive is mounted or unmounted.
-- **PnP:** Plug and Play audit events are generated when removable storage, a printer, or Bluetooth media is connected.
-
-## Monitor device control security
-
-Device control in Microsoft Defender for Endpoint empowers security administrators with tools that enable them to track their organization’s device control security through reports. You can find the device control report in the Microsoft 365 security center by going to **Reports > Device protection**.
-
-The Device protection card on the **Reports** dashboard shows the number of audit events generated by media type, over the last 180 days.
-
-> [!div class="mx-imgBorder"]
-> 
-
-The **View details** button shows more media usage data in the **device control report** page.
-
-The page provides a dashboard with aggregated number of events per type and a list of events. Administrators can filter on time range, media class name, and device ID.
-
-> [!div class="mx-imgBorder"]
-> 
-
-When you select an event, a flyout appears that shows you more information:
-
-- **General details:** Date, Action mode, and the policy of this event.
-- **Media information:** Media information includes Media name, Class name, Class GUID, Device ID, Vendor ID, Volume, Serial number, and Bus type.
-- **Location details:** Device name and MDATP device ID.
-
-> [!div class="mx-imgBorder"]
-> 
-
-To see real-time activity for this media across the organization, select the **Open Advanced hunting** button. This includes an embedded, pre-defined query.
-
-> [!div class="mx-imgBorder"]
-> 
-
-To see the security of the device, select the **Open device page** button on the flyout. This button opens the device entity page.
-
-> [!div class="mx-imgBorder"]
-> 
-
-## Reporting delays
-
-The device control report can have a 12-hour delay from the time a media connection occurs to the time the event is reflected in the card or in the domain list.
diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
index 1c2019f4f1..0628013832 100644
--- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
@@ -4,8 +4,8 @@ description: This article explains the steps to opt in to using HVCI on Windows
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.localizationpriority: medium
-ms.author: ellevin
-author: levinec
+ms.author: dansimp
+author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
@@ -48,7 +48,7 @@ HVCI is labeled **Memory integrity** in the Windows Security app and it can be a
### Enable HVCI using Intune
-Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp).
+Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP](/windows/client-management/mdm/applocker-csp).
### Enable HVCI using Group Policy
@@ -270,7 +270,7 @@ A. If a device driver fails to load or crashes at runtime, you may be able to up
B. If you experience software or device malfunction after using the above procedure to turn on HVCI, but you are able to log in to Windows, you can turn off HVCI by renaming or deleting the SIPolicy.p7b file from the file location in step 3 above and then restart your device.
-C. If you experience a critical error during boot or your system is unstable after using the above procedure to turn on HVCI, you can recover using the Windows Recovery Environment (Windows RE). To boot to Windows RE, see [Windows RE Technical Reference](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference). After logging in to Windows RE, you can turn off HVCI by renaming or deleting the SIPolicy.p7b file from the file location in step 3 above and then restart your device.
+C. If you experience a critical error during boot or your system is unstable after using the above procedure to turn on HVCI, you can recover using the Windows Recovery Environment (Windows RE). To boot to Windows RE, see [Windows RE Technical Reference](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference). After logging in to Windows RE, you can turn off HVCI by renaming or deleting the SIPolicy.p7b file from the file location in step 3 above and then restart your device.
## How to turn off HVCI
@@ -294,6 +294,6 @@ Set-VMSecurity -VMName
plus **extended page tables** | These hardware features are required for VBS:
One of the following virtualization extensions:
• VT-x (Intel) or
• AMD-V
And:
• Extended page tables, also called Second Level Address Translation (SLAT). | VBS provides isolation of the secure kernel from the normal operating system. Vulnerabilities and zero-days in the normal operating system cannot be exploited because of this isolation. |
-| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
-| Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
-| Software: **HVCI compatible drivers** | See the Filter.Driver.DeviceGuard.DriverCompatibility requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Filter driver download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. |
+| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
+| Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
+| Software: **HVCI compatible drivers** | See the Filter.Driver.DeviceGuard.DriverCompatibility requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Filter driver download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies). | [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. |
| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Pro, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise
| Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. |
> **Important** The following tables list additional qualifications for improved security. You can use Windows Defender Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that Windows Defender Device Guard can provide.
@@ -63,7 +63,7 @@ The following tables describe additional hardware and firmware qualifications, a
| Protections for Improved Security | Description | Security benefits |
|---------------------------------------------|----------------------------------------------------|-----|
-| Firmware: **Hardware Rooted Trust Platform Secure Boot** | • Boot Integrity (Platform Secure Boot) must be supported. See the System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies).
Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.
• The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See [Hardware Security Testability Specification](https://docs.microsoft.com/windows-hardware/test/hlk/testref/hardware-security-testability-specification). | • Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
• HSTI 1.1.a provides additional security assurance for correctly secured silicon and platform. |
+| Firmware: **Hardware Rooted Trust Platform Secure Boot** | • Boot Integrity (Platform Secure Boot) must be supported. See the System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies).
• The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See [Hardware Security Testability Specification](/windows-hardware/test/hlk/testref/hardware-security-testability-specification). | • Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
• HSTI 1.1.a provides additional security assurance for correctly secured silicon and platform. |
| Firmware: **Firmware Update through Windows Update** | Firmware must support field updates through Windows Update and UEFI encapsulation update. | Helps ensure that firmware updates are fast, secure, and reliable. |
| Firmware: **Securing Boot Configuration and Management** | • Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
• Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.| • Enterprises can choose to allow proprietary EFI drivers/applications to run.
• Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
@@ -75,5 +75,4 @@ The following tables describe additional hardware and firmware qualifications, a
| Protections for Improved Security | Description | Security benefits |
|---------------------------------------------|----------------------------------------------------|------|
| Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.
• UEFI runtime service must meet these requirements:
• Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
• PE sections need to be page-aligned in memory (not required for in non-volitile storage).
• The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
• All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
• No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.
• This only applies to UEFI runtime service memory, and not UEFI boot service memory.
• This protection is applied by VBS on OS page tables.
Please also note the following:
• Do not use sections that are both writeable and executable
• Do not attempt to directly modify executable system memory
• Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware. |
-| Firmware: **Firmware support for SMM protection** | The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.| • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware.
• Blocks additional security attacks against SMM. |
-
+| Firmware: **Firmware support for SMM protection** | The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.| • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware.
• Blocks additional security attacks against SMM. |
\ No newline at end of file
diff --git a/windows/security/threat-protection/fips-140-validation.md b/windows/security/threat-protection/fips-140-validation.md
index 7be719b91a..cbcb5ff098 100644
--- a/windows/security/threat-protection/fips-140-validation.md
+++ b/windows/security/threat-protection/fips-140-validation.md
@@ -45,7 +45,7 @@ Each of the cryptographic modules has a defined security policy that must be met
### Step 3: Enable the FIPS security policy
-Windows provides the security policy setting, *System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing*. This setting is used by some Microsoft products to determine whether to run in FIPS mode. When this policy is turned on, the validated cryptographic modules in Windows will also operate in FIPS mode. This policy may be set using Local Security Policy, as part of Group Policy, or through a Modern Device Management (MDM) solution. For more information on the policy, see [System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing](https://docs.microsoft.com/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing).
+Windows provides the security policy setting, *System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing*. This setting is used by some Microsoft products to determine whether to run in FIPS mode. When this policy is turned on, the validated cryptographic modules in Windows will also operate in FIPS mode. This policy may be set using Local Security Policy, as part of Group Policy, or through a Modern Device Management (MDM) solution. For more information on the policy, see [System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing](./security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md).
### Step 4: Ensure that only FIPS validated cryptographic algorithms are used
@@ -7346,4 +7346,4 @@ fips@microsoft.com
* [FIPS 140-2, Security Requirements for Cryptographic Modules](http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf))
* [Cryptographic Module Validation Program (CMVP) FAQ](http://csrc.nist.gov/groups/stm/cmvp/documents/cmvpfaq.pdf)
* [SP 800-57 - Recommendation for Key Management – Part 1: General (Revised)](https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final)
-* [SP 800-131A - Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths](http://csrc.nist.gov/publications/nistpubs/800-131a/sp800-131a.pdf)
+* [SP 800-131A - Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths](http://csrc.nist.gov/publications/nistpubs/800-131a/sp800-131a.pdf)
\ No newline at end of file
diff --git a/windows/security/threat-protection/get-support-for-security-baselines.md b/windows/security/threat-protection/get-support-for-security-baselines.md
index c6c0883e58..6b37a5a6a1 100644
--- a/windows/security/threat-protection/get-support-for-security-baselines.md
+++ b/windows/security/threat-protection/get-support-for-security-baselines.md
@@ -22,13 +22,13 @@ ms.technology: mde
The Security Compliance Manager (SCM) is now retired and is no longer supported. The reason is that SCM was an incredibly complex and large program that needed to be updated for every Windows release. It has been replaced by the Security Compliance Toolkit (SCT). To provide a better service for our customers, we have moved to SCT with which we can publish baselines through the Microsoft Download Center in a lightweight .zip file that contains GPO backups, GPO reports, Excel spreadsheets, WMI filters, and scripts to apply the settings to local policy.
-More information about this change can be found on the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2017/06/15/security-compliance-manager-scm-retired-new-tools-and-procedures/).
+More information about this change can be found on the [Microsoft Security Guidance blog](/archive/blogs/secguide/security-compliance-manager-scm-retired-new-tools-and-procedures).
**Where can I get an older version of a Windows baseline?**
Any version of Windows baseline before Windows 10 1703 can still be downloaded using SCM. Any future versions of Windows baseline will be available through SCT. See the version matrix in this article to see if your version of Windows baseline is available on SCT.
-- [SCM 4.0 Download](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)
+- [SCM 4.0 Download](/previous-versions/tn-archive/cc936627(v=technet.10))
- [SCM Frequently Asked Questions (FAQ)](https://social.technet.microsoft.com/wiki/contents/articles/1836.microsoft-security-compliance-manager-scm-frequently-asked-questions-faq.aspx)
- [SCM Release Notes](https://social.technet.microsoft.com/wiki/contents/articles/1864.microsoft-security-compliance-manager-scm-release-notes.aspx)
- [SCM baseline download help](https://social.technet.microsoft.com/wiki/contents/articles/1865.microsoft-security-compliance-manager-scm-baseline-download-help.aspx)
@@ -57,12 +57,12 @@ No. SCM supported only SCAP 1.0, which was not updated as SCAP evolved. The new
| Name | Build | Baseline Release Date | Security Tools |
|---|---|---|---|
-|Windows 10 | [1709 (RS3)](https://blogs.technet.microsoft.com/secguide/2017/09/27/security-baseline-for-windows-10-fall-creators-update-v1709-draft/)
@@ -70,13 +70,13 @@ Windows 7 |[7601 (SP1)](https://technet.microsoft.com/library/ee712767.aspx)| Oc
| Name | Build | Baseline Release Date | Security Tools |
|---|---|---|---|
-|Windows Server 2016 | [SecGuide](https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016/) |October 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-|Windows Server 2012 R2|[SecGuide](https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016/)|August 2014 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319)|
-|Windows Server 2012|[Technet](https://technet.microsoft.com/library/jj898542.aspx) |2012| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
-Windows Server 2008 R2 |[SP1](https://technet.microsoft.com/library/gg236605.aspx)|2009 | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
-| Windows Server 2008 |[SP2](https://technet.microsoft.com/library/cc514539.aspx)| 2008 | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
-|Windows Server 2003 R2|[Technet](https://technet.microsoft.com/library/cc163140.aspx)| 2003 | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
-|Windows Server 2003|[Technet](https://technet.microsoft.com/library/cc163140.aspx)|2003|[SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
+|Windows Server 2016 | [SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) |October 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+|Windows Server 2012 R2|[SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016)|August 2014 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319)|
+|Windows Server 2012|[Technet](/previous-versions/tn-archive/jj898542(v=technet.10)) |2012| [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
+Windows Server 2008 R2 |[SP1](/previous-versions/tn-archive/gg236605(v=technet.10))|2009 | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
+| Windows Server 2008 |[SP2](/previous-versions/tn-archive/cc514539(v=technet.10))| 2008 | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
+|Windows Server 2003 R2|[Technet](/previous-versions/tn-archive/cc163140(v=technet.10))| 2003 | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10))|
+|Windows Server 2003|[Technet](/previous-versions/tn-archive/cc163140(v=technet.10))|2003|[SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10))|
@@ -85,14 +85,14 @@ Windows Server 2008 R2 |[SP1](https://technet.microsoft.com/library/gg236605.asp
| Name | Details | Security Tools |
|---------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------|
-| Internet Explorer 11 | [SecGuide](https://blogs.technet.microsoft.com/secguide/2014/08/13/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final/) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-| Internet Explorer 10 | [Technet](https://technet.microsoft.com/library/jj898540.aspx) | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
-| Internet Explorer 9 | [Technet](https://technet.microsoft.com/library/hh539027.aspx) | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
-| Internet Explorer 8 | [Technet](https://technet.microsoft.com/library/ee712766.aspx) | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
-| Exchange Server 2010 | [Technet](https://technet.microsoft.com/library/hh913521.aspx) | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
-| Exchange Server 2007 | [Technet](https://technet.microsoft.com/library/hh913520.aspx) | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
-| Microsoft Office 2010 | [Technet](https://technet.microsoft.com/library/gg288965.aspx) | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
-| Microsoft Office 2007 SP2 | [Technet](https://technet.microsoft.com/library/cc500475.aspx) | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
+| Internet Explorer 11 | [SecGuide](/archive/blogs/secguide/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+| Internet Explorer 10 | [Technet](/previous-versions/tn-archive/jj898540(v=technet.10)) | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
+| Internet Explorer 9 | [Technet](/previous-versions/tn-archive/hh539027(v=technet.10)) | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
+| Internet Explorer 8 | [Technet](/previous-versions/tn-archive/ee712766(v=technet.10)) | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
+| Exchange Server 2010 | [Technet](/previous-versions/tn-archive/hh913521(v=technet.10)) | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
+| Exchange Server 2007 | [Technet](/previous-versions/tn-archive/hh913520(v=technet.10)) | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
+| Microsoft Office 2010 | [Technet](/previous-versions/tn-archive/gg288965(v=technet.10)) | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
+| Microsoft Office 2007 SP2 | [Technet](/previous-versions/tn-archive/cc500475(v=technet.10)) | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
@@ -101,4 +101,4 @@ Windows Server 2008 R2 |[SP1](https://technet.microsoft.com/library/gg236605.asp
## See also
-[Windows security baselines](windows-security-baselines.md)
+[Windows security baselines](windows-security-baselines.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index 80d1cc5846..f299d99657 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -20,16 +20,16 @@ ms.technology: mde
# Threat Protection
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+- [Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-defender)
-[Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Defender for Endpoint protects endpoints from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves security posture.
+[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Defender for Endpoint protects endpoints from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves security posture.
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
> [!TIP]
-> Enable your users to access cloud services and on-premises applications with ease and enable modern management capabilities for all devices. For more information, see [Secure your remote workforce](https://docs.microsoft.com/enterprise-mobility-security/remote-work/).
+> Enable your users to access cloud services and on-premises applications with ease and enable modern management capabilities for all devices. For more information, see [Secure your remote workforce](/enterprise-mobility-security/remote-work/).
Microsoft Defender for Endpoint
@@ -56,87 +56,86 @@ ms.technology: mde
>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4obJq]
-**[Threat & vulnerability management](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)**
+**[Threat & vulnerability management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)**
This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
-- [Threat & vulnerability management overview](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)
-- [Get started](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/tvm-prerequisites)
-- [Access your security posture](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/tvm-dashboard-insights)
-- [Improve your security posture and reduce risk](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/tvm-security-recommendation)
-- [Understand vulnerabilities on your devices](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/tvm-software-inventory)
+- [Threat & vulnerability management overview](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)
+- [Get started](/microsoft-365/security/defender-endpoint/tvm-prerequisites)
+- [Access your security posture](/microsoft-365/security/defender-endpoint/tvm-dashboard-insights)
+- [Improve your security posture and reduce risk](/microsoft-365/security/defender-endpoint/tvm-security-recommendation)
+- [Understand vulnerabilities on your devices](/microsoft-365/security/defender-endpoint/tvm-software-inventory)
-**[Attack surface reduction](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**
+**[Attack surface reduction](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**
The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitation.
-- [Hardware based isolation](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/overview-hardware-based-isolation)
+- [Hardware based isolation](/microsoft-365/security/defender-endpoint/overview-hardware-based-isolation)
- [Application control](windows-defender-application-control/windows-defender-application-control.md)
- [Device control](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
-- [Exploit protection](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/exploit-protection)
-- [Network protection](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/network-protection), [web protection](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview)
-- [Controlled folder access](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/controlled-folders)
+- [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)
+- [Network protection](/microsoft-365/security/defender-endpoint/network-protection), [web protection](/microsoft-365/security/defender-endpoint/web-protection-overview)
+- [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)
- [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md)
-- [Attack surface reduction rules](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction)
+- [Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction)
-**[Next-generation protection](microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md)**
+**[Next-generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10)**
To further reinforce the security perimeter of your network, Microsoft Defender for Endpoint uses next-generation protection designed to catch all types of emerging threats.
-- [Behavior monitoring](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus)
-- [Cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus)
-- [Machine learning](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus)
-- [URL Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus)
-- [Automated sandbox service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus)
+- [Behavior monitoring](/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus)
+- [Cloud-based protection](/microsoft-365/security/defender-endpoint/configure-protection-features-microsoft-defender-antivirus)
+- [Machine learning](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus)
+- [URL Protection](/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus)
+- [Automated sandbox service](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus)
-**[Endpoint detection and response](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response)**
+**[Endpoint detection and response](/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response)**
Endpoint detection and response capabilities are put in place to detect, investigate, and respond to intrusion attempts and active breaches. With Advanced hunting, you have a query-based threat-hunting tool that lets your proactively find breaches and create custom detections.
-- [Alerts](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/alerts-queue)
-- [Historical endpoint data](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/investigate-machines#timeline)
-- [Response orchestration](microsoft-defender-atp/response-actions.md)
-- [Forensic collection](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices)
-- [Threat intelligence](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/threat-indicator-concepts)
-- [Advanced detonation and analysis service](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/respond-file-alerts#deep-analysis)
-- [Advanced hunting](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/advanced-hunting-overview)
- - [Custom detections](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/overview-custom-detections)
+- [Alerts](/microsoft-365/security/defender-endpoint/alerts-queue)
+- [Historical endpoint data](/microsoft-365/security/defender-endpoint/investigate-machines#timeline)
+- [Response orchestration](/microsoft-365/security/defender-endpoint/respond-machine-alerts)
+- [Forensic collection](/microsoft-365/security/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices)
+- [Threat intelligence](/microsoft-365/security/defender-endpoint/threat-indicator-concepts)
+- [Advanced detonation and analysis service](/microsoft-365/security/defender-endpoint/respond-file-alerts#deep-analysis)
+- [Advanced hunting](/microsoft-365/security/defender-endpoint/advanced-hunting-overview)
+ - [Custom detections](/microsoft-365/security/defender-endpoint/overview-custom-detections)
-**[Automated investigation and remediation](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations)**
+**[Automated investigation and remediation](/microsoft-365/security/defender-endpoint/automated-investigations)**
In addition to quickly responding to advanced attacks, Microsoft Defender for Endpoint offers automated investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
-- [Get an overview of automated investigation and remediation](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations)
-- [Learn about automation levels](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/automation-levels)
-- [Configure automated investigation and remediation in Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-automated-investigations-remediation)
-- [Visit the Action center to see remediation actions](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/auto-investigation-action-center)
-- [Review remediation actions following an automated investigation](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/manage-auto-investigation)
-- [View the details and results of an automated investigation](microsoft-defender-atp/autoir-investigation-results.md)
+- [Get an overview of automated investigation and remediation](/microsoft-365/security/defender-endpoint/automated-investigations)
+- [Learn about automation levels](/microsoft-365/security/defender-endpoint/automation-levels)
+- [Configure automated investigation and remediation in Defender for Endpoint](/microsoft-365/security/defender-endpoint/configure-automated-investigations-remediation)
+- [Visit the Action center to see remediation actions](/microsoft-365/security/defender-endpoint/auto-investigation-action-center)
+- [Review remediation actions following an automated investigation](/microsoft-365/security/defender-endpoint/manage-auto-investigation)
-**[Microsoft Threat Experts](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-threat-experts)**
+**[Microsoft Threat Experts](/microsoft-365/security/defender-endpoint/microsoft-threat-experts)**
Microsoft Defender for Endpoint's new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights. Microsoft Threat Experts further empowers Security Operation Centers (SOCs) to identify and respond to threats quickly and accurately.
-- [Targeted attack notification](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-threat-experts)
-- [Experts-on-demand](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-threat-experts)
-- [Configure your Microsoft 365 Defender managed hunting service](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-microsoft-threat-experts)
+- [Targeted attack notification](/microsoft-365/security/defender-endpoint/microsoft-threat-experts)
+- [Experts-on-demand](/microsoft-365/security/defender-endpoint/microsoft-threat-experts)
+- [Configure your Microsoft 365 Defender managed hunting service](/microsoft-365/security/defender-endpoint/configure-microsoft-threat-experts)
-**[Centralized configuration and administration, APIs](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/management-apis)**
+**[Centralized configuration and administration, APIs](/microsoft-365/security/defender-endpoint/management-apis)**
Integrate Microsoft Defender for Endpoint into your existing workflows.
-- [Onboarding](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/onboard-configure)
-- [API and SIEM integration](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-siem)
-- [Exposed APIs](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/apis-intro)
-- [Role-based access control (RBAC)](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/rbac)
-- [Reporting and trends](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/threat-protection-reports)
+- [Onboarding](/microsoft-365/security/defender-endpoint/onboard-configure)
+- [API and SIEM integration](/microsoft-365/security/defender-endpoint/configure-siem)
+- [Exposed APIs](/microsoft-365/security/defender-endpoint/apis-intro)
+- [Role-based access control (RBAC)](/microsoft-365/security/defender-endpoint/rbac)
+- [Reporting and trends](/microsoft-365/security/defender-endpoint/threat-protection-reports)
-**[Integration with Microsoft solutions](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/threat-protection-integration)**
+**[Integration with Microsoft solutions](/microsoft-365/security/defender-endpoint/threat-protection-integration)**
Microsoft Defender for Endpoint directly integrates with various Microsoft solutions, including:
- Intune
- Microsoft Defender for Office 365
@@ -146,5 +145,5 @@ Integrate Microsoft Defender for Endpoint into your existing workflows.
- Microsoft Cloud App Security
-**[Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)**
- With Microsoft 365 Defender, Microsoft Defender for Endpoint and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate, and automatically respond to sophisticated attacks.
+**[Microsoft 365 Defender](/microsoft-365/security/mtp/microsoft-threat-protection)**
+ With Microsoft 365 Defender, Microsoft Defender for Endpoint and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate, and automatically respond to sophisticated attacks.
\ No newline at end of file
diff --git a/windows/security/threat-protection/intelligence/TOC.md b/windows/security/threat-protection/intelligence/TOC.md
deleted file mode 100644
index 9919f7d8d2..0000000000
--- a/windows/security/threat-protection/intelligence/TOC.md
+++ /dev/null
@@ -1,55 +0,0 @@
-# [Security intelligence](index.md)
-
-## [Understand malware & other threats](understanding-malware.md)
-
-### [Coin miners](coinminer-malware.md)
-
-### [Exploits and exploit kits](exploits-malware.md)
-
-### [Fileless threats](fileless-threats.md)
-
-### [Macro malware](macro-malware.md)
-
-### [Phishing attacks](phishing.md)
-
-#### [Phishing trends and techniques](phishing-trends.md)
-
-### [Ransomware](ransomware-malware.md)
-
-### [Rootkits](rootkits-malware.md)
-
-### [Supply chain attacks](supply-chain-malware.md)
-
-### [Tech support scams](support-scams.md)
-
-### [Trojans](trojans-malware.md)
-
-### [Unwanted software](unwanted-software.md)
-
-### [Worms](worms-malware.md)
-
-## [Prevent malware infection](prevent-malware-infection.md)
-
-## [Malware naming convention](malware-naming.md)
-
-## [How Microsoft identifies malware and PUA](criteria.md)
-
-## [Submit files for analysis](submission-guide.md)
-
-## [Troubleshoot malware submission](portal-submission-troubleshooting.md)
-
-## [Safety Scanner download](safety-scanner-download.md)
-
-## [Industry collaboration programs](cybersecurity-industry-partners.md)
-
-### [Virus information alliance](virus-information-alliance-criteria.md)
-
-### [Microsoft virus initiative](virus-initiative-criteria.md)
-
-### [Coordinated malware eradication](coordinated-malware-eradication.md)
-
-## [Information for developers]()
-
-### [Software developer FAQ](developer-faq.md)
-
-### [Software developer resources](developer-resources.md)
diff --git a/windows/security/threat-protection/intelligence/TOC.yml b/windows/security/threat-protection/intelligence/TOC.yml
new file mode 100644
index 0000000000..6c1f372f77
--- /dev/null
+++ b/windows/security/threat-protection/intelligence/TOC.yml
@@ -0,0 +1,60 @@
+- name: Security intelligence
+ href: index.md
+ items:
+ - name: Understand malware & other threats
+ href: understanding-malware.md
+ items:
+ - name: Coin miners
+ href: coinminer-malware.md
+ - name: Exploits and exploit kits
+ href: exploits-malware.md
+ - name: Fileless threats
+ href: fileless-threats.md
+ - name: Macro malware
+ href: macro-malware.md
+ - name: Phishing attacks
+ href: phishing.md
+ items:
+ - name: Phishing trends and techniques
+ href: phishing-trends.md
+ - name: Ransomware
+ href: ransomware-malware.md
+ - name: Rootkits
+ href: rootkits-malware.md
+ - name: Supply chain attacks
+ href: supply-chain-malware.md
+ - name: Tech support scams
+ href: support-scams.md
+ - name: Trojans
+ href: trojans-malware.md
+ - name: Unwanted software
+ href: unwanted-software.md
+ - name: Worms
+ href: worms-malware.md
+ - name: Prevent malware infection
+ href: prevent-malware-infection.md
+ - name: Malware naming convention
+ href: malware-naming.md
+ - name: How Microsoft identifies malware and PUA
+ href: criteria.md
+ - name: Submit files for analysis
+ href: submission-guide.md
+ - name: Troubleshoot malware submission
+ href: portal-submission-troubleshooting.md
+ - name: Safety Scanner download
+ href: safety-scanner-download.md
+ - name: Industry collaboration programs
+ href: cybersecurity-industry-partners.md
+ items:
+ - name: Virus information alliance
+ href: virus-information-alliance-criteria.md
+ - name: Microsoft virus initiative
+ href: virus-initiative-criteria.md
+ - name: Coordinated malware eradication
+ href: coordinated-malware-eradication.md
+ - name: Information for developers
+ items:
+ - name: Software developer FAQ
+ href: developer-faq.md
+ - name: Software developer resources
+ href: developer-resources.md
diff --git a/windows/security/threat-protection/intelligence/coinminer-malware.md b/windows/security/threat-protection/intelligence/coinminer-malware.md
index aa36031971..2f9e582a64 100644
--- a/windows/security/threat-protection/intelligence/coinminer-malware.md
+++ b/windows/security/threat-protection/intelligence/coinminer-malware.md
@@ -7,8 +7,8 @@ ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: ellevin
-author: levinec
+ms.author: dansimp
+author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
diff --git a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md
index 47e4ffb819..6e6173e36d 100644
--- a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md
+++ b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md
@@ -7,8 +7,8 @@ ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: ellevin
-author: levinec
+ms.author: dansimp
+author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
diff --git a/windows/security/threat-protection/intelligence/criteria.md b/windows/security/threat-protection/intelligence/criteria.md
index 0c75b48120..8f05e1c296 100644
--- a/windows/security/threat-protection/intelligence/criteria.md
+++ b/windows/security/threat-protection/intelligence/criteria.md
@@ -7,8 +7,8 @@ ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: ellevin
-author: levinec
+ms.author: dansimp
+author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
@@ -164,7 +164,7 @@ Microsoft maintains a worldwide network of analysts and intelligence systems whe
## Potentially unwanted application (PUA)
-Our PUA protection aims to safeguard user productivity and ensure enjoyable Windows experiences. This protection helps deliver more productive, performant, and delightful Windows experiences. For instruction on how to enable PUA protection in Chromium-based Microsoft Edge and Microsoft Defender Antivirus, see [Detect and block potentially unwanted applications](../microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md).
+Our PUA protection aims to safeguard user productivity and ensure enjoyable Windows experiences. This protection helps deliver more productive, performant, and delightful Windows experiences. For instruction on how to enable PUA protection in Chromium-based Microsoft Edge and Microsoft Defender Antivirus, see [Detect and block potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus).
*PUAs are not considered malware.*
diff --git a/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md b/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md
index fec4892d00..6df748d442 100644
--- a/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md
+++ b/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md
@@ -7,8 +7,8 @@ ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: ellevin
-author: levinec
+ms.author: dansimp
+author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
diff --git a/windows/security/threat-protection/intelligence/developer-faq.md b/windows/security/threat-protection/intelligence/developer-faq.md
index 5f91ef4a1f..73ca4ec48c 100644
--- a/windows/security/threat-protection/intelligence/developer-faq.md
+++ b/windows/security/threat-protection/intelligence/developer-faq.md
@@ -8,8 +8,8 @@ ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: ellevin
-author: levinec
+ms.author: dansimp
+author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
@@ -44,8 +44,8 @@ It contains instructions to offer a program classified as unwanted software. You
## Why is the Windows Defender Firewall blocking my program?
-Firewall blocks aren't related to Microsoft Defender Antivirus and other Microsoft antimalware. [Learn about Windows Defender Firewall](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security).
+Firewall blocks aren't related to Microsoft Defender Antivirus and other Microsoft antimalware. [Learn about Windows Defender Firewall](../windows-firewall/windows-firewall-with-advanced-security.md).
## Why does the Microsoft Defender Windows Defender SmartScreen say my program isn't commonly downloaded?
-This isn't related to Microsoft Defender Antivirus and other Microsoft antimalware. [Learn about Microsoft Defender Windows Defender SmartScreen](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)
+This isn't related to Microsoft Defender Antivirus and other Microsoft antimalware. [Learn about Microsoft Defender Windows Defender SmartScreen](../microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/intelligence/developer-resources.md b/windows/security/threat-protection/intelligence/developer-resources.md
index 9c99065431..659eaad25b 100644
--- a/windows/security/threat-protection/intelligence/developer-resources.md
+++ b/windows/security/threat-protection/intelligence/developer-resources.md
@@ -9,8 +9,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
ms.pagetype: security
-ms.author: ellevin
-author: levinec
+ms.author: dansimp
+author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
@@ -41,4 +41,4 @@ Find more guidance about the file submission and detection dispute process in ou
### Scan your software
-Use [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) to check your software against the latest Security intelligence and cloud protection from Microsoft.
+Use [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) to check your software against the latest Security intelligence and cloud protection from Microsoft.
\ No newline at end of file
diff --git a/windows/security/threat-protection/intelligence/exploits-malware.md b/windows/security/threat-protection/intelligence/exploits-malware.md
index c7a418d55c..3a88ecaf55 100644
--- a/windows/security/threat-protection/intelligence/exploits-malware.md
+++ b/windows/security/threat-protection/intelligence/exploits-malware.md
@@ -7,8 +7,8 @@ ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: ellevin
-author: levinec
+ms.author: dansimp
+author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
diff --git a/windows/security/threat-protection/intelligence/fileless-threats.md b/windows/security/threat-protection/intelligence/fileless-threats.md
index a120169e13..39371c3da0 100644
--- a/windows/security/threat-protection/intelligence/fileless-threats.md
+++ b/windows/security/threat-protection/intelligence/fileless-threats.md
@@ -7,8 +7,8 @@ ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: ellevin
-author: levinec
+ms.author: dansimp
+author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
@@ -91,7 +91,7 @@ Besides being vulnerable at the firmware level, CPUs could be manufactured with
**File-based** (Type III: executables, DLLs, LNK files, scheduled tasks): This is the standard execution vector. A simple executable can be launched as a first-stage malware to run an additional payload in memory, or injected into other legitimate running processes.
-**Macro-based** (Type III: Office documents): The [VBA language](https://msdn.microsoft.com/vba/office-shared-vba/articles/getting-started-with-vba-in-office) is a flexible and powerful tool designed to automate editing tasks and add dynamic functionality to documents. As such, it can be abused by attackers to carry out malicious operations like decoding, running, or injecting an executable payload, or even implementing an entire ransomware, like in [the case of qkG](https://blog.trendmicro.com/trendlabs-security-intelligence/qkg-filecoder-self-replicating-document-encrypting-ransomware/). Macros are executed within the context of an Office process (e.g., Winword.exe) and implemented in a scripting language. There's no binary executable that an antivirus can inspect. While Office apps require explicit consent from the user to execute macros from a document, attackers use social engineering techniques to trick users into allowing macros to execute.
+**Macro-based** (Type III: Office documents): The [VBA language](/office/vba/Library-Reference/Concepts/getting-started-with-vba-in-office) is a flexible and powerful tool designed to automate editing tasks and add dynamic functionality to documents. As such, it can be abused by attackers to carry out malicious operations like decoding, running, or injecting an executable payload, or even implementing an entire ransomware, like in [the case of qkG](https://blog.trendmicro.com/trendlabs-security-intelligence/qkg-filecoder-self-replicating-document-encrypting-ransomware/). Macros are executed within the context of an Office process (e.g., Winword.exe) and implemented in a scripting language. There's no binary executable that an antivirus can inspect. While Office apps require explicit consent from the user to execute macros from a document, attackers use social engineering techniques to trick users into allowing macros to execute.
**Script-based** (Type II: file, service, registry, WMI repo, shell): The JavaScript, VBScript, and PowerShell scripting languages are available by default on Windows platforms. Scripts have the same advantages as macros, they are textual files (not binary executables) and run within the context of the interpreter (like wscript.exe, powershell.exe), which is a clean and legitimate component. Scripts are versatile and can be run from a file (by double-clicking them) or executed directly on the command line of an interpreter. Running on the command line allows malware to encode malicious scripts as autostart services inside [autorun registry keys](https://www.gdatasoftware.com/blog/2014/07/23947-poweliks-the-persistent-malware-without-a-file) as [WMI event subscriptions](https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html) from the WMI repo. Furthermore, an attacker who has gained access to an infected machine may input the script on the command prompt.
@@ -102,3 +102,7 @@ Besides being vulnerable at the firmware level, CPUs could be manufactured with
At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions to mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, Microsoft Defender for Endpoint](https://www.microsoft.com/windowsforbusiness?ocid=docs-fileless) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats.
To learn more, read: [Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/27/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av/)
+
+## Additional resources and information
+
+Learn how to [deploy threat protection capabilities across Microsoft 365 E5](/microsoft-365/solutions/deploy-threat-protection).
diff --git a/windows/security/threat-protection/intelligence/images/WormUSB_flight.png b/windows/security/threat-protection/intelligence/images/WormUSB-flight.png
similarity index 100%
rename from windows/security/threat-protection/intelligence/images/WormUSB_flight.png
rename to windows/security/threat-protection/intelligence/images/WormUSB-flight.png
diff --git a/windows/security/threat-protection/intelligence/index.md b/windows/security/threat-protection/intelligence/index.md
index 819ce7f08a..7fce4cc28d 100644
--- a/windows/security/threat-protection/intelligence/index.md
+++ b/windows/security/threat-protection/intelligence/index.md
@@ -6,8 +6,8 @@ ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: ellevin
-author: levinec
+ms.author: dansimp
+author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
@@ -27,4 +27,4 @@ Here you will find information about different types of malware, safety tips on
Keep up with the latest malware news and research. Check out our [Microsoft Security blogs](https://www.microsoft.com/security/blog/product/windows/) and follow us on [Twitter](https://twitter.com/wdsecurity) for the latest news, discoveries, and protections.
-Learn more about [Windows security](https://docs.microsoft.com/windows/security/index).
\ No newline at end of file
+Learn more about [Windows security](../../index.yml).
\ No newline at end of file
diff --git a/windows/security/threat-protection/intelligence/macro-malware.md b/windows/security/threat-protection/intelligence/macro-malware.md
index 6faec90f87..9c57408a5d 100644
--- a/windows/security/threat-protection/intelligence/macro-malware.md
+++ b/windows/security/threat-protection/intelligence/macro-malware.md
@@ -7,8 +7,8 @@ ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: ellevin
-author: levinec
+ms.author: dansimp
+author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
@@ -44,8 +44,8 @@ We've seen macro malware download threats from the following families:
* Delete any emails from unknown people or with suspicious content. Spam emails are the main way macro malware spreads.
-* Enterprises can prevent macro malware from running executable content using [ASR rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
+* Enterprises can prevent macro malware from running executable content using [ASR rules](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
For more tips on protecting yourself from suspicious emails, see [phishing](phishing.md).
-For more general tips, see [prevent malware infection](prevent-malware-infection.md).
+For more general tips, see [prevent malware infection](prevent-malware-infection.md).
\ No newline at end of file
diff --git a/windows/security/threat-protection/intelligence/malware-naming.md b/windows/security/threat-protection/intelligence/malware-naming.md
index abd3753a03..ef4a133061 100644
--- a/windows/security/threat-protection/intelligence/malware-naming.md
+++ b/windows/security/threat-protection/intelligence/malware-naming.md
@@ -7,8 +7,8 @@ ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: ellevin
-author: levinec
+ms.author: dansimp
+author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
diff --git a/windows/security/threat-protection/intelligence/phishing-trends.md b/windows/security/threat-protection/intelligence/phishing-trends.md
index d8cd025a74..9645672acd 100644
--- a/windows/security/threat-protection/intelligence/phishing-trends.md
+++ b/windows/security/threat-protection/intelligence/phishing-trends.md
@@ -7,8 +7,8 @@ ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: ellevin
-author: levinec
+ms.author: dansimp
+author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
diff --git a/windows/security/threat-protection/intelligence/phishing.md b/windows/security/threat-protection/intelligence/phishing.md
index 20bf7cc3fd..55d1b756ed 100644
--- a/windows/security/threat-protection/intelligence/phishing.md
+++ b/windows/security/threat-protection/intelligence/phishing.md
@@ -7,8 +7,8 @@ ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: ellevin
-author: levinec
+ms.author: dansimp
+author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
@@ -61,7 +61,7 @@ If in doubt, contact the business by known channels to verify if any suspicious
## Software solutions for organizations
-* [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/index) and [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) offer protection from the increasing threat of targeted attacks using Microsoft's industry-leading Hyper-V virtualization technology. If a browsed website is deemed untrusted, the Hyper-V container will isolate that device from the rest of your network thereby preventing access to your enterprise data.
+* [Microsoft Edge](/microsoft-edge/deploy/index) and [Windows Defender Application Guard](../microsoft-defender-application-guard/md-app-guard-overview.md) offer protection from the increasing threat of targeted attacks using Microsoft's industry-leading Hyper-V virtualization technology. If a browsed website is deemed untrusted, the Hyper-V container will isolate that device from the rest of your network thereby preventing access to your enterprise data.
* [Microsoft Exchange Online Protection (EOP)](https://products.office.com/exchange/exchange-email-security-spam-protection) offers enterprise-class reliability and protection against spam and malware, while maintaining access to email during and after emergencies. Using various layers of filtering, EOP can provide different controls for spam filtering, such as bulk mail controls and international spam, that will further enhance your protection services.
@@ -85,7 +85,7 @@ If you feel you've been a victim of a phishing attack:
- Junk: junk@office365.microsoft.com
- Phishing: phish@office365.microsoft.com
- Drag and drop the junk or phishing message into the new message. This will save the junk or phishing message as an attachment in the new message. Don't copy and paste the content of the message or forward the message (we need the original message so we can inspect the message headers). For more information, see [Submit spam, non-spam, and phishing scam messages to Microsoft for analysis](https://docs.microsoft.com/office365/SecurityCompliance/submit-spam-non-spam-and-phishing-scam-messages-to-microsoft-for-analysis).
+ Drag and drop the junk or phishing message into the new message. This will save the junk or phishing message as an attachment in the new message. Don't copy and paste the content of the message or forward the message (we need the original message so we can inspect the message headers). For more information, see [Submit spam, non-spam, and phishing scam messages to Microsoft for analysis](/office365/SecurityCompliance/submit-spam-non-spam-and-phishing-scam-messages-to-microsoft-for-analysis).
- **Anti-Phishing Working Group**: phishing-report@us-cert.gov. The group uses reports generated from emails sent to fight phishing scams and hackers. ISPs, security vendors, financial institutions, and law enforcement agencies are involved.
@@ -99,4 +99,4 @@ If you feel you've been a victim of a phishing attack:
- [Protect yourself from phishing](https://support.microsoft.com/help/4033787/windows-protect-yourself-from-phishing)
- [Phishing trends](phishing-trends.md)
-- [Microsoft e-book on preventing social engineering attacks](https://info.microsoft.com/Protectyourweakestlink.html?ls=social), especially in enterprise environments.
+- [Microsoft e-book on preventing social engineering attacks](https://info.microsoft.com/Protectyourweakestlink.html?ls=social), especially in enterprise environments.
\ No newline at end of file
diff --git a/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md b/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md
index e84f8e37a8..00eafc82ce 100644
--- a/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md
+++ b/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md
@@ -45,7 +45,7 @@ Azure Active Directory admins will need to allow for users to request admin cons
-More information is available in [Configure Admin consent workflow](https://docs.microsoft.com/azure/active-directory/manage-apps/configure-admin-consent-workflow).
+More information is available in [Configure Admin consent workflow](/azure/active-directory/manage-apps/configure-admin-consent-workflow).
Once this setting is verified, users can go through the enterprise customer sign-in at [Microsoft security intelligence](https://www.microsoft.com/wdsi/filesubmission), and submit a request for admin consent, including justification.
@@ -87,4 +87,4 @@ and select **delete**.
6. Sign in to [Microsoft security intelligence](https://www.microsoft.com/wdsi/filesubmission) as an enterprise user with a non-admin account to see if you have access.
- If the warning is not resolved after following these troubleshooting steps, call Microsoft support.
+ If the warning is not resolved after following these troubleshooting steps, call Microsoft support.
\ No newline at end of file
diff --git a/windows/security/threat-protection/intelligence/prevent-malware-infection.md b/windows/security/threat-protection/intelligence/prevent-malware-infection.md
index 03eb9157aa..4b3b38c797 100644
--- a/windows/security/threat-protection/intelligence/prevent-malware-infection.md
+++ b/windows/security/threat-protection/intelligence/prevent-malware-infection.md
@@ -7,8 +7,8 @@ ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: ellevin
-author: levinec
+ms.author: dansimp
+author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
@@ -66,7 +66,7 @@ Only use removable drives that you are familiar with or that come from a trusted
At the time they are launched, whether inadvertently by a user or automatically, most malware run under the same privileges as the active user. This means that by limiting account privileges, you can prevent malware from making consequential changes any devices.
-By default, Windows uses [User Account Control (UAC)](https://docs.microsoft.com/windows/security/identity-protection/user-account-control/user-account-control-overview) to provide automatic, granular control of privileges—it temporarily restricts privileges and prompts the active user every time an application attempts to make potentially consequential changes to the system. Although UAC helps limit the privileges of admin users, users can override this restriction when prompted. As a result, it is quite easy for an admin user to inadvertently allow malware to run.
+By default, Windows uses [User Account Control (UAC)](../../identity-protection/user-account-control/user-account-control-overview.md) to provide automatic, granular control of privileges—it temporarily restricts privileges and prompts the active user every time an application attempts to make potentially consequential changes to the system. Although UAC helps limit the privileges of admin users, users can override this restriction when prompted. As a result, it is quite easy for an admin user to inadvertently allow malware to run.
To help ensure that everyday activities do not result in malware infection and other potentially catastrophic changes, it is recommended that you use a non-administrator account for regular use. By using a non-administrator account, you can prevent installation of unauthorized apps and prevent inadvertent changes to system settings. Avoid browsing the web or checking email using an account with administrator privileges.
@@ -94,23 +94,23 @@ Microsoft provides comprehensive security capabilities that help protect against
* [Automatic Microsoft updates](https://support.microsoft.com/help/12373/windows-update-faq) keeps software up to date to get the latest protections.
-* [Controlled folder access](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/enable-controlled-folders) stops ransomware in its tracks by preventing unauthorized access to your important files. Controlled folder access locks down folders, allowing only authorized apps to access files. Unauthorized apps, including ransomware and other malicious executable files, DLLs, and scripts are denied access.
+* [Controlled folder access](/microsoft-365/security/defender-endpoint/enable-controlled-folders) stops ransomware in its tracks by preventing unauthorized access to your important files. Controlled folder access locks down folders, allowing only authorized apps to access files. Unauthorized apps, including ransomware and other malicious executable files, DLLs, and scripts are denied access.
-* [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/index) browser protects against threats such as ransomware by preventing exploit kits from running. By using [Windows Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/index), Microsoft Edge blocks access to malicious websites.
+* [Microsoft Edge](/microsoft-edge/deploy/index) browser protects against threats such as ransomware by preventing exploit kits from running. By using [Windows Defender SmartScreen](/microsoft-edge/deploy/index), Microsoft Edge blocks access to malicious websites.
* [Microsoft Exchange Online Protection (EOP)](https://products.office.com/exchange/exchange-email-security-spam-protection) offers enterprise-class reliability and protection against spam and malware, while maintaining access to email during and after emergencies.
* [Microsoft Safety Scanner](safety-scanner-download.md) helps remove malicious software from computers. NOTE: This tool does not replace your antimalware product.
-* [Microsoft 365](https://docs.microsoft.com/microsoft-365/enterprise/) includes Office 365, Windows 10, and Enterprise Mobility + Security. These resources power productivity while providing intelligent security across users, devices, and data.
+* [Microsoft 365](/microsoft-365/enterprise/) includes Office 365, Windows 10, and Enterprise Mobility + Security. These resources power productivity while providing intelligent security across users, devices, and data.
-* [Microsoft Defender for Office 365](https://docs.microsoft.com/office365/servicedescriptions/office-365-advanced-threat-protection-service-description) includes machine learning capabilities that block dangerous emails, including millions of emails carrying ransomware downloaders.
+* [Microsoft Defender for Office 365](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description) includes machine learning capabilities that block dangerous emails, including millions of emails carrying ransomware downloaders.
* [OneDrive for Business](https://support.office.com/article/restore-a-previous-version-of-a-file-in-onedrive-159cad6d-d76e-4981-88ef-de6e96c93893?ui=en-US&rs=en-US&ad=US) can back up files, which you would then use to restore files in the event of an infection.
-* [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) provides comprehensive endpoint protection, detection, and response capabilities to help prevent ransomware. In the event of a breach, Microsoft Defender for Endpoint alerts security operations teams about suspicious activities and automatically attempts to resolve the problem. This includes alerts for suspicious PowerShell commands, connecting to a TOR website, launching self-replicated copies, and deletion of volume shadow copies. Try Microsoft Defender for Endpoint free of charge.
+* [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) provides comprehensive endpoint protection, detection, and response capabilities to help prevent ransomware. In the event of a breach, Microsoft Defender for Endpoint alerts security operations teams about suspicious activities and automatically attempts to resolve the problem. This includes alerts for suspicious PowerShell commands, connecting to a TOR website, launching self-replicated copies, and deletion of volume shadow copies. Try Microsoft Defender for Endpoint free of charge.
-* [Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-identity-verification) replaces passwords with strong two-factor authentication on your devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. It lets user authenticate to an Active Directory or Azure Active Directory account.
+* [Windows Hello for Business](../../identity-protection/hello-for-business/hello-identity-verification.md) replaces passwords with strong two-factor authentication on your devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. It lets user authenticate to an Active Directory or Azure Active Directory account.
### Earlier than Windows 10 (not recommended)
@@ -120,4 +120,4 @@ Microsoft provides comprehensive security capabilities that help protect against
Microsoft Defender for Endpoint antivirus capabilities help reduce the chances of infection and will automatically remove threats that it detects.
-In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://support.microsoft.com/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware).
+In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://support.microsoft.com/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware).
\ No newline at end of file
diff --git a/windows/security/threat-protection/intelligence/ransomware-malware.md b/windows/security/threat-protection/intelligence/ransomware-malware.md
index 77e6f67c32..4f7f59f8ff 100644
--- a/windows/security/threat-protection/intelligence/ransomware-malware.md
+++ b/windows/security/threat-protection/intelligence/ransomware-malware.md
@@ -7,8 +7,8 @@ ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: ellevin
-author: levinec
+ms.author: dansimp
+author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
@@ -62,6 +62,6 @@ We recommend:
* Educate your employees so they can identify social engineering and spear-phishing attacks.
-* [Controlled folder access](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/controlled-folders). It can stop ransomware from encrypting files and holding the files for ransom.
+* [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). It can stop ransomware from encrypting files and holding the files for ransom.
-For more general tips, see [prevent malware infection](prevent-malware-infection.md).
+For more general tips, see [prevent malware infection](prevent-malware-infection.md).
\ No newline at end of file
diff --git a/windows/security/threat-protection/intelligence/rootkits-malware.md b/windows/security/threat-protection/intelligence/rootkits-malware.md
index ab4fa996bd..3a795c9074 100644
--- a/windows/security/threat-protection/intelligence/rootkits-malware.md
+++ b/windows/security/threat-protection/intelligence/rootkits-malware.md
@@ -7,8 +7,8 @@ ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: ellevin
-author: levinec
+ms.author: dansimp
+author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
diff --git a/windows/security/threat-protection/intelligence/safety-scanner-download.md b/windows/security/threat-protection/intelligence/safety-scanner-download.md
index c2e32ce5d1..1027ebf999 100644
--- a/windows/security/threat-protection/intelligence/safety-scanner-download.md
+++ b/windows/security/threat-protection/intelligence/safety-scanner-download.md
@@ -7,8 +7,8 @@ ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: ellevin
-author: levinec
+ms.author: dansimp
+author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
@@ -58,4 +58,4 @@ For more information about the Safety Scanner, see the support article on [how t
- [Microsoft Security Essentials](https://support.microsoft.com/help/14210/security-essentials-download)
- [Removing difficult threats](https://support.microsoft.com/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware)
- [Submit file for malware analysis](https://www.microsoft.com/wdsi/filesubmission)
-- [Microsoft antimalware and threat protection solutions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection)
+- [Microsoft antimalware and threat protection solutions](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection)
\ No newline at end of file
diff --git a/windows/security/threat-protection/intelligence/submission-guide.md b/windows/security/threat-protection/intelligence/submission-guide.md
index 87667989e4..97dda7a1ad 100644
--- a/windows/security/threat-protection/intelligence/submission-guide.md
+++ b/windows/security/threat-protection/intelligence/submission-guide.md
@@ -7,8 +7,8 @@ ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: ellevin
-author: levinec
+ms.author: dansimp
+author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
diff --git a/windows/security/threat-protection/intelligence/supply-chain-malware.md b/windows/security/threat-protection/intelligence/supply-chain-malware.md
index fff7e3b7b3..edd8709cdf 100644
--- a/windows/security/threat-protection/intelligence/supply-chain-malware.md
+++ b/windows/security/threat-protection/intelligence/supply-chain-malware.md
@@ -7,8 +7,8 @@ ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: ellevin
-author: levinec
+ms.author: dansimp
+author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
diff --git a/windows/security/threat-protection/intelligence/support-scams.md b/windows/security/threat-protection/intelligence/support-scams.md
index 0cfb94aa8f..ffb5104d6c 100644
--- a/windows/security/threat-protection/intelligence/support-scams.md
+++ b/windows/security/threat-protection/intelligence/support-scams.md
@@ -7,8 +7,8 @@ ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: ellevin
-author: levinec
+ms.author: dansimp
+author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
@@ -46,7 +46,7 @@ It is also important to keep the following in mind:
* Use [Microsoft Edge](https://www.microsoft.com/windows/microsoft-edge) when browsing the internet. It blocks known support scam sites using Windows Defender SmartScreen (which is also used by Internet Explorer). Furthermore, Microsoft Edge can stop pop-up dialogue loops used by these sites.
-* Enable [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) in Windows 10. It detects and removes known support scam malware.
+* Enable [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) in Windows 10. It detects and removes known support scam malware.
## What to do if information has been given to a tech support person
@@ -66,4 +66,4 @@ Help Microsoft stop scammers, whether they claim to be from Microsoft or from an
www.microsoft.com/reportascam
-You can also report any **unsafe website** that you suspect is a phishing website or contains malicious content directly to Microsoft by filling out a [Report an unsafe site form](https://www.microsoft.com/wdsi/support/report-unsafe-site) or using built in web browser functionality.
+You can also report any **unsafe website** that you suspect is a phishing website or contains malicious content directly to Microsoft by filling out a [Report an unsafe site form](https://www.microsoft.com/wdsi/support/report-unsafe-site) or using built in web browser functionality.
\ No newline at end of file
diff --git a/windows/security/threat-protection/intelligence/trojans-malware.md b/windows/security/threat-protection/intelligence/trojans-malware.md
index 31228195f8..f2b7fe2a80 100644
--- a/windows/security/threat-protection/intelligence/trojans-malware.md
+++ b/windows/security/threat-protection/intelligence/trojans-malware.md
@@ -7,8 +7,8 @@ ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: ellevin
-author: levinec
+ms.author: dansimp
+author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
@@ -41,8 +41,8 @@ Trojans can come in many different varieties, but generally they do the followin
Use the following free Microsoft software to detect and remove it:
-- [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) for Windows 10 and Windows 8.1, or [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for previous versions of Windows.
+- [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) for Windows 10 and Windows 8.1, or [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for previous versions of Windows.
- [Microsoft Safety Scanner](safety-scanner-download.md)
-For more general tips, see [prevent malware infection](prevent-malware-infection.md).
+For more general tips, see [prevent malware infection](prevent-malware-infection.md).
\ No newline at end of file
diff --git a/windows/security/threat-protection/intelligence/understanding-malware.md b/windows/security/threat-protection/intelligence/understanding-malware.md
index d7d82578fa..63477837e9 100644
--- a/windows/security/threat-protection/intelligence/understanding-malware.md
+++ b/windows/security/threat-protection/intelligence/understanding-malware.md
@@ -7,8 +7,8 @@ ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: ellevin
-author: levinec
+ms.author: dansimp
+author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
@@ -40,6 +40,11 @@ There are many types of malware, including:
- [Unwanted software](unwanted-software.md)
- [Worms](worms-malware.md)
-Keep up with the latest malware news and research. Check out our [Microsoft security blogs](https://www.microsoft.com/security/blog/product/windows/) and follow us on [Twitter](https://twitter.com/wdsecurity) for the latest news, discoveries, and protections.
+## Additional resources and information
+
+- Keep up with the latest malware news and research. Check out our [Microsoft security blogs](https://www.microsoft.com/security/blog/product/windows/) and follow us on [Twitter](https://twitter.com/wdsecurity) for the latest news, discoveries, and protections.
+
+- Learn more about [Windows security](../../index.yml).
+
+- Learn how to [deploy threat protection capabilities across Microsoft 365 E5](/microsoft-365/solutions/deploy-threat-protection).
-Learn more about [Windows security](https://docs.microsoft.com/windows/security/index).
diff --git a/windows/security/threat-protection/intelligence/unwanted-software.md b/windows/security/threat-protection/intelligence/unwanted-software.md
index 31dc9dc196..0083b9496c 100644
--- a/windows/security/threat-protection/intelligence/unwanted-software.md
+++ b/windows/security/threat-protection/intelligence/unwanted-software.md
@@ -7,8 +7,8 @@ ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: ellevin
-author: levinec
+ms.author: dansimp
+author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
@@ -42,9 +42,9 @@ Microsoft uses an extensive [evaluation criteria](criteria.md) to identify unwan
To prevent unwanted software infection, download software only from official websites, or from the Microsoft Store. Be wary of downloading software from third-party sites.
-Use [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/index) when browsing the internet. Microsoft Edge includes additional protections that effectively block browser modifiers that can change your browser settings. Microsoft Edge also blocks known websites hosting unwanted software using [Windows Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/index) (also used by Internet Explorer).
+Use [Microsoft Edge](/microsoft-edge/deploy/index) when browsing the internet. Microsoft Edge includes additional protections that effectively block browser modifiers that can change your browser settings. Microsoft Edge also blocks known websites hosting unwanted software using [Windows Defender SmartScreen](/microsoft-edge/deploy/index) (also used by Internet Explorer).
-Enable [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) in Windows 10. It provides real-time protection against threats and detects and removes known unwanted software.
+Enable [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) in Windows 10. It provides real-time protection against threats and detects and removes known unwanted software.
Download [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for real-time protection in Windows 7 or Windows Vista.
@@ -63,4 +63,4 @@ If you only recently noticed symptoms of unwanted software infection, consider s
You may also need to **remove browser add-ons** in your browsers, such as Internet Explorer, Firefox, or Chrome.
-In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://support.microsoft.com/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware).
+In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://support.microsoft.com/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware).
\ No newline at end of file
diff --git a/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md b/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md
index a70ae6fe7e..65a11f61ab 100644
--- a/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md
+++ b/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md
@@ -7,8 +7,8 @@ ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: ellevin
-author: levinec
+ms.author: dansimp
+author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
diff --git a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md
index 8512c8d267..83ca25908d 100644
--- a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md
+++ b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md
@@ -7,8 +7,8 @@ ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: ellevin
-author: levinec
+ms.author: dansimp
+author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
diff --git a/windows/security/threat-protection/intelligence/worms-malware.md b/windows/security/threat-protection/intelligence/worms-malware.md
index 99c3fafa1a..ed4e5aaf84 100644
--- a/windows/security/threat-protection/intelligence/worms-malware.md
+++ b/windows/security/threat-protection/intelligence/worms-malware.md
@@ -7,8 +7,8 @@ ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
-ms.author: ellevin
-author: levinec
+ms.author: dansimp
+author: dansimp
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
@@ -39,16 +39,16 @@ Both Bondat and Gamarue have clever ways of obscuring themselves to evade detect
This image shows how a worm can quickly spread through a shared USB drive.
-
+
### *Figure worm spreading from a shared USB drive*
## How to protect against worms
-Enable [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) in Windows 10. It provides real-time protection against threats and detects and removes known unwanted software.
+Enable [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) in Windows 10. It provides real-time protection against threats and detects and removes known unwanted software.
Download [Microsoft Security Essentials](https://www.microsoft.com/download/details.aspx?id=5201) for real-time protection in Windows 7 or Windows Vista.
In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://www.microsoft.com/wdsi/help/troubleshooting-infection).
-For more general tips, see [prevent malware infection](prevent-malware-infection.md).
+For more general tips, see [prevent malware infection](/microsoft-365/security/defender-endpoint/prevent-malware-infection).
\ No newline at end of file
diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md
index 34fc1933f8..f0c6938382 100644
--- a/windows/security/threat-protection/mbsa-removal-and-guidance.md
+++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md
@@ -24,12 +24,12 @@ MBSA was largely used in situations where neither Microsoft Update nor a local W
## The Solution
A script can help you with an alternative to MBSA’s patch-compliance checking:
-- [Using WUA to Scan for Updates Offline](https://docs.microsoft.com/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline), which includes a sample .vbs script.
+- [Using WUA to Scan for Updates Offline](/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline), which includes a sample .vbs script.
For a PowerShell alternative, see [Using WUA to Scan for Updates Offline with PowerShell](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0).
For example:
-[](https://docs.microsoft.com/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline)
+[](/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline)
[](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0)
The preceding scripts use the [WSUS offline scan file](https://support.microsoft.com/help/927745/detailed-information-for-developers-who-use-the-windows-update-offline) (wsusscn2.cab) to perform a scan and get the same information on missing updates as MBSA supplied. MBSA also relied on the wsusscn2.cab to determine which updates were missing from a given system without connecting to any online service or server. The wsusscn2.cab file is still available and there are currently no plans to remove or replace it.
@@ -41,4 +41,4 @@ For security compliance and for desktop/server hardening, we recommend the Micro
- [Windows security baselines](windows-security-baselines.md)
- [Download Microsoft Security Compliance Toolkit 1.0](https://www.microsoft.com/download/details.aspx?id=55319)
-- [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/)
+- [Microsoft Security Guidance blog](/archive/blogs/secguide/)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md
deleted file mode 100644
index 1d3f01234e..0000000000
--- a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md
+++ /dev/null
@@ -1,70 +0,0 @@
----
-title: Collect diagnostic data for Update Compliance and Windows Defender Microsoft Defender Antivirus
-description: Use a tool to collect data to troubleshoot Update Compliance issues when using the Microsoft Defender Antivirus Assessment add in
-keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender AV
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 09/03/2018
-ms.reviewer:
-manager: dansimp
-ms.technology: mde
----
-
-# Collect Update Compliance diagnostic data for Microsoft Defender AV Assessment
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-
-This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Microsoft Defender AV Assessment section in the Update Compliance add-in.
-
-Before attempting this process, ensure you have read [Troubleshoot Microsoft Defender Antivirus reporting](troubleshoot-reporting.md), met all require prerequisites, and taken any other suggested troubleshooting steps.
-
-On at least two devices that are not reporting or showing up in Update Compliance, obtain the .cab diagnostic file by taking the following steps:
-
-1. Open an administrator-level version of the command prompt as follows:
-
- a. Open the **Start** menu.
-
- b. Type **cmd**. Right-click on **Command Prompt** and click **Run as administrator**.
-
- c. Enter administrator credentials or approve the prompt.
-
-2. Navigate to the Windows Defender directory. By default, this is `C:\Program Files\Windows Defender`.
-
-3. Type the following command, and then press **Enter**
-
- ```Dos
- mpcmdrun -getfiles
- ```
-
-4. A .cab file will be generated that contains various diagnostic logs. The location of the file will be specified in the output in the command prompt. By default, the location is `C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab`.
-
-5. Copy these .cab files to a location that can be accessed by Microsoft support. An example could be a password-protected OneDrive folder that you can share with us.
-
-6. Send an email using the Update Compliance support email template, and fill out the template with the following information:
-
- ```
- I am encountering the following issue when using Microsoft Defender Antivirus in Update Compliance:
-
- I have provided at least 2 support .cab files at the following location:
For more information, see [Redirect diagnostic data to a UNC share](#redirect-diagnostic-data-to-a-unc-share).
-
-5. Copy these .cab files to a location that can be accessed by Microsoft support. An example could be a password-protected OneDrive folder that you can share with us.
-
-> [!NOTE]
->If you have a problem with Update compliance, send an email using the Update Compliance support email template, and fill out the template with the following information:
->```
-> I am encountering the following issue when using Microsoft Defender Antivirus in Update Compliance:
-> I have provided at least 2 support .cab files at the following location:
->
**Note:** In Windows 10 1909 or older, and Windows Server 2019 or older, the service used to be called "Windows Defender Antivirus" service.|
-| `0x80070667` | You're running the `-ValidateMapsConnection` command from a computer that is Windows 10 version 1607 or older, or Windows Server 2016 or older. Run the command from a machine that is Windows 10 version 1703 or newer, or Windows Server 2019 or newer.|
-| `'MpCmdRun' is not recognized as an internal or external command, operable program or batch file.` | The tool needs to be run from either: `%ProgramFiles%\Windows Defender` or `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2012.4-0` (where `2012.4-0` might differ since platform updates are monthly except for March)|
-| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80070005 httpcode=450)` | Not enough privileges. Use the command prompt (cmd.exe) as an administrator.|
-| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80070006 httpcode=451)` | The firewall is blocking the connection or conducting SSL inspection. |
-| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80004005 httpcode=450)` | Possible network-related issues, like name resolution problems|
-| `ValidateMapsConnection failed to establish a connection to MAPS (hr=0x80508015` | The firewall is blocking the connection or conducting SSL inspection. |
-| `ValidateMapsConnection failed to establish a connection to MAPS (hr=800722F0D` | The firewall is blocking the connection or conducting SSL inspection. |
-| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80072EE7 httpcode=451)` | The firewall is blocking the connection or conducting SSL inspection. |
-
-## See also
-
-- [Configure Microsoft Defender Antivirus features](configure-microsoft-defender-antivirus-features.md)
-- [Manage Microsoft Defender Antivirus in your business](configuration-management-reference-microsoft-defender-antivirus.md)
-- [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md)
-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md
deleted file mode 100644
index 3108c5ea6b..0000000000
--- a/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md
+++ /dev/null
@@ -1,61 +0,0 @@
----
-title: Common mistakes to avoid when defining exclusions
-description: Avoid common mistakes when defining exclusions for Microsoft Defender Antivirus scans.
-keywords: exclusions, files, extension, file type, folder name, file name, scans
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.reviewer:
-manager: dansimp
-ms.technology: mde
----
-
-# Common mistakes to avoid when defining exclusions
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-You can define an exclusion list for items that you don't want Microsoft Defender Antivirus to scan. Such excluded items could contain threats that make your device vulnerable.
-
-This article describes some common mistake that you should avoid when defining exclusions.
-
-Before defining your exclusion lists, see [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions).
-
-## Excluding certain trusted items
-
-Certain files, file types, folders, or processes should not be excluded from scanning even though you trust them to be not malicious.
-
-Do not define exclusions for the folder locations, file extensions, and processes that are listed in the following table:
-
-| Folder locations | File extensions | Processes |
-|:--|:--|:--|
-| `%systemdrive%`
`C:`
`C:\`
`C:\*`
`%ProgramFiles%\Java`
`C:\Program Files\Java`
`%ProgramFiles%\Contoso\`
`C:\Program Files\Contoso\`
`%ProgramFiles(x86)%\Contoso\`
`C:\Program Files (x86)\Contoso\`
`C:\Temp`
`C:\Temp\`
`C:\Temp\*`
`C:\Users\`
`C:\Users\*`
`C:\Users\
`C:\Users\
`C:\Users\
`%Windir%\Prefetch`
`C:\Windows\Prefetch`
`C:\Windows\Prefetch\`
`C:\Windows\Prefetch\*`
`%Windir%\System32\Spool`
`C:\Windows\System32\Spool`
`C:\Windows\System32\CatRoot2`
`%Windir%\Temp`
`C:\Windows\Temp`
`C:\Windows\Temp\`
`C:\Windows\Temp\*` | `.7zip`
`.bat`
`.bin`
`.cab`
`.cmd`
`.com`
`.cpl`
`.dll`
`.exe`
`.fla`
`.gif`
`.gz`
`.hta`
`.inf`
`.java`
`.jar`
`.job`
`.jpeg`
`.jpg`
`.js`
`.ko`
`.ko.gz`
`.msi`
`.ocx`
`.png`
`.ps1`
`.py`
`.rar`
`.reg`
`.scr`
`.sys`
`.tar`
`.tmp`
`.url`
`.vbe`
`.vbs`
`.wsf`
`.zip` | `AcroRd32.exe`
`bitsadmin.exe`
`excel.exe`
`iexplore.exe`
`java.exe`
`outlook.exe`
`psexec.exe`
`powerpnt.exe`
`powershell.exe`
`schtasks.exe`
`svchost.exe`
`wmic.exe`
`winword.exe`
`wuauclt.exe`
`addinprocess.exe`
`addinprocess32.exe`
`addinutil.exe`
`bash.exe`
`bginfo.exe`[1]
`cdb.exe`
`csi.exe`
`dbghost.exe`
`dbgsvc.exe`
`dnx.exe`
`fsi.exe`
`fsiAnyCpu.exe`
`kd.exe`
`ntkd.exe`
`lxssmanager.dll`
`msbuild.exe`[2]
`mshta.exe`
`ntsd.exe`
`rcsi.exe`
`system.management.automation.dll`
`windbg.exe` |
-
->[!NOTE]
-> You can chose to exclude file types, such as `.gif`, `.jpg`, `.jpeg`, or `.png` if your environment has a modern, up-to-date software with a strict update policy to handle any vulnerabilities.
-
-## Using just the file name in the exclusion list
-
-A malware may have the same name as that of the file that you trust and want to exclude from scanning. Therefore, to avoid excluding a potential malware from scanning, use a fully qualified path to the file that you want to exclude instead of using just the file name. For example, if you want to exclude `Filename.exe` from scanning, use the complete path to the file, such as `C:\program files\contoso\Filename.exe`.
-
-## Using a single exclusion list for multiple server workloads
-
-Do not use a single exclusion list to define exclusions for multiple server workloads. Split the exclusions for different application or service workloads into multiple exclusion lists. For example, the exclusion list for your IIS Server workload must be different from the exclusion list for your SQL Server workload.
-
-## Using incorrect environment variables as wildcards in the file name and folder path or extension exclusion lists
-
-Microsoft Defender Antivirus Service runs in system context using the LocalSystem account, which means it gets information from the system environment variable, and not from the user environment variable. Use of environment variables as a wildcard in exclusion lists is limited to system variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. Therefore, do not use user environment variables as wildcards when adding Microsoft Defender Antivirus folder and process exclusions. See the table under [System environment variables](configure-extension-file-exclusions-microsoft-defender-antivirus.md#system-environment-variables) for a complete list of system environment variables.
-
-See [Use wildcards in the file name and folder path or extension exclusion lists](configure-extension-file-exclusions-microsoft-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) for information on how to use wildcards in exclusion lists.
-
-## Related articles
-
-- [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
-- [Configure and validate exclusions based on file extension and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md)
-- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
-- [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md
deleted file mode 100644
index 3c463a5169..0000000000
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md
+++ /dev/null
@@ -1,46 +0,0 @@
----
-title: Manage Windows Defender in your business
-description: Learn how to use Group Policy, Configuration Manager, PowerShell, WMI, Intune, and the command line to manage Microsoft Defender AV
-keywords: group policy, gpo, config manager, sccm, scep, powershell, wmi, intune, defender, antivirus, antimalware, security, protection
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 12/16/2020
-ms.reviewer:
-manager: dansimp
-ms.technology: mde
----
-
-# Manage Microsoft Defender Antivirus in your business
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-
-You can manage and configure Microsoft Defender Antivirus with the following tools:
-
-- [Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/endpoint-security-antivirus-policy) (now part of Microsoft Endpoint Manager)
-- [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure) (now part of Microsoft Endpoint Manager)
-- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus)
-- [PowerShell cmdlets](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus)
-- [Windows Management Instrumentation (WMI)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus)
-- The [Microsoft Malware Protection Command Line Utility](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus) (referred to as the *mpcmdrun.exe* utility
-
-The following articles provide further information, links, and resources for using these tools to manage and configure Microsoft Defender Antivirus.
-
-| Article | Description |
-|:---|:---|
-|[Manage Microsoft Defender Antivirus with Microsoft Intune and Microsoft Endpoint Configuration Manager](use-intune-config-manager-microsoft-defender-antivirus.md)|Information about using Intune and Configuration Manager to deploy, manage, report, and configure Microsoft Defender Antivirus |
-|[Manage Microsoft Defender Antivirus with Group Policy settings](use-group-policy-microsoft-defender-antivirus.md)|List of all Group Policy settings located in ADMX templates |
-|[Manage Microsoft Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-microsoft-defender-antivirus.md)|Instructions for using PowerShell cmdlets to manage Microsoft Defender Antivirus, plus links to documentation for all cmdlets and allowed parameters |
-|[Manage Microsoft Defender Antivirus with Windows Management Instrumentation (WMI)](use-wmi-microsoft-defender-antivirus.md)| Instructions for using WMI to manage Microsoft Defender Antivirus, plus links to documentation for the WMIv2 APIs (including all classes, methods, and properties) |
-|[Manage Microsoft Defender Antivirus with the mpcmdrun.exe command-line tool](command-line-arguments-microsoft-defender-antivirus.md)|Instructions on using the dedicated command-line tool to manage and use Microsoft Defender Antivirus |
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md
deleted file mode 100644
index bf309eba5d..0000000000
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md
+++ /dev/null
@@ -1,95 +0,0 @@
----
-title: Configure scanning options for Microsoft Defender AV
-description: You can configure Microsoft Defender AV to scan email storage files, back-up or reparse points, network files, and archived files (such as .zip files).
-keywords: advanced scans, scanning, email, archive, zip, rar, archive, reparse scanning
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.reviewer:
-manager: dansimp
-ms.technology: mde
----
-
-# Configure Microsoft Defender Antivirus scanning options
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-
-## Use Microsoft Intune to configure scanning options
-
-See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details.
-
-## Use Microsoft Endpoint Manager to configure scanning options
-
-See [How to create and deploy antimalware policies: Scan settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring Microsoft Endpoint Manager (current branch).
-
-## Use Group Policy to configure scanning options
-
-To configure the Group Policy settings described in the following table:
-
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-
-3. Expand the tree to **Windows components > Microsoft Defender Antivirus** and then the **Location** specified in the table below.
-
-4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
-
-Description | Location and setting | Default setting (if not configured) | PowerShell `Set-MpPreference` parameter or WMI property for `MSFT_MpPreference` class
----|---|---|---
-Email scanning See [Email scanning limitations](#ref1)| Scan > Turn on e-mail scanning | Disabled | `-DisableEmailScanning`
-Scan [reparse points](https://msdn.microsoft.com/library/windows/desktop/aa365503.aspx) | Scan > Turn on reparse point scanning | Disabled | Not available
-Scan mapped network drives | Scan > Run full scan on mapped network drives | Disabled | `-DisableScanningMappedNetworkDrivesForFullScan`
- Scan archive files (such as .zip or .rar files). The [extensions exclusion list](configure-extension-file-exclusions-microsoft-defender-antivirus.md) will take precedence over this setting. | Scan > Scan archive files | Enabled | `-DisableArchiveScanning`
-Scan files on the network | Scan > Scan network files | Disabled | `-DisableScanningNetworkFiles`
-Scan packed executables | Scan > Scan packed executables | Enabled | Not available
-Scan removable drives during full scans only | Scan > Scan removable drives | Disabled | `-DisableRemovableDriveScanning`
-Specify the level of subfolders within an archive folder to scan | Scan > Specify the maximum depth to scan archive files | 0 | Not available
- Specify the maximum CPU load (as a percentage) during a scan. Note: This is not a hard limit but rather a guidance for the scanning engine to not exceed this maximum on average. | Scan > Specify the maximum percentage of CPU utilization during a scan | 50 | `-ScanAvgCPULoadFactor`
- Specify the maximum size (in kilobytes) of archive files that should be scanned. The default, **0**, applies no limit | Scan > Specify the maximum size of archive files to be scanned | No limit | Not available
- Configure low CPU priority for scheduled scans | Scan > Configure low CPU priority for scheduled scans | Disabled | Not available
-
-> [!NOTE]
-> If real-time protection is turned on, files are scanned before they are accessed and executed. The scanning scope includes all files, including files on mounted removable media, such as USB drives. If the device performing the scan has real-time protection or on-access protection turned on, the scan will also include network shares.
-
-## Use PowerShell to configure scanning options
-
-See [Manage Microsoft Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
-
-## Use WMI to configure scanning options
-
-For using WMI classes, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx).
-
-
-
-## Email scanning limitations
-
-Email scanning enables scanning of email files used by Outlook and other mail clients during on-demand and scheduled scans. Embedded objects within an email file (such as attachments and archived files) are also scanned. The following file format types can be scanned and remediated:
-
-- DBX
-- MBX
-- MIME
-
-PST files used by Outlook 2003 or older (where the archive type is set to non-unicode) will also be scanned, but Windows Defender cannot remediate threats detected inside PST files.
-
-If Microsoft Defender Antivirus detects a threat inside an email, it will show you the following information to assist you in identifying the compromised email, so you can remediate the threat manually:
-
-- Email subject
-- Attachment name
-
-## Related topics
-
-- [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
-- [Configure and run on-demand Microsoft Defender Antivirus scans](run-scan-microsoft-defender-antivirus.md)
-- [Configure scheduled Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md
deleted file mode 100644
index 96b78f6e1c..0000000000
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md
+++ /dev/null
@@ -1,176 +0,0 @@
----
-title: Enable block at first sight to detect malware in seconds
-description: Turn on the block at first sight feature to detect and block malware within seconds.
-keywords: scan, BAFS, malware, first seen, first sight, cloud, defender
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.localizationpriority: high
-author: denisebmsft
-ms.author: deniseb
-ms.reviewer:
-manager: dansimp
-ms.custom: nextgen
-ms.date: 10/22/2020
-ms.technology: mde
----
-
-# Turn on block at first sight
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-
-Block at first sight provides a way to detect and block new malware within seconds. This protection is enabled by default when certain prerequisite settings are enabled. These settings include cloud-delivered protection, a specified sample submission timeout (such as 50 seconds), and a file-blocking level of high. In most enterprise organizations, these settings are enabled by default with Microsoft Defender Antivirus deployments.
-
-You can [specify how long a file should be prevented from running](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md) while the cloud-based protection service analyzes the file. And, you can [customize the message displayed on users' desktops](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information) when a file is blocked. You can change the company name, contact information, and message URL.
-
->[!TIP]
->Visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work.
-
-## How it works
-
-When Microsoft Defender Antivirus encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend applies heuristics, machine learning, and automated analysis of the file to determine whether the files are malicious or not a threat.
-
-Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, intelligent, and real-time protection. To learn more, see this blog: [Get to know the advanced technologies at the core of Microsoft Defender for Endpoint next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
-
-
-In Windows 10, version 1803 or later, block at first sight can block non-portable executable files (such as JS, VBS, or macros) as well as executable files.
-
-Block at first sight only uses the cloud protection backend for executable files and non-portable executable files that are downloaded from the Internet, or that originate from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if the file is a previously undetected file.
-
-If the cloud backend is unable to make a determination, Microsoft Defender Antivirus locks the file and uploads a copy to the cloud. The cloud performs additional analysis to reach a determination before it either allows the file to run or blocks it in all future encounters, depending on whether it determines the file to be malicious or safe.
-
-In many cases, this process can reduce the response time for new malware from hours to seconds.
-
-## Turn on block at first sight with Microsoft Intune
-
-> [!TIP]
-> Microsoft Intune is now part of Microsoft Endpoint Manager.
-
-1. In the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)), navigate to **Devices** > **Configuration profiles**.
-
-2. Select or create a profile using the **Device restrictions** profile type.
-
-3. In the **Configuration settings** for the Device restrictions profile, set or confirm the following settings under **Microsoft Defender Antivirus**:
-
- - **Cloud-delivered protection**: Enabled
- - **File Blocking Level**: High
- - **Time extension for file scanning by the cloud**: 50
- - **Prompt users before sample submission**: Send all data without prompting
-
- 
-
-4. Save your settings.
-
-> [!TIP]
-> - Setting the file blocking level to **High** applies a strong level of detection. In the unlikely event that file blocking causes a false positive detection of legitimate files, you can [restore quarantined files](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus).
-> - For more information about configuring Microsoft Defender Antivirus device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
-> - For a list of Microsoft Defender Antivirus device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus).
-
-## Turn on block at first sight with Microsoft Endpoint Manager
-
-> [!TIP]
-> If you're looking for Microsoft Endpoint Configuration Manager, it's now part of Microsoft Endpoint Manager.
-
-1. In Microsoft Endpoint Manager ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)), go to **Endpoint security** > **Antivirus**.
-
-2. Select an existing policy, or create a new policy using the **Microsoft Defender Antivirus** profile type.
-
-3. Set or confirm the following configuration settings:
-
- - **Turn on cloud-delivered protection**: Yes
- - **Cloud-delivered protection level**: High
- - **Defender Cloud Extended Timeout in Seconds**: 50
-
- :::image type="content" source="images/endpointmgr-antivirus-cloudprotection.png" alt-text="Block at first sight settings in Endpoint Manager":::
-
-4. Apply the Microsoft Defender Antivirus profile to a group, such as **All users**, **All devices**, or **All users and devices**.
-
-## Turn on block at first sight with Group Policy
-
-> [!NOTE]
-> We recommend using Intune or Microsoft Endpoint Manager to turn on block at first sight.
-
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**.
-
-2. Using the **Group Policy Management Editor** go to **Computer configuration** > **Administrative templates** > **Windows Components** > **Microsoft Defender Antivirus** > **MAPS**.
-
-3. In the MAPS section, double-click **Configure the 'Block at First Sight' feature**, and set it to **Enabled**, and then select **OK**.
-
- > [!IMPORTANT]
- > Setting to **Always prompt (0)** will lower the protection state of the device. Setting to **Never send (2)** means block at first sight will not function.
-
-4. In the MAPS section, double-click **Send file samples when further analysis is required**, and set it to **Enabled**. Under **Send file samples when further analysis is required**, select **Send all samples**, and then click **OK**.
-
-5. If you changed any settings, redeploy the Group Policy Object across your network to ensure all endpoints are covered.
-
-## Confirm block at first sight is enabled on individual clients
-
-You can confirm that block at first sight is enabled on individual clients using Windows security settings.
-
-Block at first sight is automatically enabled as long as **Cloud-delivered protection** and **Automatic sample submission** are both turned on.
-
-1. Open the Windows Security app.
-
-2. Select **Virus & threat protection**, and then, under **Virus & threat protection settings**, select **Manage Settings**.
-
- 
-
-3. Confirm that **Cloud-delivered protection** and **Automatic sample submission** are both turned on.
-
-> [!NOTE]
-> - If the prerequisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints.
-> - Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.
-
-## Validate block at first sight is working
-
-To validate that the feature is working, follow the guidance in [Validate connections between your network and the cloud](configure-network-connections-microsoft-defender-antivirus.md#validate-connections-between-your-network-and-the-cloud).
-
-## Turn off block at first sight
-
-> [!CAUTION]
-> Turning off block at first sight will lower the protection state of your device(s) and your network.
-
-You might choose to disable block at first sight if you want to retain the prerequisite settings without actually using block at first sight protection. You might do temporarily turn block at first sight off if you are experiencing latency issues or you want to test the feature's impact on your network. However, we do not recommend disabling block at first sight protection permanently.
-
-### Turn off block at first sight with Microsoft Endpoint Manager
-
-1. Go to Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.
-
-2. Go to **Endpoint security** > **Antivirus**, and then select your Microsoft Defender Antivirus policy.
-
-3. Under **Manage**, choose **Properties**.
-
-4. Next to **Configuration settings**, choose **Edit**.
-
-5. Change one or more of the following settings:
-
- - Set **Turn on cloud-delivered protection** to **No** or **Not configured**.
- - Set **Cloud-delivered protection level** to **Not configured**.
- - Clear the **Defender Cloud Extended Timeout In Seconds** box.
-
-6. Review and save your settings.
-
-### Turn off block at first sight with Group Policy
-
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure, and then click **Edit**.
-
-2. Using the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-
-3. Expand the tree through **Windows components** > **Microsoft Defender Antivirus** > **MAPS**.
-
-4. Double-click **Configure the 'Block at First Sight' feature** and set the option to **Disabled**.
-
- > [!NOTE]
- > Disabling block at first sight does not disable or alter the prerequisite group policies.
-
-## See also
-
-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
-
-- [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md
deleted file mode 100644
index 6fc2a16ea3..0000000000
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md
+++ /dev/null
@@ -1,56 +0,0 @@
----
-title: Configure the Microsoft Defender AV cloud block timeout period
-description: You can configure how long Microsoft Defender Antivirus will block a file from running while waiting for a cloud determination.
-keywords: Microsoft Defender Antivirus, antimalware, security, defender, cloud, timeout, block, period, seconds
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 09/03/2018
-ms.reviewer:
-manager: dansimp
-ms.technology: mde
----
-
-# Configure the cloud block timeout period
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-
-When Microsoft Defender Antivirus finds a suspicious file, it can prevent the file from running while it queries the [Microsoft Defender Antivirus cloud service](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md).
-
-The default period that the file will be [blocked](configure-block-at-first-sight-microsoft-defender-antivirus.md) is 10 seconds. You can specify an additional period of time to wait before the file is allowed to run. This can help ensure there is enough time to receive a proper determination from the Microsoft Defender Antivirus cloud service.
-
-## Prerequisites to use the extended cloud block timeout
-
-[Block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) and its prerequisites must be enabled before you can specify an extended timeout period.
-
-## Specify the extended timeout period
-
-You can use Group Policy to specify an extended timeout for cloud checks.
-
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-
-3. Expand the tree to **Windows components > Microsoft Defender Antivirus > MpEngine**
-
-4. Double-click **Configure extended cloud check** and ensure the option is enabled. Specify the additional amount of time to prevent the file from running while waiting for a cloud determination. You can specify the additional time, in seconds, from 1 second to 50 seconds. This time will be added to the default 10 seconds.
-
-5. Click **OK**.
-
-## Related topics
-
-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
-- [Use next-generation antivirus technologies through cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md)
-- [Configure block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md)
-- [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md
deleted file mode 100644
index a9d1ba4f3b..0000000000
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md
+++ /dev/null
@@ -1,38 +0,0 @@
----
-title: Configure how users can interact with Microsoft Defender AV
-description: Configure how end-users interact with Microsoft Defender AV, what notifications they see, and if they can override settings.
-keywords: endpoint, user, interaction, notifications, ui lockdown mode, headless mode, hide interface
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.reviewer:
-manager: dansimp
-ms.technology: mde
----
-
-# Configure end-user interaction with Microsoft Defender Antivirus
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-
-You can configure how users of the endpoints on your network can interact with Microsoft Defender Antivirus.
-
-This includes whether they see the Microsoft Defender Antivirus interface, what notifications they see, and if they can locally override globally-deployed Group Policy settings.
-
-## In this section
-
-Topic | Description
----|---
-[Configure notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md) | Configure and customize additional notifications, customized text for notifications, and notifications about reboots for remediation
-[Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md) | Hide the user interface from users
-[Prevent users from locally modifying policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) | Prevent (or allow) users from overriding policy settings on their individual endpoints
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md
deleted file mode 100644
index 1f020f0372..0000000000
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md
+++ /dev/null
@@ -1,54 +0,0 @@
----
-title: Set up exclusions for Microsoft Defender AV scans
-description: You can exclude files (including files modified by specified processes) and folders from being scanned by Microsoft Defender AV. Validate your exclusions with PowerShell.
-keywords:
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.reviewer:
-manager: dansimp
-ms.technology: mde
----
-
-# Configure and validate exclusions for Microsoft Defender Antivirus scans
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-
-You can exclude certain files, folders, processes, and process-opened files from Microsoft Defender Antivirus scans. Such exclusions apply to [scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md), [on-demand scans](run-scan-microsoft-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md). Exclusions for process-opened files only apply to real-time protection.
-
-## Configure and validate exclusions
-
-To configure and validate exclusions, see the following:
-
-- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md). This enables you to exclude files from Microsoft Defender Antivirus scans based on their file extension, file name, or location.
-
-- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md). This enables you to exclude files from scans that have been opened by a specific process.
-
-## Recommendations for defining exclusions
-
-Defining exclusions lowers the protection offered by Microsoft Defender Antivirus. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
-
-The following is a list of recommendations that you should keep in mind when defining exclusions:
-
-- Exclusions are technically a protection gap—always consider additional mitigations when defining exclusions. Additional mitigations could be as simple as making sure the excluded location has the appropriate access-control lists (ACLs), audit policy, is processed by an up-to-date software, etc.
-
-- Review the exclusions periodically. Re-check and re-enforce the mitigations as part of the review process.
-
-- Ideally, avoid defining proactive exclusions. For instance, don't exclude something just because you think it might be a problem in the future. Use exclusions only for specific issues—mostly around performance, or sometimes around application compatibility that exclusions could mitigate.
-
-- Audit the exclusion list changes. The security admin should preserve enough context around why a certain exclusion was added. You should be able to provide answer with specific reasoning as to why a certain path was excluded.
-
-## Related articles
-
-- [Microsoft Defender Antivirus exclusions on Windows Server 2016](configure-server-exclusions-microsoft-defender-antivirus.md)
-- [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md
deleted file mode 100644
index fa58bbf100..0000000000
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md
+++ /dev/null
@@ -1,363 +0,0 @@
----
-title: Configure and validate exclusions based on extension, name, or location
-description: Exclude files from Microsoft Defender Antivirus scans based on their file extension, file name, or location.
-keywords: exclusions, files, extension, file type, folder name, file name, scans
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.reviewer:
-manager: dansimp
-ms.technology: mde
----
-
-# Configure and validate exclusions based on file extension and folder location
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-
-> [!IMPORTANT]
-> Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response (EDR)](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response), [attack surface reduction (ASR) rules](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/controlled-folders). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, add them to the Microsoft Defender for Endpoint [custom indicators](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/manage-indicators).
-
-## Exclusion lists
-
-You can exclude certain files from Microsoft Defender Antivirus scans by modifying exclusion lists. **Generally, you shouldn't need to apply exclusions**. Microsoft Defender Antivirus includes many automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations.
-
-**Note**: Exclusions apply to Potentially Unwanted Apps (PUA) detections as well.
-
-> [!NOTE]
-> Automatic exclusions apply only to Windows Server 2016 and above. These exclusions are not visible in the Windows Security app and in PowerShell.
-
-This article describes how to configure exclusion lists for the files and folders. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists.
-
-| Exclusion | Examples | Exclusion list |
-|:---|:---|:---|
-|Any file with a specific extension | All files with the specified extension, anywhere on the machine.
Valid syntax: `.test` and `test` | Extension exclusions |
-|Any file under a specific folder | All files under the `c:\test\sample` folder | File and folder exclusions |
-| A specific file in a specific folder | The file `c:\sample\sample.test` only | File and folder exclusions |
-| A specific process | The executable file `c:\test\process.exe` | File and folder exclusions |
-
-Exclusion lists have the following characteristics:
-
-- Folder exclusions apply to all files and folders under that folder, unless the subfolder is a reparse point. Reparse point subfolders must be excluded separately.
-- File extensions apply to any file name with the defined extension if a path or folder is not defined.
-
-> [!IMPORTANT]
-> - Using wildcards such as the asterisk (\*) will alter how the exclusion rules are interpreted. See the [Use wildcards in the file name and folder path or extension exclusion lists](#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) section for important information about how wildcards work.
-> - You cannot exclude mapped network drives. You must specify the actual network path.
-> - Folders that are reparse points that are created after the Microsoft Defender Antivirus service starts and that have been added to the exclusion list will not be included. You must restart the service (by restarting Windows) for new reparse points to be recognized as a valid exclusion target.
-
-To exclude files opened by a specific process, see [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md).
-
-The exclusions apply to [scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md), [on-demand scans](run-scan-microsoft-defender-antivirus.md), and [real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md).
-
-> [!IMPORTANT]
-> Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions).
-> Changes made in the Windows Security app **will not show** in the Group Policy lists.
-
-By default, local changes made to the lists (by users with administrator privileges, including changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists take precedence when there are conflicts.
-
-You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-microsoft-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings.
-
-## Configure the list of exclusions based on folder name or file extension
-
-### Use Intune to configure file name, folder, or file extension exclusions
-
-See the following articles:
-- [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure)
-- [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus)
-
-### Use Configuration Manager to configure file name, folder, or file extension exclusions
-
-See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring Microsoft Endpoint Manager (current branch).
-
-### Use Group Policy to configure folder or file extension exclusions
-
->[!NOTE]
->If you specify a fully qualified path to a file, then only that file is excluded. If a folder is defined in the exclusion, then all files and subdirectories under that folder are excluded.
-
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
-2. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**.
-
-3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Exclusions**.
-
-4. Open the **Path Exclusions** setting for editing, and add your exclusions.
-
- - Set the option to **Enabled**.
- - Under the **Options** section, click **Show...**.
- - Specify each folder on its own line under the **Value name** column.
- - If you are specifying a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.
-
-5. Choose **OK**.
-
- 
-
-6. Open the **Extension Exclusions** setting for editing and add your exclusions.
-
- - Set the option to **Enabled**.
- - Under the **Options** section, select **Show...**.
- - Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.
-
-7. Choose **OK**.
-
-
-
-### Use PowerShell cmdlets to configure file name, folder, or file extension exclusions
-
-Using PowerShell to add or remove exclusions for files based on the extension, location, or file name requires using a combination of three cmdlets and the appropriate exclusion list parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/itpro/powershell/windows/defender/defender).
-
-The format for the cmdlets is as follows:
-
-```PowerShell
-
In **file name and file extension inclusions**, the asterisk replaces any number of characters, and only applies to files in the last folder defined in the argument.
In **folder exclusions**, the asterisk replaces a single folder. Use multiple `*` with folder slashes `\` to indicate multiple nested folders. After matching the number of wild carded and named folders, all subfolders are also included. | `C:\MyData\*.txt` would include `C:\MyData\notes.txt`
`C:\somepath\*\Data` would include any file in `C:\somepath\Archives\Data and its subfolders` and `C:\somepath\Authorized\Data and its subfolders`
`C:\Serv\*\*\Backup` would include any file in `C:\Serv\Primary\Denied\Backup and its subfolders` and `C:\Serv\Secondary\Allowed\Backup and its subfolders` |
-|`?` (question mark)
In **file name and file extension inclusions**, the question mark replaces a single character, and only applies to files in the last folder defined in the argument.
In **folder exclusions**, the question mark replaces a single character in a folder name. After matching the number of wild carded and named folders, all subfolders are also included. |`C:\MyData\my?` would include `C:\MyData\my1.zip`
`C:\somepath\?\Data` would include any file in `C:\somepath\P\Data` and its subfolders
`C:\somepath\test0?\Data` would include any file in `C:\somepath\test01\Data` and its subfolders |
-|Environment variables
The defined variable is populated as a path when the exclusion is evaluated. |`%ALLUSERSPROFILE%\CustomLogFiles` would include `C:\ProgramData\CustomLogFiles\Folder1\file1.txt` |
-
-
-> [!IMPORTANT]
-> If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the matched folder, and will not look for file matches in any subfolders.
-> For example, you can exclude all files that start with "date" in the folders `c:\data\final\marked` and `c:\data\review\marked` by using the rule argument `c:\data\*\marked\date*`.
-> This argument, however, will not match any files in subfolders under `c:\data\final\marked` or `c:\data\review\marked`.
-
-
-
-### System environment variables
-
-The following table lists and describes the system account environment variables.
-
-| This system environment variable... | Redirects to this |
-|:--|:--|
-| `%APPDATA%`| `C:\Users\UserName.DomainName\AppData\Roaming` |
-| `%APPDATA%\Microsoft\Internet Explorer\Quick Launch` | `C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch` |
-| `%APPDATA%\Microsoft\Windows\Start Menu` | `C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu` |
-| `%APPDATA%\Microsoft\Windows\Start Menu\Programs` | `C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs` |
-| `%LOCALAPPDATA%` | `C:\Windows\System32\config\systemprofile\AppData\Local` |
-| `%ProgramData%` | `C:\ProgramData` |
-| `%ProgramFiles%` | `C:\Program Files` |
-| `%ProgramFiles%\Common Files` | `C:\Program Files\Common Files` |
-| `%ProgramFiles%\Windows Sidebar\Gadgets` | `C:\Program Files\Windows Sidebar\Gadgets` |
-| `%ProgramFiles%\Common Files` | `C:\Program Files\Common Files` |
-| `%ProgramFiles(x86)%` | `C:\Program Files (x86)` |
-| `%ProgramFiles(x86)%\Common Files` | `C:\Program Files (x86)\Common Files` |
-| `%SystemDrive%` | `C:` |
-| `%SystemDrive%\Program Files` | `C:\Program Files` |
-| `%SystemDrive%\Program Files (x86)` | `C:\Program Files (x86)` |
-| `%SystemDrive%\Users` | `C:\Users` |
-| `%SystemDrive%\Users\Public` | `C:\Users\Public` |
-| `%SystemRoot%` | `C:\Windows` |
-| `%windir%` | `C:\Windows` |
-| `%windir%\Fonts` | `C:\Windows\Fonts` |
-| `%windir%\Resources` | `C:\Windows\Resources` |
-| `%windir%\resources\0409` | `C:\Windows\resources\0409` |
-| `%windir%\system32` | `C:\Windows\System32` |
-| `%ALLUSERSPROFILE%` | `C:\ProgramData` |
-| `%ALLUSERSPROFILE%\Application Data` | `C:\ProgramData\Application Data` |
-| `%ALLUSERSPROFILE%\Documents` | `C:\ProgramData\Documents` |
-| `%ALLUSERSPROFILE%\Documents\My Music\Sample Music` | `C:\ProgramData\Documents\My Music\Sample Music` |
-| `%ALLUSERSPROFILE%\Documents\My Music` | `C:\ProgramData\Documents\My Music` |
-| `%ALLUSERSPROFILE%\Documents\My Pictures` | `C:\ProgramData\Documents\My Pictures` |
-| `%ALLUSERSPROFILE%\Documents\My Pictures\Sample Pictures` | `C:\ProgramData\Documents\My Pictures\Sample Pictures` |
-| `%ALLUSERSPROFILE%\Documents\My Videos` | `C:\ProgramData\Documents\My Videos` |
-| `%ALLUSERSPROFILE%\Microsoft\Windows\DeviceMetadataStore` | `C:\ProgramData\Microsoft\Windows\DeviceMetadataStore` |
-| `%ALLUSERSPROFILE%\Microsoft\Windows\GameExplorer` | `C:\ProgramData\Microsoft\Windows\GameExplorer` |
-| `%ALLUSERSPROFILE%\Microsoft\Windows\Ringtones` | `C:\ProgramData\Microsoft\Windows\Ringtones` |
-| `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu` | `C:\ProgramData\Microsoft\Windows\Start Menu` |
-| `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs` | `C:\ProgramData\Microsoft\Windows\Start Menu\Programs` |
-| `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Administrative Tools` | `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools` |
-| `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\StartUp` | `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp` |
-| `%ALLUSERSPROFILE%\Microsoft\Windows\Templates` | `C:\ProgramData\Microsoft\Windows\Templates` |
-| `%ALLUSERSPROFILE%\Start Menu` | `C:\ProgramData\Start Menu` |
-| `%ALLUSERSPROFILE%\Start Menu\Programs` | C:\ProgramData\Start Menu\Programs |
-| `%ALLUSERSPROFILE%\Start Menu\Programs\Administrative Tools` | `C:\ProgramData\Start Menu\Programs\Administrative Tools` |
-| `%ALLUSERSPROFILE%\Templates` | `C:\ProgramData\Templates` |
-| `%LOCALAPPDATA%\Microsoft\Windows\ConnectedSearch\Templates` | `C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\ConnectedSearch\Templates` |
-| `%LOCALAPPDATA%\Microsoft\Windows\History` | `C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History` |
-| `%PUBLIC%` | `C:\Users\Public` |
-| `%PUBLIC%\AccountPictures` | `C:\Users\Public\AccountPictures` |
-| `%PUBLIC%\Desktop` | `C:\Users\Public\Desktop` |
-| `%PUBLIC%\Documents` | `C:\Users\Public\Documents` |
-| `%PUBLIC%\Downloads` | `C:\Users\Public\Downloads` |
-| `%PUBLIC%\Music\Sample Music` | `C:\Users\Public\Music\Sample Music` |
-| `%PUBLIC%\Music\Sample Playlists` | `C:\Users\Public\Music\Sample Playlists` |
-| `%PUBLIC%\Pictures\Sample Pictures` | `C:\Users\Public\Pictures\Sample Pictures` |
-| `%PUBLIC%\RecordedTV.library-ms` | `C:\Users\Public\RecordedTV.library-ms` |
-| `%PUBLIC%\Videos` | `C:\Users\Public\Videos` |
-| `%PUBLIC%\Videos\Sample Videos` | `C:\Users\Public\Videos\Sample Videos` |
-| `%USERPROFILE%` | `C:\Windows\System32\config\systemprofile` |
-| `%USERPROFILE%\AppData\Local` | `C:\Windows\System32\config\systemprofile\AppData\Local` |
-| `%USERPROFILE%\AppData\LocalLow` | `C:\Windows\System32\config\systemprofile\AppData\LocalLow` |
-| `%USERPROFILE%\AppData\Roaming` | `C:\Windows\System32\config\systemprofile\AppData\Roaming` |
-
-
-## Review the list of exclusions
-
-You can retrieve the items in the exclusion list using one of the following methods:
-- [Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)
-- [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings)
-- MpCmdRun
-- PowerShell
-- [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions)
-
->[!IMPORTANT]
->Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions).
->
->Changes made in the Windows Security app **will not show** in the Group Policy lists.
-
-If you use PowerShell, you can retrieve the list in two ways:
-
-- Retrieve the status of all Microsoft Defender Antivirus preferences. Each list is displayed on separate lines, but the items within each list are combined into the same line.
-- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line.
-
-### Validate the exclusion list by using MpCmdRun
-
-To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command:
-
-```DOS
-Start, CMD (Run as admin)
-cd "%programdata%\microsoft\windows defender\platform"
-cd 4.18.1812.3 (Where 4.18.1812.3 is this month's MDAV "Platform Update".)
-MpCmdRun.exe -CheckExclusion -path
`*.wdcpalt.microsoft.com`
`*.wd.microsoft.com`|
-| Microsoft Update Service (MU)
Windows Update Service (WU)| Security intelligence and product updates |`*.update.microsoft.com`
`*.delivery.mp.microsoft.com`
`*.windowsupdate.com`
For details see [Connection endpoints for Windows Update](https://docs.microsoft.com/windows/privacy/manage-windows-1709-endpoints#windows-update)|
-|Security intelligence updates Alternate Download Location (ADL)| Alternate location for Microsoft Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| `*.download.microsoft.com` `*.download.windowsupdate.com` `https://fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx`|
-| Malware submission storage|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | `ussus1eastprod.blob.core.windows.net`
`ussus2eastprod.blob.core.windows.net`
`ussus3eastprod.blob.core.windows.net`
`ussus4eastprod.blob.core.windows.net`
`wsus1eastprod.blob.core.windows.net`
`wsus2eastprod.blob.core.windows.net`
`ussus1westprod.blob.core.windows.net`
`ussus2westprod.blob.core.windows.net`
`ussus3westprod.blob.core.windows.net`
`ussus4westprod.blob.core.windows.net`
`wsus1westprod.blob.core.windows.net`
`wsus2westprod.blob.core.windows.net`
`usseu1northprod.blob.core.windows.net`
`wseu1northprod.blob.core.windows.net`
`usseu1westprod.blob.core.windows.net`
`wseu1westprod.blob.core.windows.net`
`ussuk1southprod.blob.core.windows.net`
`wsuk1southprod.blob.core.windows.net`
`ussuk1westprod.blob.core.windows.net`
`wsuk1westprod.blob.core.windows.net` |
-| Certificate Revocation List (CRL)|Used by Windows when creating the SSL connection to MAPS for updating the CRL | `http://www.microsoft.com/pkiops/crl/`
`http://www.microsoft.com/pkiops/certs`
`http://crl.microsoft.com/pki/crl/products`
`http://www.microsoft.com/pki/certs` |
-| Symbol Store|Used by Microsoft Defender Antivirus to restore certain critical files during remediation flows | `https://msdl.microsoft.com/download/symbols` |
-| Universal Telemetry Client| Used by Windows to send client diagnostic data; Microsoft Defender Antivirus uses telemetry for product quality monitoring purposes | The update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: `vortex-win.data.microsoft.com`
`settings-win.data.microsoft.com`|
-
-## Validate connections between your network and the cloud
-
-After allowing the URLs listed above, you can test if you're connected to the Microsoft Defender Antivirus cloud service and are correctly reporting and receiving information to ensure you're fully protected.
-
-**Use the cmdline tool to validate cloud-delivered protection:**
-
-Use the following argument with the Microsoft Defender Antivirus command-line utility (`mpcmdrun.exe`) to verify that your network can communicate with the Microsoft Defender Antivirus cloud service:
-
-```console
-"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -ValidateMapsConnection
-```
-
-> [!NOTE]
-> You need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. This command will only work on Windows 10, version 1703 or higher.
-
-For more information, see [Manage Microsoft Defender Antivirus with the mpcmdrun.exe commandline tool](command-line-arguments-microsoft-defender-antivirus.md).
-
-**Attempt to download a fake malware file from Microsoft:**
-
-You can download a sample file that Microsoft Defender Antivirus will detect and block if you're properly connected to the cloud.
-
-Download the file by visiting [https://aka.ms/ioavtest](https://aka.ms/ioavtest).
-
->[!NOTE]
->This file is not an actual piece of malware. It's a fake file that is designed to test if you're properly connected to the cloud.
-
-If you're properly connected, you'll see a warning Microsoft Defender Antivirus notification.
-
-If you're using Microsoft Edge, you'll also see a notification message:
-
-
-
-A similar message occurs if you're using Internet Explorer:
-
-
-
-You'll also see a detection under **Quarantined threats** in the **Scan history** section in the Windows Security app:
-
-1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
-
-2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Scan history** label:
-
- 
-
-3. Under the **Quarantined threats** section, select **See full history** to see the detected fake malware.
-
- > [!NOTE]
- > Versions of Windows 10 before version 1703 have a different user interface. See [Microsoft Defender Antivirus in the Windows Security app](microsoft-defender-security-center-antivirus.md).
-
- The Windows event log will also show [Windows Defender client event ID 1116](troubleshoot-microsoft-defender-antivirus.md).
-
-## Related articles
-
-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
-
-- [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)
-
-- [Command line arguments](command-line-arguments-microsoft-defender-antivirus.md)
-
-- [Important changes to Microsoft Active Protection Services endpoint](https://techcommunity.microsoft.com/t5/Configuration-Manager-Archive/Important-changes-to-Microsoft-Active-Protection-Service-MAPS/ba-p/274006)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md
deleted file mode 100644
index 0b1a46fded..0000000000
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md
+++ /dev/null
@@ -1,109 +0,0 @@
----
-title: Configure Microsoft Defender Antivirus notifications
-description: Learn how to configure and customize both standard and additional Microsoft Defender Antivirus notifications on endpoints.
-keywords: notifications, defender, antivirus, endpoint, management, admin
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 09/03/2018
-ms.reviewer:
-manager: dansimp
-ms.technology: mde
----
-
-# Configure the notifications that appear on endpoints
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-
-In Windows 10, application notifications about malware detection and remediation are more robust, consistent, and concise.
-
-Notifications appear on endpoints when manually triggered and scheduled scans are completed and threats are detected. These notifications also appear in the **Notification Center**, and a summary of scans and threat detections appear at regular time intervals.
-
-You can also configure how standard notifications appear on endpoints, such as notifications for reboot or when a threat has been detected and remediated.
-
-## Configure the additional notifications that appear on endpoints
-
-You can configure the display of additional notifications, such as recent threat detection summaries, in the [Windows Security app](microsoft-defender-security-center-antivirus.md) and with Group Policy.
-
-> [!NOTE]
-> In Windows 10, version 1607 the feature was called **Enhanced notifications** and could be configured under **Windows Settings** > **Update & security** > **Windows Defender**. In Group Policy settings in all versions of Windows 10, it is called **Enhanced notifications**.
-
-> [!IMPORTANT]
-> Disabling additional notifications will not disable critical notifications, such as threat detection and remediation alerts.
-
-**Use the Windows Security app to disable additional notifications:**
-
-1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
-
-2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
-
- 
-
-3. Scroll to the **Notifications** section and click **Change notification settings**.
-
-4. Slide the switch to **Off** or **On** to disable or enable additional notifications.
-
-**Use Group Policy to disable additional notifications:**
-
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-
-2. In the **Group Policy Management Editor** go to **Computer configuration**.
-
-3. Click **Administrative templates**.
-
-4. Expand the tree to **Windows components > Microsoft Defender Antivirus > Reporting**.
-
-5. Double-click **Turn off enhanced notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing.
-
-## Configure standard notifications on endpoints
-
-You can use Group Policy to:
-
-- Display additional, customized text on endpoints when the user needs to perform an action
-- Hide all notifications on endpoints
-- Hide reboot notifications on endpoints
-
-Hiding notifications can be useful in situations where you can't hide the entire Microsoft Defender Antivirus interface. See [Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md) for more information.
-
-> [!NOTE]
-> Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [Microsoft Endpoint Manager Endpoint Protection monitoring dashboard and reports](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection).
-
-See [Customize the Windows Security app for your organization](../windows-defender-security-center/windows-defender-security-center.md) for instructions to add custom contact information to the notifications that users see on their machines.
-
-**Use Group Policy to hide notifications:**
-
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure, and click **Edit**.
-
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-
-3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Client interface**.
-
-4. Double-click **Suppress all notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing.
-
-**Use Group Policy to hide reboot notifications:**
-
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-
-2. In the **Group Policy Management Editor** go to **Computer configuration**.
-
-3. Click **Administrative templates**.
-
-4. Expand the tree to **Windows components > Microsoft Defender Antivirus > Client interface**.
-
-5. Double-click **Suppresses reboot notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing.
-
-## Related topics
-
-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
-- [Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md
deleted file mode 100644
index 94b265a644..0000000000
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md
+++ /dev/null
@@ -1,188 +0,0 @@
----
-title: Configure exclusions for files opened by specific processes
-description: You can exclude files from scans if they have been opened by a specific process.
-keywords: Microsoft Defender Antivirus, process, exclusion, files, scans
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.reviewer:
-manager: dansimp
-ms.technology: mde
----
-
-# Configure exclusions for files opened by processes
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-
-You can exclude files that have been opened by specific processes from Microsoft Defender Antivirus scans. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists.
-
-This article describes how to configure exclusion lists.
-
-## Examples of exclusions
-
-|Exclusion | Example |
-|---|---|
-|Any file on the machine that is opened by any process with a specific file name | Specifying `test.exe` would exclude files opened by:
`c:\sample\test.exe`
`d:\internal\files\test.exe` |
-|Any file on the machine that is opened by any process under a specific folder | Specifying `c:\test\sample\*` would exclude files opened by:
`c:\test\sample\test.exe`
`c:\test\sample\test2.exe`
`c:\test\sample\utility.exe` |
-|Any file on the machine that is opened by a specific process in a specific folder | Specifying `c:\test\process.exe` would exclude files only opened by `c:\test\process.exe` |
-
-
-When you add a process to the process exclusion list, Microsoft Defender Antivirus won't scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the [file exclusion list](configure-extension-file-exclusions-microsoft-defender-antivirus.md).
-
-The exclusions only apply to [always-on real-time protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md). They don't apply to scheduled or on-demand scans.
-
-Changes made with Group Policy to the exclusion lists **will show** in the lists in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Security app **will not show** in the Group Policy lists.
-
-You can add, remove, and review the lists for exclusions in Group Policy, Microsoft Endpoint Configuration Manager, Microsoft Intune, and with the Windows Security app, and you can use wildcards to further customize the lists.
-
-You can also use PowerShell cmdlets and WMI to configure the exclusion lists, including reviewing your lists.
-
-By default, local changes made to the lists (by users with administrator privileges; changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts.
-
-You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-microsoft-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings.
-
-## Configure the list of exclusions for files opened by specified processes
-
-### Use Microsoft Intune to exclude files that have been opened by specified processes from scans
-
-See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details.
-
-### Use Microsoft Endpoint Manager to exclude files that have been opened by specified processes from scans
-
-See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring Microsoft Endpoint Manager (current branch).
-
-### Use Group Policy to exclude files that have been opened by specified processes from scans
-
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-
-3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.
-
-4. Double-click **Process Exclusions** and add the exclusions:
-
- 1. Set the option to **Enabled**.
- 2. Under the **Options** section, click **Show...**.
- 3. Enter each process on its own line under the **Value name** column. See the example table for the different types of process exclusions. Enter **0** in the **Value** column for all processes.
-
-5. Click **OK**.
-
-### Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans
-
-Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a combination of three cmdlets with the `-ExclusionProcess` parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/itpro/powershell/windows/defender/defender).
-
-The format for the cmdlets is:
-
-```PowerShell
-
Replaces any number of characters | `C:\MyData\*` | Any file opened by `C:\MyData\file.exe` |
-|Environment variables
The defined variable is populated as a path when the exclusion is evaluated | `%ALLUSERSPROFILE%\CustomLogFiles\file.exe` | Any file opened by `C:\ProgramData\CustomLogFiles\file.exe` |
-
-## Review the list of exclusions
-
-You can retrieve the items in the exclusion list with MpCmdRun, PowerShell, [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/intune/device-restrictions-configure), or the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions).
-
-If you use PowerShell, you can retrieve the list in two ways:
-
-- Retrieve the status of all Microsoft Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line.
-- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line.
-
-### Validate the exclusion list by using MpCmdRun
-
-To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command:
-
-```DOS
-MpCmdRun.exe -CheckExclusion -path
`*.vhdx`
`*.avhd`
`*.avhdx`
`*.vsv`
`*.iso`
`*.rct`
`*.vmcx`
`*.vmrs` | `%ProgramData%\Microsoft\Windows\Hyper-V`
`%ProgramFiles%\Hyper-V`
`%SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots`
`%Public%\Documents\Hyper-V\Virtual Hard Disks` | `%systemroot%\System32\Vmms.exe`
`%systemroot%\System32\Vmwp.exe` |
-
-#### SYSVOL files
-
-- `%systemroot%\Sysvol\Domain\*.adm`
-- `%systemroot%\Sysvol\Domain\*.admx`
-- `%systemroot%\Sysvol\Domain\*.adml`
-- `%systemroot%\Sysvol\Domain\Registry.pol`
-- `%systemroot%\Sysvol\Domain\*.aas`
-- `%systemroot%\Sysvol\Domain\*.inf`
-- `%systemroot%\Sysvol\Domain\*Scripts.ini`
-- `%systemroot%\Sysvol\Domain\*.ins`
-- `%systemroot%\Sysvol\Domain\Oscfilter.ini`
-
-
-### Active Directory exclusions
-
-This section lists the exclusions that are delivered automatically when you install Active Directory Domain Services.
-
-#### NTDS database files
-
-The database files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File`
-
-- `%windir%\Ntds\ntds.dit`
-- `%windir%\Ntds\ntds.pat`
-
-#### The AD DS transaction log files
-
-The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path`
-
-- `%windir%\Ntds\EDB*.log`
-- `%windir%\Ntds\Res*.log`
-- `%windir%\Ntds\Edb*.jrs`
-- `%windir%\Ntds\Ntds*.pat`
-- `%windir%\Ntds\TEMP.edb`
-
-#### The NTDS working folder
-
-This folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory`
-
-- `%windir%\Ntds\Temp.edb`
-- `%windir%\Ntds\Edb.chk`
-
-#### Process exclusions for AD DS and AD DS-related support files
-
-- `%systemroot%\System32\ntfrs.exe`
-- `%systemroot%\System32\lsass.exe`
-
-### DHCP Server exclusions
-
-This section lists the exclusions that are delivered automatically when you install the DHCP Server role. The DHCP Server file locations are specified by the *DatabasePath*, *DhcpLogFilePath*, and *BackupDatabasePath* parameters in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters`
-
-- `%systemroot%\System32\DHCP\*\*.mdb`
-- `%systemroot%\System32\DHCP\*\*.pat`
-- `%systemroot%\System32\DHCP\*\*.log`
-- `%systemroot%\System32\DHCP\*\*.chk`
-- `%systemroot%\System32\DHCP\*\*.edb`
-
-### DNS Server exclusions
-
-This section lists the file and folder exclusions and the process exclusions that are delivered automatically when you install the DNS Server role.
-
-#### File and folder exclusions for the DNS Server role
-
-- `%systemroot%\System32\Dns\*\*.log`
-- `%systemroot%\System32\Dns\*\*.dns`
-- `%systemroot%\System32\Dns\*\*.scc`
-- `%systemroot%\System32\Dns\*\BOOT`
-
-#### Process exclusions for the DNS Server role
-
-- `%systemroot%\System32\dns.exe`
-
-### File and Storage Services exclusions
-
-This section lists the file and folder exclusions that are delivered automatically when you install the File and Storage Services role. The exclusions listed below do not include exclusions for the Clustering role.
-
-- `%SystemDrive%\ClusterStorage`
-- `%clusterserviceaccount%\Local Settings\Temp`
-- `%SystemDrive%\mscs`
-
-### Print Server exclusions
-
-This section lists the file type exclusions, folder exclusions, and the process exclusions that are delivered automatically when you install the Print Server role.
-
-#### File type exclusions
-
-- `*.shd`
-- `*.spl`
-
-#### Folder exclusions
-
-This folder is specified in the registry key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\DefaultSpoolDirectory`
-
-- `%system32%\spool\printers\*`
-
-#### Process exclusions
-
-- `spoolsv.exe`
-
-### Web Server exclusions
-
-This section lists the folder exclusions and the process exclusions that are delivered automatically when you install the Web Server role.
-
-#### Folder exclusions
-
-- `%SystemRoot%\IIS Temporary Compressed Files`
-- `%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files`
-- `%SystemDrive%\inetpub\temp\ASP Compiled Templates`
-- `%systemDrive%\inetpub\logs`
-- `%systemDrive%\inetpub\wwwroot`
-
-#### Process exclusions
-
-- `%SystemRoot%\system32\inetsrv\w3wp.exe`
-- `%SystemRoot%\SysWOW64\inetsrv\w3wp.exe`
-- `%SystemDrive%\PHP5433\php-cgi.exe`
-
-#### Turning off scanning of files in the Sysvol\Sysvol folder or the SYSVOL_DFSR\Sysvol folder
-
-The current location of the `Sysvol\Sysvol` or `SYSVOL_DFSR\Sysvol` folder and all the subfolders is the file system reparse target of the replica set root. The `Sysvol\Sysvol` and `SYSVOL_DFSR\Sysvol` folders use the following locations by default:
-
-- `%systemroot%\Sysvol\Domain`
-- `%systemroot%\Sysvol_DFSR\Domain`
-
-The path to the currently active `SYSVOL` is referenced by the NETLOGON share and can be determined by the SysVol value name in the following subkey: `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Netlogon\Parameters`
-
-Exclude the following files from this folder and all its subfolders:
-
-- `*.adm`
-- `*.admx`
-- `*.adml`
-- `Registry.pol`
-- `Registry.tmp`
-- `*.aas`
-- `*.inf`
-- `Scripts.ini`
-- `*.ins`
-- `Oscfilter.ini`
-
-### Windows Server Update Services exclusions
-
-This section lists the folder exclusions that are delivered automatically when you install the Windows Server Update Services (WSUS) role. The WSUS folder is specified in the registry key `HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup`
-
-- `%systemroot%\WSUS\WSUSContent`
-- `%systemroot%\WSUS\UpdateServicesDBFiles`
-- `%systemroot%\SoftwareDistribution\Datastore`
-- `%systemroot%\SoftwareDistribution\Download`
-
-## See also
-
-- [Configure and validate exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
-- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md)
-- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
-- [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md)
-- [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md
deleted file mode 100644
index 142404566a..0000000000
--- a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md
+++ /dev/null
@@ -1,40 +0,0 @@
----
-title: Run and customize scheduled and on-demand scans
-description: Customize and initiate Microsoft Defender Antivirus scans on endpoints across your network.
-keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan, Microsoft Defender Antivirus
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 09/03/2018
-ms.reviewer:
-manager: dansimp
-ms.technology: mde
----
-
-# Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-
-You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Microsoft Defender Antivirus scans.
-
-## In this section
-
-Topic | Description
----|---
-[Configure and validate file, folder, and process-opened file exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning
-[Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md) | You can configure Microsoft Defender Antivirus to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning
-[Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md) | Configure what Microsoft Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
-[Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans
-[Configure and run scans](run-scan-microsoft-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app
-[Review scan results](review-scan-results-microsoft-defender-antivirus.md) | Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
deleted file mode 100644
index 0fdf549b5e..0000000000
--- a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
+++ /dev/null
@@ -1,40 +0,0 @@
----
-title: Run and customize scheduled and on-demand scans
-description: Customize and initiate Microsoft Defender Antivirus scans on endpoints across your network.
-keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan, Microsoft Defender Antivirus
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 09/03/2018
-ms.reviewer:
-manager: dansimp
-ms.technology: mde
----
-
-# Customize, initiate, and review the results of Microsoft Defender Antivirus scans & remediation
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-
-You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Microsoft Defender Antivirus scans.
-
-## In this section
-
-| Article | Description |
-|:---|:---|
-|[Configure and validate file, folder, and process-opened file exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning |
-|[Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md) | You can configure Microsoft Defender Antivirus to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning |
-|[Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md) | Configure what Microsoft Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder |
-|[Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans |
-|[Configure and run scans](run-scan-microsoft-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app |
-|[Review scan results](review-scan-results-microsoft-defender-antivirus.md) | Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app |
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md
deleted file mode 100644
index c5543f30ef..0000000000
--- a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md
+++ /dev/null
@@ -1,88 +0,0 @@
----
-title: Deploy, manage, and report on Microsoft Defender Antivirus
-description: You can deploy and manage Microsoft Defender Antivirus with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell, or WMI
-keywords: deploy, manage, update, protection, Microsoft Defender Antivirus
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 09/03/2018
-ms.reviewer:
-manager: dansimp
-ms.technology: mde
----
-
-# Deploy, manage, and report on Microsoft Defender Antivirus
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-
-You can deploy, manage, and report on Microsoft Defender Antivirus in a number of ways.
-
-Because the Microsoft Defender Antivirus client is installed as a core part of Windows 10, traditional deployment of a client to your endpoints does not apply.
-
-However, in most cases you will still need to enable the protection service on your endpoints with Microsoft Intune, Microsoft Endpoint Configuration Manager, Azure Defender, or Group Policy Objects, which is described in the following table.
-
-You'll also see additional links for:
-
-- Managing Microsoft Defender Antivirus protection, including managing product and protection updates
-- Reporting on Microsoft Defender Antivirus protection
-
-> [!IMPORTANT]
-> In most cases, Windows 10 will disable Microsoft Defender Antivirus if it finds another antivirus product that is running and up-to-date. You must disable or uninstall third-party antivirus products before Microsoft Defender Antivirus will function. If you re-enable or install third-party antivirus products, then Windows 10 automatically disables Microsoft Defender Antivirus.
-
-Tool|Deployment options (2)|Management options (network-wide configuration and policy or baseline deployment) ([3](#fn3))|Reporting options
----|---|---|---
-Microsoft Intune|[Add endpoint protection settings in Intune](https://docs.microsoft.com/intune/endpoint-protection-configure)|[Configure device restriction settings in Intune](https://docs.microsoft.com/intune/device-restrictions-configure)| [Use the Intune console to manage devices](https://docs.microsoft.com/intune/device-management)
-Microsoft Endpoint Manager ([1](#fn1))|Use the [Endpoint Protection point site system role][] and [enable Endpoint Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][]
-Group Policy and Active Directory (domain-joined)|Use a Group Policy Object to deploy configuration changes and ensure Microsoft Defender Antivirus is enabled.|Use Group Policy Objects (GPOs) to [Configure update options for Microsoft Defender Antivirus][] and [Configure Windows Defender features][]|Endpoint reporting is not available with Group Policy. You can generate a list of [Group Policies to determine if any settings or policies are not applied][]
-PowerShell|Deploy with Group Policy, Microsoft Endpoint Configuration Manager, or manually on individual endpoints.|Use the [Set-MpPreference] and [Update-MpSignature] cmdlets available in the Defender module.|Use the appropriate [Get- cmdlets available in the Defender module][]
-Windows Management Instrumentation|Deploy with Group Policy, Microsoft Endpoint Configuration Manager, or manually on individual endpoints.|Use the [Set method of the MSFT_MpPreference class][] and the [Update method of the MSFT_MpSignature class][]|Use the [MSFT_MpComputerStatus][] class and the get method of associated classes in the [Windows Defender WMIv2 Provider][]
-Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Azure Defender*](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Microsoft Defender Antivirus events][] and add that tool as an app in AAD.
-
-1. The availability of some functions and features, especially related to cloud-delivered protection, differ between Microsoft Endpoint Manager (Current Branch) and System Center 2012 Configuration Manager. In this library, we've focused on Windows 10, Windows Server 2016, and Microsoft Endpoint Manager (Current Branch). See [Use Microsoft cloud-provided protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) for a table that describes the major differences. [(Return to table)](#ref2)
-
-2. In Windows 10, Microsoft Defender Antivirus is a component available without installation or deployment of an additional client or service. It will automatically be enabled when third-party antivirus products are either uninstalled or out of date ([except on Windows Server 2016](microsoft-defender-antivirus-on-windows-server-2016.md)). Traditional deployment therefore is not required. Deployment here refers to ensuring the Microsoft Defender Antivirus component is available and enabled on endpoints or servers. [(Return to table)](#ref2)
-
-3. Configuration of features and protection, including configuring product and protection updates, are further described in the [Configure Microsoft Defender Antivirus features](configure-notifications-microsoft-defender-antivirus.md) section in this library. [(Return to table)](#ref2)
-
-[Endpoint Protection point site system role]: https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-protection-site-role
-[default and customized antimalware policies]: https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies
-[client management]: https://docs.microsoft.com/configmgr/core/clients/manage/manage-clients
-[enable Endpoint Protection with custom client settings]: https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-protection-configure-client
-[Configuration Manager Monitoring workspace]: https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection
-[email alerts]: https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-configure-alerts
-[Deploy the Microsoft Intune client to endpoints]: https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune
-[custom Intune policy]: https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#configure-microsoft-intune-endpoint-protection
- [custom Intune policy]: https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#configure-microsoft-intune-endpoint-protection
-[manage tasks]: https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#choose-management-tasks-for-endpoint-protection
-[Monitor endpoint protection in the Microsoft Intune administration console]: https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#monitor-endpoint-protection
-[Set method of the MSFT_MpPreference class]: https://msdn.microsoft.com/library/dn439474
-[Update method of the MSFT_MpSignature class]: https://msdn.microsoft.com/library/dn439474
-[MSFT_MpComputerStatus]: https://msdn.microsoft.com/library/dn455321
-[Windows Defender WMIv2 Provider]: https://msdn.microsoft.com/library/dn439477
-[Set-MpPreference]: https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference.md
-[Update-MpSignature]: https://technet.microsoft.com/itpro/powershell/windows/defender/update-mpsignature
-[Get- cmdlets available in the Defender module]: https://technet.microsoft.com/itpro/powershell/windows/defender/index
-[Configure update options for Microsoft Defender Antivirus]: manage-updates-baselines-microsoft-defender-antivirus.md
-[Configure Windows Defender features]: configure-microsoft-defender-antivirus-features.md
-[Group Policies to determine if any settings or policies are not applied]: https://technet.microsoft.com/library/cc771389.aspx
-[Possibly infected devices]: https://docs.microsoft.com/azure/active-directory/active-directory-reporting-sign-ins-from-possibly-infected-devices
-[Microsoft Defender Antivirus events]: troubleshoot-microsoft-defender-antivirus.md
-
-## In this section
-
-Topic | Description
----|---
-[Deploy and enable Microsoft Defender Antivirus protection](deploy-microsoft-defender-antivirus.md) | While the client is installed as a core part of Windows 10, and traditional deployment does not apply, you will still need to enable the client on your endpoints with Microsoft Endpoint Configuration Manager, Microsoft Intune, or Group Policy Objects.
-[Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md) | There are two parts to updating Microsoft Defender Antivirus: updating the client on endpoints (product updates), and updating Security intelligence (protection updates). You can update Security intelligence in a number of ways, using Microsoft Endpoint Configuration Manager, Group Policy, PowerShell, and WMI.
-[Monitor and report on Microsoft Defender Antivirus protection](report-monitor-microsoft-defender-antivirus.md) | You can use Microsoft Intune, Microsoft Endpoint Configuration Manager, the Update Compliance add-in for Microsoft Operations Management Suite, or a third-party SIEM product (by consuming Windows event logs) to monitor protection status and create reports about endpoint protection.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md
deleted file mode 100644
index 38beb9a21f..0000000000
--- a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md
+++ /dev/null
@@ -1,41 +0,0 @@
----
-title: Deploy and enable Microsoft Defender Antivirus
-description: Deploy Microsoft Defender Antivirus for protection of your endpoints with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or WMI.
-keywords: deploy, enable, Microsoft Defender Antivirus
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 01/06/2021
-ms.reviewer:
-manager: dansimp
-ms.technology: mde
----
-
-# Deploy and enable Microsoft Defender Antivirus
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-
-Depending on the management tool you are using, you may need to specifically enable or configure Microsoft Defender Antivirus protection.
-
-See the table in [Deploy, manage, and report on Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md#ref2) for instructions on how to enable protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, Active Directory, Microsoft Azure, PowerShell cmdlets, and Windows Management Instruction (WMI).
-
-Some scenarios require more guidance on how to successfully deploy or configure Microsoft Defender Antivirus protection, such as Virtual Desktop Infrastructure (VDI) environments.
-
-The remaining article in this section provides end-to-end advice and best practices for [setting up Microsoft Defender Antivirus on virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment](deployment-vdi-microsoft-defender-antivirus.md).
-
-## Related articles
-
-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
-- [Deploy, manage updates, and report on Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)
-- [Deployment guide for Microsoft Defender Antivirus in a virtual desktop infrastructure (VDI) environment](deployment-vdi-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md
deleted file mode 100644
index 3f58a55cf2..0000000000
--- a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md
+++ /dev/null
@@ -1,238 +0,0 @@
----
-title: Microsoft Defender Antivirus Virtual Desktop Infrastructure deployment guide
-description: Learn how to deploy Microsoft Defender Antivirus in a virtual desktop environment for the best balance between protection and performance.
-keywords: vdi, hyper-v, vm, virtual machine, windows defender, antivirus, av, virtual desktop, rds, remote desktop
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 12/28/2020
-ms.reviewer: jesquive
-manager: dansimp
-ms.technology: mde
----
-
-# Deployment guide for Microsoft Defender Antivirus in a virtual desktop infrastructure (VDI) environment
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-
-In addition to standard on-premises or hardware configurations, you can also use Microsoft Defender Antivirus in a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment.
-
-See [Windows Virtual Desktop Documentation](https://docs.microsoft.com/azure/virtual-desktop) for more details on Microsoft Remote Desktop Services and VDI support.
-
-For Azure-based virtual machines, see [Install Endpoint Protection in Azure Defender](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection).
-
-With the ability to easily deploy updates to VMs running in VDIs, we've shortened this guide to focus on how you can get updates on your machines quickly and easily. You no longer need to create and seal golden images on a periodic basis, as updates are expanded into their component bits on the host server and then downloaded directly to the VM when it's turned on.
-
-This guide describes how to configure your VMs for optimal protection and performance, including how to:
-
-- [Set up a dedicated VDI file share for security intelligence updates](#set-up-a-dedicated-vdi-file-share)
-- [Randomize scheduled scans](#randomize-scheduled-scans)
-- [Use quick scans](#use-quick-scans)
-- [Prevent notifications](#prevent-notifications)
-- [Disable scans from occurring after every update](#disable-scans-after-an-update)
-- [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline)
-- [Apply exclusions](#exclusions)
-
-You can also download the whitepaper [Microsoft Defender Antivirus on Virtual Desktop Infrastructure](https://demo.wd.microsoft.com/Content/wdav-testing-vdi-ssu.pdf), which looks at the new shared security intelligence update feature, alongside performance testing and guidance on how you can test antivirus performance on your own VDI.
-
-> [!IMPORTANT]
-> Although the VDI can be hosted on Windows Server 2012 or Windows Server 2016, the virtual machines (VMs) should be running Windows 10, 1607 at a minimum, due to increased protection technologies and features that are unavailable in earlier versions of Windows.
There are performance and feature improvements to the way in which Microsoft Defender AV operates on virtual machines in Windows 10 Insider Preview, build 18323 (and later). We'll identify in this guide if you need to be using an Insider Preview build; if it isn't specified, then the minimum required version for the best protection and performance is Windows 10 1607.
-
-## Set up a dedicated VDI file share
-
-In Windows 10, version 1903, we introduced the shared security intelligence feature, which offloads the unpackaging of downloaded security intelligence updates onto a host machine—thus saving previous CPU, disk, and memory resources on individual machines. This feature has been backported and now works in Windows 10 version 1703 and above. You can set this feature with a Group Policy, or PowerShell.
-
-### Use Group Policy to enable the shared security intelligence feature:
-
-1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy Object you want to configure, and then click **Edit**.
-
-2. In the **Group Policy Management Editor** go to **Computer configuration**.
-
-3. Click **Administrative templates**.
-
-4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates**.
-
-5. Double-click **Define security intelligence location for VDI clients**, and then set the option to **Enabled**. A field automatically appears.
-
-6. Enter `\\
Download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-microsoft-defender-antivirus.md). This option should generally be used only as a final fallback source, and not the primary source. It will only be used if updates cannot be downloaded from Windows Server Update Service or Microsoft Update for [a specified number of days](https://docs.microsoft.com/windows/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).|
-
-You can manage the order in which update sources are used with Group Policy, Microsoft Endpoint Configuration Manager, PowerShell cmdlets, and WMI.
-
-> [!IMPORTANT]
-> If you set Windows Server Update Service as a download location, you must approve the updates, regardless of the management tool you use to specify the location. You can set up an automatic approval rule with Windows Server Update Service, which might be useful as updates arrive at least once a day. To learn more, see [synchronize endpoint protection updates in standalone Windows Server Update Service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus).
-
-The procedures in this article first describe how to set the order, and then how to set up the **File share** option if you have enabled it.
-
-## Use Group Policy to manage the update location
-
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-
-2. In the **Group Policy Management Editor** go to **Computer configuration**.
-
-3. Click **Policies** then **Administrative templates**.
-
-4. Expand the tree to **Windows components > Windows Defender > Signature updates** and configure the following settings:
-
- 1. Double-click the **Define the order of sources for downloading security intelligence updates** setting and set the option to **Enabled**.
-
- 2. Enter the order of sources, separated by a single pipe, for example: `InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC`, as shown in the following screenshot.
-
- 
-
- 3. Click **OK**. This will set the order of protection update sources.
-
- 4. Double-click the **Define file shares for downloading security intelligence updates** setting and set the option to **Enabled**.
-
- 5. Enter the file share source. If you have multiple sources, enter each source in the order they should be used, separated by a single pipe. Use [standard UNC notation](https://docs.microsoft.com/openspecs/windows_protocols/ms-dtyp/62e862f4-2a51-452e-8eeb-dc4ff5ee33cc) for denoting the path, for example: `\\host-name1\share-name\object-name|\\host-name2\share-name\object-name`. If you do not enter any paths, then this source will be skipped when the VM downloads updates.
-
- 6. Click **OK**. This will set the order of file shares when that source is referenced in the **Define the order of sources...** group policy setting.
-
-> [!NOTE]
-> For Windows 10, versions 1703 up to and including 1809, the policy path is **Windows Components > Microsoft Defender Antivirus > Signature Updates**
-> For Windows 10, version 1903, the policy path is **Windows Components > Microsoft Defender Antivirus > Security Intelligence Updates**
-
-## Use Configuration Manager to manage the update location
-
-See [Configure Security intelligence Updates for Endpoint Protection](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-definition-updates) for details on configuring Microsoft Endpoint Manager (current branch).
-
-
-## Use PowerShell cmdlets to manage the update location
-
-Use the following PowerShell cmdlets to set the update order.
-
-```PowerShell
-Set-MpPreference -SignatureFallbackOrder {LOCATION|LOCATION|LOCATION|LOCATION}
-Set-MpPreference -SignatureDefinitionUpdateFileSharesSource {\\UNC SHARE PATH|\\UNC SHARE PATH}
-```
-See the following articles for more information:
-- [Set-MpPreference -SignatureFallbackOrder](https://docs.microsoft.com/powershell/module/defender/set-mppreference)
-- [Set-MpPreference -SignatureDefinitionUpdateFileSharesSource](https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference#-signaturedefinitionupdatefilesharessources)
-- [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md)
-- [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index)
-
-## Use Windows Management Instruction (WMI) to manage the update location
-
-Use the [**Set** method of the **MSFT_MpPreference**](https://docs.microsoft.com/previous-versions/windows/desktop/legacy/dn455323(v=vs.85)) class for the following properties:
-
-```WMI
-SignatureFallbackOrder
-SignatureDefinitionUpdateFileSharesSource
-```
-
-See the following articles for more information:
-- [Windows Defender WMIv2 APIs](https://docs.microsoft.com/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal)
-
-## Use Mobile Device Management (MDM) to manage the update location
-
-See [Policy CSP - Defender/SignatureUpdateFallbackOrder](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-signatureupdatefallbackorder) for details on configuring MDM.
-
-## What if we're using a third-party vendor?
-
-This article describes how to configure and manage updates for Microsoft Defender Antivirus. However, third-party vendors can be used to perform these tasks.
-
-For example, suppose that Contoso has hired Fabrikam to manage their security solution, which includes Microsoft Defender Antivirus. Fabrikam typically uses [Windows Management Instrumentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus), [PowerShell cmdlets](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus), or [Windows command-line](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus) to deploy patches and updates.
-
-> [!NOTE]
-> Microsoft does not test third-party solutions for managing Microsoft Defender Antivirus.
-
-
-## Create a UNC share for security intelligence updates
-
-Set up a network file share (UNC/mapped drive) to download security intelligence updates from the MMPC site by using a scheduled task.
-
-1. On the system on which you want to provision the share and download the updates, create a folder to which you will save the script.
- ```DOS
- Start, CMD (Run as admin)
- MD C:\Tool\PS-Scripts\
- ```
-
-2. Create the folder to which you will save the signature updates.
- ```DOS
- MD C:\Temp\TempSigs\x64
- MD C:\Temp\TempSigs\x86
- ```
-
-3. Download the PowerShell script from [www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4).
-
-4. Click **Manual Download**.
-
-5. Click **Download the raw nupkg file**.
-
-6. Extract the file.
-
-7. Copy the file SignatureDownloadCustomTask.ps1 to the folder you previously created, C:\Tool\PS-Scripts\ .
-
-8. Use the command line to set up the scheduled task.
- > [!NOTE]
- > There are two types of updates: full and delta.
- - For x64 delta:
-
- ```DOS
- Powershell (Run as admin)
-
- C:\Tool\PS-Scripts\
-
- “.\SignatureDownloadCustomTask.ps1 -action create -arch x64 -isDelta $true -destDir C:\Temp\TempSigs\x64 -scriptPath C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1 -daysInterval 1”
- ```
-
- - For x64 full:
-
- ```DOS
- Powershell (Run as admin)
-
- C:\Tool\PS-Scripts\
-
- “.\SignatureDownloadCustomTask.ps1 -action create -arch x64 -isDelta $false -destDir C:\Temp\TempSigs\x64 -scriptPath C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1 -daysInterval 1”
- ```
-
- - For x86 delta:
-
- ```DOS
- Powershell (Run as admin)
-
- C:\Tool\PS-Scripts\
-
- “.\SignatureDownloadCustomTask.ps1 -action create -arch x86 -isDelta $true -destDir C:\Temp\TempSigs\x86 -scriptPath C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1 -daysInterval 1”
- ```
-
- - For x86 full:
-
- ```DOS
- Powershell (Run as admin)
-
- C:\Tool\PS-Scripts\
-
- “.\SignatureDownloadCustomTask.ps1 -action create -arch x86 -isDelta $false -destDir C:\Temp\TempSigs\x86 -scriptPath C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1 -daysInterval 1”
- ```
-
- > [!NOTE]
- > When the scheduled tasks are created, you can find these in the Task Scheduler under Microsoft\Windows\Windows Defender
-9. Run each task manually and verify that you have data (mpam-d.exe, mpam-fe.exe, and nis_full.exe) in the following folders (you might have chosen different locations):
-
- - C:\Temp\TempSigs\x86
- - C:\Temp\TempSigs\x64
-
- If the scheduled task fails, run the following commands:
-
- ```DOS
- C:\windows\system32\windowspowershell\v1.0\powershell.exe -NoProfile -executionpolicy allsigned -command “&\”C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1\” -action run -arch x64 -isDelta $False -destDir C:\Temp\TempSigs\x64″
-
- C:\windows\system32\windowspowershell\v1.0\powershell.exe -NoProfile -executionpolicy allsigned -command “&\”C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1\” -action run -arch x64 -isDelta $True -destDir C:\Temp\TempSigs\x64″
-
- C:\windows\system32\windowspowershell\v1.0\powershell.exe -NoProfile -executionpolicy allsigned -command “&\”C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1\” -action run -arch x86 -isDelta $False -destDir C:\Temp\TempSigs\x86″
-
- C:\windows\system32\windowspowershell\v1.0\powershell.exe -NoProfile -executionpolicy allsigned -command “&\”C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1\” -action run -arch x86 -isDelta $True -destDir C:\Temp\TempSigs\x86″
- ```
- > [!NOTE]
- > Issues could also be due to execution policy.
-
-10. Create a share pointing to C:\Temp\TempSigs (e.g. \\server\updates).
- > [!NOTE]
- > At a minimum, authenticated users must have “Read” access.
-11. Set the share location in the policy to the share.
-
- > [!NOTE]
- > Do not add the x64 (or x86) folder in the path. The mpcmdrun.exe process adds it automatically.
-
-## Related articles
-
-- [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)
-- [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md)
-- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
-- [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md)
-- [Manage updates for mobile devices and VMs](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)
-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
-
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
deleted file mode 100644
index 4fd8f01ece..0000000000
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
+++ /dev/null
@@ -1,536 +0,0 @@
----
-title: Manage Microsoft Defender Antivirus updates and apply baselines
-description: Manage how Microsoft Defender Antivirus receives protection and product updates.
-keywords: updates, security baselines, protection, schedule updates, force updates, mobile updates, wsus
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.reviewer: pahuijbr
-manager: dansimp
-ms.date: 03/19/2021
-ms.technology: mde
----
-
-# Manage Microsoft Defender Antivirus updates and apply baselines
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-
-There are two types of updates related to keeping Microsoft Defender Antivirus up to date:
-
-- Security intelligence updates
-- Product updates
-
-> [!IMPORTANT]
-> Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques.
-> Make sure to update your antivirus protection even if Microsoft Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
->
-> To see the most current engine, platform, and signature date, visit the [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/en-us/wdsi/defenderupdates).
-
-## Security intelligence updates
-
-Microsoft Defender Antivirus uses [cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloads security intelligence updates to provide protection.
-
-> [!NOTE]
-> Updates are released under the below KB numbers:
-> Microsoft Defender Antivirus: KB2267602
-> System Center Endpoint Protection: KB2461484
-
-Cloud-delivered protection is always on and requires an active connection to the Internet to function. Security intelligence updates occur on a scheduled cadence (configurable via policy). For more information, see [Use Microsoft cloud-provided protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md).
-
-For a list of recent security intelligence updates, see [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/en-us/wdsi/defenderupdates).
-
-Engine updates are included with security intelligence updates and are released on a monthly cadence.
-
-## Product updates
-
-Microsoft Defender Antivirus requires [monthly updates (KB4052623)](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) (known as *platform updates*), and will receive major feature updates alongside Windows 10 releases.
-
-You can manage the distribution of updates through one of the following methods:
-
-- [Windows Server Update Service (WSUS)](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus)
-- [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/sum/understand/software-updates-introduction)
-- The usual method you use to deploy Microsoft and Windows updates to endpoints in your network.
-
-For more information, see [Manage the sources for Microsoft Defender Antivirus protection updates](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus).
-
-> [!NOTE]
-> Monthly updates are released in phases, resulting in multiple packages visible in your [Window Server Update Services](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus).
-
-## Monthly platform and engine versions
-
-For information how to update or install the platform update, see [Update for Windows Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform).
-
-All our updates contain
-- performance improvements;
-- serviceability improvements; and
-- integration improvements (Cloud, Microsoft 365 Defender).
-
-
- February-2021 (Platform: 4.18.2102.3 | Engine: 1.1.17900.7)
-
- Security intelligence update version: **1.333.7.0**
- Released: **March 9, 2021**
- Platform: **4.19.2102.3**
- Engine: **1.1.17900.7**
- Support phase: **Security and Critical Updates**
-
-### What's new
-
-- Improved service recovery through [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md)
-- Extend tamper protection scope
-
-### Known Issues
-No known issues
-
- January-2021 (Platform: 4.18.2101.9 | Engine: 1.1.17800.5)
-
- Security intelligence update version: **1.327.1854.0**
- Released: **February 2, 2021**
- Platform: **4.18.2101.9**
- Engine: **1.1.17800.5**
- Support phase: **Security and Critical Updates**
-
-### What's new
-
-- Additional failed tampering attempt event generation when [Tamper Protection](prevent-changes-to-security-settings-with-tamper-protection.md) is enabled
-- Shellcode exploit detection improvements
-- Increased visibility for credential stealing attempts
-- Improvements in antitampering features in Microsoft Defender Antivirus services
-- Improved support for ARM x64 emulation
-- Fix: EDR Block notification remains in threat history after real-time protection performed initial detection
-
-### Known Issues
-No known issues
-
- November-2020 (Platform: 4.18.2011.6 | Engine: 1.1.17700.4)
-
- Security intelligence update version: **1.327.1854.0**
- Released: **December 03, 2020**
- Platform: **4.18.2011.6**
- Engine: **1.1.17700.4**
- Support phase: **Security and Critical Updates**
-
-### What's new
-
-- Improved [SmartScreen](../microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md) status support logging
-
-### Known Issues
-No known issues
-
-
- October-2020 (Platform: 4.18.2010.7 | Engine: 1.1.17600.5)
-
- Security intelligence update version: **1.327.7.0**
- Released: **October 29, 2020**
- Platform: **4.18.2010.7**
- Engine: **1.1.17600.5**
- Support phase: **Security and Critical Updates**
-
-### What's new
-
-- New descriptions for special threat categories
-- Improved emulation capabilities
-- Improved host address allow/block capabilities
-- New option in Defender CSP to Ignore merging of local user exclusions
-
-### Known Issues
-
-No known issues
-
- September-2020 (Platform: 4.18.2009.7 | Engine: 1.1.17500.4)
-
- Security intelligence update version: **1.325.10.0**
- Released: **October 01, 2020**
- Platform: **4.18.2009.7**
- Engine: **1.1.17500.4**
- Support phase: **Technical upgrade support (only)**
-
-### What's new
-
-- Admin permissions are required to restore files in quarantine
-- XML formatted events are now supported
-- CSP support for ignoring exclusion merges
-- New management interfaces for:
- - UDP Inspection
- - Network Protection on Server 2019
- - IP Address exclusions for Network Protection
-- Improved visibility into TPM measurements
-- Improved Office VBA module scanning
-
-### Known Issues
-
-No known issues
-
- August-2020 (Platform: 4.18.2008.9 | Engine: 1.1.17400.5)
-
- Security intelligence update version: **1.323.9.0**
- Released: **August 27, 2020**
- Platform: **4.18.2008.9**
- Engine: **1.1.17400.5**
- Support phase: **Technical upgrade support (only)**
-
-### What's new
-
-- Add more telemetry events
-- Improved scan event telemetry
-- Improved behavior monitoring for memory scans
-- Improved macro streams scanning
-- Added `AMRunningMode` to Get-MpComputerStatus PowerShell cmdlet
-- [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) is ignored. Microsoft Defender Antivirus automatically turns itself off when it detects another antivirus program.
-
-
-### Known Issues
-No known issues
-
- July-2020 (Platform: 4.18.2007.8 | Engine: 1.1.17300.4)
-
- Security intelligence update version: **1.321.30.0**
- Released: **July 28, 2020**
- Platform: **4.18.2007.8**
- Engine: **1.1.17300.4**
- Support phase: **Technical upgrade support (only)**
-
-### What's new
-
-- Improved telemetry for BITS
-- Improved Authenticode code signing certificate validation
-
-### Known Issues
-No known issues
-
- June-2020 (Platform: 4.18.2006.10 | Engine: 1.1.17200.2)
-
- Security intelligence update version: **1.319.20.0**
- Released: **June 22, 2020**
- Platform: **4.18.2006.10**
- Engine: **1.1.17200.2**
- Support phase: **Technical upgrade support (only)**
-
-### What's new
-
-- Possibility to specify the [location of the support logs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data)
-- Skipping aggressive catchup scan in Passive mode.
-- Allow Defender to update on metered connections
-- Fixed performance tuning when caching is disabled
-- Fixed registry query
-- Fixed scantime randomization in ADMX
-
-### Known Issues
-No known issues
-
- May-2020 (Platform: 4.18.2005.4 | Engine: 1.1.17100.2)
-
- Security intelligence update version: **1.317.20.0**
- Released: **May 26, 2020**
- Platform: **4.18.2005.4**
- Engine: **1.1.17100.2**
- Support phase: **Technical upgrade support (only)**
-
-### What's new
-
-- Improved logging for scan events
-- Improved user mode crash handling.
-- Added event tracing for Tamper protection
-- Fixed AMSI Sample submission
-- Fixed AMSI Cloud blocking
-- Fixed Security update install log
-
-### Known Issues
-No known issues
-
- April-2020 (Platform: 4.18.2004.6 | Engine: 1.1.17000.2)
-
- Security intelligence update version: **1.315.12.0**
- Released: **April 30, 2020**
- Platform: **4.18.2004.6**
- Engine: **1.1.17000.2**
- Support phase: **Technical upgrade support (only)**
-
-### What's new
-- WDfilter improvements
-- Add more actionable event data to attack surface reduction detection events
-- Fixed version information in diagnostic data and WMI
-- Fixed incorrect platform version in UI after platform update
-- Dynamic URL intel for Fileless threat protection
-- UEFI scan capability
-- Extend logging for updates
-
-### Known Issues
-No known issues
-
- March-2020 (Platform: 4.18.2003.8 | Engine: 1.1.16900.2)
-
- Security intelligence update version: **1.313.8.0**
- Released: **March 24, 2020**
- Platform: **4.18.2003.8**
- Engine: **1.1.16900.4**
- Support phase: **Technical upgrade support (only)**
-
-### What's new
-
-- CPU Throttling option added to [MpCmdRun](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus)
-- Improve diagnostic capability
-- reduce Security intelligence timeout (5 min)
-- Extend AMSI engine internal log capability
-- Improve notification for process blocking
-
-### Known Issues
-[**Fixed**] Microsoft Defender Antivirus is skipping files when running a scan.
-
-
- February-2020 (Platform: - | Engine: 1.1.16800.2)
-
-
- Security intelligence update version: **1.311.4.0**
- Released: **February 25, 2020**
- Platform/Client: **-**
- Engine: **1.1.16800.2**
- Support phase: **Technical upgrade support (only)**
-
-### What's new
-
-
-### Known Issues
-No known issues
-
- January-2020 (Platform: 4.18.2001.10 | Engine: 1.1.16700.2)
-
-
-Security intelligence update version: **1.309.32.0**
-Released: **January 30, 2020**
-Platform/Client: **4.18.2001.10**
-Engine: **1.1.16700.2**
- Support phase: **Technical upgrade support (only)**
-
-### What's new
-
-- Fixed BSOD on WS2016 with Exchange
-- Support platform updates when TMP is redirected to network path
-- Platform and engine versions are added to [WDSI](https://www.microsoft.com/en-us/wdsi/defenderupdates)
-- extend Emergency signature update to [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility)
-- Fix 4.18.1911.3 hang
-
-### Known Issues
-
-[**Fixed**] devices utilizing [modern standby mode](https://docs.microsoft.com/windows-hardware/design/device-experiences/modern-standby) may experience a hang with the Windows Defender filter driver that results in a gap of protection. Affected machines appear to the customer as having not updated to the latest antimalware platform.
-
-> [!IMPORTANT]
-> This update is:
-> - needed by RS1 devices running lower version of the platform to support SHA2;
-> - has a reboot flag for systems that have hanging issues;
-> - is re-released in April 2020 and will not be superseded by newer updates to keep future availability;
-> - is categorized as an update due to the reboot requirement; and
-> - is only be offered with [Windows Update](https://support.microsoft.com/help/4027667/windows-10-update).
-
- November-2019 (Platform: 4.18.1911.3 | Engine: 1.1.16600.7)
-
-Security intelligence update version: **1.307.13.0**
-Released: **December 7, 2019**
-Platform: **4.18.1911.3**
-Engine: **1.1.17000.7**
-Support phase: **No support**
-
-### What's new
-
-- Fixed MpCmdRun tracing level
-- Fixed WDFilter version info
-- Improve notifications (PUA)
-- add MRT logs to support files
-
-### Known Issues
-When this update is installed, the device needs the jump package 4.10.2001.10 to be able to update to the latest platform version.
-
-1.1.2103.01
-
- Package version: **1.1.2103.01**
- Platform version: **4.18.2101.9**
- Engine version: **1.17800.5**
- Signature version: **1.331.2302.0**
-
-### Fixes
-- None
-
-### Additional information
-- None
-
-1.1.2102.03
-
- Package version: **1.1.2102.03**
- Platform version: **4.18.2011.6**
- Engine version: **1.17800.5**
- Signature version: **1.331.174.0**
-
-### Fixes
-- None
-
-### Additional information
-- None
-
-1.1.2101.02
-
- Package version: **1.1.2101.02**
- Platform version: **4.18.2011.6**
- Engine version: **1.17700.4**
- Signature version: **1.329.1796.0**
-
-### Fixes
-- None
-
-### Additional information
-- None
-
-1.1.2012.01
-
- Package version: **1.1.2012.01**
- Platform version: **4.18.2010.7**
- Engine version: **1.17600.5**
- Signature version: **1.327.1991.0**
-
-### Fixes
-- None
-
-### Additional information
-- None
-
-1.1.2011.02
-
- Package version: **1.1.2011.02**
- Platform version: **4.18.2010.7**
- Engine version: **1.17600.5**
- Signature version: **1.327.658.0**
-
-### Fixes
-- None
-
-### Additional information
-- Refreshed Microsoft Defender Antivirus signatures
-
-1.1.2011.01
-
- Package version: **1.1.2011.01**
- Platform version: **4.18.2009.7**
- Engine version: **1.17600.5**
- Signature version: **1.327.344.0**
-
-### Fixes
-- None
-
-### Additional information
-- None
-
-1.1.2009.10
-
- Package version: **1.1.2011.01**
- Platform version: **4.18.2008.9**
- Engine version: **1.17400.5**
- Signature version: **1.327.2216.0**
-
-### Fixes
-- None
-
-### Additional information
-- Added support for Windows 10 RS1 or later OS install images.
-
-
- **Download updates but let me choose whether to install them** allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed. |
-|**Group Policy** | You can set up and manage Windows Update by using the settings available in Group Policy, in the following path: **Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates** |
-|The **AUOptions** registry key |The following two values allow Windows Update to automatically download and install Security intelligence updates:
- **4** - **Install updates automatically**. This value results in all updates being automatically installed, including Windows Defender Security intelligence updates.
- **3** - **Download updates but let me choose whether to install them**. This value allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed. |
-
-To ensure that protection from malware is maintained, we recommend that you enable the following services:
-
-- Windows Error Reporting service
-
-- Windows Update service
-
-The following table lists the services for Microsoft Defender Antivirus and the dependent services.
-
-|Service Name|File Location|Description|
-|--------|---------|--------|
-|Windows Defender Service (WinDefend)|`C:\Program Files\Windows Defender\MsMpEng.exe`|This is the main Microsoft Defender Antivirus service that needs to be running at all times.|
-|Windows Error Reporting Service (Wersvc)|`C:\WINDOWS\System32\svchost.exe -k WerSvcGroup`|This service sends error reports back to Microsoft.|
-|Windows Defender Firewall (MpsSvc)|`C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork`|We recommend leaving the Windows Defender Firewall service enabled.|
-|Windows Update (Wuauserv)|`C:\WINDOWS\system32\svchost.exe -k netsvcs`|Windows Update is needed to get Security intelligence updates and antimalware engine updates|
-
-## Submit samples
-
-Sample submission allows Microsoft to collect samples of potentially malicious software. To help provide continued and up-to-date protection, Microsoft researchers use these samples to analyze suspicious activities and produce updated antimalware Security intelligence. We collect program executable files, such as .exe files and .dll files. We do not collect files that contain personal data, like Microsoft Word documents and PDF files.
-
-### Submit a file
-
-1. Review the [submission guide](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide).
-
-2. Visit the [sample submission portal](https://www.microsoft.com/wdsi/filesubmission), and submit your file.
-
-
-### Enable automatic sample submission
-
-To enable automatic sample submission, start a Windows PowerShell console as an administrator, and set the **SubmitSamplesConsent** value data according to one of the following settings:
-
-|Setting |Description |
-|---------|---------|
-|**0** - **Always prompt** |The Microsoft Defender Antivirus service prompts you to confirm submission of all required files. This is the default setting for Microsoft Defender Antivirus, but is not recommended for installations on Windows Server 2016 or 2019 without a GUI. |
-|**1** - **Send safe samples automatically** |The Microsoft Defender Antivirus service sends all files marked as "safe" and prompts for the remainder of the files. |
-|**2** - **Never send** |The Microsoft Defender Antivirus service does not prompt and does not send any files. |
-|**3** - **Send all samples automatically** |The Microsoft Defender Antivirus service sends all files without a prompt for confirmation. |
-
-## Configure automatic exclusions
-
-To help ensure security and performance, certain exclusions are automatically added based on the roles and features you install when using Microsoft Defender Antivirus on Windows Server 2016 or 2019.
-
-See [Configure exclusions in Microsoft Defender Antivirus on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md).
-
-## Need to set Microsoft Defender Antivirus to passive mode?
-
-If you are using a non-Microsoft antivirus product as your primary antivirus solution, set Microsoft Defender Antivirus to passive mode.
-
-### Set Microsoft Defender Antivirus to passive mode using a registry key
-
-If you are using Windows Server, version 1803 or Windows Server 2019, you can set Microsoft Defender Antivirus to passive mode by setting the following registry key:
-- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
-- Name: `ForcePassiveMode`
-- Type: `REG_DWORD`
-- Value: `1`
-
-### Disable Microsoft Defender Antivirus using the Remove Roles and Features wizard
-
-1. See [Install or Uninstall Roles, Role Services, or Features](https://docs.microsoft.com/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#remove-roles-role-services-and-features-by-using-the-remove-roles-and-features-wizard), and use the **Remove Roles and Features Wizard**.
-
-2. When you get to the **Features** step of the wizard, clear the **Windows Defender Features** option.
-
- If you clear **Windows Defender** by itself under the **Windows Defender Features** section, you will be prompted to remove the interface option **GUI for Windows Defender**.
-
- Microsoft Defender Antivirus will still run normally without the user interface, but the user interface cannot be enabled if you disable the core **Windows Defender** feature.
-
-### Turn off the Microsoft Defender Antivirus user interface using PowerShell
-
-To turn off the Microsoft Defender Antivirus GUI, use the following PowerShell cmdlet:
-
-```PowerShell
-Uninstall-WindowsFeature -Name Windows-Defender-GUI
-```
-
-### Are you using Windows Server 2016?
-
-If you are using Windows Server 2016 and a third-party antimalware/antivirus product that is not offered or developed by Microsoft, you'll need to disable/uninstall Microsoft Defender Antivirus.
-
-> [!NOTE]
-> You can't uninstall the Windows Security app, but you can disable the interface with these instructions.
-
-The following PowerShell cmdlet uninstalls Microsoft Defender Antivirus on Windows Server 2016:
-
-```PowerShell
-Uninstall-WindowsFeature -Name Windows-Defender
-```
-
-## See also
-
-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
-- [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md)
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md
deleted file mode 100644
index a63d9f70b3..0000000000
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md
+++ /dev/null
@@ -1,140 +0,0 @@
----
-title: Microsoft Defender Offline in Windows 10
-description: You can use Microsoft Defender Offline straight from the Windows Defender Antivirus app. You can also manage how it is deployed in your network.
-keywords: scan, defender, offline
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.reviewer:
-manager: dansimp
-ms.technology: mde
----
-
-# Run and review the results of a Microsoft Defender Offline scan
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-
-Microsoft Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR).
-
-You can use Microsoft Defender Offline if you suspect a malware infection, or you want to confirm a thorough clean of the endpoint after a malware outbreak.
-
-In Windows 10, Microsoft Defender Offline can be run with one click directly from the [Windows Security app](microsoft-defender-security-center-antivirus.md). In previous versions of Windows, a user had to install Microsoft Defender Offline to bootable media, restart the endpoint, and load the bootable media.
-
-## prerequisites and requirements
-
-Microsoft Defender Offline in Windows 10 has the same hardware requirements as Windows 10.
-
-For more information about Windows 10 requirements, see the following topics:
-
-- [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx)
-
-- [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049(v=vs.85).aspx)
-
-> [!NOTE]
-> Microsoft Defender Offline is not supported on machines with ARM processors, or on Windows Server Stock Keeping Units.
-
-To run Microsoft Defender Offline from the endpoint, the user must be logged in with administrator privileges.
-
-## Microsoft Defender Offline updates
-
-Microsoft Defender Offline uses the most recent protection updates available on the endpoint; it's updated whenever Windows Defender Antivirus is updated.
-
-> [!NOTE]
-> Before running an offline scan, you should attempt to update Microsoft Defender AV protection. You can either force an update with Group Policy or however you normally deploy updates to endpoints, or you can manually download and install the latest protection updates from the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx).
-
-See the [Manage Microsoft Defender Antivirus Security intelligence updates](manage-protection-updates-microsoft-defender-antivirus.md) topic for more information.
-
-## Usage scenarios
-
-In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender determines that Microsoft Defender Offline needs to run, it will prompt the user on the endpoint.
-
-The need to perform an offline scan will also be revealed in Microsoft Endpoint Manager if you're using it to manage your endpoints.
-
-The prompt can occur via a notification, similar to the following:
-
-
-
-The user will also be notified within the Windows Defender client.
-
-In Configuration Manager, you can identify the status of endpoints by navigating to **Monitoring > Overview > Security > Endpoint Protection Status > System Center Endpoint Protection Status**.
-
-Microsoft Defender Offline scans are indicated under **Malware remediation status** as **Offline scan required**.
-
-
-
-## Configure notifications
-
-
-Microsoft Defender Offline notifications are configured in the same policy setting as other Microsoft Defender AV notifications.
-
-For more information about notifications in Windows Defender, see the [Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md) topic.
-
-## Run a scan
-
-> [!IMPORTANT]
-> Before you use Microsoft Defender Offline, make sure you save any files and shut down running programs. The Microsoft Defender Offline scan takes about 15 minutes to run. It will restart the endpoint when the scan is complete. The scan is performed outside of the usual Windows operating environment. The user interface will appear different to a normal scan performed by Windows Defender. After the scan is completed, the endpoint will be restarted and Windows will load normally.
-
-You can run a Microsoft Defender Offline scan with the following:
-
-- PowerShell
-- Windows Management Instrumentation (WMI)
-- The Windows Security app
-
-
-
-### Use PowerShell cmdlets to run an offline scan
-
-Use the following cmdlets:
-
-```PowerShell
-Start-MpWDOScan
-```
-
-See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Microsoft Defender Antivirus.
-
-### Use Windows Management Instruction (WMI) to run an offline scan
-
-Use the [**MSFT_MpWDOScan**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class to run an offline scan.
-
-The following WMI script snippet will immediately run a Microsoft Defender Offline scan, which will cause the endpoint to restart, run the offline scan, and then restart and boot into Windows.
-
-```console
-wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpWDOScan call Start
-```
-
-See the following for more information:
-- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
-
-
-### Use the Windows Defender Security app to run an offline scan
-
-1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
-
-2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Advanced scan** label:
-
-3. Select **Microsoft Defender Offline scan** and click **Scan now**.
-
- > [!NOTE]
- > In Windows 10, version 1607, the offline scan could be run from under **Windows Settings** > **Update & security** > **Windows Defender** or from the Windows Defender client.
-
-
-## Review scan results
-
-Microsoft Defender Offline scan results will be listed in the [Scan history section of the Windows Security app](microsoft-defender-security-center-antivirus.md#detection-history).
-
-
-## Related articles
-
-- [Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md
deleted file mode 100644
index 10976df113..0000000000
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md
+++ /dev/null
@@ -1,147 +0,0 @@
----
-title: Microsoft Defender Antivirus in the Windows Security app
-description: With Microsoft Defender AV now included in the Windows Security app, you can review, compare, and perform common tasks.
-keywords: wdav, antivirus, firewall, security, windows
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.reviewer:
-manager: dansimp
-ms.technology: mde
----
-
-# Microsoft Defender Antivirus in the Windows Security app
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-
-In Windows 10, version 1703 and later, the Windows Defender app is part of the Windows Security.
-
-Settings that were previously part of the Windows Defender client and main Windows Settings have been combined and moved to the new app, which is installed by default as part of Windows 10, version 1703.
-
-> [!IMPORTANT]
-> Disabling the Windows Security Center service does not disable Microsoft Defender Antivirus or [Windows Defender Firewall](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security). These are disabled automatically when a third-party antivirus or firewall product is installed and kept up to date.
-> If you do disable the Windows Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app might display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
-> It might also prevent Microsoft Defender Antivirus from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you might have previously installed.
-> This will significantly lower the protection of your device and could lead to malware infection.
-
-See the [Windows Security article](/windows/threat-protection/windows-defender-security-center/windows-defender-security-center) for more information on other Windows security features that can be monitored in the app.
-
-The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal that is used to review and manage [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint).
-
-## Review virus and threat protection settings in the Windows Security app
-
-
-
-1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
-2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar).
-
-## Comparison of settings and functions of the old app and the new app
-
-All of the previous functions and settings from the Windows Defender app (in versions of Windows 10 before version 1703) are now found in the new Windows Security app. Settings that were previously located in Windows Settings under **Update & security** > **Windows Defender** are also now in the new app.
-
-The following diagrams compare the location of settings and functions between the old and new apps:
-
-
-
-
-
-| Item | Windows 10, before version 1703 | Windows 10, version 1703 and later | Description |
-|:---|:---|:---|:---|
-| 1 | **Update** tab | **Protection updates** | Update the protection (Security intelligence) |
-| 2 | **History** tab | **Scan history** | Review threats that were quarantined, removed, or allowed |
-| 3 | **Settings** (links to **Windows Settings**) | **Virus & threat protection settings** | Enable various features, including Real-time protection, Cloud-delivered protection, Advanced notifications, and Automatic ample submission |
-| 4 | **Scan options** | **Advanced scan** | Run a full scan, custom scan, or a Microsoft Defender Antivirus Offline scan |
-| 5 | Run a scan (based on the option chosen under **Scan options** | **Quick scan** | In Windows 10, version 1703 and later, you can run custom and full scans under the **Advanced scan** option |
-
-## Common tasks
-
-This section describes how to perform some of the most common tasks when reviewing or interacting with the threat protection provided by Microsoft Defender Antivirus in the Windows Security app.
-
-> [!NOTE]
-> If these settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. The [Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md) topic describes how local policy override settings can be configured.
-
-
-
-### Run a scan with the Windows Security app
-
-1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
-2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar).
-3. Select **Scan now**.
-4. Select **Run a new advanced scan** to specify different types of scans, such as a full scan.
-
-
-
-### Review the security intelligence update version and download the latest updates in the Windows Security app
-
-
-
-1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
-2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar).
-3. Select **Virus & threat protection updates**. The currently installed version is displayed along with some information about when it was downloaded. You can check this against the latest version available for manual download, or review the change log for that version.
-4. Select **Check for updates** to download new protection updates (if there are any).
-
-### Ensure Microsoft Defender Antivirus is enabled in the Windows Security app
-
-1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
-2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar).
-3. Select **Virus & threat protection settings**.
-4. Toggle the **Real-time protection** switch to **On**.
-
- > [!NOTE]
- > If you switch **Real-time protection** off, it will automatically turn back on after a short delay. This is to ensure you are protected from malware and threats.
- > If you install another antivirus product, Microsoft Defender Antivirus automatically disables itself and is indicated as such in the Windows Security app. A setting will appear that will allow you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md).
-
-
-
-### Add exclusions for Microsoft Defender Antivirus in the Windows Security app
-
-1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
-2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar).
-3. Under the **Manage settings**, select **Virus & threat protection settings**.
-4. Under the **Exclusions** setting, select **Add or remove exclusions**.
-5. Select the plus icon (**+**) to choose the type and set the options for each exclusion.
-
-
-The following table summarizes exclusion types and what happens:
-
-|Exclusion type |Defined by |What happens |
-|---------|---------|---------|
-|**File** |Location
Example: `c:\sample\sample.test` |The specific file is skipped by Microsoft Defender Antivirus. |
-|**Folder** |Location
Example: `c:\test\sample` |All items in the specified folder are skipped by Microsoft Defender Antivirus. |
-|**File type** |File extension
Example: `.test` |All files with the `.test` extension anywhere on your device are skipped by Microsoft Defender Antivirus. |
-|**Process** |Executable file path
Example: `c:\test\process.exe` |The specific process and any files that are opened by that process are skipped by Microsoft Defender Antivirus. |
-
-To learn more, see the following resources:
-- [Configure and validate exclusions based on file extension and folder location](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus)
-- [Configure exclusions for files opened by processes](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus)
-
-### Review threat detection history in the Windows Defender Security Center app
-
-1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
-2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar).
-3. Select **Threat history**
-4. Select **See full history** under each of the categories (**Current threats**, **Quarantined threats**, **Allowed threats**).
-
-
-
-### Set ransomware protection and recovery options
-
-1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
-2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar).
-3. Select **Ransomware protection**.
-4. To change Controlled folder access settings, see [Protect important folders with Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard).
-5. To set up ransomware recovery options, select **Set up** under **Ransomware data recovery** and follow the instructions for linking or setting up your OneDrive account so you can easily recover from a ransomware attack.
-
-## See also
-- [Microsoft Defender Antivirus](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md
deleted file mode 100644
index 5f2be1828e..0000000000
--- a/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md
+++ /dev/null
@@ -1,90 +0,0 @@
----
-title: Better together - Microsoft Defender Antivirus and Office 365 (including OneDrive) - better protection from ransomware and cyberthreats
-description: Office 365, which includes OneDrive, goes together wonderfully with Microsoft Defender Antivirus. Read this article to learn more.
-keywords: windows defender, antivirus, office 365, onedrive, restore, ransomware
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-audience: ITPro
-ms.topic: article
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 03/04/2020
-ms.reviewer:
-manager: dansimp
-ms.technology: mde
----
-
-# Better together: Microsoft Defender Antivirus and Office 365
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-- Microsoft Defender Antivirus
-- Microsoft 365
-
-You might already know that:
-
-- **Microsoft Defender Antivirus protects your Windows 10 device from software threats, such as viruses, malware, and spyware**. Microsoft Defender Antivirus is your complete, ongoing protection, built into Windows 10 and ready to go. [Microsoft Defender Antivirus is your next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10).
-
-- **Office 365 includes antiphishing, antispam, and antimalware protection**. With your Office 365 subscription, you get premium email and calendars, Office apps, 1 TB of cloud storage (via OneDrive), and advanced security across all your devices. This is true for home and business users. And if you're a business user, and your organization is using Office 365 E5, you get even more protection through Microsoft Defender for Office 365 [Protect against threats with Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/protect-against-threats).
-
-- **OneDrive, included in Office 365, enables you to store your files and folders online, and share them as you see fit**. You can work together with people (for work or fun), and coauthor files that are stored in OneDrive. You can also access your files across all your devices (your PC, phone, and tablet). [Manage sharing in OneDrive](https://docs.microsoft.com/OneDrive/manage-sharing).
-
-**But did you know there are good security reasons to use Microsoft Defender Antivirus together with Office 365**? Here are two:
-
- 1. [You get ransomware protection and recovery](#ransomware-protection-and-recovery).
-
- 2. [Integration means better protection](#integration-means-better-protection).
-
-Read the following sections to learn more.
-
-## Ransomware protection and recovery
-
-When you save your files to [OneDrive](https://docs.microsoft.com/onedrive), and [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) detects a ransomware threat on your device, the following things occur:
-
-1. **You are told about the threat**. (If your organization is using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection), your security operations team is notified, too.)
-
-2. **Microsoft Defender Antivirus helps you (and your organization's security team) remove the ransomware** from your device(s). (If your organization is using Microsoft Defender for Endpoint, your security operations team can determine whether other devices are infected and take appropriate action, too.)
-
-3. **You get the option to recover your files in OneDrive**. With the OneDrive Files Restore feature, you can recover your files in OneDrive to the state they were in before the ransomware attack occurred. See [Ransomware detection and recovering your files](https://support.office.com/article/0d90ec50-6bfd-40f4-acc7-b8c12c73637f).
-
-Think of the time and hassle this can save.
-
-## Integration means better protection
-
-Microsoft Defender for Office 365 integrated with Microsoft Defender for Endpoint means better protection for your organization. Here's how:
-
-- [Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp) safeguards your organization against malicious threats posed in email messages, email attachments, and links (URLs) in Office documents.
-
- AND
-
-- [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) protects your devices from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves your security posture.
-
- SO
-
-- Once integration is enabled, your security operations team can see a list of devices that are used by the recipients of any detected URLs or email messages, along with recent alerts for those devices, in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)).
-
-If you haven't already done so, [integrate Microsoft Defender for Office 365 with Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/office-365-security/integrate-office-365-ti-with-wdatp).
-
-## More good reasons to use OneDrive
-
-Protection from ransomware is one great reason to put your files in OneDrive. And there are several more good reasons, summarized in this video:
-
-> [!VIDEO https://www.microsoft.com/videoplayer/embed/70b4d256-46fb-481f-ad9b-921ef5fd7bed]
-
-## Want to learn more?
-
-[OneDrive](https://docs.microsoft.com/onedrive)
-
-[Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp?view=o365-worldwide)
-
-[Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/)
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
deleted file mode 100644
index e77818c9df..0000000000
--- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
+++ /dev/null
@@ -1,296 +0,0 @@
----
-title: Protect security settings with tamper protection
-ms.reviewer: shwjha, hayhov
-manager: dansimp
-description: Use tamper protection to prevent malicious apps from changing important security settings.
-keywords: malware, defender, antivirus, tamper protection
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.localizationpriority: medium
-audience: ITPro
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 03/22/2021
-ms.technology: mde
----
-
-# Protect security settings with tamper protection
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-
-Tamper protection is available for devices that are running one of the following versions of Windows:
-
-- Windows 10
-- Windows Server 2019
-- Windows Server, version 1803 or later
-- Windows Server 2016
-
-## Overview
-
-During some kinds of cyber attacks, bad actors try to disable security features, such as anti-virus protection, on your machines. Bad actors like to disable your security features to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices. Tamper protection helps prevent these kinds of things from occurring.
-
-With tamper protection, malicious apps are prevented from taking actions such as:
-
-- Disabling virus and threat protection
-- Disabling real-time protection
-- Turning off behavior monitoring
-- Disabling antivirus (such as IOfficeAntivirus (IOAV))
-- Disabling cloud-delivered protection
-- Removing security intelligence updates
-
-### How it works
-
-Tamper protection essentially locks Microsoft Defender Antivirus and prevents your security settings from being changed through apps and methods such as:
-
-- Configuring settings in Registry Editor on your Windows device
-- Changing settings through PowerShell cmdlets
-- Editing or removing security settings through group policies
-
-Tamper protection doesn't prevent you from viewing your security settings. And, tamper protection doesn't affect how third-party antivirus apps register with the Windows Security app. If your organization is using Windows 10 Enterprise E5, individual users can't change the tamper protection setting; in those cases, tamper protection is managed by your security team.
-
-### What do you want to do?
-
-| To perform this task... | See this section... |
-|:---|:---|
-| Turn tamper protection on (or off) in the Microsoft Defender Security Center
- - In the **Platform** list, select **Windows 10 and Windows Server (ConfigMgr)**.
- - In the **Profile** list, select **Windows Security experience (preview)**.
-
-3. Deploy the policy to your device collection.
-
-### Need help with this method?
-
-See the following resources:
-
-- [Settings for the Windows Security experience profile in Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/antivirus-security-experience-windows-settings)
-- [Tech Community Blog: Announcing Tamper Protection for Configuration Manager Tenant Attach clients](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/announcing-tamper-protection-for-configuration-manager-tenant/ba-p/1700246#.X3QLR5Ziqq8.linkedin)
-
-## Manage tamper protection on an individual device
-
-> [!NOTE]
-> Tamper protection blocks attempts to modify Microsoft Defender Antivirus settings through the registry.
->
-> To help ensure that tamper protection doesn’t interfere with third-party security products or enterprise installation scripts that modify these settings, go to **Windows Security** and update **Security intelligence** to version 1.287.60.0 or later. (See [Security intelligence updates](https://www.microsoft.com/wdsi/definitions).)
->
-> Once you’ve made this update, tamper protection continues to protect your registry settings, and logs attempts to modify them without returning errors.
-
-If you are a home user, or you are not subject to settings managed by a security team, you can use the Windows Security app to manage tamper protection. You must have appropriate admin permissions on your device to do change security settings, such as tamper protection.
-
-Here's what you see in the Windows Security app:
-
-
-
-1. Select **Start**, and start typing *Security*. In the search results, select **Windows Security**.
-
-2. Select **Virus & threat protection** > **Virus & threat protection settings**.
-
-3. Set **Tamper Protection** to **On** or **Off**.
-
-
-
-## View information about tampering attempts
-
-Tampering attempts typically indicate bigger cyberattacks. Bad actors try to change security settings as a way to persist and stay undetected. If you're part of your organization's security team, you can view information about such attempts, and then take appropriate actions to mitigate threats.
-
-When a tampering attempt is detected, an alert is raised in the [Microsoft Defender Security Center](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/portal-overview) ([https://securitycenter.windows.com](https://securitycenter.windows.com)).
-
-
-
-Using [endpoint detection and response](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response) and [advanced hunting](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/advanced-hunting-overview) capabilities in Microsoft Defender for Endpoint, your security operations team can investigate and address such attempts.
-
-## Review your security recommendations
-
-Tamper protection integrates with [Threat & Vulnerability Management](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt) capabilities. [Security recommendations](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/tvm-security-recommendation) include making sure tamper protection is turned on. For example, you can search on *tamper*, as shown in the following image:
-
-
-
-In the results, you can select **Turn on Tamper Protection** to learn more and turn it on.
-
-
-
-To learn more about Threat & Vulnerability Management, see [Threat & Vulnerability Management in Microsoft Defender Security Center](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/tvm-dashboard-insights#threat--vulnerability-management-in-microsoft-defender-security-center).
-
-## Frequently asked questions
-
-### To which Windows OS versions is configuring tamper protection is applicable?
-
-Windows 10 OS [1709](https://docs.microsoft.com/windows/release-health/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-health/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019), or later together with [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint).
-
-If you are using Configuration Manager, version 2006, with tenant attach, tamper protection can be extended to Windows Server 2019. See [Tenant attach: Create and deploy endpoint security Antivirus policy from the admin center (preview)](https://docs.microsoft.com/mem/configmgr/tenant-attach/deploy-antivirus-policy).
-
-### Will tamper protection have any impact on third-party antivirus registration?
-
-No. Third-party antivirus offerings will continue to register with the Windows Security application.
-
-### What happens if Microsoft Defender Antivirus is not active on a device?
-
-Devices that are onboarded to Microsoft Defender for Endpoint will have Microsoft Defender Antivirus running in passive mode. Tamper protection will continue to protect the service and its features.
-
-### How can I turn tamper protection on/off?
-
-If you are a home user, see [Manage tamper protection on an individual device](#manage-tamper-protection-on-an-individual-device).
-
-If you are an organization using [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint), you should be able to manage tamper protection in Intune similar to how you manage other endpoint protection features. See the following sections of this article:
-
-- [Manage tamper protection using Intune](#manage-tamper-protection-for-your-organization-using-intune)
-- [Manage tamper protection using Configuration Manager, version 2006](#manage-tamper-protection-for-your-organization-with-configuration-manager-version-2006)
-- [Manage tamper protection using the Microsoft Defender Security Center](#manage-tamper-protection-for-your-organization-using-the-microsoft-defender-security-center) (currently in preview)
-
-### How does configuring tamper protection in Intune affect how I manage Microsoft Defender Antivirus through my group policy?
-
-Your regular group policy doesn’t apply to tamper protection, and changes to Microsoft Defender Antivirus settings are ignored when tamper protection is on.
-
-### For Microsoft Defender for Endpoint, is configuring tamper protection in Intune targeted to the entire organization only?
-
-Configuring tamper protection in Intune or Microsoft Endpoint Manager can be targeted to your entire organization and to specific devices and user groups.
-
-### Can I configure Tamper Protection in Microsoft Endpoint Configuration Manager?
-
-If you are using tenant attach, you can use Microsoft Endpoint Configuration Manager. See the following resources:
-- [Manage tamper protection for your organization with Configuration Manager, version 2006](#manage-tamper-protection-for-your-organization-with-configuration-manager-version-2006)
-- [Tech Community blog: Announcing Tamper Protection for Configuration Manager Tenant Attach clients](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/announcing-tamper-protection-for-configuration-manager-tenant/ba-p/1700246#.X3QLR5Ziqq8.linkedin)
-
-### I have the Windows E3 enrollment. Can I use configuring tamper protection in Intune?
-
-Currently, configuring tamper protection in Intune is only available for customers who have [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint).
-
-### What happens if I try to change Microsoft Defender for Endpoint settings in Intune, Microsoft Endpoint Configuration Manager, and Windows Management Instrumentation when Tamper Protection is enabled on a device?
-
-You won’t be able to change the features that are protected by tamper protection; such change requests are ignored.
-
-### I’m an enterprise customer. Can local admins change tamper protection on their devices?
-
-No. Local admins cannot change or modify tamper protection settings.
-
-### What happens if my device is onboarded with Microsoft Defender for Endpoint and then goes into an off-boarded state?
-
-If a device is off-boarded from Microsoft Defender for Endpoint, tamper protection is turned on, which is the default state for unmanaged devices.
-
-### Will there be an alert about tamper protection status changing in the Microsoft Defender Security Center?
-
-Yes. The alert is shown in [https://securitycenter.microsoft.com](https://securitycenter.microsoft.com) under **Alerts**.
-
-Your security operations team can also use hunting queries, such as the following example:
-
-`DeviceAlertEvents | where Title == "Tamper Protection bypass"`
-
-[View information about tampering attempts](#view-information-about-tampering-attempts).
-
-## See also
-
-[Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/intune/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)
-
-[Get an overview of Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint)
-
-[Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](why-use-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md
deleted file mode 100644
index 9505edb6c6..0000000000
--- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md
+++ /dev/null
@@ -1,89 +0,0 @@
----
-title: Hide the Microsoft Defender Antivirus interface
-description: You can hide virus and threat protection tile in the Windows Security app.
-keywords: ui lockdown, headless mode, hide app, hide settings, hide interface
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 09/03/2018
-ms.reviewer:
-manager: dansimp
-ms.technology: mde
----
-
-# Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-
-You can use Group Policy to prevent users on endpoints from seeing the Microsoft Defender Antivirus interface. You can also prevent them from pausing scans.
-
-## Hide the Microsoft Defender Antivirus interface
-
-In Windows 10, versions 1703, hiding the interface will hide Microsoft Defender Antivirus notifications and prevent the Virus & threat protection tile from appearing in the Windows Security app.
-
-With the setting set to **Enabled**:
-
-
-
-With the setting set to **Disabled** or not configured:
-
-
-
->[!NOTE]
->Hiding the interface will also prevent Microsoft Defender Antivirus notifications from appearing on the endpoint. Microsoft Defender for Endpoint notifications will still appear. You can also individually [configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md)
-
-In earlier versions of Windows 10, the setting will hide the Windows Defender client interface. If the user attempts to open it, they will receive a warning that says, "Your system administrator has restricted access to this app."
-
-
-
-## Use Group Policy to hide the Microsoft Defender AV interface from users
-
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.
-
-2. Using the **Group Policy Management Editor** go to **Computer configuration**.
-
-3. Click **Administrative templates**.
-
-4. Expand the tree to **Windows components > Microsoft Defender Antivirus > Client interface**.
-
-5. Double-click the **Enable headless UI mode** setting and set the option to **Enabled**. Click **OK**.
-
-See [Prevent users from locally modifying policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) for more options on preventing users form modifying protection on their PCs.
-
-## Prevent users from pausing a scan
-
-You can prevent users from pausing scans, which can be helpful to ensure scheduled or on-demand scans are not interrupted by users.
-
-> [!NOTE]
-> This setting is not supported on Windows 10.
-
-### Use Group Policy to prevent users from pausing a scan
-
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**.
-
-2. Using the **Group Policy Management Editor** go to **Computer configuration**.
-
-3. Click **Administrative templates**.
-
-4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Scan**.
-
-5. Double-click the **Allow users to pause scan** setting and set the option to **Disabled**. Click **OK**.
-
-## Related articles
-
-- [Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md)
-
-- [Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md)
-
-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md
deleted file mode 100644
index 63b1cef153..0000000000
--- a/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md
+++ /dev/null
@@ -1,49 +0,0 @@
----
-title: Monitor and report on Microsoft Defender Antivirus protection
-description: Use Configuration Manager or security information and event management (SIEM) tools to consume reports, and monitor Microsoft Defender AV with PowerShell and WMI.
-keywords: siem, monitor, report, Microsoft Defender AV
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 12/07/2020
-ms.reviewer:
-manager: dansimp
-ms.technology: mde
----
-
-# Report on Microsoft Defender Antivirus
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-
-Microsoft Defender Antivirus is built into Windows 10, Windows Server 2019, and Windows Server 2016. Microsoft Defender Antivirus is of your next-generation protection in Microsoft Defender for Endpoint. Next-generation protection helps protect your devices from software threats like viruses, malware, and spyware across email, apps, the cloud, and the web.
-
-With Microsoft Defender Antivirus, you have several options for reviewing protection status and alerts. You can use Microsoft Endpoint Manager to [monitor Microsoft Defender Antivirus](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-configure-alerts). Or, you can monitor protection using [Microsoft Intune](https://docs.microsoft.com/intune/introduction-intune).
-
-Microsoft Operations Management Suite has an [Update Compliance add-in](/windows/deployment/update/update-compliance-get-started) that reports on key Microsoft Defender Antivirus issues, including protection updates and real-time protection settings.
-
-If you have a third-party security information and event management (SIEM) server, you can also consume [Windows Defender client events](https://msdn.microsoft.com/library/windows/desktop/aa964766(v=vs.85).aspx).
-
-Windows events comprise several security event sources, including Security Account Manager (SAM) events ([enhanced for Windows 10](https://technet.microsoft.com/library/mt431757.aspx), also see the [Security auditing](/windows/device-security/auditing/security-auditing-overview) topic) and [Windows Defender events](troubleshoot-microsoft-defender-antivirus.md).
-
-These events can be centrally aggregated using the [Windows event collector](https://msdn.microsoft.com/library/windows/desktop/bb427443(v=vs.85).aspx). Often, SIEM servers have connectors for Windows events, allowing you to correlate all security events in your SIEM server.
-
-You can also [monitor malware events using the Malware Assessment solution in Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-malware).
-
-For monitoring or determining status with PowerShell, WMI, or Microsoft Azure, see the [(Deployment, management, and reporting options table)](deploy-manage-report-microsoft-defender-antivirus.md#ref2).
-
-## Related articles
-
-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
-- [Microsoft Defender Antivirus on Windows Server 2016 and 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016)
-- [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md
deleted file mode 100644
index 3aee622427..0000000000
--- a/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md
+++ /dev/null
@@ -1,46 +0,0 @@
----
-title: Restore quarantined files in Microsoft Defender AV
-description: You can restore files and folders that were quarantined by Microsoft Defender AV.
-keywords:
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 05/20/2020
-ms.reviewer:
-manager: dansimp
-ms.technology: mde
----
-
-# Restore quarantined files in Microsoft Defender AV
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-
-If Microsoft Defender Antivirus is configured to detect and remediate threats on your device, Microsoft Defender Antivirus quarantines suspicious files. If you are certain a quarantined file is not a threat, you can restore it.
-
-1. Open **Windows Security**.
-2. Select **Virus & threat protection** and then click **Protection history**.
-3. In the list of all recent items, filter on **Quarantined Items**.
-4. Select an item you want to keep, and take an action, such as restore.
-
-> [!TIP]
-> Restoring a file from quarantine can also be done using Command Prompt. See [Restore a file from quarantine](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts#restore-file-from-quarantine).
-
-## Related articles
-
-- [Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md)
-- [Review scan results](review-scan-results-microsoft-defender-antivirus.md)
-- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md)
-- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
-- [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md)
-
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md
deleted file mode 100644
index 82de267b72..0000000000
--- a/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md
+++ /dev/null
@@ -1,66 +0,0 @@
----
-title: Review the results of Microsoft Defender AV scans
-description: Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app
-keywords: scan results, remediation, full scan, quick scan
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 09/28/2020
-ms.reviewer:
-manager: dansimp
-ms.technology: mde
----
-
-# Review Microsoft Defender Antivirus scan results
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-
-After a Microsoft Defender Antivirus scan completes, whether it is an [on-demand](run-scan-microsoft-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-microsoft-defender-antivirus.md), the results are recorded and you can view the results.
-
-
-## Use Configuration Manager to review scan results
-
-See [How to monitor Endpoint Protection status](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection).
-
-## Use PowerShell cmdlets to review scan results
-
-The following cmdlet will return each detection on the endpoint. If there are multiple detections of the same threat, each detection will be listed separately, based on the time of each detection:
-
-```PowerShell
-Get-MpThreatDetection
-```
-
-
-
-You can specify `-ThreatID` to limit the output to only show the detections for a specific threat.
-
-If you want to list threat detections, but combine detections of the same threat into a single item, you can use the following cmdlet:
-
-```PowerShell
-Get-MpThreat
-```
-
-
-
-See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
-
-## Use Windows Management Instruction (WMI) to review scan results
-
-Use the [**Get** method of the **MSFT_MpThreat** and **MSFT_MpThreatDetection**](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) classes.
-
-
-## Related articles
-
-- [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md
deleted file mode 100644
index b9d6853c2a..0000000000
--- a/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md
+++ /dev/null
@@ -1,98 +0,0 @@
----
-title: Run and customize on-demand scans in Microsoft Defender AV
-description: Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app
-keywords: scan, on-demand, dos, intune, instant scan
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 11/13/2020
-ms.reviewer:
-manager: dansimp
-ms.technology: mde
----
-
-# Configure and run on-demand Microsoft Defender Antivirus scans
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-
-You can run an on-demand scan on individual endpoints. These scans will start immediately, and you can define parameters for the scan, such as the location or type.
-
-## Quick scan versus full scan
-
-Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders.
-
-> [!IMPORTANT]
-> Microsoft Defender Antivirus runs in the context of the [LocalSystem](https://docs.microsoft.com/windows/win32/services/localsystem-account) account when performing a local scan. For network scans, it uses the context of the device account. If the domain device account doesn't have appropriate permissions to access the share, the scan won't work. Ensure that the device has permissions to the access network share.
-
-Combined with [always-on real-time protection capability](configure-real-time-protection-microsoft-defender-antivirus.md)--which reviews files when they're opened and closed, and whenever a user navigates to a folder--a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.
-
-In most instances, a quick scan is adequate to find malware that wasn't picked up by real-time protection.
-
-A full scan can be useful on endpoints that have reported a malware threat. The scan can identify if there are any inactive components that require a more thorough clean-up. This is ideal if your organization is running on-demand scans.
-
-> [!NOTE]
-> By default, quick scans run on mounted removable devices, such as USB drives.
-
-## Use Microsoft Endpoint Manager to run a scan
-
-1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in.
-2. Choose **Endpoint security** > **Antivirus**.
-3. In the list of tabs, select **Windows 10 unhealthy endpoints**.
-4. From the list of actions provided, select **Quick Scan** or **Full Scan**.
-
-[  ](images/mem-antivirus-scan-on-demand.png#lightbox)
-
-> [!TIP]
-> For more information about using Microsoft Endpoint Manager to run a scan, see [Antimalware and firewall tasks: How to perform an on-demand scan](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers).
-
-## Use the mpcmdrun.exe command-line utility to run a scan
-
-Use the following `-scan` parameter:
-
-```console
-mpcmdrun.exe -scan -scantype 1
-```
-
-For more information about how to use the tool and additional parameters, including starting a full scan, or defining paths, see [Use the mpcmdrun.exe commandline tool to configure and manage Microsoft Defender Antivirus](command-line-arguments-microsoft-defender-antivirus.md).
-
-## Use Microsoft Intune to run a scan
-
-1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in.
-2. From the sidebar, select **Devices > All Devices** and choose the device you want to scan.
-3. Select **...More**. From the options, select **Quick Scan** or **Full Scan**.
-
-## Use the Windows Security app to run a scan
-
-See [Run a scan in the Windows Security app](microsoft-defender-security-center-antivirus.md#scan) for instructions on running a scan on individual endpoints.
-
-## Use PowerShell cmdlets to run a scan
-
-Use the following cmdlet:
-
-```PowerShell
-Start-MpScan
-```
-
-For more information on how to use PowerShell with Microsoft Defender Antivirus, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index).
-
-## Use Windows Management Instruction (WMI) to run a scan
-
-Use the [**Start** method](https://docs.microsoft.com/previous-versions/windows/desktop/defender/start-msft-mpscan) of the **MSFT_MpScan** class.
-
-For more information about which parameters are allowed, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
-
-## Related articles
-
-- [Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md)
-- [Configure scheduled Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md
deleted file mode 100644
index d3af9f6b9d..0000000000
--- a/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md
+++ /dev/null
@@ -1,243 +0,0 @@
----
-title: Schedule regular quick and full scans with Microsoft Defender Antivirus
-description: Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans
-keywords: quick scan, full scan, quick vs full, schedule scan, daily, weekly, time, scheduled, recurring, regular
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 11/02/2020
-ms.reviewer: pauhijbr
-manager: dansimp
-ms.technology: mde
----
-
-# Configure scheduled quick or full Microsoft Defender Antivirus scans
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-
-
-> [!NOTE]
-> By default, Microsoft Defender Antivirus checks for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) to override this default.
-
-In addition to always-on real-time protection and [on-demand](run-scan-microsoft-defender-antivirus.md) scans, you can set up regular, scheduled scans.
-
-You can configure the type of scan, when the scan should occur, and if the scan should occur after a [protection update](manage-protection-updates-microsoft-defender-antivirus.md) or if the endpoint is being used. You can also specify when special scans to complete remediation should occur.
-
-This article describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10).
-
-## To configure the Group Policy settings described in this article
-
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-
-3. In the **Group Policy Management Editor** go to **Computer configuration**.
-
-4. Click **Administrative templates**.
-
-5. Expand the tree to **Windows components > Microsoft Defender Antivirus** and then the **Location** specified in the table below.
-
-6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration.
-
-7. Click **OK**, and repeat for any other settings.
-
-Also see the [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) and [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) topics.
-
-## Quick scan versus full scan and custom scan
-
-When you set up scheduled scans, you can set up whether the scan should be a full or quick scan.
-
-Quick scans look at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders.
-
-Combined with [always-on real-time protection capability](configure-real-time-protection-microsoft-defender-antivirus.md) - which reviews files when they are opened and closed, and whenever a user navigates to a folder - a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.
-
-In most instances, this means a quick scan is adequate to find malware that wasn't picked up by real-time protection.
-
-A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up. In this instance, you may want to use a full scan when running an [on-demand scan](run-scan-microsoft-defender-antivirus.md).
-
-A custom scan allows you to specify the files and folders to scan, such as a USB drive.
-
->[!NOTE]
->By default, quick scans run on mounted removable devices, such as USB drives.
-
-## Set up scheduled scans
-
-Scheduled scans will run at the day and time you specify. You can use Group Policy, PowerShell, and WMI to configure scheduled scans.
-
->[!NOTE]
->If a computer is unplugged and running on battery during a scheduled full scan, the scheduled scan will stop with event 1002, which states that the scan stopped before completion. Microsoft Defender Antivirus will run a full scan at the next scheduled time.
-
-### Use Group Policy to schedule scans
-
-|Location | Setting | Description | Default setting (if not configured) |
-|:---|:---|:---|:---|
-|Scan | Specify the scan type to use for a scheduled scan | Quick scan |
-|Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never |
-|Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 a.m.). | 2 a.m. |
-|Root | Randomize scheduled task times |In Microsoft Defender Antivirus: Randomize the start time of the scan to any interval from 0 to 4 hours.
In FEP/SCEP: randomize to any interval plus or minus 30 minutes. This can be useful in VM or VDI deployments. | Enabled |
-
-
-### Use PowerShell cmdlets to schedule scans
-
-Use the following cmdlets:
-
-```PowerShell
-Set-MpPreference -ScanParameters
-Set-MpPreference -ScanScheduleDay
-Set-MpPreference -ScanScheduleTime
-Set-MpPreference -RandomizeScheduleTaskTimes
-
-```
-
-See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
-
-### Use Windows Management Instruction (WMI) to schedule scans
-
-Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
-
-```WMI
-ScanParameters
-ScanScheduleDay
-ScanScheduleTime
-RandomizeScheduleTaskTimes
-```
-
-See the following for more information and allowed parameters:
-- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
-
-
-
-
-## Start scheduled scans only when the endpoint is not in use
-
-You can set the scheduled scan to only occur when the endpoint is turned on but not in use with Group Policy, PowerShell, or WMI.
-
-> [!NOTE]
-> These scans will not honor the CPU throttling configuration and take full advantage of the resources available to complete the scan as fast as possible.
-
-### Use Group Policy to schedule scans
-
-|Location | Setting | Description | Default setting (if not configured) |
-|:---|:---|:---|:---|
-|Scan | Start the scheduled scan only when computer is on but not in use | Scheduled scans will not run, unless the computer is on but not in use | Enabled |
-
-### Use PowerShell cmdlets
-
-Use the following cmdlets:
-
-```PowerShell
-Set-MpPreference -ScanOnlyIfIdleEnabled
-```
-
-See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
-
-### Use Windows Management Instruction (WMI)
-
-Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
-
-```WMI
-ScanOnlyIfIdleEnabled
-```
-
-See the following for more information and allowed parameters:
-- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
-
-
-## Configure when full scans should be run to complete remediation
-
-Some threats may require a full scan to complete their removal and remediation. You can schedule when these scans should occur with Group Policy, PowerShell, or WMI.
-
-### Use Group Policy to schedule remediation-required scans
-
-| Location | Setting | Description | Default setting (if not configured) |
-|---|---|---|---|
-|Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | Specify the day (or never) to run a scan. | Never |
-|Remediation | Specify the time of day to run a scheduled full scan to complete remediation | Specify the number of minutes after midnight (for example, enter **60** for 1 a.m.) | 2 a.m. |
-
-### Use PowerShell cmdlets
-
-Use the following cmdlets:
-
-```PowerShell
-Set-MpPreference -RemediationScheduleDay
-Set-MpPreference -RemediationScheduleTime
-```
-
-See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
-
-### Use Windows Management Instruction (WMI)
-
-Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
-
-```WMI
-RemediationScheduleDay
-RemediationScheduleTime
-```
-
-See the following for more information and allowed parameters:
-- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
-
-
-
-
-## Set up daily quick scans
-
-You can enable a daily quick scan that can be run in addition to your other scheduled scans with Group Policy, PowerShell, or WMI.
-
-
-### Use Group Policy to schedule daily scans
-
-
-|Location | Setting | Description | Default setting (if not configured) |
-|:---|:---|:---|:---|
-|Scan | Specify the interval to run quick scans per day | Specify how many hours should elapse before the next quick scan. For example, to run every two hours, enter **2**, for once a day, enter **24**. Enter **0** to never run a daily quick scan. | Never |
-|Scan | Specify the time for a daily quick scan | Specify the number of minutes after midnight (for example, enter **60** for 1 a.m.) | 2 a.m. |
-
-### Use PowerShell cmdlets to schedule daily scans
-
-Use the following cmdlets:
-
-```PowerShell
-Set-MpPreference -ScanScheduleQuickScanTime
-```
-
-See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
-
-### Use Windows Management Instruction (WMI) to schedule daily scans
-
-Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
-
-```WMI
-ScanScheduleQuickScanTime
-```
-
-See the following for more information and allowed parameters:
-- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
-
-
-## Enable scans after protection updates
-
-You can force a scan to occur after every [protection update](manage-protection-updates-microsoft-defender-antivirus.md) with Group Policy.
-
-### Use Group Policy to schedule scans after protection updates
-
-|Location | Setting | Description | Default setting (if not configured)|
-|:---|:---|:---|:---|
-|Signature updates | Turn on scan after Security intelligence update | A scan will occur immediately after a new protection update is downloaded | Enabled |
-
-## See also
-- [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
-- [Configure and run on-demand Microsoft Defender Antivirus scans](run-scan-microsoft-defender-antivirus.md)
-- [Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md)
-- [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md)
-- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md)
-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md
deleted file mode 100644
index e65babbf90..0000000000
--- a/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md
+++ /dev/null
@@ -1,93 +0,0 @@
----
-title: Specify the cloud-delivered protection level for Microsoft Defender Antivirus
-description: Set your level of cloud-delivered protection for Microsoft Defender Antivirus.
-keywords: Microsoft Defender Antivirus, antimalware, security, defender, cloud, aggressiveness, protection level
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.date: 10/26/2020
-ms.reviewer:
-manager: dansimp
-ms.custom: nextgen
-ms.technology: mde
----
-
-# Specify the cloud-delivered protection level
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-
-You can specify your level of cloud-delivered protection offered by Microsoft Defender Antivirus by using Microsoft Endpoint Manager (recommended) or Group Policy.
-
-> [!TIP]
-> Cloud protection is not simply protection for files that are stored in the cloud. The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and devices (also called endpoints). Cloud protection with Microsoft Defender Antivirus uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional security intelligence updates.
-> Microsoft Intune and Microsoft Endpoint Manager are now part of [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview).
-
-
-## Use Microsoft Endpoint Manager to specify the level of cloud-delivered protection
-
-1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.
-
-2. Choose **Endpoint security** > **Antivirus**.
-
-3. Select an antivirus profile. (If you don't have one yet, or if you want to create a new profile, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
-
-4. Select **Properties**. Then, next to **Configuration settings**, choose **Edit**.
-
-5. Expand **Cloud protection**, and then in the **Cloud-delivered protection level** list, select one of the following:
-
- 1. **High**: Applies a strong level of detection.
- 2. **High plus**: Uses the **High** level and applies additional protection measures (may impact client performance).
- 3. **Zero tolerance**: Blocks all unknown executables.
-
-6. Choose **Review + save**, and then choose **Save**.
-
-> [!TIP]
-> Need some help? See the following resources:
-> - [Configure Endpoint Protection](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure)
-> - [Add endpoint protection settings in Intune](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-configure)
-
-
-## Use Group Policy to specify the level of cloud-delivered protection
-
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx).
-
-2. Right-click the Group Policy Object you want to configure, and then click **Edit**.
-
-3. In the **Group Policy Management Editor** go to **Computer Configuration** > **Administrative templates**.
-
-4. Expand the tree to **Windows Components** > **Microsoft Defender Antivirus** > **MpEngine**.
-
-5. Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection:
- - **Default blocking level** provides strong detection without increasing the risk of detecting legitimate files.
- - **Moderate blocking level** provides moderate only for high confidence detections
- - **High blocking level** applies a strong level of detection while optimizing client performance (but can also give you a greater chance of false positives).
- - **High + blocking level** applies additional protection measures (might impact client performance and increase your chance of false positives).
- - **Zero tolerance blocking level** blocks all unknown executables.
-
- > [!WARNING]
- > While unlikely, setting this switch to **High** or **High +** may cause some legitimate files to be detected (although you will have the option to unblock or dispute that detection).
-
-6. Click **OK**.
-
-7. Deploy your updated Group Policy Object. See [Group Policy Management Console](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx)
-
-> [!TIP]
-> Are you using Group Policy Objects on premises? See how they translate in the cloud. [Analyze your on-premises group policy objects using Group Policy analytics in Microsoft Endpoint Manager - Preview](https://docs.microsoft.com/mem/intune/configuration/group-policy-analytics).
-
-## Related articles
-
-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
-- [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)
-- [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service)
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md
deleted file mode 100644
index aed5140af3..0000000000
--- a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md
+++ /dev/null
@@ -1,136 +0,0 @@
----
-title: Troubleshoot Microsoft Defender Antivirus while migrating from a third-party solution
-description: Troubleshoot common errors when migrating to Microsoft Defender Antivirus
-keywords: event, error code, logging, troubleshooting, microsoft defender antivirus, windows defender antivirus, migration
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.localizationpriority: medium
-author: martyav
-ms.author: v-maave
-ms.custom: nextgen
-ms.date: 09/11/2018
-ms.reviewer:
-manager: dansimp
-ms.technology: mde
----
-
-# Troubleshoot Microsoft Defender Antivirus while migrating from a third-party solution
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-
-
-You can find help here if you encounter issues while migrating from a third-party security solution to Microsoft Defender Antivirus.
-
-## Review event logs
-
-Open the Event viewer app by selecting the **Search** icon in the taskbar, and searching for *event viewer*.
-
-Information about Microsoft Defender Antivirus can be found under **Applications and Services Logs** > **Microsoft** > **Windows** > **Windows Defender**.
-
-From there, select **Open** underneath **Operational**.
-
-Selecting an event from the details pane will show you more information about an event in the lower pane, under the **General** and **Details** tabs.
-
-## Microsoft Defender Antivirus won't start
-
-This issue can manifest in the form of several different event IDs, all of which have the same underlying cause.
-
-### Associated event IDs
-
- Event ID | Log name | Description | Source
--|-|-|-
-15 | Application | Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_OFF. | Security Center
-5007 | Microsoft-Windows-Windows Defender/Operational | Windows Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
**Old value:** Default\IsServiceRunning = 0x0
**New value:** HKLM\SOFTWARE\Microsoft\Windows Defender\IsServiceRunning = 0x1 | Windows Defender
-5010 | Microsoft-Windows-Windows Defender/Operational | Windows Defender Antivirus scanning for spyware and other potentially unwanted software is disabled. | Windows Defender
-
-### How to tell if Microsoft Defender Antivirus won't start because a third-party antivirus is installed
-
-On a Windows 10 device, if you are not using Microsoft Defender for Endpoint, and you have a third-party antivirus installed, then Microsoft Defender Antivirus will be automatically turned off. If you are using Microsoft Defender for Endpoint with a third-party antivirus installed, Microsoft Defender Antivirus will start in passive mode, with reduced functionality.
-
-> [!TIP]
-> The scenario just described applies only to Windows 10. Other versions of Windows have [different responses](microsoft-defender-antivirus-compatibility.md) to Microsoft Defender Antivirus being run alongside third-party security software.
-
-#### Use Services app to check if Microsoft Defender Antivirus is turned off
-
-To open the Services app, select the **Search** icon from the taskbar and search for *services*. You can also open the app from the command-line by typing *services.msc*.
-
-Information about Microsoft Defender Antivirus will be listed within the Services app under **Windows Defender** > **Operational**. The antivirus service name is *Windows Defender Antivirus Service*.
-
-While checking the app, you may see that *Windows Defender Antivirus Service* is set to manual — but when you try to start this service manually, you get a warning stating, *The Windows Defender Antivirus Service service on Local Computer started and then stopped. Some services stop automatically if they are not in use by other services or programs.*
-
-This indicates that Microsoft Defender Antivirus has been automatically turned off to preserve compatibility with a third-party antivirus.
-
-#### Generate a detailed report
-
-You can generate a detailed report about currently active group policies by opening a command prompt in **Run as admin** mode, then entering the following command:
-
-```powershell
-GPresult.exe /h gpresult.html
-```
-
-This will generate a report located at *./gpresult.html*. Open this file and you might see the following results, depending on how Microsoft Defender Antivirus was turned off.
-
-##### Group policy results
-
-##### If security settings are implemented via group policy (GPO) at the domain or local level, or though System center configuration manager (SCCM)
-
-Within the GPResults report, under the heading, *Windows Components/Windows Defender Antivirus*, you may see something like the following entry, indicating that Microsoft Defender Antivirus is turned off.
-
-Policy | Setting | Winning GPO
--|-|-
-Turn off Windows Defender Antivirus | Enabled | Win10-Workstations
-
-###### If security settings are implemented via Group policy preference (GPP)
-
-Under the heading, *Registry item (Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender, Value name: DisableAntiSpyware)*, you may see something like the following entry, indicating that Microsoft Defender Antivirus is turned off.
-
-DisableAntiSpyware | -
--|-
-Winning GPO | Win10-Workstations
-Result: Success |
-**General** |
-Action | Update
-**Properties** |
-Hive | HKEY_LOCAL_MACHINE
-Key path | SOFTWARE\Policies\Microsoft\Windows Defender
-Value name | DisableAntiSpyware
-Value type | REG_DWORD
-Value data | 0x1 (1)
-
-###### If security settings are implemented via registry key
-
-The report may contain the following text, indicating that Microsoft Defender Antivirus is turned off:
-
-> Registry (regedit.exe)
->
-> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
-> DisableAntiSpyware (dword) 1 (hex)
-
-###### If security settings are set in Windows or your Windows Server image
-
-Your imagining admin might have set the security policy, **[DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware)**, locally via *GPEdit.exe*, *LGPO.exe*, or by modifying the registry in their task sequence. You can [configure a Trusted Image Identifier](https://docs.microsoft.com/windows-hardware/manufacture/desktop/configure-a-trusted-image-identifier-for-windows-defender) for Microsoft Defender Antivirus.
-
-### Turn Microsoft Defender Antivirus back on
-
-Microsoft Defender Antivirus will automatically turn on if no other antivirus is currently active. You'll need to turn the third-party antivirus completely off to ensure Microsoft Defender Antivirus can run with full functionality.
-
-> [!WARNING]
-> Solutions suggesting that you edit the *Windows Defender* start values for *wdboot*, *wdfilter*, *wdnisdrv*, *wdnissvc*, and *windefend* in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services are unsupported, and may force you to re-image your system.
-
-Passive mode is available if you start using Microsoft Defender for Endpoint and a third-party antivirus together with Microsoft Defender Antivirus. Passive mode allows Microsoft Defender to scan files and update itself, but it will not remediate threats. In addition, behavior monitoring via [Real Time Protection](configure-real-time-protection-microsoft-defender-antivirus.md) is not available under passive mode, unless [Endpoint data loss prevention (DLP)](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/information-protection-in-windows-overview) is deployed.
-
-Another feature, known as [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), is available to end-users when Microsoft Defender Antivirus is set to automatically turn off. This feature allows Microsoft Defender Antivirus to scan files periodically alongside a third-party antivirus, using a limited number of detections.
-
-> [!IMPORTANT]
-> Limited periodic scanning is not recommended in enterprise environments. The detection, management and reporting capabilities available when running Microsoft Defender Antivirus in this mode are reduced as compared to active mode.
-
-### See also
-
-* [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md)
-* [Microsoft Defender Antivirus in the Windows Security app](microsoft-defender-security-center-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md
deleted file mode 100644
index 6d48b38885..0000000000
--- a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md
+++ /dev/null
@@ -1,3246 +0,0 @@
----
-title: Microsoft Defender AV event IDs and error codes
-description: Look up the causes and solutions for Microsoft Defender Antivirus event IDs and errors
-keywords: event, error code, siem, logging, troubleshooting, wef, windows event forwarding
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 09/11/2018
-ms.reviewer:
-manager: dansimp
-ms.technology: mde
----
-
-# Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-
-If you encounter a problem with Microsoft Defender Antivirus, you can search the tables in this topic to find a matching issue and potential solution.
-
-The tables list:
-
-- [Microsoft Defender Antivirus event IDs](#windows-defender-av-ids) (these apply to both Windows 10 and Windows Server 2016)
-- [Microsoft Defender Antivirus client error codes](#error-codes)
-- [Internal Microsoft Defender Antivirus client error codes (used by Microsoft during development and testing)](#internal-error-codes)
-
-> [!TIP]
-> You can also visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working:
->
-> - Cloud-delivered protection
-> - Fast learning (including Block at first sight)
-> - Potentially unwanted application blocking
-
-
-## Microsoft Defender Antivirus event IDs
-
-Microsoft Defender Antivirus records event IDs in the Windows event log.
-
-You can directly view the event log, or if you have a third-party security information and event management (SIEM) tool, you can also consume [Microsoft Defender Antivirus client event IDs](troubleshoot-microsoft-defender-antivirus.md#windows-defender-av-ids) to review specific events and errors from your endpoints.
-
-The table in this section lists the main Microsoft Defender Antivirus event IDs and, where possible, provides suggested solutions to fix or resolve the error.
-
-## To view a Microsoft Defender Antivirus event
-
-1. Open **Event Viewer**.
-2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**.
-3. Double-click on **Operational**.
-4. In the details pane, view the list of individual events to find your event.
-5. Click the event to see specific details about an event in the lower pane, under the **General** and **Details** tabs.
-
-
-
-
-
-## Microsoft Defender Antivirus client error codes
-If Microsoft Defender Antivirus experiences any issues it will usually give you an error code to help you troubleshoot the issue. Most often an error means there was a problem installing an update.
-This section provides the following information about Microsoft Defender Antivirus client errors.
-- The error code
-- The possible reason for the error
-- Advice on what to do now
-
-Use the information in these tables to help troubleshoot Microsoft Defender Antivirus error codes.
-
-
-
-
-Event ID: 1000
-
-
-
-Symbolic name:
-
-
-MALWAREPROTECTION_SCAN_STARTED
-
-
-
-
-Message:
-
-
-An antimalware scan started.
-
-
-
-
-
-Description:
-
-
-
-
-
-
-
-
-
-
-
-Event ID: 1001
-
-Symbolic name:
-
-
-MALWAREPROTECTION_SCAN_COMPLETED
-
-
-
-
-Message:
-
-
-An antimalware scan finished.
-
-
-
-
-Description:
-
-
-
-
-
-
-
-
-
-
-
-Event ID: 1002
-
-Symbolic name:
-
-
-MALWAREPROTECTION_SCAN_CANCELLED
-
-
-
-
-
-Message:
-
-
-An antimalware scan was stopped before it finished.
-
-
-
-
-
-Description:
-
-
-
-
-
-
-
-
-
-
-
-Event ID: 1003
-
-Symbolic name:
-
-
-MALWAREPROTECTION_SCAN_PAUSED
-
-
-
-
-
-Message:
-
-
-An antimalware scan was paused.
-
-
-
-
-
-Description:
-
-
-
-
-
-
-
-
-
-
-
-Event ID: 1004
-
-Symbolic name:
-
-
-MALWAREPROTECTION_SCAN_RESUMED
-
-
-
-
-
-Message:
-
-
-An antimalware scan was resumed.
-
-
-
-
-
-Description:
-
-
-
-
-
-
-
-
-
-
-
-Event ID: 1005
-
-Symbolic name:
-
-
-MALWAREPROTECTION_SCAN_FAILED
-
-
-
-
-
-Message:
-
-
-An antimalware scan failed.
-
-
-
-
-
-Description:
-
-
-
-
-
-
-
-
-
-
-
-
-User action:
-
-
-The antivirus client encountered an error, and the current scan has stopped. The scan might fail due to a client-side issue. This event record includes the scan ID, type of scan (Microsoft Defender Antivirus, antispyware, antimalware), scan parameters, the user that started the scan, the error code, and a description of the error.
-To troubleshoot this event:
-
-
-
-
-
-Event ID: 1006
-
-Symbolic name:
-
-
-MALWAREPROTECTION_MALWARE_DETECTED
-
-
-
-
-
-Message:
-
-
-The antimalware engine found malware or other potentially unwanted software.
-
-
-
-
-
-Description:
-
-
-For more information, see the following:
-
-
-
-
-
-
-
-
-
-
-
Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
-UAC
-
-Event ID: 1007
-
-Symbolic name:
-
-
-MALWAREPROTECTION_MALWARE_ACTION_TAKEN
-
-
-
-
-
-Message:
-
-
-The antimalware platform performed an action to protect your system from malware or other potentially unwanted software.
-
-
-
-
-
-Description:
-
-
-Microsoft Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software. For more information, see the following:
-
-
-
-
-
-
-
-
-
-Event ID: 1008
-
-Symbolic name:
-
-
-MALWAREPROTECTION_MALWARE_ACTION_FAILED
-
-
-
-
-Message:
-
-
-The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed.
-
-
-
-
-Description:
-
-
-Microsoft Defender Antivirus has encountered an error when taking action on malware or other potentially unwanted software. For more information, see the following:
-
-
-
-
-
-
-
-
-
-Event ID: 1009
-
-Symbolic name:
-
-
-MALWAREPROTECTION_QUARANTINE_RESTORE
-
-
-
-
-
-Message:
-
-
-The antimalware platform restored an item from quarantine.
-
-
-
-
-
-Description:
-
-
-Microsoft Defender Antivirus has restored an item from quarantine. For more information, see the following:
-
-
-
-
-
-
-
-Event ID: 1010
-
-Symbolic name:
-
-
-MALWAREPROTECTION_QUARANTINE_RESTORE_FAILED
-
-
-
-
-
-Message:
-
-
-The antimalware platform could not restore an item from quarantine.
-
-
-
-
-
-Description:
-
-
-Microsoft Defender Antivirus has encountered an error trying to restore an item from quarantine. For more information, see the following:
-
-
-
-
-
-
-
-Event ID: 1011
-
-Symbolic name:
-
-
-MALWAREPROTECTION_QUARANTINE_DELETE
-
-
-
-
-Message:
-
-
-The antimalware platform deleted an item from quarantine.
-
-
-
-
-
-Description:
-
-
-Microsoft Defender Antivirus has deleted an item from quarantine.
-
For more information, see the following:
-
-
-
-
-
-
-Event ID: 1012
-
-Symbolic name:
-
-
-MALWAREPROTECTION_QUARANTINE_DELETE_FAILED
-
-
-
-
-
-Message:
-
-
-The antimalware platform could not delete an item from quarantine.
-
-
-
-
-Description:
-
-
-Microsoft Defender Antivirus has encountered an error trying to delete an item from quarantine.
-For more information, see the following:
-
-
-
-
-
-
-
-Event ID: 1013
-
-Symbolic name:
-
-
-MALWAREPROTECTION_MALWARE_HISTORY_DELETE
-
-
-
-
-
-Message:
-
-
-The antimalware platform deleted history of malware and other potentially unwanted software.
-
-
-
-
-Description:
-
-
-Microsoft Defender Antivirus has removed history of malware and other potentially unwanted software.
-
-
-
-
-
-Event ID: 1014
-
-Symbolic name:
-
-
-MALWAREPROTECTION_MALWARE_HISTORY_DELETE_FAILED
-
-
-
-
-
-Message:
-
-
-The antimalware platform could not delete history of malware and other potentially unwanted software.
-
-
-
-
-Description:
-
-
-Microsoft Defender Antivirus has encountered an error trying to remove history of malware and other potentially unwanted software.
-
-
-
-
-
-Event ID: 1015
-
-Symbolic name:
-
-
-MALWAREPROTECTION_BEHAVIOR_DETECTED
-
-
-
-
-
-Message:
-
-
-The antimalware platform detected suspicious behavior.
-
-
-
-
-Description:
-
-
-Microsoft Defender Antivirus has detected a suspicious behavior.
-
For more information, see the following:
-
-
-
-
-
-
-
-
-
-
Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
-UAC
-
-Event ID: 1116
-
-Symbolic name:
-
-
-MALWAREPROTECTION_STATE_MALWARE_DETECTED
-
-
-
-
-Message:
-
-
-The antimalware platform detected malware or other potentially unwanted software.
-
-
-
-
-
-Description:
-
-
-Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
-
For more information, see the following:
-
-
-
-
-
-
-
-
-
-
Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
-UAC
-
-
-User action:
-
-
-No action is required. Microsoft Defender Antivirus can suspend and take routine action on this threat. If you want to remove the threat manually, in the Microsoft Defender Antivirus interface, click Clean Computer.
-
-
-
-Event ID: 1117
-
-Symbolic name:
-
-
-MALWAREPROTECTION_STATE_MALWARE_ACTION_TAKEN
-
-
-
-
-
-Message:
-
-
-The antimalware platform performed an action to protect your system from malware or other potentially unwanted software.
-
-
-
-
-
-Description:
-
-
-Microsoft Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software.
-
For more information, see the following:
-
-
-
-
-
-
-
-
-
-
Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
-UAC
-
-
-
-The above context applies to the following client and server versions:
-
-
-
-
-Operating system
-Operating system version
-
-
-
-Client Operating System
-
-
-Windows Vista (Service Pack 1, or Service Pack 2), Windows 7 and later
-
-
-
-
-Server Operating System
-
-
-Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2016
-
-
-
-
-User action:
-
-
-No action is necessary. Microsoft Defender Antivirus removed or quarantined a threat.
-
-
-
-Event ID: 1118
-
-Symbolic name:
-
-
-MALWAREPROTECTION_STATE_MALWARE_ACTION_FAILED
-
-
-
-
-Message:
-
-
-The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed.
-
-
-
-
-
-Description:
-
-
-Microsoft Defender Antivirus has encountered a non-critical error when taking action on malware or other potentially unwanted software.
-
For more information, see the following:
-
-
-
-
-
-
-
-
-
-
Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
-UAC
-
-
-
-
-User action:
-
-
-No action is necessary. Microsoft Defender Antivirus failed to complete a task related to the malware remediation. This is not a critical failure.
-
-
-
-Event ID: 1119
-
-Symbolic name:
-
-
-MALWAREPROTECTION_STATE_MALWARE_ACTION_CRITICALLY_FAILED
-
-
-
-
-
-Message:
-
-
-The antimalware platform encountered a critical error when trying to take action on malware or other potentially unwanted software. There are more details in the event message.
-
-
-
-
-Description:
-
-
-Microsoft Defender Antivirus has encountered a critical error when taking action on malware or other potentially unwanted software.
-
For more information, see the following:
-
-
-
-
-
-
-
-
-
-
Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well.
-UAC
-
-
-
-
-User action:
-
-
-The Microsoft Defender Antivirus client encountered this error due to critical issues. The endpoint might not be protected. Review the error description then follow the relevant User action steps below.
-
-
-
-
-If this event persists:
-
-Action
-User action
-
-
-
-Remove
-
-
-Update the definitions then verify that the removal was successful.
-
-
-
-
-Clean
-
-
-Update the definitions then verify that the remediation was successful.
-
-
-
-
-Quarantine
-
-
-Update the definitions and verify that the user has permission to access the necessary resources.
-
-
-
-
-Allow
-
-
-Verify that the user has permission to access the necessary resources.
-
-
-
-
-
-Event ID: 1120
-
-Symbolic name:
-
-
-MALWAREPROTECTION_THREAT_HASH
-
-
-
-
-Message:
-
-
-Microsoft Defender Antivirus has deduced the hashes for a threat resource.
-
-
-
-
-Description:
-
-
-Microsoft Defender Antivirus client is up and running in a healthy state.
-
-
-
-
-
-
-
-
-
-
-Event ID: 1150
-
-Symbolic name:
-
-
-MALWAREPROTECTION_SERVICE_HEALTHY
-
-
-
-
-Message:
-
-
-If your antimalware platform reports status to a monitoring platform, this event indicates that the antimalware platform is running and in a healthy state.
-
-
-
-
-
-Description:
-
-
-Microsoft Defender Antivirus client is up and running in a healthy state.
-
-
-
-
-
-
-
-User action:
-
-
-No action is necessary. The Microsoft Defender Antivirus client is in a healthy state. This event is reported on an hourly basis.
-
-
-
-Event ID: 1151
-
-Symbolic name:
-
-
-MALWAREPROTECTION_SERVICE_HEALTH_REPORT
-
-
-
-
-Message:
-
-
-Endpoint Protection client health report (time in UTC)
-
-
-
-
-
-
-Description:
-
-
-Antivirus client health report.
-
-
-
-
-
-Event ID: 2000
-
-Symbolic name:
-
-
-MALWAREPROTECTION_SIGNATURE_UPDATED
-
-
-
-
-
-Message:
-
-
-The antimalware definitions updated successfully.
-
-
-
-
-
-Description:
-
-
-Antivirus signature version has been updated.
-
-
-
-
-
-
-
-
-User action:
-
-
-No action is necessary. The Microsoft Defender Antivirus client is in a healthy state. This event is reported when signatures are successfully updated.
-
-
-
-Event ID: 2001
-
-Symbolic name:
-
-
-MALWAREPROTECTION_SIGNATURE_UPDATE_FAILED
-
-
-
-
-Message:
-
-
-The security intelligence update failed.
-
-
-
-
-
-Description:
-
-
-Microsoft Defender Antivirus has encountered an error trying to update signatures.
-
-
-
-
-
-
-
-
-
-
-
-
-User action:
-
-
-This error occurs when there is a problem updating definitions.
-To troubleshoot this event:
-
-
-
-
-
-Event ID: 2002
-
-Symbolic name:
-
-
-MALWAREPROTECTION_ENGINE_UPDATED
-
-
-
-
-Message:
-
-
-The antimalware engine updated successfully.
-
-
-
-
-
-Description:
-
-
-Microsoft Defender Antivirus engine version has been updated.
-
-
-
-
-
-
-User action:
-
-
-No action is necessary. The Microsoft Defender Antivirus client is in a healthy state. This event is reported when the antimalware engine is successfully updated.
-
-
-
-Event ID: 2003
-
-Symbolic name:
-
-
-MALWAREPROTECTION_ENGINE_UPDATE_FAILED
-
-
-
-
-Message:
-
-
-The antimalware engine update failed.
-
-
-
-
-
-Description:
-
-
-Microsoft Defender Antivirus has encountered an error trying to update the engine.
-
-
-
-
-
-
-User action:
-
-
-The Microsoft Defender Antivirus client update failed. This event occurs when the client fails to update itself. This event is usually due to an interruption in network connectivity during an update.
-To troubleshoot this event:
-
-
-
-
-
-Event ID: 2004
-
-Symbolic name:
-
-
-MALWAREPROTECTION_SIGNATURE_REVERSION
-
-
-
-
-Message:
-
-
-There was a problem loading antimalware definitions. The antimalware engine will attempt to load the last-known good set of definitions.
-
-
-
-
-Description:
-
-
-Microsoft Defender Antivirus has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.
-
-
-
-
-
-
-User action:
-
-
-The Microsoft Defender Antivirus client attempted to download and install the latest definitions file and failed. This error can occur when the client encounters an error while trying to load the definitions, or if the file is corrupt. Microsoft Defender Antivirus will attempt to revert back to a known-good set of definitions.
-To troubleshoot this event:
-
-
-
-
-
-Event ID: 2005
-
-Symbolic name:
-
-
-MALWAREPROTECTION_ENGINE_UPDATE_PLATFORMOUTOFDATE
-
-
-
-
-Message:
-
-
-The antimalware engine failed to load because the antimalware platform is out of date. The antimalware platform will load the last-known good antimalware engine and attempt to update.
-
-
-
-
-Description:
-
-
-Microsoft Defender Antivirus could not load antimalware engine because current platform version is not supported. Microsoft Defender Antivirus will revert back to the last known-good engine and a platform update will be attempted.
-
-
-
-
-
-Event ID: 2006
-
-Symbolic name:
-
-
-MALWAREPROTECTION_PLATFORM_UPDATE_FAILED
-
-
-
-
-
-Message:
-
-
-The platform update failed.
-
-
-
-
-
-Description:
-
-
-Microsoft Defender Antivirus has encountered an error trying to update the platform.
-
-
-
-
-
-Event ID: 2007
-
-Symbolic name:
-
-
-MALWAREPROTECTION_PLATFORM_ALMOSTOUTOFDATE
-
-
-
-
-Message:
-
-
-The platform will soon be out of date. Download the latest platform to maintain up-to-date protection.
-
-
-
-
-Description:
-
-
-Microsoft Defender Antivirus will soon require a newer platform version to support future versions of the antimalware engine. Download the latest Microsoft Defender Antivirus platform to maintain the best level of protection available.
-
-
-
-
-
-Event ID: 2010
-
-Symbolic name:
-
-
-MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATED
-
-
-
-
-
-Message:
-
-
-The antimalware engine used the Dynamic Signature Service to get additional definitions.
-
-
-
-
-
-Description:
-
-
-Microsoft Defender Antivirus used Dynamic Signature Service to retrieve additional signatures to help protect your machine.
-
-
-
-
-
-
-
-
-
-
-
-Event ID: 2011
-
-Symbolic name:
-
-
-MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED
-
-
-
-
-
-Message:
-
-
-The Dynamic Signature Service deleted the out-of-date dynamic definitions.
-
-
-
-
-
-Description:
-
-
-Microsoft Defender Antivirus used Dynamic Signature Service to discard obsolete signatures.
-
-
-
-
-
-
-
-
-
-
-
-
-User action:
-
-
-No action is necessary. The Microsoft Defender Antivirus client is in a healthy state. This event is reported when the Dynamic Signature Service successfully deletes out-of-date dynamic definitions.
-
-
-
-Event ID: 2012
-
-Symbolic name:
-
-
-MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATE_FAILED
-
-
-
-
-
-Message:
-
-
-The antimalware engine encountered an error when trying to use the Dynamic Signature Service.
-
-
-
-
-
-Description:
-
-
-Microsoft Defender Antivirus has encountered an error trying to use Dynamic Signature Service.
-
-
-
-
-
-
-
-
-
-
-
-
-User action:
-
-
-Check your Internet connectivity settings.
-
-
-
-Event ID: 2013
-
-Symbolic name:
-
-
-MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED_ALL
-
-
-
-
-
-Message:
-
-
-The Dynamic Signature Service deleted all dynamic definitions.
-
-
-
-
-
-Description:
-
-
-Microsoft Defender Antivirus discarded all Dynamic Signature Service signatures.
-
-
-
-
-
-Event ID: 2020
-
-Symbolic name:
-
-
-MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOADED
-
-
-
-
-
-Message:
-
-
-The antimalware engine downloaded a clean file.
-
-
-
-
-
-Description:
-
-
-Microsoft Defender Antivirus downloaded a clean file.
-
-
-
-
-
-Event ID: 2021
-
-Symbolic name:
-
-
-MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOAD_FAILED
-
-
-
-
-Message:
-
-
-The antimalware engine failed to download a clean file.
-
-
-
-
-
-Description:
-
-
-Microsoft Defender Antivirus has encountered an error trying to download a clean file.
-
-
-
-
-
-
-User action:
-
-
-Check your Internet connectivity settings.
-The Microsoft Defender Antivirus client encountered an error when using the Dynamic Signature Service to download the latest definitions to a specific threat. This error is likely caused by a network connectivity issue.
-
-
-
-Event ID: 2030
-
-Symbolic name:
-
-
-MALWAREPROTECTION_OFFLINE_SCAN_INSTALLED
-
-
-
-
-Message:
-
-
-The antimalware engine was downloaded and is configured to run offline on the next system restart.
-
-
-
-
-Description:
-
-
-Microsoft Defender Antivirus downloaded and configured offline antivirus to run on the next reboot.
-
-
-
-Event ID: 2031
-
-Symbolic name:
-
-
-MALWAREPROTECTION_OFFLINE_SCAN_INSTALL_FAILED
-
-
-
-
-
-Message:
-
-
-The antimalware engine was unable to download and configure an offline scan.
-
-
-
-
-Description:
-
-
-Microsoft Defender Antivirus has encountered an error trying to download and configure offline antivirus.
-
-
-
-
-
-Event ID: 2040
-
-Symbolic name:
-
-
-MALWAREPROTECTION_OS_EXPIRING
-
-
-
-
-
-Message:
-
-
-Antimalware support for this operating system version will soon end.
-
-
-
-
-
-Description:
-
-
-The support for your operating system will expire shortly. Running Microsoft Defender Antivirus on an out of support operating system is not an adequate solution to protect against threats.
-
-
-
-Event ID: 2041
-
-Symbolic name:
-
-
-MALWAREPROTECTION_OS_EOL
-
-
-
-
-
-Message:
-
-
-Antimalware support for this operating system has ended. You must upgrade the operating system for continued support.
-
-
-
-
-
-Description:
-
-
-The support for your operating system has expired. Running Microsoft Defender Antivirus on an out of support operating system is not an adequate solution to protect against threats.
-
-
-
-Event ID: 2042
-
-Symbolic name:
-
-
-MALWAREPROTECTION_PROTECTION_EOL
-
-
-
-
-
-Message:
-
-
-The antimalware engine no longer supports this operating system, and is no longer protecting your system from malware.
-
-
-
-
-
-Description:
-
-
-The support for your operating system has expired. Microsoft Defender Antivirus is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats.
-
-
-
-Event ID: 3002
-
-Symbolic name:
-
-
-MALWAREPROTECTION_RTP_FEATURE_FAILURE
-
-
-
-
-
-Message:
-
-
-Real-time protection encountered an error and failed.
-
-
-
-
-Description:
-
-
-Microsoft Defender Antivirus Real-Time Protection feature has encountered an error and failed.
-
-
-
-
-
-
-
-
-User action:
-
-
-You should restart the system then run a full scan because it's possible the system was not protected for some time.
-The Microsoft Defender Antivirus client's real-time protection feature encountered an error because one of the services failed to start.
-If it is followed by a 3007 event ID, the failure was temporary and the antimalware client recovered from the failure.
-
-
-
-Event ID: 3007
-
-Symbolic name:
-
-
-MALWAREPROTECTION_RTP_FEATURE_RECOVERED
-
-
-
-
-Message:
-
-
-Real-time protection recovered from a failure. We recommend running a full system scan when you see this error.
-
-
-
-
-
-Description:
-
-
-Microsoft Defender Antivirus Real-time Protection has restarted a feature. It is recommended that you run a full system scan to detect any items that may have been missed while this agent was down.
-
-
-
-
-
-
-
-
-User action:
-
-
-The real-time protection feature has restarted. If this event happens again, contact Microsoft Technical Support.
-
-
-
-Event ID: 5000
-
-Symbolic name:
-
-
-MALWAREPROTECTION_RTP_ENABLED
-
-
-
-
-
-Message:
-
-
-Real-time protection is enabled.
-
-
-
-
-
-Description:
-
-
-Microsoft Defender Antivirus real-time protection scanning for malware and other potentially unwanted software was enabled.
-
-
-
-Event ID: 5001
-
-Symbolic name:
-
-
-MALWAREPROTECTION_RTP_DISABLED
-
-
-
-
-Message:
-
-
-Real-time protection is disabled.
-
-
-
-
-
-Description:
-
-
-Microsoft Defender Antivirus real-time protection scanning for malware and other potentially unwanted software was disabled.
-
-
-
-Event ID: 5004
-
-Symbolic name:
-
-
-MALWAREPROTECTION_RTP_FEATURE_CONFIGURED
-
-
-
-
-
-Message:
-
-
-The real-time protection configuration changed.
-
-
-
-
-
-Description:
-
-
-Microsoft Defender Antivirus real-time protection feature configuration has changed.
-
-
-
-
-
-
-
-Event ID: 5007
-
-Symbolic name:
-
-
-MALWAREPROTECTION_CONFIG_CHANGED
-
-
-
-
-
-Message:
-
-
-The antimalware platform configuration changed.
-
-
-
-
-Description:
-
-
-Microsoft Defender Antivirus configuration has changed. If this is an unexpected event, you should review the settings as this may be the result of malware.
-
-
-
-
-
-Event ID: 5008
-
-Symbolic name:
-
-
-MALWAREPROTECTION_ENGINE_FAILURE
-
-
-
-
-Message:
-
-
-The antimalware engine encountered an error and failed.
-
-
-
-
-Description:
-
-
-Microsoft Defender Antivirus engine has been terminated due to an unexpected error.
-
-
-
-
-
-
-User action:
-
-
-To troubleshoot this event:
-
-
-
-
-
-
-
-User action:
-
-
-The Microsoft Defender Antivirus client engine stopped due to an unexpected error.
-To troubleshoot this event:
-
-
-
-
-
-Event ID: 5009
-
-Symbolic name:
-
-
-MALWAREPROTECTION_ANTISPYWARE_ENABLED
-
-
-
-
-
-Message:
-
-
-Scanning for malware and other potentially unwanted software is enabled.
-
-
-
-
-
-Description:
-
-
-Microsoft Defender Antivirus scanning for malware and other potentially unwanted software has been enabled.
-
-
-
-Event ID: 5010
-
-Symbolic name:
-
-
-MALWAREPROTECTION_ANTISPYWARE_DISABLED
-
-
-
-
-
-Message:
-
-
-Scanning for malware and other potentially unwanted software is disabled.
-
-
-
-
-Description:
-
-
-Microsoft Defender Antivirus scanning for malware and other potentially unwanted software is disabled.
-
-
-
-Event ID: 5011
-
-Symbolic name:
-
-
-MALWAREPROTECTION_ANTIVIRUS_ENABLED
-
-
-
-
-Message:
-
-
-Scanning for viruses is enabled.
-
-
-
-
-Description:
-
-
-Microsoft Defender Antivirus scanning for viruses has been enabled.
-
-
-
-Event ID: 5012
-
-Symbolic name:
-
-
-MALWAREPROTECTION_ANTIVIRUS_DISABLED
-
-
-
-
-
-Message:
-
-
-Scanning for viruses is disabled.
-
-
-
-
-
-Description:
-
-
-Microsoft Defender Antivirus scanning for viruses is disabled.
-
-
-
-Event ID: 5100
-
-Symbolic name:
-
-
-MALWAREPROTECTION_EXPIRATION_WARNING_STATE
-
-
-
-
-
-Message:
-
-
-The antimalware platform will expire soon.
-
-
-
-
-
-Description:
-
-
-Microsoft Defender Antivirus has entered a grace period and will soon expire. After expiration, this program will disable protection against viruses, spyware, and other potentially unwanted software.
-
-
-
-
-
-Event ID: 5101
-
-Symbolic name:
-
-
-MALWAREPROTECTION_DISABLED_EXPIRED_STATE
-
-
-
-
-
-Message:
-
-
-The antimalware platform is expired.
-
-
-
-
-
-Description:
-
-
-Microsoft Defender Antivirus grace period has expired. Protection against viruses, spyware, and other potentially unwanted software is disabled.
-
-
-
-
-
-
-
-The following error codes are used during internal testing of Microsoft Defender Antivirus.
-
-If you see these errors, you can try to [update definitions](manage-updates-baselines-microsoft-defender-antivirus.md) and force a rescan directly on the endpoint.
-
-
-
-
-Error code: 0x80508007
-
-
-Message
-
-ERR_MP_NO_MEMORY
-
-
-
-
-Possible reason
-
-
-This error indicates that you might have run out of memory.
-
-
-
-Resolution
-
-
-
-
-
- Error code: 0x8050800C
-Message
-ERR_MP_BAD_INPUT_DATA
- Possible reason
-
-This error indicates that there might be a problem with your security product.
-
-Resolution
-
-
-
-
-
-
Or,
-
- Error code: 0x80508020
-Message
-ERR_MP_BAD_CONFIGURATION
-
- Possible reason
-
-This error indicates that there might be an engine configuration error; commonly, this is related to input
-data that does not allow the engine to function properly.
-
-
- Error code: 0x805080211
-
-Message
-ERR_MP_QUARANTINE_FAILED
-
- Possible reason
-
-This error indicates that Microsoft Defender Antivirus failed to quarantine a threat.
-
-
- Error code: 0x80508022
-
-Message
-ERR_MP_REBOOT_REQUIRED
-
- Possible reason
-
-This error indicates that a reboot is required to complete threat removal.
-
-
-
-0x80508023
-
-Message
-ERR_MP_THREAT_NOT_FOUND
-
- Possible reason
-
-This error indicates that the threat might no longer be present on the media, or malware might be stopping you from scanning your device.
- Resolution
-
-
-Run the Microsoft Safety Scanner then update your security software and try again.
-
-
-
-Error code: 0x80508024
- Message
-ERR_MP_FULL_SCAN_REQUIRED
-
- Possible reason
-
-This error indicates that a full system scan might be required.
-
-
-Resolution
-Run a full system scan.
-
-
- Error code: 0x80508025
-
-Message
-ERR_MP_MANUAL_STEPS_REQUIRED
-
- Possible reason
-
-This error indicates that manual steps are required to complete threat removal.
- Resolution
-Follow the manual remediation steps outlined in the Microsoft Malware Protection Encyclopedia. You can find a threat-specific link in the event history.
-
- Error code: 0x80508026
-
-Message
-ERR_MP_REMOVE_NOT_SUPPORTED
-
- Possible reason
-
-This error indicates that removal inside the container type might not be not supported.
- Resolution
-Microsoft Defender Antivirus is not able to remediate threats detected inside the archive. Consider manually removing the detected resources.
-
-
- Error code: 0x80508027
-
-Message
-ERR_MP_REMOVE_LOW_MEDIUM_DISABLED
-
- Possible reason
-
-This error indicates that removal of low and medium threats might be disabled.
- Resolution
-Check the detected threats and resolve them as required.
-
-
- Error code: 0x80508029
-
-Message
-ERROR_MP_RESCAN_REQUIRED
-
- Possible reason
-
-This error indicates a rescan of the threat is required.
- Resolution
-Run a full system scan.
-
-
- Error code: 0x80508030
-
-Message
-ERROR_MP_CALLISTO_REQUIRED
-
- Possible reason
-
-This error indicates that an offline scan is required.
- Resolution
-Run offline Microsoft Defender Antivirus. You can read about how to do this in the offline Microsoft Defender Antivirus article.
-
-
- Error code: 0x80508031
-
-Message
-ERROR_MP_PLATFORM_OUTDATED
-Possible reason
-
-This error indicates that Microsoft Defender Antivirus does not support the current version of the platform and requires a new version of the platform.
- Resolution
-You can only use Microsoft Defender Antivirus in Windows 10. For Windows 8, Windows 7 and Windows Vista, you can use System Center Endpoint Protection.
-
-
-
-## Related topics
-
-- [Report on Microsoft Defender Antivirus protection](report-monitor-microsoft-defender-antivirus.md)
-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md
deleted file mode 100644
index 4ec6d05d04..0000000000
--- a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md
+++ /dev/null
@@ -1,73 +0,0 @@
----
-title: Troubleshoot problems with reporting tools for Microsoft Defender AV
-description: Identify and solve common problems when attempting to report in Microsoft Defender AV protection status in Update Compliance
-keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender AV
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.reviewer:
-manager: dansimp
-ms.technology: mde
----
-
-# Troubleshoot Microsoft Defender Antivirus reporting in Update Compliance
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-
-> [!IMPORTANT]
-> On March 31, 2020, the Microsoft Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager), which allows finer control over security features and updates.
-
-You can use Microsoft Defender Antivirus with Update Compliance. You’ll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the [Microsoft Defender for Endpoint portal](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see [Windows 10 product licensing options](https://www.microsoft.com/licensing/product-licensing/windows10.aspx).
-
-When you use [Windows Analytics Update Compliance to obtain reporting into the protection status of devices or endpoints](/windows/deployment/update/update-compliance-using#wdav-assessment) in your network that are using Microsoft Defender Antivirus, you might encounter problems or issues.
-
-Typically, the most common indicators of a problem are:
-- You only see a small number or subset of all the devices you were expecting to see
-- You do not see any devices at all
-- The reports and information you do see is outdated (older than a few days)
-
-For common error codes and event IDs related to the Microsoft Defender Antivirus service that are not related to Update Compliance, see [Microsoft Defender Antivirus events](troubleshoot-microsoft-defender-antivirus.md).
-
-There are three steps to troubleshooting these problems:
-
-1. Confirm that you have met all prerequisites
-2. Check your connectivity to the Windows Defender cloud-based service
-3. Submit support logs
-
->[!IMPORTANT]
->It typically takes 3 days for devices to start appearing in Update Compliance.
-
-
-## Confirm prerequisites
-
-In order for devices to properly show up in Update Compliance, you have to meet certain prerequisites for both the Update Compliance service and for Microsoft Defender Antivirus:
-
->[!div class="checklist"]
->- Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Microsoft Defender AV to disable itself](microsoft-defender-antivirus-compatibility.md) and the endpoint will not be reported in Update Compliance.
-> - [Cloud-delivered protection is enabled](enable-cloud-protection-microsoft-defender-antivirus.md).
-> - Endpoints can [connect to the Microsoft Defender AV cloud](configure-network-connections-microsoft-defender-antivirus.md#validate-connections-between-your-network-and-the-cloud)
-> - If the endpoint is running Windows 10 version 1607 or earlier, [Windows 10 diagnostic data must be set to the Enhanced level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#enhanced-level).
-> - It has been 3 days since all requirements have been met
-
-“You can use Microsoft Defender Antivirus with Update Compliance. You’ll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the Microsoft Defender for Endpoint portal (https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see Windows 10 product licensing options"
-
-If the above prerequisites have all been met, you might need to proceed to the next step to collect diagnostic information and send it to us.
-
-> [!div class="nextstepaction"]
-> [Collect diagnostic data for Update Compliance troubleshooting](collect-diagnostic-data.md)
-
-## Related topics
-
-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
-- [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md
deleted file mode 100644
index decb62a445..0000000000
--- a/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md
+++ /dev/null
@@ -1,152 +0,0 @@
----
-title: Configure Microsoft Defender Antivirus with Group Policy
-description: Learn how to use a Group Policy to configure and manage Microsoft Defender Antivirus on your endpoints in Microsoft Defender for Endpoint.
-keywords: group policy, GPO, configuration, settings
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 10/01/2018
-ms.reviewer: ksarens
-manager: dansimp
-ms.technology: mde
----
-
-# Use Group Policy settings to configure and manage Microsoft Defender Antivirus
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-
-You can use [Group Policy](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx) to configure and manage Microsoft Defender Antivirus on your endpoints.
-
-In general, you can use the following procedure to configure or change Microsoft Defender Antivirus group policy settings:
-
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
-
-2. Using the **Group Policy Management Editor** go to **Computer configuration**.
-
-3. Click **Administrative templates**.
-
-4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus**.
-
-5. Expand the section (referred to as **Location** in the table in this topic) that contains the setting you want to configure, double-click the setting to open it, and make configuration changes.
-
-6. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx).
-
-The following table in this topic lists the Group Policy settings available in Windows 10, version 1703, and provides links to the appropriate topic in this documentation library (where applicable).
-
-Location | Setting | Article
----|---|---
-Client interface | Enable headless UI mode | [Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md)
-Client interface | Display additional text to clients when they need to perform an action | [Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md)
-Client interface | Suppress all notifications | [Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md)
-Client interface | Suppresses reboot notifications | [Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md)
-Exclusions | Extension Exclusions | [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
-Exclusions | Path Exclusions | [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
-Exclusions | Process Exclusions | [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
-Exclusions | Turn off Auto Exclusions | [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
-MAPS | Configure the 'Block at First Sight' feature | [Enable block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md)
-MAPS | Join Microsoft MAPS | [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)
-MAPS | Send file samples when further analysis is required | [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)
-MAPS | Configure local setting override for reporting to Microsoft MAPS | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
-MpEngine | Configure extended cloud check | [Configure the cloud block timeout period](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md)
-MpEngine | Select cloud protection level | [Specify the cloud-delivered protection level](specify-cloud-protection-level-microsoft-defender-antivirus.md)
-Network inspection system | Specify additional definition sets for network traffic inspection | Not used
-Network inspection system | Turn on definition retirement | Not used
-Network inspection system | Turn on protocol recognition | Not used
-Quarantine | Configure local setting override for the removal of items from Quarantine folder | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
-Quarantine | Configure removal of items from Quarantine folder | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md)
-Real-time protection | Configure local setting override for monitoring file and program activity on your computer | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
-Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
-Real-time protection | Configure local setting override for scanning all downloaded files and attachments | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
-Real-time protection | Configure local setting override for turn on behavior monitoring | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
-Real-time protection | Configure local setting override to turn on real-time protection | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
-Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
-Real-time protection | Monitor file and program activity on your computer | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
-Real-time protection | Scan all downloaded files and attachments | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
-Real-time protection | Turn off real-time protection | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
-Real-time protection | Turn on behavior monitoring | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
-Real-time protection | Turn on process scanning whenever real-time protection is enabled | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
-Real-time protection | Turn on raw volume write notifications | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
-Real-time protection | Configure monitoring for incoming and outgoing file and program activity | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
-Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
-Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | [Configure scheduled Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
-Remediation | Specify the time of day to run a scheduled full scan to complete remediation | [Configure scheduled Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
-Reporting | Configure Watson events | Not used
-Reporting | Configure Windows software trace preprocessor components | Not used
-Reporting | Configure WPP tracing level | Not used
-Reporting | Configure time out for detections in critically failed state | Not used
-Reporting | Configure time out for detections in non-critical failed state | Not used
-Reporting | Configure time out for detections in recently remediated state | Not used
-Reporting | Configure time out for detections requiring additional action | Not used
-Reporting | Turn off enhanced notifications | [Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md)
-Root | Turn off Microsoft Defender Antivirus | Not used (This setting must be set to **Not configured** to ensure any installed third-party antivirus apps work correctly)
-Root | Define addresses to bypass proxy server | Not used
-Root | Define proxy autoconfig (.pac) for connecting to the network | Not used
-Root | Define proxy server for connecting to the network | Not used
-Root | Configure local administrator merge behavior for lists | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
-Root | Allow antimalware service to start up with normal priority | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md)
-Root | Allow antimalware service to remain running always | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md)
-Root | Turn off routine remediation | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md)
-Root | Randomize scheduled task times | [Configure scheduled scans for Microsoft Defender Antivirus](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
-Scan | Allow users to pause scan | [Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md) (Not supported on Windows 10)
-Scan | Check for the latest virus and spyware definitions before running a scheduled scan | [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md)
-Scan | Define the number of days after which a catch-up scan is forced | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
-Scan | Turn on catch up full scan | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
-Scan | Turn on catch up quick scan | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
-Scan | Configure local setting override for maximum percentage of CPU utilization | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
-Scan | Configure local setting override for schedule scan day | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
-Scan | Configure local setting override for scheduled quick scan time | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
-Scan | Configure local setting override for scheduled scan time | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
-Scan | Configure local setting override for the scan type to use for a scheduled scan | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
-Scan | Create a system restore point | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md)
-Scan | Turn on removal of items from scan history folder | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md)
-Scan | Turn on heuristics | [Enable and configure Microsoft Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
-Scan | Turn on e-mail scanning | [Configure scanning options in Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md)
-Scan | Turn on reparse point scanning | [Configure scanning options in Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md)
-Scan | Run full scan on mapped network drives | [Configure scanning options in Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md)
-Scan | Scan archive files | [Configure scanning options in Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md)
-Scan | Scan network files | [Configure scanning options in Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md)
-Scan | Scan packed executables | [Configure scanning options in Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md)
-Scan | Scan removable drives | [Configure scanning options in Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md)
-Scan | Specify the maximum depth to scan archive files | [Configure scanning options in Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md)
-Scan | Specify the maximum percentage of CPU utilization during a scan | [Configure scanning options in Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md)
-Scan | Specify the maximum size of archive files to be scanned | [Configure scanning options in Microsoft Defender Antivirus](configure-advanced-scan-types-microsoft-defender-antivirus.md)
-Scan | Specify the day of the week to run a scheduled scan | [Configure scheduled scans for Microsoft Defender Antivirus](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
-Scan | Specify the interval to run quick scans per day | [Configure scheduled scans for Microsoft Defender Antivirus](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
-Scan | Specify the scan type to use for a scheduled scan | [Configure scheduled scans for Microsoft Defender Antivirus](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
-Scan | Specify the time for a daily quick scan | [Configure scheduled scans for Microsoft Defender Antivirus](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
-Scan | Specify the time of day to run a scheduled scan | [Configure scheduled scans for Microsoft Defender Antivirus](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
-Scan | Start the scheduled scan only when computer is on but not in use | [Configure scheduled scans for Microsoft Defender Antivirus](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
-Security intelligence updates | Allow security intelligence updates from Microsoft Update | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)
-Security intelligence updates | Allow security intelligence updates when running on battery power | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)
-Security intelligence updates | Allow notifications to disable definitions-based reports to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md)
-Security intelligence updates | Allow real-time security intelligence updates based on reports to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md)
-Security intelligence updates | Check for the latest virus and spyware definitions on startup | [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md)
-Security intelligence updates | Define file shares for downloading security intelligence updates | [Manage Microsoft Defender Antivirus protection and security intelligence updates](manage-protection-updates-microsoft-defender-antivirus.md)
-Security intelligence updates | Define the number of days after which a catch up security intelligence update is required | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
-Security intelligence updates | Define the number of days before spyware definitions are considered out of date | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
-Security intelligence updates | Define the number of days before virus definitions are considered out of date | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md)
-Security intelligence updates | Define the order of sources for downloading security intelligence updates | [Manage Microsoft Defender Antivirus protection and security intelligence updates](manage-protection-updates-microsoft-defender-antivirus.md)
-Security intelligence updates | Initiate security intelligence update on startup | [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md)
-Security intelligence updates | Specify the day of the week to check for security intelligence updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md)
-Security intelligence updates | Specify the interval to check for security intelligence updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md)
-Security intelligence updates | Specify the time to check for security intelligence updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md)
-Security intelligence updates | Turn on scan after Security intelligence update | [Configure scheduled scans for Microsoft Defender Antivirus](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
-Threats | Specify threat alert levels at which default action should not be taken when detected | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md)
-Threats | Specify threats upon which default action should not be taken when detected | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md)
-
-
-## Related articles
-
-- [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md)
-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
-
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md
deleted file mode 100644
index dcd08baa99..0000000000
--- a/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md
+++ /dev/null
@@ -1,51 +0,0 @@
----
-title: Configure Microsoft Defender Antivirus with Configuration Manager and Intune
-description: Use Microsoft Endpoint Manager and Microsoft Intune to configure Microsoft Defender AV and Endpoint Protection
-keywords: scep, intune, endpoint protection, configuration
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 10/26/2018
-ms.reviewer:
-manager: dansimp
-ms.technology: mde
----
-
-# Use Microsoft Endpoint Manager and Microsoft Intune to configure and manage Microsoft Defender Antivirus
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-
-If you were using Microsoft Endpoint Manager or Microsoft Intune to manage the endpoints on your network, you can now use Microsoft Endpoint Manager to manage Microsoft Defender Antivirus scans.
-
-1. In the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)), navigate to **Endpoint Security**.
-
-2. Under **Manage**, choose **Antivirus**.
-
-3. Select your Microsoft Defender Antivirus policy.
-
-4. Under **Manage**, choose **Properties**.
-
-5. Next to **Configuration settings**, choose **Edit**.
-
-6. Expand the **Scan** section, and review or edit your scanning settings.
-
-7. Choose **Review + save**
-
-Need help? See [Manage endpoint security in Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/endpoint-security).
-
-
-## Related articles
-
-- [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md)
-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md
deleted file mode 100644
index dc441c48cf..0000000000
--- a/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md
+++ /dev/null
@@ -1,65 +0,0 @@
----
-title: Use PowerShell cmdlets to configure and run Microsoft Defender AV
-description: In Windows 10, you can use PowerShell cmdlets to run scans, update Security intelligence, and change settings in Microsoft Defender Antivirus.
-keywords: scan, command line, mpcmdrun, defender
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 07/23/2020
-ms.reviewer:
-manager: dansimp
-ms.technology: mde
----
-
-# Use PowerShell cmdlets to configure and manage Microsoft Defender Antivirus
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-
-You can use PowerShell to perform various functions in Windows Defender. Similar to the command prompt or command line, PowerShell is a task-based command-line shell and scripting language designed especially for system administration. You can read more about it at the [PowerShell hub on MSDN](https://docs.microsoft.com/previous-versions/msdn10/mt173057(v=msdn.10)).
-
-For a list of the cmdlets and their functions and available parameters, see the [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender) topic.
-
-PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user interface (GUI) to configure software.
-
-> [!NOTE]
-> PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr), [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), or [Microsoft Defender Antivirus Group Policy ADMX templates](https://www.microsoft.com/download/101445).
-
-Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune can overwrite changes made with PowerShell.
-
-You can [configure which settings can be overridden locally with local policy overrides](configure-local-policy-overrides-microsoft-defender-antivirus.md).
-
-PowerShell is typically installed under the folder `%SystemRoot%\system32\WindowsPowerShell`.
-
-## Use Microsoft Defender Antivirus PowerShell cmdlets
-
-1. In the Windows search bar, type **powershell**.
-2. Select **Windows PowerShell** from the results to open the interface.
-3. Enter the PowerShell command and any parameters.
-
-> [!NOTE]
-> You may need to open PowerShell in administrator mode. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
-
-To open online help for any of the cmdlets type the following:
-
-```PowerShell
-Get-Help
-
-Internal error codes
-
-
-Error code
-Message displayed
-Possible reason for error and resolution
-
-
-
-0x80501004
-
-
-ERROR_MP_NO_INTERNET_CONN
-
-
-
-Check your Internet connection, then run the scan again.
-
-
-
-
-0x80501000
-
-
-ERROR_MP_UI_CONSOLIDATION_BASE
-
-
-This is an internal error. The cause is not clearly defined.
-
-
-
-
-
-
-
-0x80501001
-
-
-ERROR_MP_ACTIONS_FAILED
-
-
-
-
-0x80501002
-
-
-ERROR_MP_NOENGINE
-
-
-
-
-0x80501003
-
-
-ERROR_MP_ACTIVE_THREATS
-
-
-
-
-0x805011011
-
-
-MP_ERROR_CODE_LUA_CANCELLED
-
-
-
-
-0x80501101
-
-
-ERROR_LUA_CANCELLATION
-
-
-
-
-0x80501102
-
-
-MP_ERROR_CODE_ALREADY_SHUTDOWN
-
-
-
-
-0x80501103
-
-
-MP_ERROR_CODE_RDEVICE_S_ASYNC_CALL_PENDING
-
-
-
-
-0x80501104
-
-
-MP_ERROR_CODE_CANCELLED
-
-
-
-
-0x80501105
-
-
-MP_ERROR_CODE_NO_TARGETOS
-
-
-
-
-0x80501106
-
-
-MP_ERROR_CODE_BAD_REGEXP
-
-
-
-
-0x80501107
-
-
-MP_ERROR_TEST_INDUCED_ERROR
-
-
-
-
-0x80501108
-
-
-MP_ERROR_SIG_BACKUP_DISABLED
-
-
-
-
-0x80508001
-
-
-ERR_MP_BAD_INIT_MODULES
-
-
-
-
-0x80508002
-
-
-ERR_MP_BAD_DATABASE
-
-
-
-
-0x80508004
-
-
-ERR_MP_BAD_UFS
-
-
-
-
-0x8050800C
-
-
-ERR_MP_BAD_INPUT_DATA
-
-
-
-
-0x8050800D
-
-
-ERR_MP_BAD_GLOBAL_STORAGE
-
-
-
-
-0x8050800E
-
-
-ERR_MP_OBSOLETE
-
-
-
-
-0x8050800F
-
-
-ERR_MP_NOT_SUPPORTED
-
-
-
-
-0x8050800F
-0x80508010
-
-
-ERR_MP_NO_MORE_ITEMS
-
-
-
-
-0x80508011
-
-
-ERR_MP_DUPLICATE_SCANID
-
-
-
-
-0x80508012
-
-
-ERR_MP_BAD_SCANID
-
-
-
-
-0x80508013
-
-
-ERR_MP_BAD_USERDB_VERSION
-
-
-
-
-0x80508014
-
-
-ERR_MP_RESTORE_FAILED
-
-
-
-
-0x80508016
-
-
-ERR_MP_BAD_ACTION
-
-
-
-
-0x80508019
-
-
-ERR_MP_NOT_FOUND
-
-
-
-
-0x80509001
-
-
-ERR_RELO_BAD_EHANDLE
-
-
-
-
-0x80509003
-
-
-ERR_RELO_KERNEL_NOT_LOADED
-
-
-
-
-0x8050A001
-
-
-ERR_MP_BADDB_OPEN
-
-
-
-
-0x8050A002
-
-
-ERR_MP_BADDB_HEADER
-
-
-
-
-0x8050A003
-
-
-ERR_MP_BADDB_OLDENGINE
-
-
-
-
-0x8050A004
-
-
-ERR_MP_BADDB_CONTENT
-
-
-
-
-0x8050A005
-
-
-ERR_MP_BADDB_NOTSIGNED
-
-
-
-
-0x8050801
-
-
-ERR_MP_REMOVE_FAILED
-
-
-This is an internal error. It might be triggered when malware removal is not successful.
-
-
-
-
-0x80508018
-
-
-ERR_MP_SCAN_ABORTED
-
-
-
-This is an internal error. It might have triggered when a scan fails to complete.
-
-
Windows 10 Pro, 1803 or higher|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.
**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.|
|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher
Windows 10 Pro, 1809 or higher|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.
**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.|
|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher
Windows 10 Pro, 1809 or higher|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.
**Disabled or not configured.** Certificates are not shared with Microsoft Defender Application Guard.|
-|Allow users to trust files that open in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher|Determines whether users are able to manually trust untrusted files to open them on the host.|**Enabled.** Users are able to manually trust files or trust files after an antivirus check.
**Disabled or not configured.** Users are unable to manually trust files and files continue to open in Microsoft Defender Application Guard.|
-
-
+|Allow users to trust files that open in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher|Determines whether users are able to manually trust untrusted files to open them on the host.|**Enabled.** Users are able to manually trust files or trust files after an antivirus check.
**Disabled or not configured.** Users are unable to manually trust files and files continue to open in Microsoft Defender Application Guard.|
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
index 60b5e96c41..61f3f7421b 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
@@ -8,7 +8,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
-ms.date: 01/21/2021
+ms.date: 04/26/2021
ms.reviewer:
manager: dansimp
ms.custom: asr
@@ -19,11 +19,12 @@ ms.technology: mde
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Answering frequently asked questions about Microsoft Defender Application Guard (Application Guard) features, integration with the Windows operating system, and general configuration.
+This article lists frequently asked questions with answers for Microsoft Defender Application Guard (Application Guard). Questions span features, integration with the Windows operating system, and general configuration.
## Frequently Asked Questions
### Can I enable Application Guard on machines equipped with 4-GB RAM?
+
We recommend 8-GB RAM for optimal performance but you can use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration.
`HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is four cores.)
@@ -34,25 +35,25 @@ We recommend 8-GB RAM for optimal performance but you can use the following regi
### Can employees download documents from the Application Guard Edge session onto host devices?
-In Windows 10 Enterprise edition 1803, users are able to download documents from the isolated Application Guard container to the host PC. This capability is managed by policy.
+In Windows 10 Enterprise edition, version 1803, users are able to download documents from the isolated Application Guard container to the host PC. This capability is managed by policy.
-In Windows 10 Enterprise edition 1709 or Windows 10 Professional edition 1803, it is not possible to download files from the isolated Application Guard container to the host PC. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device.
+In Windows 10 Enterprise edition, version 1709, or Windows 10 Professional edition, version 1803, it is not possible to download files from the isolated Application Guard container to the host computer. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device.
### Can employees copy and paste between the host device and the Application Guard Edge session?
Depending on your organization's settings, employees can copy and paste images (.bmp) and text to and from the isolated container.
-### Why don't employees see their Favorites in the Application Guard Edge session?
+### Why don't employees see their favorites in the Application Guard Edge session?
-To help keep the Application Guard Edge session secure and isolated from the host device, we don't copy the Favorites stored in the Application Guard Edge session back to the host device.
+To help keep the Application Guard Edge session secure and isolated from the host device, favorites that are stored in the Application Guard Edge session are not copied back to the host device.
-### Why aren’t employees able to see their Extensions in the Application Guard Edge session?
+### Why aren’t employees able to see their extensions in the Application Guard Edge session?
-Currently, the Application Guard Edge session doesn't support Extensions. However, we're closely monitoring your feedback about this.
+Currently, the Application Guard Edge session doesn't support extensions. However, we're closely monitoring your feedback about this.
### How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)?
-Microsoft Defender Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune.
+Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition, version 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune.
### Which Input Method Editors (IME) in 19H1 are not supported?
@@ -84,7 +85,7 @@ To trust a subdomain, you must precede your domain with two dots, for example: `
### Are there differences between using Application Guard on Windows Pro vs Windows Enterprise?
-When using Windows Pro or Windows Enterprise, you have access to using Application Guard in Standalone Mode. However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard).
+When using Windows Pro or Windows Enterprise, you have access to using Application Guard in Standalone Mode. However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](./install-md-app-guard.md).
### Is there a size limit to the domain lists that I need to configure?
@@ -102,7 +103,7 @@ Mandatory network isolation GP policy to deploy Application Guard: "DomainSubnet
Mandatory network isolation CSP policy to deploy Application Guard: "EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)"
For EnterpriseNetworkDomainNames, there is no mapped CSP policy.
-Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (`0x80070013 ERROR_WRITE_PROTECT`).
+Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (`0x80070013 ERROR_WRITE_PROTECT`).
### Why did Application Guard stop working after I turned off hyperthreading?
@@ -116,8 +117,8 @@ Application Guard might not work correctly on NTFS compressed volumes. If this i
This is a known issue. To mitigate this you need to create two firewall rules.
For guidance on how to create a firewall rule by using group policy, see:
-- [Create an inbound icmp rule](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule)
-- [Open Group Policy management console for Microsoft Defender Firewall](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security)
+- [Create an inbound icmp rule](../windows-firewall/create-an-inbound-icmp-rule.md)
+- [Open Group Policy management console for Microsoft Defender Firewall](../windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
First rule (DHCP Server):
1. Program path: `%SystemRoot%\System32\svchost.exe`
@@ -128,22 +129,25 @@ First rule (DHCP Server):
Second rule (DHCP Client)
This is the same as the first rule, but scoped to local port 68.
In the Microsoft Defender Firewall user interface go through the following steps:
-1. Right click on inbound rules, create a new rule.
+1. Right-click on inbound rules, and then create a new rule.
2. Choose **custom rule**.
-3. Program path: `%SystemRoot%\System32\svchost.exe`.
-4. Protocol Type: UDP, Specific ports: 67, Remote port: any.
-5. Any IP addresses.
-6. Allow the connection.
-7. All profiles.
-8. The new rule should show up in the user interface. Right click on the **rule** > **properties**.
-9. In the **Programs and services** tab, Under the **Services** section click on **settings**. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**.
+3. Specify the following program path: `%SystemRoot%\System32\svchost.exe`.
+4. Specify the following settings:
+ - Protocol Type: UDP
+ - Specific ports: 67
+ - Remote port: any
+6. Specify any IP addresses.
+7. Allow the connection.
+8. Specify to use all profiles.
+9. The new rule should show up in the user interface. Right click on the **rule** > **properties**.
+10. In the **Programs and services** tab, under the **Services** section, select **settings**.
+11. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**.
### Why can I not launch Application Guard when Exploit Guard is enabled?
There is a known issue such that if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to **Windows Security** > **App and Browser control** > **Exploit Protection Setting**, and then switch CFG to **use default**.
-
-### How can I have ICS in enabled state yet still use Application Guard?
+### How can I disable portions of ICS without breaking Application Guard?
ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We do not recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys.
@@ -161,6 +165,7 @@ ICS is enabled by default in Windows, and ICS must be enabled in order for Appli
5. Reboot the device.
### Why doesn't the container fully load when device control policies are enabled?
+
Allow-listed items must be configured as "allowed" in the Group Policy Object ensure AppGuard works properly.
Policy: Allow installation of devices that match any of these device IDs
@@ -184,4 +189,4 @@ Policy: Allow installation of devices using drivers that match these device setu
## See also
-[Configure Microsoft Defender Application Guard policy settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)
+[Configure Microsoft Defender Application Guard policy settings](./configure-md-app-guard.md)
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
index e63bfdaf57..f3cbd518da 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
@@ -18,11 +18,11 @@ ms.technology: mde
# Prepare to install Microsoft Defender Application Guard
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
## Review system requirements
-See [System requirements for Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard) to review the hardware and software installation requirements for Microsoft Defender Application Guard.
+See [System requirements for Microsoft Defender Application Guard](./reqs-md-app-guard.md) to review the hardware and software installation requirements for Microsoft Defender Application Guard.
>[!NOTE]
>Microsoft Defender Application Guard is not supported on VMs and VDI environment. For testing and automation on non-production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host.
@@ -84,7 +84,7 @@ Application Guard functionality is turned off by default. However, you can quick
### To install by using Intune
> [!IMPORTANT]
-> Make sure your organization's devices meet [requirements](reqs-md-app-guard.md) and are [enrolled in Intune](https://docs.microsoft.com/mem/intune/enrollment/device-enrollment).
+> Make sure your organization's devices meet [requirements](reqs-md-app-guard.md) and are [enrolled in Intune](/mem/intune/enrollment/device-enrollment).
:::image type="content" source="images/MDAG-EndpointMgr-newprofile.jpg" alt-text="Enroll devices in Intune":::
@@ -120,5 +120,4 @@ Application Guard functionality is turned off by default. However, you can quick
1. Click **Save**.
-After the profile is created, any devices to which the policy should apply will have Microsoft Defender Application Guard enabled. Users might have to restart their devices in order for protection to be in place.
-
+After the profile is created, any devices to which the policy should apply will have Microsoft Defender Application Guard enabled. Users might have to restart their devices in order for protection to be in place.
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md
index 2731dfe662..d507e47abf 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md
@@ -26,7 +26,7 @@ ms.technology: mde
[Microsoft Defender Application Guard](md-app-guard-overview.md) provides Hyper-V isolation on Windows 10, to protect users from potentially harmful content on the web. The extension helps Application Guard protect users running other web browsers.
> [!TIP]
-> Application Guard, by default, offers [native support](https://docs.microsoft.com/deployedge/microsoft-edge-security-windows-defender-application-guard) to both Microsoft Edge and Internet Explorer. These browsers do not need the extension described here for Application Guard to protect them.
+> Application Guard, by default, offers [native support](/deployedge/microsoft-edge-security-windows-defender-application-guard) to both Microsoft Edge and Internet Explorer. These browsers do not need the extension described here for Application Guard to protect them.
Microsoft Defender Application Guard Extension defends devices in your organization from advanced attacks, by redirecting untrusted websites to an isolated version of [Microsoft Edge](https://www.microsoft.com/edge). If an untrusted website turns out to be malicious, it remains within Application Guard's secure container, keeping the device protected.
@@ -96,4 +96,4 @@ Unexpected response while processing trusted state | The extension was able to c
## Related articles
- [Microsoft Defender Application Guard overview](md-app-guard-overview.md)
-- [Testing scenarios using Microsoft Defender Application Guard in your business or organization](test-scenarios-md-app-guard.md)
+- [Testing scenarios using Microsoft Defender Application Guard in your business or organization](test-scenarios-md-app-guard.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
index 84ae3ac222..9c41f91b39 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
@@ -51,6 +51,6 @@ Application Guard has been created to target several types of devices:
|[Configure the Group Policy settings for Microsoft Defender Application Guard](configure-md-app-guard.md) |Provides info about the available Group Policy and MDM settings.|
|[Testing scenarios using Microsoft Defender Application Guard in your business or organization](test-scenarios-md-app-guard.md)|Provides a list of suggested testing scenarios that you can use to test Application Guard in your organization.|
| [Microsoft Defender Application Guard Extension for web browsers](md-app-guard-browser-extension.md) | Describes the Application Guard extension for Chrome and Firefox, including known issues, and a troubleshooting guide |
-| [Microsoft Defender Application Guard for Microsoft Office](https://docs.microsoft.com/microsoft-365/security/office-365-security/install-app-guard) | Describes Application Guard for Microsoft Office, including minimum hardware requirements, configuration, and a troubleshooting guide |
+| [Microsoft Defender Application Guard for Microsoft Office](/microsoft-365/security/office-365-security/install-app-guard) | Describes Application Guard for Microsoft Office, including minimum hardware requirements, configuration, and a troubleshooting guide |
|[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.md)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.|
-|[Use a network boundary to add trusted sites on Windows devices in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/network-boundary-windows)|Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.|
+|[Use a network boundary to add trusted sites on Windows devices in Microsoft Intune](/mem/intune/configuration/network-boundary-windows)|Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.|
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
index 4444817c21..ab3603b914 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
@@ -29,7 +29,7 @@ Your environment needs the following hardware to run Microsoft Defender Applicat
|Hardware|Description|
|--------|-----------|
-|64-bit CPU|A 64-bit computer with minimum 4 cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](https://docs.microsoft.com/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](https://docs.microsoft.com/virtualization/hyper-v-on-windows/reference/tlfs).|
+|64-bit CPU|A 64-bit computer with minimum 4 cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).|
|CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_
**-AND-**
One of the following virtualization extensions for VBS:
VT-x (Intel)
**-OR-**
AMD-V|
|Hardware memory|Microsoft requires a minimum of 8GB RAM|
|Hard disk|5 GB free space, solid state disk (SSD) recommended|
@@ -42,4 +42,4 @@ Your environment needs the following software to run Microsoft Defender Applicat
|--------|-----------|
|Operating system|Windows 10 Enterprise edition, version 1709 or higher
Windows 10 Professional edition, version 1803 or higher
Windows 10 Professional for Workstations edition, version 1803 or higher
Windows 10 Professional Education edition version 1803 or higher
Windows 10 Education edition, version 1903 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with WDAG for Professional editions. |
|Browser|Microsoft Edge and Internet Explorer|
-|Management system
(only for managed devices)|[Microsoft Intune](https://docs.microsoft.com/intune/)
**-OR-**
[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/)
**-OR-**
[Group Policy](https://technet.microsoft.com/library/cc753298(v=ws.11).aspx)
**-OR-**
Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.|
+|Management system
(only for managed devices)|[Microsoft Intune](/intune/)
**-OR-**
[Microsoft Endpoint Configuration Manager](/configmgr/)
**-OR-**
[Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))
**-OR-**
Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.|
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
index 89dc438cda..9baa7baa78 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
@@ -19,7 +19,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
We've come up with a list of scenarios that you can use to test hardware-based isolation in your organization.
@@ -29,7 +29,7 @@ You can see how an employee would use standalone mode with Application Guard.
### To test Application Guard in Standalone mode
-1. [Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard).
+1. [Install Application Guard](./install-md-app-guard.md).
2. Restart the device, start Microsoft Edge, and then select **New Application Guard window** from the menu.
@@ -52,7 +52,7 @@ How to install, set up, turn on, and configure Application Guard for Enterprise-
Before you can use Application Guard in managed mode, you must install Windows 10 Enterprise edition, version 1709, which includes the functionality. Then, you must use Group Policy to set up the required settings.
-1. [Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard#install-application-guard).
+1. [Install Application Guard](./install-md-app-guard.md#install-application-guard).
2. Restart the device, and then start Microsoft Edge.
@@ -264,4 +264,4 @@ Once a user has the extension and its companion app installed on their enterpris
4. Open a new Application Guard window, by select the Microsoft Defender Application Guard icon, then **New Application Guard Window**
- 
+ 
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
index 022c938160..508358b284 100644
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
@@ -22,7 +22,7 @@ ms.technology: mde
Microsoft Defender SmartScreen works with Intune, Group Policy, and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Microsoft Defender SmartScreen, you can show employees a warning page and let them continue to the site, or you can block the site entirely.
-See [Windows 10 (and later) settings to protect devices using Intune](https://docs.microsoft.com/intune/endpoint-protection-windows-10#windows-defender-smartscreen-settings) for the controls you can use in Intune.
+See [Windows 10 (and later) settings to protect devices using Intune](/intune/endpoint-protection-windows-10#windows-defender-smartscreen-settings) for the controls you can use in Intune.
## Group Policy settings
@@ -78,7 +78,7 @@ SmartScreen uses registry-based Administrative Template policy settings.
## MDM settings
If you manage your policies using Microsoft Intune, you'll want to use these MDM policy settings. All settings support both desktop computers (running Windows 10 Pro or Windows 10 Enterprise, enrolled with Microsoft Intune) and Windows 10 Mobile devices.
-For Microsoft Defender SmartScreen Edge MDM policies, see [Policy CSP - Browser](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser).
+For Microsoft Defender SmartScreen Edge MDM policies, see [Policy CSP - Browser](/windows/client-management/mdm/policy-csp-browser).
Executable
Windows Installer
Script
DLL| You can use the [AppLocker CSP](https://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) to configure AppLocker policies on any edition of Windows 10 supported by Mobile Device Management (MDM). You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise, Windows 10 Education, and Windows Server 2016. |
+| Windows 10| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| You can use the [AppLocker CSP](/windows/client-management/mdm/applocker-csp) to configure AppLocker policies on any edition of Windows 10 supported by Mobile Device Management (MDM). You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise, Windows 10 Education, and Windows Server 2016. |
| Windows Server 2019
Windows Server 2016
Windows Server 2012 R2
Windows Server 2012| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| |
| Windows 8.1 Pro| Yes| No| N/A||
| Windows 8.1 Enterprise| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| |
@@ -67,4 +67,4 @@ AppLocker is not supported on versions of the Windows operating system not liste
- [Optimize AppLocker performance](optimize-applocker-performance.md)
- [Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md)
- [Manage packaged apps with AppLocker](manage-packaged-apps-with-applocker.md)
-- [AppLocker Design Guide](applocker-policies-design-guide.md)
+- [AppLocker Design Guide](applocker-policies-design-guide.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md
index 92928f7068..7e757f7903 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md
@@ -33,7 +33,7 @@ AppLocker is deployed within an enterprise and administered centrally by those i
AppLocker policies are distributed through known processes and by known means within the domain through Group Policy. But AppLocker policies can also be set on individual computers if the person has administrator privileges, and those policies might be contrary to the organization's written security policy. The enforcement settings for local policies are overridden by the same AppLocker policies in a Group Policy Object (GPO). However, because AppLocker rules are additive, a local policy that is not in a GPO will still be evaluated for that computer.
-Microsoft does not provide a way to develop any extensions to AppLocker. The interfaces are not public. A user with administrator credentials can automate some AppLocker processes by using Windows PowerShell cmdlets. For info about the Windows PowerShell cmdlets for AppLocker, see the [AppLocker Cmdlets in Windows PowerShell](https://technet.microsoft.com/library/ee460962.aspx).
+Microsoft does not provide a way to develop any extensions to AppLocker. The interfaces are not public. A user with administrator credentials can automate some AppLocker processes by using Windows PowerShell cmdlets. For info about the Windows PowerShell cmdlets for AppLocker, see the [AppLocker Cmdlets in Windows PowerShell](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee460962(v=technet.10)).
AppLocker runs in the context of Administrator or LocalSystem, which is the highest privilege set. This security context has the potential of misuse. If a user with administrative credentials makes changes to an AppLocker policy on a local device that is joined to a domain, those changes could be overwritten or disallowed by the GPO that contains the AppLocker rule for the same file (or path) that was changed on the local device. However, because AppLocker rules are additive, a local policy that is not in a GPO will still be evaluated for that computer. If the local computer is not joined to a domain and is not administered by Group Policy, a person with administrative credentials can alter the AppLocker policy.
@@ -57,4 +57,4 @@ You can block the Windows Subsystem for Linux by blocking LxssManager.dll.
## Related topics
-- [AppLocker technical reference](applocker-technical-reference.md)
+- [AppLocker technical reference](applocker-technical-reference.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md
index 51d801a909..a39370e796 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md
@@ -56,8 +56,8 @@ The following tools can help you administer the application control policies cre
- **AppLocker PowerShell cmdlets**
- The AppLocker Windows PowerShell cmdlets are designed to streamline the administration of AppLocker policy. They can be used to help create, test, maintain, and troubleshoot an AppLocker policy. The cmdlets are intended to be used in conjunction with the AppLocker user interface that is accessed through the Local Security Policy snap-in and the GPMC. For information about the cmdlets, see the [AppLocker PowerShell Command Reference](https://technet.microsoft.com/itpro/powershell/windows/applocker/applocker).
+ The AppLocker Windows PowerShell cmdlets are designed to streamline the administration of AppLocker policy. They can be used to help create, test, maintain, and troubleshoot an AppLocker policy. The cmdlets are intended to be used in conjunction with the AppLocker user interface that is accessed through the Local Security Policy snap-in and the GPMC. For information about the cmdlets, see the [AppLocker PowerShell Command Reference](/powershell/module/applocker/).
## Related topics
-- [AppLocker technical reference](applocker-technical-reference.md)
+- [AppLocker technical reference](applocker-technical-reference.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md
index 72eea2c6c1..228ca42a8d 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md
@@ -65,8 +65,8 @@ If AppLocker policies are currently running in your production environment, expo
You should test each set of rules to ensure that they perform as intended. The **Test-AppLockerPolicy** Windows PowerShell cmdlet can be used to determine whether any of the rules in your rule collection will be blocked on your reference device. Perform the steps on each reference device that you used to define the AppLocker policy. Ensure that the reference device is joined to the domain and that it is receiving the AppLocker policy from the appropriate GPO. Because AppLocker rules are inherited from linked GPOs, you should deploy all of the rules to simultaneously test all of your test GPOs. Use the following procedures to complete this step:
-- [Test an AppLocker Policy with Test-AppLockerPolicy](https://technet.microsoft.com/library/ee791772(WS.10).aspx)
-- [Discover the Effect of an AppLocker Policy](https://technet.microsoft.com/library/ee791823(WS.10).aspx)
+- [Test an AppLocker Policy with Test-AppLockerPolicy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791772(v=ws.10))
+- [Discover the Effect of an AppLocker Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791823(v=ws.10))
>**Caution:** If you have set the enforcement setting on the rule collection to **Enforce rules** or you have not configured the rule collection, the policy will be implemented when the GPO is updated in the next step. If you have set the enforcement setting on the rule collection to **Audit only**, application access events are written to the AppLocker log, and the policy will not take effect.
@@ -76,7 +76,7 @@ When the AppLocker policy has been tested successfully, it can be imported into
- [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md)
- [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md) or
-- [Discover the Effect of an AppLocker Policy](https://technet.microsoft.com/library/ee791823(WS.10).aspx)
+- [Discover the Effect of an AppLocker Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791823(v=ws.10))
If the AppLocker policy enforcement setting is **Audit only** and you are satisfied that the policy is fulfilling your intent, you can change it to **Enforce rules**. For info about how to change the enforcement setting, see [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md).
@@ -90,4 +90,4 @@ If additional refinements or updates are necessary after a policy is deployed, u
## See also
-- [Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md)
+- [Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md
index 65ade4ae02..58576ff79e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md
@@ -36,27 +36,27 @@ Local Security policy snap-in, you must be a member of the local **Administrator
### Retrieve application information
-The [Get-AppLockerFileInformation](https://technet.microsoft.com/library/hh847209.aspx) cmdlet retrieves the AppLocker file information from a list of files or from an event log. File information that is retrieved can include publisher information, file hash information, and file path information.
+The [Get-AppLockerFileInformation](/powershell/module/applocker/get-applockerfileinformation) cmdlet retrieves the AppLocker file information from a list of files or from an event log. File information that is retrieved can include publisher information, file hash information, and file path information.
File information from an event log may not contain all of these fields. Files that are not signed do not have any publisher information.
### Set AppLocker policy
-The [Set-AppLockerPolicy](https://technet.microsoft.com/library/hh847212.aspx) cmdlet sets the specified GPO to contain the specified AppLocker policy. If no Lightweight Directory Access Protocol (LDAP) is specified, the local GPO is the default.
+The [Set-AppLockerPolicy](/powershell/module/applocker/set-applockerpolicy) cmdlet sets the specified GPO to contain the specified AppLocker policy. If no Lightweight Directory Access Protocol (LDAP) is specified, the local GPO is the default.
### Retrieve an AppLocker policy
-The [Get-AppLockerPolicy](https://technet.microsoft.com/library/hh847214.aspx) cmdlet gets the AppLocker policy from the local GPO, from a specified GPO, or from the effective AppLocker policy on the device. The output of the AppLocker policy is an AppLockerPolicy object or an XML-formatted string.
+The [Get-AppLockerPolicy](/powershell/module/applocker/get-applockerpolicy) cmdlet gets the AppLocker policy from the local GPO, from a specified GPO, or from the effective AppLocker policy on the device. The output of the AppLocker policy is an AppLockerPolicy object or an XML-formatted string.
### Generate rules for a given user or group
-The [New-AppLockerPolicy](https://technet.microsoft.com/library/hh847211.aspx) cmdlet uses a list of file information to automatically generate rules for a given user or group. It can generate rules based on publisher, hash, or path information. Use **Get-AppLockerFileInformation** to create the
+The [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy) cmdlet uses a list of file information to automatically generate rules for a given user or group. It can generate rules based on publisher, hash, or path information. Use **Get-AppLockerFileInformation** to create the
list of file information.
### Test the AppLocker Policy against a file set
-The [Test-AppLockerPolicy](https://technet.microsoft.com/library/hh847213.aspx) cmdlet uses the specified AppLocker policy to test whether a specified list of files are allowed to run or not on the local device for a specific user.
+The [Test-AppLockerPolicy](/powershell/module/applocker/test-applockerpolicy) cmdlet uses the specified AppLocker policy to test whether a specified list of files are allowed to run or not on the local device for a specific user.
## Additional resources
-- For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md).
+- For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md).
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
index c35dfc5108..5ed5fa1cf7 100644
--- a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
@@ -1,6 +1,6 @@
---
-title: Audit Windows Defender Application Control policies (Windows 10)
-description: Audits allow admins to discover apps that were missed during an initial policy scan and to identify new apps that were installed since the policy was created.
+title: Use audit events to create WDAC policy rules (Windows 10)
+description: Audits allow admins to discover apps, binaries, and scripts that should be added to the WDAC policy.
keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: m365-security
@@ -11,94 +11,65 @@ ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
-ms.reviewer: isbrahm
+ms.reviewer: jogeurte
ms.author: dansimp
manager: dansimp
ms.date: 05/03/2018
ms.technology: mde
---
-# Audit Windows Defender Application Control policies
+# Use audit events to create WDAC policy rules
**Applies to:**
-- Windows 10
-- Windows Server 2016
+- Windows 10
+- Windows Server 2016 and above
-Running **Application Control** in audit mode allows administrators to discover any applications that were missed during an initial policy scan and to identify any new applications that have been installed and run since the original policy was created. While a WDAC policy is running in audit mode, any binary that runs and would have been denied had the policy been enforced is logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log. When these logged binaries have been validated, they can easily be added to a new WDAC policy. When the new exception policy is created, you can merge it with your existing WDAC policies.
+Running Application Control in audit mode lets you discover applications, binaries, and scripts that are missing from your WDAC policy but should be included.
-Before you begin this process, you need to create a WDAC policy binary file. If you have not already done so, see [Create an initial Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md).
+While a WDAC policy is running in audit mode, any binary that runs but would have been denied is logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log. Script and MSI are logged in the **Applications and Services Logs\\Microsoft\\Windows\\AppLocker\\MSI and Script** event log. These events can be used to generate a new WDAC policy that can be merged with the original Base policy or deployed as a separate Supplemental policy, if allowed.
-**To audit a Windows Defender Application Control policy with local policy:**
+## Overview of the process to create WDAC policy to allow apps using audit events
-1. Before you begin, find the *.bin policy file , for example, the DeviceGuardPolicy.bin. Copy the file to C:\\Windows\\System32\\CodeIntegrity.
+> [!Note]
+> You must have already deployed a WDAC audit mode policy to use this process. If you have not already done so, see [Deploying Windows Defender Application Control policies](windows-defender-application-control-deployment-guide.md).
-2. On the computer you want to run in audit mode, open the Local Group Policy Editor by running **GPEdit.msc**.
+To familiarize yourself with creating WDAC rules from audit events, follow these steps on a device with a WDAC audit mode policy.
- > [!Note]
- >
- > - The computer that you will run in audit mode must be clean of viruses or malware. Otherwise, in the process that you follow after auditing the system, you might unintentionally merge in a policy that allows viruses or malware to run.
- >
- > - An alternative method to test a policy is to rename the test file to SIPolicy.p7b and drop it into C:\\Windows\\System32\\CodeIntegrity, rather than deploy it by using the Local Group Policy Editor.
-
-3. Navigate to **Computer Configuration\\Administrative Templates\\System\\Device Guard**, and then select **Deploy Windows Defender Application Control**. Enable this setting by using the appropriate file path, for example, C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 1.
+1. Install and run an application not allowed by the WDAC policy but that you want to allow.
- > [!Note]
- >
- > - You can copy the WDAC policies to a file share to which all computer accounts have access rather than copy them to every system.
- >
- > - You might have noticed that the GPO setting references a .p7b file and this policy uses a .bin file. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped onto the computers running Windows 10. We recommend that you make your WDAC policy names friendly and allow the system to convert the policy names for you. By doing this, it ensures that the policies are easily distinguishable when viewed in a share or any other central repository.
-
- 
-
- Figure 1. Deploy your Windows Defender Application Control policy
-
-4. Restart the reference system for the WDAC policy to take effect.
-
-5. Use the system as you normally would, and monitor code integrity events in the event log. While in audit mode, any exception to the deployed WDAC policy will be logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log, as shown in Figure 2.
+2. Review the **CodeIntegrity - Operational** and **AppLocker - MSI and Script** event logs to confirm events, like those shown in Figure 1, are generated related to the application. For information about the types of events you should see, refer to [Understanding Application Control events](event-id-explanations.md).
+ **Figure 1. Exceptions to the deployed WDAC policy**
- Figure 2. Exceptions to the deployed WDAC policy
+3. In an elevated PowerShell session, run the following commands to initialize variables used by this procedure. This procedure builds upon the **Lamna_FullyManagedClients_Audit.xml** policy introduced in [Create a WDAC policy for fully managed devices](create-wdac-policy-for-fully-managed-devices.md) and will produce a new policy called **EventsPolicy.xml**.
- You will be reviewing the exceptions that appear in the event log, and making a list of any applications that should be allowed to run in your environment.
-
-6. If you want to create a catalog file to simplify the process of including unsigned LOB applications in your WDAC policy, this is a good time to create it. For information, see [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md).
+ ```powershell
+ $PolicyName= "Lamna_FullyManagedClients_Audit"
+ $LamnaPolicy=$env:userprofile+"\Desktop\"+$PolicyName+".xml"
+ $EventsPolicy=$env:userprofile+"\Desktop\EventsPolicy.xml"
+ $EventsPolicyWarnings=$env:userprofile+"\Desktop\EventsPolicyWarnings.txt"
+ ```
-Now that you have a WDAC policy deployed in audit mode, you can capture any audit information that appears in the event log. This is described in the next section.
+4. Use [New-CIPolicy](/powershell/module/configci/new-cipolicy) to generate a new WDAC policy from logged audit events. This example uses a **FilePublisher** file rule level and a **Hash** fallback level. Warning messages are redirected to a text file **EventsPolicyWarnings.txt**.
-## Create a Windows Defender Application Control policy that captures audit information from the event log
-
-Use the following procedure after you have been running a computer with a WDAC policy in audit mode for a period of time. When you are ready to capture the needed policy information from the event log (so that you can later merge that information into the original WDAC policy), complete the following steps.
-
-
-
-1. Review the audit information in the event log. From the WDAC policy exceptions that you see, make a list of any applications that should be allowed to run in your environment, and decide on the file rule level that should be used to trust these applications.
-
- Although the Hash file rule level will catch all of these exceptions, it may not be the best way to trust all of them. For information about file rule levels, see [Windows Defender Application Control file rule levels](select-types-of-rules-to-create.md) in "Deploy Windows Defender Application Control: policy rules and file rules."
-
- Your event log might also contain exceptions for applications that you eventually want your WDAC policy to block. If these appear, make a list of these also, for a later step in this procedure.
-
-2. In an elevated Windows PowerShell session, initialize the variables that will be used. The example filename shown here is **DeviceGuardAuditPolicy.xml**:
-
- `$CIPolicyPath=$env:userprofile+"\Desktop\"`
-
- `$CIAuditPolicy=$CIPolicyPath+"DeviceGuardAuditPolicy.xml"`
-
-3. Use [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy) to generate a new WDAC policy from logged audit events. This example uses a file rule level of **Hash** and includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**.
-
- `New-CIPolicy -Audit -Level Hash -FilePath $CIAuditPolicy –UserPEs 3> CIPolicylog.txt`
+ ```powershell
+ New-CIPolicy -FilePath $EventsPolicy -Audit -Level FilePublisher -Fallback Hash –UserPEs -MultiplePolicyFormat 3> $EventsPolicyWarnings
+ ```
> [!NOTE]
- > When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **Hash** rule level, which is the most specific. Any change to the file (such as replacing the file with a newer version of the same file) will change the Hash value, and require an update to the policy.
+ > When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **FilePublisher** rule level with a fallback level of **Hash**, which may be more specific than desired. You can re-run the above command using different **-Level** and **-Fallback** options to meet your needs. For more information about WDAC rule levels, see [Understand WDAC policy rules and file rules](select-types-of-rules-to-create.md).
-4. Find and review the WDAC audit policy .xml file that you created. If you used the example variables as shown, the filename will be **DeviceGuardAuditPolicy.xml**, and it will be on your desktop. Look for the following:
+5. Find and review the WDAC policy file **EventsPolicy.xml** that should be found on your desktop. Ensure that it only includes file and signer rules for applications, binaries, and scripts you wish to allow. You can remove rules by manually editing the policy XML or use the WDAC Policy Wizard tool (see [Editing existing base and supplemental WDAC policies with the Wizard](wdac-wizard-editing-policy.md)).
- - Any applications that were caught as exceptions, but should be allowed to run in your environment. These are applications that should be in the .xml file. Leave these as-is in the file.
-
- - Any applications that actually should not be allowed to run in your environment. Edit these out of the .xml file. If they remain in the .xml file, and the information in the file is merged into your existing WDAC policy, the policy will treat the applications as trusted, and allow them to run.
+6. Find and review the text file **EventsPolicyWarnings.txt** that should be found on your desktop. This file will include a warning for any files that WDAC couldn't create a rule for at either the specified rule level or fallback rule level.
-You can now use this file to update the existing WDAC policy that you ran in audit mode by merging the two policies. For instructions on how to merge this audit policy with the existing WDAC policy, see the next section, [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md).
+ > [!NOTE]
+ > New-CIPolicy only creates rules for files that can still be found on disk. Files which are no longer present on the system will not have a rule created to allow them. However, the event log should have sufficient information to allow these files by manually editing the policy XML to add rules. You can use an existing rule as a template and verify your results against the WDAC policy schema definition found at **%windir%\schemas\CodeIntegrity\cipolicy.xsd**.
-> [!Note]
-> You may have noticed that you did not generate a binary version of this policy as you did in [Create a Windows Defender Application Control policy from a reference computer](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy). This is because WDAC policies created from an audit log are not intended to run as stand-alone policies but rather to update existing WDAC policies.
+7. Merge **EventsPolicy.xml** with the Base policy **Lamna_FullyManagedClients_Audit.xml** or convert it to a supplemental policy.
+
+ For information on merging policies, refer to [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md) and for information on supplemental policies see [Use multiple Windows Defender Application Control Policies](deploy-multiple-windows-defender-application-control-policies.md).
+
+8. Convert the Base or Supplemental policy to binary and deploy using your preferred method.
diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md
index 91186d9798..9d15cbfcc7 100644
--- a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md
@@ -40,7 +40,7 @@ The identity of the managed installer executable(s) is specified in an AppLocker
Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerShell cmdlets allow for directly specifying rules for the Managed Installer rule collection. However, a text editor can be used to make the simple changes needed to an EXE or DLL rule collection policy to specify Type="ManagedInstaller", so that the new rule can be imported into a GPO.
-1. Use [New-AppLockerPolicy](https://docs.microsoft.com/powershell/module/applocker/new-applockerpolicy?view=win10-ps) to make an EXE rule for the file you are designating as a managed installer. Note that only EXE file types can be designated as managed installers. Below is an example using the rule type Publisher with a hash fallback, but other rule types can be used as well. You may need to reformat the output for readability.
+1. Use [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy?view=win10-ps) to make an EXE rule for the file you are designating as a managed installer. Note that only EXE file types can be designated as managed installers. Below is an example using the rule type Publisher with a hash fallback, but other rule types can be used as well. You may need to reformat the output for readability.
```powershell
Get-ChildItem
For pre-1909 builds, cmdlets are only available on Enterprise but policies are effective on all SKUs. | Policies deployed through GP are only effective on Enterprise devices.
Policies deployed through MDM are effective on all SKUs. |
-| Management solutions |
| |
+| Management solutions |
| |
| Per-User and Per-User group rules | Not available (policies are device-wide) | Available on Windows 8+ |
| Kernel mode policies | Available on all Windows 10 versions | Not available |
-| Per-app rules | [Available on 1703+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules) | Not available |
-| Managed Installer (MI) | [Available on 1703+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer) | Not available |
-| Reputation-Based intelligence | [Available on 1709+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph) | Not available |
-| Multiple policy support | [Available on 1903+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) | Not available |
-| Path-based rules | [Available on 1903+.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create#more-information-about-filepath-rules) Exclusions are not supported. Runtime user-writeability check enforced by default. | Available on Windows 8+. Exclusions are supported. No runtime user-writeability check. |
-| COM object configurability | [Available on 1903+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy) | Not available |
-| Packaged app rules | [Available on RS5+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control) | Available on Windows 8+ |
-| Enforceable file types |
|
|
+| Per-app rules | [Available on 1703+](./use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md) | Not available |
+| Managed Installer (MI) | [Available on 1703+](./use-windows-defender-application-control-with-managed-installer.md) | Not available |
+| Reputation-Based intelligence | [Available on 1709+](./use-windows-defender-application-control-with-intelligent-security-graph.md) | Not available |
+| Multiple policy support | [Available on 1903+](./deploy-multiple-windows-defender-application-control-policies.md) | Not available |
+| Path-based rules | [Available on 1903+.](./select-types-of-rules-to-create.md#more-information-about-filepath-rules) Exclusions are not supported. Runtime user-writeability check enforced by default. | Available on Windows 8+. Exclusions are supported. No runtime user-writeability check. |
+| COM object configurability | [Available on 1903+](./allow-com-object-registration-in-windows-defender-application-control-policy.md) | Not available |
+| Packaged app rules | [Available on RS5+](./manage-packaged-apps-with-windows-defender-application-control.md) | Available on Windows 8+ |
+| Enforceable file types |
|
|
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/policyflow.png b/windows/security/threat-protection/windows-defender-application-control/images/policyflow.png
new file mode 100644
index 0000000000..13874b6392
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/policyflow.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md
index 97f364c353..a3a2084a23 100644
--- a/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md
@@ -1,59 +1,94 @@
---
-title: Merge Windows Defender Application Control policies (Windows 10)
-description: Because each computer running Windows 10 can have only one WDAC policy, you will occasionally need to merge two or more policies. Learn how with this guide.
+title: Merge Windows Defender Application Control policies (WDAC) (Windows 10)
+description: Learn how to merge WDAC policies as part of your policy lifecycle management.
keywords: security, malware
-ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
-ms.reviewer: isbrahm
-ms.author: dansimp
+ms.reviewer: jogeurte
+ms.author: jogeurte
+ms.manager: jsuther
manager: dansimp
-ms.date: 05/03/2018
+ms.date: 04/22/2021
ms.technology: mde
+ms.topic: article
+ms.localizationpriority: medium
---
-# Merge Windows Defender Application Control policies
+# Merge Windows Defender Application Control (WDAC) policies
**Applies to:**
-- Windows 10
-- Windows Server 2016
+- Windows 10
+- Windows Server 2016 and above
-Because each computer running Windows 10 can have only one WDAC policy, you will occasionally need to merge two or more policies. For example, after a WDAC policy is created and audited, you might want to merge audit events from another WDAC policy.
+This article shows how to merge multiple policy XML files together and how to merge rules directly into a policy. WDAC deployments often include a few base policies and optional supplemental policies for specific use cases.
> [!NOTE]
-> Because only one SiPolicy.p7b file can be active on a system, the last management authority to write the policy wins. If there was already a policy deployed by using Group Policy and then a managed installer using Microsoft Endpoint Configuration Manager targeted the same device, the Configuration Manager policy would overwrite the SiPolicy.p7b file.
+> Prior to Windows version 1903, including Windows Server 2019 and earlier, only one WDAC policy can be active on a system at a time. If you need to use WDAC on systems running these earlier versions of Windows, you must merge all policies before deploying.
-To merge two WDAC policies, complete the following steps in an elevated Windows PowerShell session:
+## Merge multiple WDAC policy XML files together
+
+There are many scenarios where you may want to merge two or more policy files together. For example, if you [use audit events to create WDAC policy rules](audit-windows-defender-application-control-policies.md), you can merge those rules with your existing WDAC base policy. To merge the two WDAC policies referenced in that article, complete the following steps in an elevated Windows PowerShell session.
1. Initialize the variables that will be used:
- `$CIPolicyPath=$env:userprofile+"\Desktop\"`
+ ```powershell
+ $PolicyName= "Lamna_FullyManagedClients_Audit"
+ $LamnaPolicy=$env:userprofile+"\Desktop\"+$PolicyName+".xml"
+ $EventsPolicy=$env:userprofile+"\Desktop\EventsPolicy.xml"
+ $MergedPolicy=$env:userprofile+"\Desktop\"+$PolicyName+"_Merged.xml"
+ ```
- `$InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"`
+2. Use [Merge-CIPolicy](/powershell/module/configci/merge-cipolicy) to merge two policies and create a new WDAC policy:
- `$AuditCIPolicy=$CIPolicyPath+"DeviceGuardAuditPolicy.xml"`
-
- `$MergedCIPolicy=$CIPolicyPath+"MergedPolicy.xml"`
-
- `$CIPolicyBin=$CIPolicyPath+"NewDeviceGuardPolicy.bin"`
+ ```powershell
+ Merge-CIPolicy -PolicyPaths $LamnaPolicy,$EventsPolicy -OutputFilePath $MergedPolicy
+ ```
> [!NOTE]
- > The variables in this section specifically expect to find an initial policy on your desktop called **InitialScan.xml** and an audit WDAC policy called **DeviceGuardAuditPolicy.xml**. If you want to merge other WDAC policies, update the variables accordingly.
+ > You can merge additional policies with the Merge-CIPolicy step above by adding them to the -PolicyPaths parameter separated by commas. The new policy file specified by -OutputFilePath will have the Policy information from the first policy in the list. For example, in the above example, the $MergedPolicy will inherit the policy type, ID, name, and version information from $LamnaPolicy. To change any of those values, use [Set-CIPolicyIdInfo](/powershell/module/configci/set-cipolicyidinfo) and [Set-CIPolicyVersion](/powershell/module/configci/set-cipolicyversion).
-2. Use [Merge-CIPolicy](https://docs.microsoft.com/powershell/module/configci/merge-cipolicy) to merge two policies and create a new WDAC policy:
+## Merge WDAC rules directly into a policy XML
- `Merge-CIPolicy -PolicyPaths $InitialCIPolicy,$AuditCIPolicy -OutputFilePath $MergedCIPolicy`
+Besides merging multiple policy XML files, you can also merge rules created with the New-CIPolicyRule cmdlet directly into an existing WDAC policy XML file. Directly merging rules is a convenient way to update your policy without creating extra policy XML files. For example, to add rules that allow the WDAC Wizard and the WDAC RefreshPolicy.exe tool, follow these steps:
-3. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy) to convert the merged WDAC policy to binary format:
+1. Install the [WDAC Wizard](wdac-wizard.md) packaged MSIX app.
+2. Download the [Refresh Policy tool](https://aka.ms/refreshpolicy) for your processor architecture and save it to your desktop as RefreshPolicy.exe.
+3. From a PowerShell session, run the following commands to create packaged app allow rules for the WDAC Wizard:
- `ConvertFrom-CIPolicy $MergedCIPolicy $CIPolicyBin`
+ ```powershell
+ $PackageInfo = Get-AppxPackage -Name Microsoft.WDAC.WDACWizard
+ $Rules = New-CIPolicyRule -Package $PackageInfo
+ ```
-Now that you have created a new WDAC policy, you can deploy the policy binary to systems manually or by using Group Policy or Microsoft client management solutions. For information about how to deploy this new policy with Group Policy, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md).
+4. Add FilePublisher rules for the RefreshPolicy.exe:
+ ```powershell
+ $Rules += New-CIPolicyRule -DriverFilePath $env:USERPROFILE\Desktop\RefreshPolicy.exe -Level FilePublisher
+ ```
+
+5. Use [Merge-CIPolicy](/powershell/module/configci/merge-cipolicy) to merge the new rules directly into the MergedPolicy file created in the previous procedure's final step:
+
+ ```powershell
+ Merge-CIPolicy -PolicyPaths $MergedPolicy -OutputFilePath $MergedPolicy -Rules $Rules
+ ```
+
+## Convert and deploy merged policy to managed endpoints
+
+Now that you have your new, merged policy, you can convert and deploy the policy binary to your managed endpoints.
+
+1. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the WDAC policy to a binary format:
+
+ ```powershell
+ $WDACPolicyBin=$env:userprofile+"\Desktop\"+$PolicyName+"_{InsertPolicyID}.bin"
+ ConvertFrom-CIPolicy -XMLFilePath $MergedPolicy -BinaryFilePath $WDACPolicyBin
+ ```
+
+ > [!NOTE]
+ > In the sample commands above, for policies targeting Windows 10 version 1903+, replace the string "{InsertPolicyID}" with the actual PolicyID GUID (including braces **{ }**) found in your policy XML file. For Windows 10 versions prior to 1903, use the name SiPolicy.p7b for the binary file name.
+
+2. Upload your merged policy XML and the associated binary to the source control solution you are using for your WDAC policies. such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration).
+
+3. Deploy the merged policy using your preferred deployment solution. See [Deploying Windows Defender Application Control (WDAC) policies](windows-defender-application-control-deployment-guide.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
index 33c5abdbce..c69955e62b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
@@ -69,7 +69,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
- wslconfig.exe
- wslhost.exe
-1 A vulnerability in bginfo.exe has been fixed in the latest version 4.22. If you use BGInfo, for security, make sure to download and run the latest version here [BGInfo 4.22](https://docs.microsoft.com/sysinternals/downloads/bginfo). Note that BGInfo versions earlier than 4.22 are still vulnerable and should be blocked.
+1 A vulnerability in bginfo.exe has been fixed in the latest version 4.22. If you use BGInfo, for security, make sure to download and run the latest version here [BGInfo 4.22](/sysinternals/downloads/bginfo). Note that BGInfo versions earlier than 4.22 are still vulnerable and should be blocked.
2 If you are using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you allow msbuild.exe in your code integrity policies. However, if your reference system is an end user device that is not being used in a development context, we recommend that you block msbuild.exe.
@@ -1548,4 +1548,4 @@ Pick the correct version of each .dll for the Windows release you plan to suppor
## More information
-- [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md)
+- [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
index 3c8a72ac23..887fc765be 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
@@ -30,7 +30,7 @@ Microsoft has strict requirements for code running in kernel. Consequently, mali
- Hypervisor-protected code integrity (HVCI) enabled devices
- Windows 10 in S mode (S mode) devices
-Microsoft recommends enabling [HVCI](https://docs.microsoft.com/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this is not possible, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It is recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events.
+Microsoft recommends enabling [HVCI](../device-guard/enable-virtualization-based-protection-of-code-integrity.md) or S mode to protect your devices against security threats. If this is not possible, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It is recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events.
> [!Note]
> This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered. It is recommended that this policy be first validated in audit mode before rolling the rules into enforcement mode.
@@ -385,4 +385,4 @@ Microsoft recommends enabling [HVCI](https://docs.microsoft.com/windows/security
## More information
-- [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md)
+- [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md
new file mode 100644
index 0000000000..c525c8832f
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md
@@ -0,0 +1,46 @@
+---
+title: WDAC Admin Tips & Known Issues
+description: WDAC Known Issues
+keywords: security, malware
+ms.prod: m365-security
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jsuther1974
+ms.reviewer: jogeurte
+ms.author: jogeurte
+ms.manager: jsuther
+manager: dansimp
+ms.date: 04/14/2021
+ms.technology: mde
+ms.topic: article
+ms.localizationpriority: medium
+---
+
+# WDAC Admin Tips & Known Issues
+
+**Applies to:**
+
+- Windows 10
+- Windows Server 2016 and above
+
+This topic covers tips and tricks for admins as well as known issues with WDAC.
+Test this configuration in your lab before enabling it in production.
+
+## .NET native images may generate false positive block events
+
+In some cases, the code integrity logs where WDAC errors and warnings are written will contain error events for native images generated for .NET assemblies. Typically, native image blocks are functionally benign as a blocked native image will fallback to its corresponding assembly and .NET will regenerate the native image at its next scheduled maintenance window.
+
+## MSI Installations launched directly from the internet are blocked by WDAC
+
+Installing .msi files directly from the internet to a computer protected by WDAC will fail.
+For example, this command will not work:
+
+```code
+msiexec –i https://download.microsoft.com/download/2/E/3/2E3A1E42-8F50-4396-9E7E-76209EA4F429/Windows10_Version_1511_ADMX.msi
+```
+
+As a workaround, download the MSI file and run it locally:
+
+```code
+msiexec –i c:\temp\Windows10_Version_1511_ADMX.msi
+```
diff --git a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
index 13d6752759..8c0156d01b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
+++ b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
@@ -31,7 +31,6 @@ This topic describes the decisions you need to make to establish the processes f
The first step in implementing application control is to consider how your policies will be managed and maintained over time. Developing a process for managing WDAC policies helps assure that WDAC continues to effectively control how applications are allowed to run in your organization.
-
Most WDAC policies will evolve over time and proceed through a set of identifiable phases during their lifetime. Typically, these phases include:
1. [Define (or refine) the "circle-of-trust"](understand-windows-defender-application-control-policy-design-decisions.md) for the policy and build an audit mode version of the policy XML. In audit mode, block events are generated but files are not prevented from executing.
@@ -42,19 +41,21 @@ Most WDAC policies will evolve over time and proceed through a set of identifiab
6. Deploy the enforced mode policy to intended devices. We recommend using staged rollouts for enforced policies to detect and respond to issues before deploying the policy broadly.
7. Repeat steps 1-6 anytime the desired "circle-of-trust" changes.
+
+
### Keep WDAC policies in a source control or document management solution
To effectively manage WDAC policies, you should store and maintain your policy XML documents in a central repository that is accessible to everyone responsible for WDAC policy management. We recommend a source control solution such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration), which provide version control and allow you to specify metadata about the XML documents.
### Set PolicyName, PolicyID, and Version metadata for each policy
-Use the [Set-CIPolicyIDInfo](https://docs.microsoft.com/powershell/module/configci/set-cipolicyidinfo) cmdlet to give each policy a descriptive name and set a unique ID in order to differentiate each policy when reviewing WDAC events or when viewing the policy XML document. Although you can specify a string value for PolicyId, for policies using the multiple policy format we recommend using the -ResetPolicyId switch to let the system auto-generate a unique ID for the policy.
+Use the [Set-CIPolicyIDInfo](/powershell/module/configci/set-cipolicyidinfo) cmdlet to give each policy a descriptive name and set a unique ID in order to differentiate each policy when reviewing WDAC events or when viewing the policy XML document. Although you can specify a string value for PolicyId, for policies using the multiple policy format we recommend using the -ResetPolicyId switch to let the system auto-generate a unique ID for the policy.
> [!NOTE]
> PolicyID only applies to policies using the [multiple policy format](deploy-multiple-windows-defender-application-control-policies.md) on computers running Windows 10, version 1903 and above. Running -ResetPolicyId on a policy created for pre-1903 computers will convert it to multiple policy format and prevent it from running on those earlier versions of Windows 10.
> PolicyID should be set only once per policy and use different PolicyID's for the audit and enforced mode versions of each policy.
-In addition, we recommend using the [Set-CIPolicyVersion](https://docs.microsoft.com/powershell/module/configci/set-cipolicyversion) cmdlet to increment the policy's internal version number when you make changes to the policy. The version must be defined as a standard four-part version string (e.g. "1.0.0.0").
+In addition, we recommend using the [Set-CIPolicyVersion](/powershell/module/configci/set-cipolicyversion) cmdlet to increment the policy's internal version number when you make changes to the policy. The version must be defined as a standard four-part version string (e.g. "1.0.0.0").
### Policy rule updates
@@ -64,9 +65,9 @@ As new apps are deployed or existing apps are updated by the software publisher,
Each time that a process is blocked by WDAC, events will be written to either the CodeIntegrity\Operational or the AppLocker\MSI and Script Windows event logs. The event details which file tried to run, the attributes of that file and its signatures, and the process that attempted to run the blocked file.
-Collecting these events in a central location can help you maintain your WDAC policy and troubleshoot rule configuration problems. Event collection technologies such as those available in Windows allow administrators to subscribe to specific event channels and have the events from source computers aggregated into a forwarded event log on a Windows Server operating system collector. For more info about setting up an event subscription, see [Configure Computers to Collect and Forward Events](https://go.microsoft.com/fwlink/p/?LinkId=145012).
+Collecting these events in a central location can help you maintain your WDAC policy and troubleshoot rule configuration problems. Event collection technologies such as those available in Windows allow administrators to subscribe to specific event channels and have the events from source computers aggregated into a forwarded event log on a Windows Server operating system collector. For more info about setting up an event subscription, see [Configure Computers to Collect and Forward Events](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc748890(v=ws.11)).
-Additionally, WDAC events are collected by [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) and can be queried using the [advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) feature.
+Additionally, WDAC events are collected by [Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) and can be queried using the [advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) feature.
## Application and user support policy
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index b692c51861..1314fa6e21 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -1,6 +1,6 @@
---
-title: Understand WDAC policy rules and file rules (Windows 10)
-description: Learn how Windows Defender Application Control provides control over a computer running Windows 10 by using policies that include policy rules and file rules.
+title: Understand Windows Defender Application Control (WDAC) policy rules and file rules (Windows 10)
+description: Learn how WDAC policy rules and file rules can control your Windows 10 computers.
keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: m365-security
@@ -18,30 +18,30 @@ ms.date: 03/04/2020
ms.technology: mde
---
-# Understand WDAC policy rules and file rules
+# Understand Windows Defender Application Control (WDAC) policy rules and file rules
**Applies to:**
-- Windows 10
-- Windows Server 2016 and above
+- Windows 10
+- Windows Server 2016 and above
-Windows Defender Application Control (WDAC) provides control over a computer running Windows 10 by using policies that specify whether a driver or application is trusted and can be run. A policy includes *policy rules* that control options such as audit mode or whether user mode code integrity (UMCI) is enabled in a WDAC policy, and *file rules* (or *file rule levels*) that specify the level at which applications will be identified and trusted.
+Windows Defender Application Control (WDAC) can control what runs on Windows 10 by setting policies that specify whether a driver or application is trusted. A policy includes *policy rules* that control options such as audit mode, and *file rules* (or *file rule levels*) that specify how applications are identified and trusted.
## Windows Defender Application Control policy rules
-To modify the policy rule options of an existing WDAC policy XML, use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption). The following examples show how to use this cmdlet to add and remove a rule option on an existing WDAC policy:
+To modify the policy rule options of an existing WDAC policy XML, use [Set-RuleOption](/powershell/module/configci/set-ruleoption). The following examples show how to use this cmdlet to add and remove a rule option on an existing WDAC policy:
-- To ensure that UMCI is enabled for a WDAC policy that was created with the `-UserPEs` (user mode) option, add rule option 0 to an existing policy by running the following command:
+- To ensure that UMCI is enabled for a WDAC policy that was created with the `-UserPEs` (user mode) option, add rule option 0 to an existing policy by running the following command:
`Set-RuleOption -FilePath
-S-1-3-0; S-1-5-18; S-1-5-19; S-1-5-20; S-1-5-32-544; S-1-5-32-549; S-1-5-32-550; S-1-5-32-551; S-1-5-32-577; S-1-5-32-559; S-1-5-32-568; S-1-15-2-1430448594-2639229838-973813799-439329657-1197984847-4069167804-1277922394; S-1-15-2-95739096-486727260-2033287795-3853587803-1685597119-444378811-2746676523.
+WDAC's list of well-known admin SIDs are:
-When generating filepath rules using [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy), a unique, fully-qualified path rule is generated for every file discovered in the scanned path(s). To create rules that instead allow all files under a specified folder path, use [New-CIPolicyRule](https://docs.microsoft.com/powershell/module/configci/new-cipolicyrule) to define rules containing wildcards using the [-FilePathRules](https://docs.microsoft.com/powershell/module/configci/new-cipolicyrule#parameters) switch.
+S-1-3-0; S-1-5-18; S-1-5-19; S-1-5-20; S-1-5-32-544; S-1-5-32-549; S-1-5-32-550; S-1-5-32-551; S-1-5-32-577; S-1-5-32-559; S-1-5-32-568; S-1-15-2-1430448594-2639229838-973813799-439329657-1197984847-4069167804-1277922394; S-1-15-2-95739096-486727260-2033287795-3853587803-1685597119-444378811-2746676523.
-Wildcards can be used at the beginning or end of a path rule; only one wildcard is allowed per path rule. Wildcards placed at the end of a path authorize all files in that path and its subdirectories recursively (ex. `C:\\*` would include `C:\foo\\*` ). Wildcards placed at the beginning of a path will allow the exact specified filename under any path (ex. `*\bar.exe` would allow `C:\bar.exe` and `C:\foo\bar.exe`). Wildcards in the middle of a path are not supported (ex. `C:\\*\foo.exe`). Without a wildcard, the rule will allow only a specific file (ex. `C:\foo\bar.exe`).
The use of macros is also supported and useful in scenarios where the system drive is different from the `C:\` drive. Supported macros: `%OSDRIVE%`, `%WINDIR%`, `%SYSTEM32%`.
+When generating filepath rules using [New-CIPolicy](/powershell/module/configci/new-cipolicy), a unique, fully qualified path rule is generated for every file discovered in the scanned path(s). To create rules that instead allow all files under a specified folder path, use [New-CIPolicyRule](/powershell/module/configci/new-cipolicyrule) to define rules containing wildcards using the [-FilePathRules](/powershell/module/configci/new-cipolicyrule#parameters) switch.
-> [!NOTE]
-> Due to an existing bug, you can not combine Path-based ALLOW rules with any DENY rules in a single policy. Instead, either separate DENY rules into a separate Base policy or move the Path-based ALLOW rules into a supplemental policy as described in [Deploy multiple WDAC policies.](deploy-multiple-windows-defender-application-control-policies.md)
+Wildcards can be used at the beginning or end of a path rule; only one wildcard is allowed per path rule. Wildcards placed at the end of a path authorize all files in that path and its subdirectories recursively (ex. `C:\*` would include `C:\foo\*` ). Wildcards placed at the beginning of a path will allow the exact specified filename under any path (ex. `*\bar.exe` would allow `C:\bar.exe` and `C:\foo\bar.exe`). Wildcards in the middle of a path are not supported (ex. `C:\*\foo.exe`). Without a wildcard, the rule will allow only a specific file (ex. `C:\foo\bar.exe`).
+
+You can also use the following macros when the exact volume may vary: `%OSDRIVE%`, `%WINDIR%`, `%SYSTEM32%`.
## Windows Defender Application Control filename rules
-File name rule levels provide administrators to specify the file attributes off which to base a file name rule. File name rules provide the same security guarantees that explicit signer rules do, as they are based on non-mutable file attributes. Specification of the file name level occurs when creating new policy rules. In addition, to combine file name levels found in multiple policies, you can merge multiple policies.
+File name rule levels let you specify file attributes to base a rule on. File name rules provide the same security guarantees that explicit signer rules do, as they are based on non-mutable file attributes. Specification of the file name level occurs when creating new policy rules.
-Use Table 3 to select the appropriate file name level for your available administrative resources and Windows Defender Application Control deployment scenario. For instance, an LOB or production application and its binaries (eg. DLLs) may all share the same product name. This allows users to easily create targeted policies based on the Product Name filename rule level.
+Use Table 3 to select the appropriate file name level for your use cases. For instance, an LOB or production application and its binaries may all share the same product name. This option lets you easily create targeted policies based on the Product Name filename rule level.
**Table 3. Windows Defender Application Control policy - filename levels**
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md b/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md
index 4703d016ee..a34f45e591 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md
@@ -34,7 +34,7 @@ Before you get started, be sure to review these best practices:
**Best practices**
- Test your code integrity policies on a pilot group of devices before deploying them to production.
-- Use rule options 9 and 10 during testing. For more information, see the section Code integrity policy rules in the [Deploy Windows Defender Application Control policy rules and file rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create).
+- Use rule options 9 and 10 during testing. For more information, see the section Code integrity policy rules in the [Deploy Windows Defender Application Control policy rules and file rules](./select-types-of-rules-to-create.md).
**To sign a code integrity policy**
@@ -44,4 +44,4 @@ Before you get started, be sure to review these best practices:
4. After the files are uploaded, click **Sign** to sign the code integrity policy.
5. Click **Download** to download the signed code integrity policy.
- When you sign a code integrity policy with the Device Guard signing portal, the signing certificate is added to the policy. This means you can't modify this policy. If you need to make changes, make them to an unsigned version of the policy, and then sign the policy again.
+ When you sign a code integrity policy with the Device Guard signing portal, the signing certificate is added to the policy. This means you can't modify this policy. If you need to make changes, make them to an unsigned version of the policy, and then sign the policy again.
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
index c951c3b825..a654d57870 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
@@ -64,7 +64,7 @@ If you do not have a code signing certificate, see [Optional: Create a code sign
`cd $env:USERPROFILE\Desktop`
-5. Use [Add-SignerRule](https://docs.microsoft.com/powershell/module/configci/add-signerrule) to add an update signer certificate to the WDAC policy:
+5. Use [Add-SignerRule](/powershell/module/configci/add-signerrule) to add an update signer certificate to the WDAC policy:
`Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath
|
-| **Allow Microsoft Mode** | Allow mode will authorize the following components:
|
-| **Signed and Reputable Mode** | Signed and Reputable mode will authorize the following components:
|
+| **Default Windows Mode** | Default Windows mode will authorize the following components:
|
+| **Allow Microsoft Mode** | Allow mode will authorize the following components:
|
+| **Signed and Reputable Mode** | Signed and Reputable mode will authorize the following components:
|
*Italicized content denotes the changes in the current policy with respect to the policy prior.*
@@ -59,8 +59,8 @@ A description of each policy rule, beginning with the left-most column, is provi
|------------ | ----------- |
| **Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all WDAC policies. Setting this rule option allows the F8 menu to appear to physically present users. |
| **Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it. |
-| **Disable Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](https://docs.microsoft.com/powershell/module/microsoft.powershell.core/about/about_language_modes). NOTE: This option is only supported with the Windows 10 May 2019 Update (1903) and higher. Using it on earlier versions of Windows 10 is not supported and may have unintended results. |
-|**[Hypervisor-protected code integrity (HVCI)](https://docs.microsoft.com/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity)**| When enabled, policy enforcement uses virtualization-based security to run the code integrity service inside a secure environment. HVCI provides stronger protections against kernel malware.|
+| **Disable Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). NOTE: This option is only supported with the Windows 10 May 2019 Update (1903) and higher. Using it on earlier versions of Windows 10 is not supported and may have unintended results. |
+|**[Hypervisor-protected code integrity (HVCI)](../device-guard/enable-virtualization-based-protection-of-code-integrity.md)**| When enabled, policy enforcement uses virtualization-based security to run the code integrity service inside a secure environment. HVCI provides stronger protections against kernel malware.|
| **Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). |
| **Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager, that has been defined as a managed installer. |
| **Require WHQL** | By default, legacy drivers that are not Windows Hardware Quality Labs (WHQL) signed are allowed to execute. Enabling this rule requires that every executed driver is WHQL signed and removes legacy driver support. Going forward, every new Windows 10–compatible driver must be WHQL certified. |
@@ -136,4 +136,4 @@ The policy signing rules list table on the left of the page will document the al
## Up next
-- [Editing a WDAC policy using the Wizard](wdac-wizard-editing-policy.md)
+- [Editing a WDAC policy using the Wizard](wdac-wizard-editing-policy.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard.md
index cf315b6c1f..e1581cb011 100644
--- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard.md
+++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard.md
@@ -26,7 +26,7 @@ ms.technology: mde
- Windows 10
- Windows Server 2016 and above
-The Windows Defender Application Control (WDAC) policy Wizard is an open source Windows desktop application written in C# and bundled as an MSIX package. The Wizard was built to provide security architects, security and system administrators with a more user-friendly means to create, edit, and merge WDAC policies. The Wizard desktop application uses the [ConfigCI PowerShell Cmdlets](https://docs.microsoft.com/powershell/module/configci) in the backend so the output policy of the Wizard and PowerShell cmdlets is identical.
+The Windows Defender Application Control (WDAC) policy Wizard is an open source Windows desktop application written in C# and bundled as an MSIX package. The Wizard was built to provide security architects, security and system administrators with a more user-friendly means to create, edit, and merge WDAC policies. The Wizard desktop application uses the [ConfigCI PowerShell Cmdlets](/powershell/module/configci) in the backend so the output policy of the Wizard and PowerShell cmdlets is identical.
## Downloading the application
@@ -48,4 +48,4 @@ If neither requirement is satisfied, the Wizard will throw an error as the cmdle
| [Creating a new base policy](wdac-wizard-create-base-policy.md) | This article describes how to create a new base policy using one of the supplied policy templates. |
| [Creating a new supplemental policy](wdac-wizard-create-supplemental-policy.md) | This article describes the steps necessary to create a supplemental policy, from one of the supplied templates, for an existing base policy. |
| [Editing a base or supplemental policy](wdac-wizard-editing-policy.md) | This article demonstrates how to modify an existing policy and the Wizard's editing capabilities. |
-| [Merging policies](wdac-wizard-merging-policies.md) | This article describes how to merge policies into a single application control policy. |
+| [Merging policies](wdac-wizard-merging-policies.md) | This article describes how to merge policies into a single application control policy. |
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md
index 68c0aa549e..ab280eb0bc 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md
@@ -1,6 +1,6 @@
---
-title: Planning and getting started on the Windows Defender Application Control deployment process (Windows 10)
-description: Learn how to gather information, create a plan, and begin to test initial code integrity policies for a Windows Defender Application Control deployment.
+title: Deploying Windows Defender Application Control (WDAC) policies (Windows 10)
+description: Learn how to plan and implement a WDAC deployment.
keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: m365-security
@@ -11,83 +11,33 @@ ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
-ms.reviewer: isbrahm
+ms.reviewer: jogeurte
ms.author: dansimp
manager: dansimp
ms.date: 05/16/2018
ms.technology: mde
---
-# Planning and getting started on the Windows Defender Application Control deployment process
+# Deploying Windows Defender Application Control (WDAC) policies
**Applies to**
-- Windows 10
-- Windows Server 2016
-This topic provides a roadmap for planning and getting started on the Windows Defender Application Control (WDAC) deployment process, with links to topics that provide additional detail. Planning for WDAC deployment involves looking at both the end-user and the IT pro impact of your choices.
+- Windows 10
+- Windows Server 2016 and above
-## Planning
+You should now have one or more WDAC policies ready to deploy. If you haven't yet completed the steps described in the [WDAC Design Guide](windows-defender-application-control-design-guide.md), do so now before proceeding.
-1. Review requirements, especially hardware requirements for VBS.
+## Plan your deployment
-2. Group devices by degree of control needed. Do most devices fit neatly into a few categories, or are they scattered across all categories? Are users allowed to install any application or must they choose from a list? Are users allowed to use their own peripheral devices?
Deployment is simpler if everything is locked down in the same way, but meeting individual departments' needs, and working with a wide variety of devices, may require a more complicated and flexible deployment.
+As with any significant change to your environment, implementing application control can have unintended consequences. To ensure the best chance for success, you should follow safe deployment practices and plan your deployment carefully. Decide what devices you will manage with WDAC and split them into deployment rings so you can control the scale of the deployment and respond if anything goes wrong. Define the success criteria that will determine when it's safe to continue from one ring to the next.
-3. Review how much variety in software and hardware is needed by roles or departments. The following questions can help you clarify how many WDAC policies to create:
+All WDAC policy changes should be deployed in audit mode before proceeding to enforcement. Carefully monitor events from devices where the policy has been deployed to ensure the block events you observe match your expectation before broadening the deployment to other deployment rings. If your organization uses Microsoft Defender for Endpoint, you can use the Advanced Hunting feature to centrally monitor WDAC-related events. Otherwise, we recommend using an event log forwarding solution to collect relevant events from your managed endpoints.
- - How standardized is the hardware?
This can be relevant because of drivers. You could create a WDAC policy on hardware that uses a particular set of drivers, and if other drivers in your environment use the same signature, they would also be allowed to run. However, you might need to create several WDAC policies on different "reference" hardware, then merge the policies together, to ensure that the resulting policy recognizes all the drivers in your environment.
-
- - What software does each department or role need? Should they be able to install and run other departments' software?
If multiple departments are allowed to run the same list of software, you might be able to merge several WDAC policies to simplify management.
-
- - Are there departments or roles where unique, restricted software is used?
If one department needs to run an application that no other department is allowed, it might require a separate WDAC policy. Similarly, if only one department must run an old version of an application (while other departments allow only the newer version), it might require a separate WDAC policy.
-
- - Is there already a list of accepted applications?
A list of accepted applications can be used to help create a baseline WDAC policy.
As of Windows 10, version 1703, it might also be useful to have a list of plug-ins, add-ins, or modules that you want to allow only in a specific app (such as a line-of-business app). Similarly, it might be useful to have a list of plug-ins, add-ins, or modules that you want to block in a specific app (such as a browser).
-
- - As part of a threat review process, have you reviewed systems for software that can load arbitrary DLLs or run code or scripts?
- In day-to-day operations, your organization's security policy may allow certain applications, code, or scripts to run on your systems depending on their role and the context. However, if your security policy requires that you run only trusted applications, code, and scripts on your systems, you may decide to lock these systems down securely with Windows Defender Application Control policies.
-
- Legitimate applications from trusted vendors provide valid functionality. However, an attacker could also potentially use that same functionality to run malicious executable code that could bypass WDAC.
-
- For operational scenarios that require elevated security, certain applications with known Code Integrity bypasses may represent a security risk if you allow them in your WDAC policies. Other applications, where older versions of the application had vulnerabilities, also represent a risk. Therefore, you may want to deny or block such applications from your WDAC policies. For applications with vulnerabilities, once the vulnerabilities are fixed you can create a rule that only allows the fixed or newer versions of that application. The decision to allow or block applications depends on the context and on how the reference system is being used.
-
- Security professionals collaborate with Microsoft continuously to help protect customers. With the help of their valuable reports, Microsoft has identified a list of known applications that an attacker could potentially use to bypass Windows Defender Application Control. Depending on the context, you may want to block these applications. To view this list of applications and for use case examples, such as disabling msbuild.exe, see [Microsoft recommended block rules](microsoft-recommended-block-rules.md).
-
-4. Identify LOB applications that are currently unsigned. Although requiring signed code (through WDAC) protects against many threats, your organization might use unsigned LOB applications, for which the process of signing might be difficult. You might also have applications that are signed, but you want to add a secondary signature to them. If so, identify these applications, because you will need to create a catalog file for them.
-
-## Getting started on the deployment process
-
-1. Optionally, create a signing certificate for Windows Defender Application Control. As you deploy WDAC, you might need to sign catalog files or WDAC policies internally. To do this, you will either need a publicly issued code signing certificate (that you purchase) or an internal CA. If you choose to use an internal CA, you will need to [create a code signing certificate](create-code-signing-cert-for-windows-defender-application-control.md).
-
-2. Create WDAC policies from reference computers. In this respect, creating and managing WDAC policies to align with the needs of roles or departments can be similar to managing corporate images. From each reference computer, you can create a WDAC policy, and decide how to manage that policy. You can [merge](merge-windows-defender-application-control-policies.md) WDAC policies to create a broader policy or a master policy, or you can manage and deploy each policy individually.
-
-3. Audit the WDAC policy and capture information about applications that are outside the policy. We recommend that you use [audit mode](audit-windows-defender-application-control-policies.md) to carefully test each WDAC policy before you enforce it. With audit mode, no application is blocked—the policy just logs an event whenever an application outside the policy is started. Later, you can expand the policy to allow these applications, as needed.
-
-4. Create a [catalog file](deploy-catalog-files-to-support-windows-defender-application-control.md) for unsigned LOB applications. Use the Package Inspector tool to create and sign a catalog file for your unsigned LOB applications. In later steps, you can merge the catalog file's signature into your WDAC policy, so that applications in the catalog will be allowed by the policy.
-
-6. Capture needed policy information from the event log, and merge information into the existing policy as needed. After a WDAC policy has been running for a time in audit mode, the event log will contain information about applications that are outside the policy. To expand the policy so that it allows for these applications, use Windows PowerShell commands to capture the needed policy information from the event log, and then merge that information into the existing policy. You can merge WDAC policies from other sources also, for flexibility in how you create your final WDAC policies.
-
-7. Deploy WDAC policies and catalog files. After you confirm that you have completed all the preceding steps, you can begin deploying catalog files and taking WDAC policies out of auditing mode. We strongly recommend that you begin this process with a test group of users. This provides a final quality-control validation before you deploy the catalog files and WDAC policies more broadly.
-
-8. Enable desired virtualization-based security (VBS) features. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by Windows Defender Application Control.
-
-## Known issues
-
-This section covers known issues with WDAC. Virtualization-based protection of code integrity may be incompatible with some devices and applications, which might cause unexpected failures, data loss, or a blue screen error (also called a stop error).
-Test this configuration in your lab before enabling it in production.
-
-### MSI Installations are blocked by WDAC
-
-Installing .msi files directly from the internet to a computer protected by WDAC will fail.
-For example, this command will not work:
-
-```code
-msiexec –i https://download.microsoft.com/download/2/E/3/2E3A1E42-8F50-4396-9E7E-76209EA4F429/Windows10_Version_1511_ADMX.msi
-```
-
-As a workaround, download the MSI file and run it locally:
-
-
-```code
-msiexec –i c:\temp\Windows10_Version_1511_ADMX.msi
-```
+## Choose how to deploy WDAC policies
+There are several options to deploy WDAC policies to managed endpoints, including:
+1. [Deploy using a Mobile Device Management (MDM) solution](deploy-windows-defender-application-control-policies-using-intune.md), such as Microsoft Intune
+2. [Deploy using Microsoft Endpoint Configuration Manager (MEMCM)](deployment/deploy-wdac-policies-with-memcm.md)
+3. [Deploy via script](deployment/deploy-wdac-policies-with-script.md)
+4. [Deploy via Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
index 5c7a82ef8a..bbf2800ac4 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
@@ -30,7 +30,7 @@ With thousands of new malicious files created every day, using traditional metho
In most organizations, information is the most valuable asset, and ensuring that only approved users have access to that information is imperative. However, when a user runs a process, that process has the same level of access to data that the user has. As a result, sensitive information could easily be deleted or transmitted out of the organization if a user knowingly or unknowingly runs malicious software.
-Application control can help mitigate these types of security threats by restricting the applications that users are allowed to run and the code that runs in the System Core (kernel). Application control policies can also block unsigned scripts and MSIs, and restrict Windows PowerShell to run in [Constrained Language Mode](https://docs.microsoft.com/powershell/module/microsoft.powershell.core/about/about_language_modes).
+Application control can help mitigate these types of security threats by restricting the applications that users are allowed to run and the code that runs in the System Core (kernel). Application control policies can also block unsigned scripts and MSIs, and restrict Windows PowerShell to run in [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes).
Application control is a crucial line of defense for protecting enterprises given today’s threat landscape, and it has an inherent advantage over traditional antivirus solutions. Specifically, application control moves away from an application trust model where all applications are assumed trustworthy to one where applications must earn trust in order to run. Many organizations, like the Australian Signals Directorate, understand this and frequently cite application control as one of the most effective means for addressing the threat of executable file-based malware (.exe, .dll, etc.).
@@ -53,4 +53,4 @@ Windows 10 includes two technologies that can be used for application control de
- [WDAC design guide](windows-defender-application-control-design-guide.md)
- [WDAC deployment guide](windows-defender-application-control-deployment-guide.md)
-- [AppLocker overview](applocker/applocker-overview.md)
+- [AppLocker overview](applocker/applocker-overview.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md
index 967180e8e6..6da28ad681 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md
@@ -27,7 +27,7 @@ ms.technology: mde
The **Account protection** section contains information and settings for account protection and sign in. IT administrators and IT pros can get more information and documentation about configuration from the following:
- [Microsoft Account](https://account.microsoft.com/account/faq)
-- [Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-identity-verification)
+- [Windows Hello for Business](../../identity-protection/hello-for-business/hello-identity-verification.md)
- [Lock your Windows 10 PC automatically when you step away from it](https://support.microsoft.com/help/4028111/windows-lock-your-windows-10-pc-automatically-when-you-step-away-from)
You can also choose to hide the section from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
@@ -44,7 +44,7 @@ This can only be done in Group Policy.
>
>You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
@@ -52,9 +52,9 @@ This can only be done in Group Policy.
6. Open the **Hide the Account protection area** setting and set it to **Enabled**. Click **OK**.
-7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx).
+7. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
>[!NOTE]
>If you hide all sections then the app will show a restricted interface, as in the following screenshot:
>
->
+>
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
index e0741f686c..80d025f7ac 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
@@ -23,9 +23,9 @@ ms.technology: mde
- Windows 10, version 1703 and later
-The **App and browser control** section contains information and settings for Windows Defender SmartScreen. IT administrators and IT pros can get configuration guidance from the [Windows Defender SmartScreen documentation library](https://docs.microsoft.com/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview).
+The **App and browser control** section contains information and settings for Windows Defender SmartScreen. IT administrators and IT pros can get configuration guidance from the [Windows Defender SmartScreen documentation library](/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview).
-In Windows 10, version 1709 and later, the section also provides configuration options for Exploit protection. You can prevent users from modifying these specific options with Group Policy. IT administrators can get more information at [Exploit protection](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/exploit-protection).
+In Windows 10, version 1709 and later, the section also provides configuration options for Exploit protection. You can prevent users from modifying these specific options with Group Policy. IT administrators can get more information at [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection).
You can also choose to hide the section from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
@@ -41,7 +41,7 @@ You can only prevent users from modifying Exploit protection settings by using G
>
> You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
@@ -49,7 +49,7 @@ You can only prevent users from modifying Exploit protection settings by using G
4. Open the **Prevent users from modifying settings** setting and set it to **Enabled**. Click **OK**.
-5. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx).
+5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
## Hide the App & browser control section
@@ -63,7 +63,7 @@ This can only be done in Group Policy.
>
> You must have Windows 10, version 1709 (the Fall Creators Update). The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
@@ -71,9 +71,9 @@ This can only be done in Group Policy.
4. Open the **Hide the App and browser protection area** setting and set it to **Enabled**. Click **OK**.
-5. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx).
+5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
> [!NOTE]
> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
>
-> 
+> 
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
index 5924c85165..1bfddcc3f2 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
@@ -54,7 +54,7 @@ There are two stages to using the contact card and customized notifications. Fir
This can only be done in Group Policy.
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
@@ -76,4 +76,4 @@ This can only be done in Group Policy.
7. Select **OK** after you configure each setting to save your changes.
>[!IMPORTANT]
->You must specify the contact company name and at least one contact method - email, phone number, or website URL. If you do not specify the contact name and a contact method the customization will not apply, the contact card will not show, and notifications will not be customized.
+>You must specify the contact company name and at least one contact method - email, phone number, or website URL. If you do not specify the contact name and a contact method the customization will not apply, the contact card will not show, and notifications will not be customized.
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
index de163e7707..919f2cb7a2 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
@@ -24,9 +24,9 @@ ms.technology: mde
- Windows 10, version 1703 and later
-The **Device performance & health** section contains information about hardware, devices, and drivers related to the machine. IT administrators and IT pros should reference the appropriate documentation library for the issues they are seeing, such as the [configure the Load and unload device drivers security policy setting](https://docs.microsoft.com/windows/device-security/security-policy-settings/load-and-unload-device-drivers) and how to [deploy drivers during Windows 10 deployment using Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager).
+The **Device performance & health** section contains information about hardware, devices, and drivers related to the machine. IT administrators and IT pros should reference the appropriate documentation library for the issues they are seeing, such as the [configure the Load and unload device drivers security policy setting](/windows/device-security/security-policy-settings/load-and-unload-device-drivers) and how to [deploy drivers during Windows 10 deployment using Microsoft Endpoint Configuration Manager](/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager).
-The [Windows 10 IT pro troubleshooting topic](https://docs.microsoft.com/windows/client-management/windows-10-support-solutions), and the main [Windows 10 documentation library](https://docs.microsoft.com/windows/windows-10/) can also be helpful for resolving issues.
+The [Windows 10 IT pro troubleshooting topic](/windows/client-management/windows-10-support-solutions), and the main [Windows 10 documentation library](/windows/windows-10/) can also be helpful for resolving issues.
In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
@@ -43,7 +43,7 @@ This can only be done in Group Policy.
>
>You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
@@ -51,9 +51,9 @@ This can only be done in Group Policy.
6. Open the **Hide the Device performance and health area** setting and set it to **Enabled**. Click **OK**.
-7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx).
+7. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
>[!NOTE]
>If you hide all sections then the app will show a restricted interface, as in the following screenshot:
>
->
+>
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md
index 8df410f1f3..f0627d2869 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md
@@ -37,7 +37,7 @@ This can only be done in Group Policy.
>
>You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
@@ -45,7 +45,7 @@ This can only be done in Group Policy.
4. Open the **Hide the Device security area** setting and set it to **Enabled**. Click **OK**.
-5. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx).
+5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
>[!NOTE]
>If you hide all sections then the app will show a restricted interface, as in the following screenshot:
@@ -60,7 +60,7 @@ If you don't want users to be able to click the **Clear TPM** button in the Wind
>
>You must have Windows 10, version 1809 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
@@ -68,12 +68,12 @@ If you don't want users to be able to click the **Clear TPM** button in the Wind
4. Open the **Disable the Clear TPM button** setting and set it to **Enabled**. Click **OK**.
-5. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx).
+5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
## Hide the TPM Firmware Update recommendation
If you don't want users to see the recommendation to update TPM firmware, you can disable it.
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
@@ -81,12 +81,12 @@ If you don't want users to see the recommendation to update TPM firmware, you ca
4. Open the **Hide the TPM Firmware Update recommendation** setting and set it to **Enabled**. Click **OK**.
-5. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx).
+5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
## Disable Memory integrity switch
If you don't want users to be able to change the Hypervisor Control Integrity (HVCI), or memory integrity, setting on their computers, you can disable the **Memory integrity** switch.
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
@@ -94,4 +94,4 @@ If you don't want users to be able to change the Hypervisor Control Integrity (H
4. Open the **Disable Memory integrity switch** setting and set it to **Enabled**. Click **OK**.
-5. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx).
+5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md
index e8003f20a2..c7d0fb4944 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md
@@ -42,7 +42,7 @@ This can only be done in Group Policy.
>
>You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
@@ -50,9 +50,9 @@ This can only be done in Group Policy.
6. Open the **Hide the Family options area** setting and set it to **Enabled**. Click **OK**.
-7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx).
+7. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
>[!NOTE]
>If you hide all sections then the app will show a restricted interface, as in the following screenshot:
>
->
+>
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
index 1a7d13e733..0a1389c07b 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md
@@ -57,7 +57,7 @@ This can only be done in Group Policy.
1. Download the latest [Administrative Templates (.admx) for Windows 10, v2004](https://www.microsoft.com/download/101445).
-2. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+2. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
@@ -65,7 +65,7 @@ This can only be done in Group Policy.
6. Open the **Hide non-critical notifications** setting and set it to **Enabled**. Click **OK**.
-7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx).
+7. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
## Use Group Policy to hide all notifications
@@ -78,7 +78,7 @@ This can only be done in Group Policy.
>
> Requirement: You must have Windows 10, version 1903 or higher. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
@@ -89,7 +89,7 @@ This can only be done in Group Policy.
6. Open the **Hide all notifications** setting and set it to **Enabled**. Click **OK**.
-7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx).
+7. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
> [!NOTE]
> You can use the following registry key and DWORD value to **Hide all notifications**.
@@ -148,5 +148,4 @@ This can only be done in Group Policy.
| Dynamic lock on, bluetooth on, but device unpaired | | | No |
| Dynamic lock on, bluetooth on, but unable to detect device | | | No |
| NoPa or federated no hello | | | No |
-| NoPa or federated hello broken | | | No |
-
+| NoPa or federated hello broken | | | No |
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md
index 28d50127b4..762e9c7402 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md
@@ -10,7 +10,6 @@ ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
-ms.date: 04/30/2018
ms.reviewer:
manager: dansimp
ms.technology: mde
@@ -30,11 +29,11 @@ In Windows 10, version 1803, this section also contains information and settings
IT administrators and IT pros can get more configuration information from these articles:
-- [Microsoft Defender Antivirus in the Windows Security app](../microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md)
-- [Microsoft Defender Antivirus documentation library](../microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md)
-- [Protect important folders with Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard)
+- [Microsoft Defender Antivirus in the Windows Security app](/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus)
+- [Microsoft Defender Antivirus documentation library](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10)
+- [Protect important folders with Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)
- [Defend yourself from cybercrime with new Office 365 capabilities](https://blogs.office.com/en-us/2018/04/05/defend-yourself-from-cybercrime-with-new-office-365-capabilities/)
-- [Office 365 advanced protection](https://support.office.com/en-us/article/office-365-advanced-protection-82e72640-39be-4dc7-8efd-740fb289123a)
+- [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365)
- [Ransomware detection and recovering your files](https://support.office.com/en-us/article/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f?ui=en-US&rs=en-US&ad=US)
You can hide the **Virus & threat protection** section or the **Ransomware protection** area from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for these features.
@@ -51,7 +50,7 @@ This can only be done in Group Policy.
>
>You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
@@ -59,7 +58,7 @@ This can only be done in Group Policy.
6. Open the **Hide the Virus and threat protection area** setting and set it to **Enabled**. Click **OK**.
-7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx).
+7. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
>[!NOTE]
>If you hide all sections then the app will show a restricted interface, as in the following screenshot:
@@ -77,7 +76,7 @@ This can only be done in Group Policy.
>
>You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
@@ -85,4 +84,4 @@ This can only be done in Group Policy.
6. Open the **Hide the Ransomware data recovery area** setting and set it to **Enabled**. Click **OK**.
-7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx).
+7. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md
index 7925fe31dc..146bdcc78e 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md
@@ -36,11 +36,10 @@ The Windows Security interface is a little different in Windows 10 in S mode. Th
-For more information about Windows 10 in S mode, including how to switch out of S mode, see [Windows 10 Pro/Enterprise in S mode](https://docs.microsoft.com/windows/deployment/windows-10-pro-in-s-mode).
+For more information about Windows 10 in S mode, including how to switch out of S mode, see [Windows 10 Pro/Enterprise in S mode](/windows/deployment/windows-10-pro-in-s-mode).
## Managing Windows Security settings with Intune
In the enterprise, you can only manage security settings for devices running Windows 10 in S mode with Microsoft Intune or other mobile device management apps. Windows 10 in S mode prevents making changes via PowerShell scripts.
-For information about using Intune to manage Windows Security settings on your organization's devices, see [Set up Intune](https://docs.microsoft.com/intune/setup-steps) and [Endpoint protection settings for Windows 10 (and later) in Intune](https://docs.microsoft.com/intune/endpoint-protection-windows-10).
-
+For information about using Intune to manage Windows Security settings on your organization's devices, see [Set up Intune](/intune/setup-steps) and [Endpoint protection settings for Windows 10 (and later) in Intune](/intune/endpoint-protection-windows-10).
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
index 174e3b1ec8..17eb0a98fd 100644
--- a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
+++ b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
@@ -1,5 +1,5 @@
---
-title: The Windows Security app
+title: The Windows Security app
description: The Windows Security app brings together common Windows security features into one place
keywords: wdav, smartscreen, antivirus, wdsc, firewall, device health, performance, Edge, browser, family, parental options, security, windows
search.product: eADQiWindows 10XVcnh
@@ -9,7 +9,6 @@ ms.sitesec: library
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
-ms.date: 10/02/2018
ms.reviewer:
manager: dansimp
ms.technology: mde
@@ -35,13 +34,13 @@ In Windows 10, version 1803, the app has two new areas, **Account protection** a
> [!NOTE]
-> The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal console that is used to review and manage [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection).
+> The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal console that is used to review and manage [Microsoft Defender for Endpoint](/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection).
You can't uninstall the Windows Security app, but you can do one of the following:
-- Disable the interface on Windows Server 2016. See [Microsoft Defender Antivirus on Windows Server 2016](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016).
+- Disable the interface on Windows Server 2016. See [Microsoft Defender Antivirus on Windows Server](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server).
- Hide all of the sections on client computers (see below).
-- Disable Microsoft Defender Antivirus, if needed. See [Enable and configure Microsoft Defender AV always-on protection and monitoring](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus).
+- Disable Microsoft Defender Antivirus, if needed. See [Enable and configure Microsoft Defender AV always-on protection and monitoring](/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus).
You can find more information about each section, including options for configuring the sections - such as hiding each of the sections - at the following topics:
@@ -78,13 +77,13 @@ You can find more information about each section, including options for configur
> [!IMPORTANT]
> Microsoft Defender AV and the Windows Security app use similarly named services for specific purposes.
>
-> The Windows Security app uses the Windows Security Service (*SecurityHealthService* or *Windows Security Health Servce*), which in turn utilizes the Security Center service ([*wscsvc*](https://technet.microsoft.com/library/bb457154.aspx#EDAA)) to ensure the app provides the most up-to-date information about the protection status on the endpoint, including protection offered by third-party antivirus products, Windows Defender Firewall, third-party firewalls, and other security protection.
+> The Windows Security app uses the Windows Security Service (*SecurityHealthService* or *Windows Security Health Servce*), which in turn utilizes the Security Center service ([*wscsvc*](/previous-versions/windows/it-pro/windows-xp/bb457154(v=technet.10)#EDAA)) to ensure the app provides the most up-to-date information about the protection status on the endpoint, including protection offered by third-party antivirus products, Windows Defender Firewall, third-party firewalls, and other security protection.
>
>These services do not affect the state of Microsoft Defender AV. Disabling or modifying these services will not disable Microsoft Defender AV, and will lead to a lowered protection state on the endpoint, even if you are using a third-party antivirus product.
>
->Microsoft Defender AV will be [disabled automatically when a third-party antivirus product is installed and kept up to date](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md).
+>Microsoft Defender AV will be [disabled automatically when a third-party antivirus product is installed and kept up to date]/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility).
>
-> Disabling the Windows Security Center service will not disable Microsoft Defender AV or [Windows Defender Firewall](https://docs.microsoft.com/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security).
+> Disabling the Windows Security Center service will not disable Microsoft Defender AV or [Windows Defender Firewall](/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security).
> [!WARNING]
> If you disable the Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
@@ -102,4 +101,4 @@ Disabling any of the individual features (through Group Policy or other manageme
> [!IMPORTANT]
> Individually disabling any of the services will not disable the other services or the Windows Security app.
-For example, [using a third-party antivirus will disable Microsoft Defender Antivirus](https://docs.microsoft.com/windows/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility). However, the Windows Security app will still run, show its icon in the taskbar, and display information about the other features, such as Windows Defender SmartScreen and Windows Defender Firewall.
+For example, [using a third-party antivirus will disable Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility). However, the Windows Security app will still run, show its icon in the taskbar, and display information about the other features, such as Windows Defender SmartScreen and Windows Defender Firewall.
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
index 662de15893..570641d7b7 100644
--- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
+++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
@@ -30,7 +30,7 @@ You can enable System Guard Secure Launch by using any of these options:
### Mobile Device Management
-System Guard Secure Launch can be configured for Mobile Device Management (MDM) by using DeviceGuard policies in the Policy CSP, specifically [DeviceGuard/ConfigureSystemGuardLaunch](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceguard#deviceguard-configuresystemguardlaunch).
+System Guard Secure Launch can be configured for Mobile Device Management (MDM) by using DeviceGuard policies in the Policy CSP, specifically [DeviceGuard/ConfigureSystemGuardLaunch](/windows/client-management/mdm/policy-csp-deviceguard#deviceguard-configuresystemguardlaunch).
### Group Policy
@@ -67,13 +67,13 @@ To verify that Secure Launch is running, use System Information (MSInfo32). Clic
> [!NOTE]
-> To enable System Guard Secure launch, the platform must meet all the baseline requirements for [Device Guard](https://docs.microsoft.com/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control), [Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-requirements), and [Virtualization Based Security](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-vbs).
+> To enable System Guard Secure launch, the platform must meet all the baseline requirements for [Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../../identity-protection/credential-guard/credential-guard-requirements.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs).
## System requirements for System Guard
|For Intel® vPro™ processors starting with Intel® Coffeelake, Whiskeylake, or later silicon|Description|
|--------|-----------|
-|64-bit CPU|A 64-bit computer with minimum 4 cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](https://docs.microsoft.com/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](https://docs.microsoft.com/virtualization/hyper-v-on-windows/reference/tlfs).|
+|64-bit CPU|A 64-bit computer with minimum 4 cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).|
|Trusted Platform Module (TPM) 2.0|Platforms must support a discrete TPM 2.0. Integrated/firmware TPMs are not supported.|
|Windows DMA Protection|Platforms must meet the Windows DMA Protection Specification (all external DMA ports must be off by default until the OS explicitly powers them).|
|SMM communication buffers| All SMM communication buffers must be implemented in EfiRuntimeServicesData ,EfiRuntimeServicesCode , EfiACPIMemoryNVS, or EfiReservedMemoryType memory types. |
@@ -94,4 +94,4 @@ To verify that Secure Launch is running, use System Information (MSInfo32). Clic
|Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. |
> [!NOTE]
-> For more details around AMD processors, see [Microsoft Security Blog: Force firmware code to be measured and attested by Secure Launch on Windows 10](https://www.microsoft.com/security/blog/2020/09/01/force-firmware-code-to-be-measured-and-attested-by-secure-launch-on-windows-10/).
+> For more details around AMD processors, see [Microsoft Security Blog: Force firmware code to be measured and attested by Secure Launch on Windows 10](https://www.microsoft.com/security/blog/2020/09/01/force-firmware-code-to-be-measured-and-attested-by-secure-launch-on-windows-10/).
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-firewall/TOC.md b/windows/security/threat-protection/windows-firewall/TOC.md
deleted file mode 100644
index 00a5fecc08..0000000000
--- a/windows/security/threat-protection/windows-firewall/TOC.md
+++ /dev/null
@@ -1,184 +0,0 @@
-# [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md)
-
-## [Plan deployment]()
-
-### [Design guide](windows-firewall-with-advanced-security-design-guide.md)
-
-### [Design process](understanding-the-windows-firewall-with-advanced-security-design-process.md)
-
-### [Implementation goals]()
-#### [Identify implementation goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
-#### [Protect devices from unwanted network traffic](protect-devices-from-unwanted-network-traffic.md)
-#### [Restrict access to only trusted devices](restrict-access-to-only-trusted-devices.md)
-#### [Require encryption](require-encryption-when-accessing-sensitive-network-resources.md)
-#### [Restrict access](restrict-access-to-only-specified-users-or-devices.md)
-
-### [Implementation designs]()
-#### [Mapping goals to a design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)
-
-#### [Basic firewall design](basic-firewall-policy-design.md)
-##### [Basic firewall design example](firewall-policy-design-example.md)
-
-
-#### [Domain isolation design](domain-isolation-policy-design.md)
-##### [Domain isolation design example](domain-isolation-policy-design-example.md)
-
-
-#### [Server isolation design](server-isolation-policy-design.md)
-##### [Server Isolation design example](server-isolation-policy-design-example.md)
-
-
-#### [Certificate-based isolation design](certificate-based-isolation-policy-design.md)
-##### [Certificate-based Isolation design example](certificate-based-isolation-policy-design-example.md)
-
-### [Design planning]()
-#### [Planning your design](planning-your-windows-firewall-with-advanced-security-design.md)
-
-#### [Planning settings for a basic firewall policy](planning-settings-for-a-basic-firewall-policy.md)
-
-#### [Planning domain isolation zones]()
-##### [Domain isolation zones](planning-domain-isolation-zones.md)
-##### [Exemption list](exemption-list.md)
-##### [Isolated domain](isolated-domain.md)
-##### [Boundary zone](boundary-zone.md)
-##### [Encryption zone](encryption-zone.md)
-
-#### [Planning server isolation zones](planning-server-isolation-zones.md)
-
-#### [Planning certificate-based authentication](planning-certificate-based-authentication.md)
-##### [Documenting the Zones](documenting-the-zones.md)
-
-##### [Planning group policy deployment for your isolation zones](planning-group-policy-deployment-for-your-isolation-zones.md)
-###### [Planning isolation groups for the zones](planning-isolation-groups-for-the-zones.md)
-###### [Planning network access groups](planning-network-access-groups.md)
-
-###### [Planning the GPOs](planning-the-gpos.md)
-####### [Firewall GPOs](firewall-gpos.md)
-######## [GPO_DOMISO_Firewall](gpo-domiso-firewall.md)
-####### [Isolated domain GPOs](isolated-domain-gpos.md)
-######## [GPO_DOMISO_IsolatedDomain_Clients](gpo-domiso-isolateddomain-clients.md)
-######## [GPO_DOMISO_IsolatedDomain_Servers](gpo-domiso-isolateddomain-servers.md)
-####### [Boundary zone GPOs](boundary-zone-gpos.md)
-######## [GPO_DOMISO_Boundary](gpo-domiso-boundary.md)
-####### [Encryption zone GPOs](encryption-zone-gpos.md)
-######## [GPO_DOMISO_Encryption](gpo-domiso-encryption.md)
-####### [Server isolation GPOs](server-isolation-gpos.md)
-
-###### [Planning GPO deployment](planning-gpo-deployment.md)
-
-
-### [Planning to deploy](planning-to-deploy-windows-firewall-with-advanced-security.md)
-
-
-## [Deployment guide]()
-### [Deployment overview](windows-firewall-with-advanced-security-deployment-guide.md)
-
-### [Implementing your plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md)
-
-### [Basic firewall deployment]()
-#### [Checklist: Implementing a basic firewall policy design](checklist-implementing-a-basic-firewall-policy-design.md)
-
-
-
-### [Domain isolation deployment]()
-#### [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md)
-
-
-
-### [Server isolation deployment]()
-#### [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md)
-
-
-
-### [Certificate-based authentication]()
-#### [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md)
-
-
-
-## [Best practices]()
-### [Configuring the firewall](best-practices-configuring.md)
-### [Securing IPsec](securing-end-to-end-ipsec-connections-by-using-ikev2.md)
-### [PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md)
-### [Isolating Microsoft Store Apps on Your Network](isolating-apps-on-your-network.md)
-
-
-## [How-to]()
-### [Add Production devices to the membership group for a zone](add-production-devices-to-the-membership-group-for-a-zone.md)
-### [Add test devices to the membership group for a zone](add-test-devices-to-the-membership-group-for-a-zone.md)
-### [Assign security group filters to the GPO](assign-security-group-filters-to-the-gpo.md)
-### [Change rules from request to require mode](Change-Rules-From-Request-To-Require-Mode.Md)
-### [Configure authentication methods](Configure-authentication-methods.md)
-### [Configure data protection (Quick Mode) settings](configure-data-protection-quick-mode-settings.md)
-### [Configure Group Policy to autoenroll and deploy certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md)
-### [Configure key exchange (main mode) settings](configure-key-exchange-main-mode-settings.md)
-### [Configure the rules to require encryption](configure-the-rules-to-require-encryption.md)
-### [Configure the Windows Firewall log](configure-the-windows-firewall-log.md)
-### [Configure the workstation authentication certificate template](configure-the-workstation-authentication-certificate-template.md)
-### [Configure Windows Firewall to suppress notifications when a program is blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md)
-### [Confirm that certificates are deployed correctly](confirm-that-certificates-are-deployed-correctly.md)
-### [Copy a GPO to create a new GPO](copy-a-gpo-to-create-a-new-gpo.md)
-### [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)
-### [Create a Group Policy Object](create-a-group-policy-object.md)
-### [Create an authentication exemption list rule](create-an-authentication-exemption-list-rule.md)
-### [Create an authentication request rule](create-an-authentication-request-rule.md)
-### [Create an inbound ICMP rule](create-an-inbound-icmp-rule.md)
-### [Create an inbound port rule](create-an-inbound-port-rule.md)
-### [Create an inbound program or service rule](create-an-inbound-program-or-service-rule.md)
-### [Create an outbound port rule](create-an-outbound-port-rule.md)
-### [Create an outbound program or service rule](create-an-outbound-program-or-service-rule.md)
-### [Create inbound rules to support RPC](create-inbound-rules-to-support-rpc.md)
-### [Create WMI filters for the GPO](create-wmi-filters-for-the-gpo.md)
-### [Create Windows Firewall rules in Intune](create-windows-firewall-rules-in-intune.md)
-### [Enable predefined inbound rules](enable-predefined-inbound-rules.md)
-### [Enable predefined outbound rules](enable-predefined-outbound-rules.md)
-### [Exempt ICMP from authentication](exempt-icmp-from-authentication.md)
-### [Link the GPO to the domain](link-the-gpo-to-the-domain.md)
-### [Modify GPO filters](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)
-### [Open IP security policies](open-the-group-policy-management-console-to-ip-security-policies.md)
-### [Open Group Policy](open-the-group-policy-management-console-to-windows-firewall.md)
-### [Open Group Policy](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
-### [Open Windows Firewall](open-windows-firewall-with-advanced-security.md)
-### [Restrict server access](restrict-server-access-to-members-of-a-group-only.md)
-### [Enable Windows Firewall](turn-on-windows-firewall-and-configure-default-behavior.md)
-### [Verify Network Traffic](verify-that-network-traffic-is-authenticated.md)
-
-
-## [References]()
-### [Checklist: Creating Group Policy objects](checklist-creating-group-policy-objects.md)
-### [Checklist: Creating inbound firewall rules](checklist-creating-inbound-firewall-rules.md)
-### [Checklist: Creating outbound firewall rules](checklist-creating-outbound-firewall-rules.md)
-### [Checklist: Configuring basic firewall settings](checklist-configuring-basic-firewall-settings.md)
-
-
-### [Checklist: Configuring rules for the isolated domain](checklist-configuring-rules-for-the-isolated-domain.md)
-### [Checklist: Configuring rules for the boundary zone](checklist-configuring-rules-for-the-boundary-zone.md)
-### [Checklist: Configuring rules for the encryption zone](checklist-configuring-rules-for-the-encryption-zone.md)
-### [Checklist: Configuring rules for an isolated server zone](checklist-configuring-rules-for-an-isolated-server-zone.md)
-
-### [Checklist: Configuring rules for servers in a standalone isolated server zone](checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md)
-### [Checklist: Creating rules for clients of a standalone isolated server zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md)
-
-
-### [Appendix A: Sample GPO template files for settings used in this guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md)
-
-
-
-## [Troubleshooting]()
-### [Troubleshooting UWP app connectivity issues in Windows Firewall](troubleshooting-uwp-firewall.md)
-### [Filter origin audit log improvements](filter-origin-documentation.md)
-### [Quarantine behavior](quarantine.md)
-### [Firewall settings lost on upgrade](firewall-settings-lost-on-upgrade.md)
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/windows/security/threat-protection/windows-firewall/TOC.yml b/windows/security/threat-protection/windows-firewall/TOC.yml
new file mode 100644
index 0000000000..efaa07fa4e
--- /dev/null
+++ b/windows/security/threat-protection/windows-firewall/TOC.yml
@@ -0,0 +1,252 @@
+- name: Windows Firewall with Advanced Security
+ href: windows-firewall-with-advanced-security.md
+ items:
+ - name: Plan deployment
+ items:
+ - name: Design guide
+ href: windows-firewall-with-advanced-security-design-guide.md
+ - name: Design process
+ href: understanding-the-windows-firewall-with-advanced-security-design-process.md
+ - name: Implementation goals
+ items:
+ - name: Identify implementation goals
+ href: identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
+ - name: Protect devices from unwanted network traffic
+ href: protect-devices-from-unwanted-network-traffic.md
+ - name: Restrict access to only trusted devices
+ href: restrict-access-to-only-trusted-devices.md
+ - name: Require encryption
+ href: require-encryption-when-accessing-sensitive-network-resources.md
+ - name: Restrict access
+ href: restrict-access-to-only-specified-users-or-devices.md
+ - name: Implementation designs
+ items:
+ - name: Mapping goals to a design
+ href: mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
+ - name: Basic firewall design
+ href: basic-firewall-policy-design.md
+ items:
+ - name: Basic firewall design example
+ href: firewall-policy-design-example.md
+ - name: Domain isolation design
+ href: domain-isolation-policy-design.md
+ items:
+ - name: Domain isolation design example
+ href: domain-isolation-policy-design-example.md
+ - name: Server isolation design
+ href: server-isolation-policy-design.md
+ items:
+ - name: Server Isolation design example
+ href: server-isolation-policy-design-example.md
+ - name: Certificate-based isolation design
+ href: certificate-based-isolation-policy-design.md
+ items:
+ - name: Certificate-based Isolation design example
+ href: certificate-based-isolation-policy-design-example.md
+ - name: Design planning
+ items:
+ - name: Planning your design
+ href: planning-your-windows-firewall-with-advanced-security-design.md
+ - name: Planning settings for a basic firewall policy
+ href: planning-settings-for-a-basic-firewall-policy.md
+ - name: Planning domain isolation zones
+ items:
+ - name: Domain isolation zones
+ href: planning-domain-isolation-zones.md
+ - name: Exemption list
+ href: exemption-list.md
+ - name: Isolated domain
+ href: isolated-domain.md
+ - name: Boundary zone
+ href: boundary-zone.md
+ - name: Encryption zone
+ href: encryption-zone.md
+ - name: Planning server isolation zones
+ href: planning-server-isolation-zones.md
+ - name: Planning certificate-based authentication
+ href: planning-certificate-based-authentication.md
+ items:
+ - name: Documenting the Zones
+ href: documenting-the-zones.md
+ - name: Planning group policy deployment for your isolation zones
+ href: planning-group-policy-deployment-for-your-isolation-zones.md
+ items:
+ - name: Planning isolation groups for the zones
+ href: planning-isolation-groups-for-the-zones.md
+ - name: Planning network access groups
+ href: planning-network-access-groups.md
+ - name: Planning the GPOs
+ href: planning-the-gpos.md
+ items:
+ - name: Firewall GPOs
+ href: firewall-gpos.md
+ items:
+ - name: GPO_DOMISO_Firewall
+ href: gpo-domiso-firewall.md
+ - name: Isolated domain GPOs
+ href: isolated-domain-gpos.md
+ items:
+ - name: GPO_DOMISO_IsolatedDomain_Clients
+ href: gpo-domiso-isolateddomain-clients.md
+ - name: GPO_DOMISO_IsolatedDomain_Servers
+ href: gpo-domiso-isolateddomain-servers.md
+ - name: Boundary zone GPOs
+ href: boundary-zone-gpos.md
+ items:
+ - name: GPO_DOMISO_Boundary
+ href: gpo-domiso-boundary.md
+ - name: Encryption zone GPOs
+ href: encryption-zone-gpos.md
+ items:
+ - name: GPO_DOMISO_Encryption
+ href: gpo-domiso-encryption.md
+ - name: Server isolation GPOs
+ href: server-isolation-gpos.md
+ - name: Planning GPO deployment
+ href: planning-gpo-deployment.md
+ - name: Planning to deploy
+ href: planning-to-deploy-windows-firewall-with-advanced-security.md
+ - name: Deployment guide
+ items:
+ - name: Deployment overview
+ href: windows-firewall-with-advanced-security-deployment-guide.md
+ - name: Implementing your plan
+ href: implementing-your-windows-firewall-with-advanced-security-design-plan.md
+ - name: Basic firewall deployment
+ items:
+ - name: "Checklist: Implementing a basic firewall policy design"
+ href: checklist-implementing-a-basic-firewall-policy-design.md
+ - name: Domain isolation deployment
+ items:
+ - name: "Checklist: Implementing a Domain Isolation Policy Design"
+ href: checklist-implementing-a-domain-isolation-policy-design.md
+ - name: Server isolation deployment
+ items:
+ - name: "Checklist: Implementing a Standalone Server Isolation Policy Design"
+ href: checklist-implementing-a-standalone-server-isolation-policy-design.md
+ - name: Certificate-based authentication
+ items:
+ - name: "Checklist: Implementing a Certificate-based Isolation Policy Design"
+ href: checklist-implementing-a-certificate-based-isolation-policy-design.md
+ - name: Best practices
+ items:
+ - name: Configuring the firewall
+ href: best-practices-configuring.md
+ - name: Securing IPsec
+ href: securing-end-to-end-ipsec-connections-by-using-ikev2.md
+ - name: PowerShell
+ href: windows-firewall-with-advanced-security-administration-with-windows-powershell.md
+ - name: Isolating Microsoft Store Apps on Your Network
+ href: isolating-apps-on-your-network.md
+ - name: How-to
+ items:
+ - name: Add Production devices to the membership group for a zone
+ href: add-production-devices-to-the-membership-group-for-a-zone.md
+ - name: Add test devices to the membership group for a zone
+ href: add-test-devices-to-the-membership-group-for-a-zone.md
+ - name: Assign security group filters to the GPO
+ href: assign-security-group-filters-to-the-gpo.md
+ - name: Change rules from request to require mode
+ href: Change-Rules-From-Request-To-Require-Mode.Md
+ - name: Configure authentication methods
+ href: Configure-authentication-methods.md
+ - name: Configure data protection (Quick Mode) settings
+ href: configure-data-protection-quick-mode-settings.md
+ - name: Configure Group Policy to autoenroll and deploy certificates
+ href: configure-group-policy-to-autoenroll-and-deploy-certificates.md
+ - name: Configure key exchange (main mode) settings
+ href: configure-key-exchange-main-mode-settings.md
+ - name: Configure the rules to require encryption
+ href: configure-the-rules-to-require-encryption.md
+ - name: Configure the Windows Firewall log
+ href: configure-the-windows-firewall-log.md
+ - name: Configure the workstation authentication certificate template
+ href: configure-the-workstation-authentication-certificate-template.md
+ - name: Configure Windows Firewall to suppress notifications when a program is blocked
+ href: configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md
+ - name: Confirm that certificates are deployed correctly
+ href: confirm-that-certificates-are-deployed-correctly.md
+ - name: Copy a GPO to create a new GPO
+ href: copy-a-gpo-to-create-a-new-gpo.md
+ - name: Create a Group Account in Active Directory
+ href: create-a-group-account-in-active-directory.md
+ - name: Create a Group Policy Object
+ href: create-a-group-policy-object.md
+ - name: Create an authentication exemption list rule
+ href: create-an-authentication-exemption-list-rule.md
+ - name: Create an authentication request rule
+ href: create-an-authentication-request-rule.md
+ - name: Create an inbound ICMP rule
+ href: create-an-inbound-icmp-rule.md
+ - name: Create an inbound port rule
+ href: create-an-inbound-port-rule.md
+ - name: Create an inbound program or service rule
+ href: create-an-inbound-program-or-service-rule.md
+ - name: Create an outbound port rule
+ href: create-an-outbound-port-rule.md
+ - name: Create an outbound program or service rule
+ href: create-an-outbound-program-or-service-rule.md
+ - name: Create inbound rules to support RPC
+ href: create-inbound-rules-to-support-rpc.md
+ - name: Create WMI filters for the GPO
+ href: create-wmi-filters-for-the-gpo.md
+ - name: Create Windows Firewall rules in Intune
+ href: create-windows-firewall-rules-in-intune.md
+ - name: Enable predefined inbound rules
+ href: enable-predefined-inbound-rules.md
+ - name: Enable predefined outbound rules
+ href: enable-predefined-outbound-rules.md
+ - name: Exempt ICMP from authentication
+ href: exempt-icmp-from-authentication.md
+ - name: Link the GPO to the domain
+ href: link-the-gpo-to-the-domain.md
+ - name: Modify GPO filters
+ href: modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md
+ - name: Open IP security policies
+ href: open-the-group-policy-management-console-to-ip-security-policies.md
+ - name: Open Group Policy
+ href: open-the-group-policy-management-console-to-windows-firewall.md
+ - name: Open Group Policy
+ href: open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
+ - name: Open Windows Firewall
+ href: open-windows-firewall-with-advanced-security.md
+ - name: Restrict server access
+ href: restrict-server-access-to-members-of-a-group-only.md
+ - name: Enable Windows Firewall
+ href: turn-on-windows-firewall-and-configure-default-behavior.md
+ - name: Verify Network Traffic
+ href: verify-that-network-traffic-is-authenticated.md
+ - name: References
+ items:
+ - name: "Checklist: Creating Group Policy objects"
+ href: checklist-creating-group-policy-objects.md
+ - name: "Checklist: Creating inbound firewall rules"
+ href: checklist-creating-inbound-firewall-rules.md
+ - name: "Checklist: Creating outbound firewall rules"
+ href: checklist-creating-outbound-firewall-rules.md
+ - name: "Checklist: Configuring basic firewall settings"
+ href: checklist-configuring-basic-firewall-settings.md
+ - name: "Checklist: Configuring rules for the isolated domain"
+ href: checklist-configuring-rules-for-the-isolated-domain.md
+ - name: "Checklist: Configuring rules for the boundary zone"
+ href: checklist-configuring-rules-for-the-boundary-zone.md
+ - name: "Checklist: Configuring rules for the encryption zone"
+ href: checklist-configuring-rules-for-the-encryption-zone.md
+ - name: "Checklist: Configuring rules for an isolated server zone"
+ href: checklist-configuring-rules-for-an-isolated-server-zone.md
+ - name: "Checklist: Configuring rules for servers in a standalone isolated server zone"
+ href: checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md
+ - name: "Checklist: Creating rules for clients of a standalone isolated server zone"
+ href: checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
+ - name: "Appendix A: Sample GPO template files for settings used in this guide"
+ href: appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
+ - name: Troubleshooting
+ items:
+ - name: Troubleshooting UWP app connectivity issues in Windows Firewall
+ href: troubleshooting-uwp-firewall.md
+ - name: Filter origin audit log improvements
+ href: filter-origin-documentation.md
+ - name: Quarantine behavior
+ href: quarantine.md
+ - name: Firewall settings lost on upgrade
+ href: firewall-settings-lost-on-upgrade.md
diff --git a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md
index a8e18add00..3911fccc53 100644
--- a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md
+++ b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md
@@ -32,7 +32,7 @@ network. These recommendations cover a wide range of deployments including home
networks and enterprise desktop/server systems.
To open Windows Firewall, go to the **Start** menu, select **Run**,
-type **WF.msc**, and then select **OK**. See also [Open Windows Firewall](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security).
+type **WF.msc**, and then select **OK**. See also [Open Windows Firewall](./open-windows-firewall-with-advanced-security.md).
## Keep default settings
@@ -62,7 +62,7 @@ Firewall whenever possible. These settings have been designed to secure your dev
> [!IMPORTANT]
> To maintain maximum security, do not change the default Block setting for inbound connections.
-For more on configuring basic firewall settings, see [Turn on Windows Firewall and Configure Default Behavior](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior) and [Checklist: Configuring Basic Firewall Settings](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings).
+For more on configuring basic firewall settings, see [Turn on Windows Firewall and Configure Default Behavior](./turn-on-windows-firewall-and-configure-default-behavior.md) and [Checklist: Configuring Basic Firewall Settings](./checklist-configuring-basic-firewall-settings.md).
## Understand rule precedence for inbound rules
@@ -77,7 +77,7 @@ This can be accomplished by right-clicking either **Inbound Rules** or **Outboun
> [!NOTE]
>This article does not cover step-by-step rule
configuration. See the [Windows Firewall with Advanced Security Deployment
-Guide](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide)
+Guide](./windows-firewall-with-advanced-security-deployment-guide.md)
for general guidance on policy creation.
In many cases, allowing specific types of inbound traffic will be required for
@@ -133,7 +133,7 @@ To determine why some applications are blocked from communicating in the network
*Figure 4: Dialog box to allow access*
-See also [Checklist: Creating Inbound Firewall Rules](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules).
+See also [Checklist: Creating Inbound Firewall Rules](./checklist-creating-inbound-firewall-rules.md).
## Establish local policy merge and application rules
@@ -151,7 +151,7 @@ The rule merging settings either allow or prevent local admins from creating the
*Figure 5: Rule merging setting*
> [!TIP]
-> In the firewall [configuration service provider](https://docs.microsoft.com/windows/client-management/mdm/firewall-csp), the
+> In the firewall [configuration service provider](/windows/client-management/mdm/firewall-csp), the
equivalent setting is *AllowLocalPolicyMerge*. This setting can be found under each respective profile node, *DomainProfile*, *PrivateProfile*, and *PublicProfile*.
If merging of local policies is disabled, centralized deployment of rules is required for any app that needs inbound connectivity.
@@ -159,7 +159,7 @@ If merging of local policies is disabled, centralized deployment of rules is req
Admins may disable *LocalPolicyMerge* in high security environments to maintain tighter control over endpoints. This can impact some apps and services that automatically generate a local firewall policy upon installation as discussed above. For these types of apps and services to work, admins should push rules centrally via group policy (GP), Mobile Device
Management (MDM), or both (for hybrid or co-management environments).
-[Firewall CSP](https://docs.microsoft.com/windows/client-management/mdm/firewall-csp) and [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) also have settings that can affect rule merging.
+[Firewall CSP](/windows/client-management/mdm/firewall-csp) and [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) also have settings that can affect rule merging.
As a best practice, it is important to list and log such apps, including the network ports used for communications. Typically, you can find what ports must be open for a given service on the app's website. For more complex or customer application deployments, a more thorough analysis may be needed using network packet capture tools.
@@ -203,8 +203,8 @@ What follows are a few general guidelines for configuring outbound rules.
- In high security environments, an inventory of all enterprise-spanning apps must be taken and logged by the administrator or administrators. Records must include whether an app used requires network connectivity. Administrators will need to create new rules specific to each app that needs network connectivity and push those rules centrally, via group policy (GP), Mobile Device Management (MDM), or both (for hybrid or co-management environments).
-For tasks related to creating outbound rules, see [Checklist: Creating Outbound Firewall Rules](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules).
+For tasks related to creating outbound rules, see [Checklist: Creating Outbound Firewall Rules](./checklist-creating-outbound-firewall-rules.md).
## Document your changes
-When creating an inbound or outbound rule, you should specify details about the app itself, the port range used, and important notes like creation date. Rules must be well-documented for ease of review both by you and other admins. We highly encourage taking the time to make the work of reviewing your firewall rules at a later date easier. And *never* create unnecessary holes in your firewall.
+When creating an inbound or outbound rule, you should specify details about the app itself, the port range used, and important notes like creation date. Rules must be well-documented for ease of review both by you and other admins. We highly encourage taking the time to make the work of reviewing your firewall rules at a later date easier. And *never* create unnecessary holes in your firewall.
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
index 51e3460b93..bf9a3f7d47 100644
--- a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
+++ b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
@@ -35,7 +35,7 @@ Select Windows Defender Firewall.
## Firewall rule components
-The firewall rule configurations in Intune use the Windows 10 CSP for Firewall. For more information, see [Firewall CSP](https://docs.microsoft.com/windows/client-management/mdm/firewall-csp).
+The firewall rule configurations in Intune use the Windows 10 CSP for Firewall. For more information, see [Firewall CSP](/windows/client-management/mdm/firewall-csp).
## Application
Control connections for an app or program.
@@ -43,7 +43,7 @@ Apps and programs can be specified either file path, package family name, or Win
The file path of an app is its location on the client device.
For example, C:\Windows\System\Notepad.exe.
-[Learn more](https://aka.ms/intunefirewallfilepathrule)
+[Learn more](/windows/client-management/mdm/firewall-csp#filepath)
Package family names can be retrieved by running the Get-AppxPackage command from PowerShell.
[Learn more](https://aka.ms/intunefirewallPackageNameFromPowerShell)
@@ -51,24 +51,24 @@ Package family names can be retrieved by running the Get-AppxPackage command fro
Windows service short names are used in cases when a service, not an application, is sending or receiving traffic.
Default ia All.
-[Learn more](https://aka.ms/intunefirewallServiceNameRule)
+[Learn more](/windows/client-management/mdm/firewall-csp#servicename)
## Protocol
Select the protocol for this port rule. Transport layer protocols—TCP and UDP—allow you to specify ports or port ranges. For custom protocols, enter a number between 0 and 255 representing the IP protocol.
Default is Any.
-[Learn more](https://aka.ms/intunefirewallprotocolrule)
+[Learn more](/windows/client-management/mdm/firewall-csp#protocol)
## Local ports
Comma separated list of ranges. For example, *100-120,200,300-320*. Default is All.
-[Learn more](https://aka.ms/intunefirewalllocalportrule)
+[Learn more](/windows/client-management/mdm/firewall-csp#localportranges)
## Remote ports
Comma separated list of ranges. For example, *100-120,200,300-320*. Default is All.
-[Learn more](https://aka.ms/intunefirewallremoteportrule)
+[Learn more](/windows/client-management/mdm/firewall-csp#remoteportranges)
## Local addresses
Comma separated list of local addresses covered by the rule. Valid tokens include:
@@ -78,7 +78,7 @@ Comma separated list of local addresses covered by the rule. Valid tokens includ
- An IPv4 address range in the format of "start address-end address" with no spaces included.
- An IPv6 address range in the format of "start address-end address" with no spaces included. Default is Any address.
-[Learn more](https://aka.ms/intunefirewalllocaladdressrule)
+[Learn more](/windows/client-management/mdm/firewall-csp#localaddressranges)
## Remote addresses
List of comma separated tokens specifying the remote addresses covered by the rule. Tokens are case insensitive. Valid tokens include:
@@ -104,15 +104,13 @@ Default is Any address.
## Edge traversal (UI coming soon)
Indicates whether edge traversal is enabled or disabled for this rule. The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address. New rules have the EdgeTraversal property disabled by default. This setting can only be configured via Intune Graph at this time.
-[Learn more](https://aka.ms/intunefirewalledgetraversal)
+[Learn more](/windows/client-management/mdm/firewall-csp#edgetraversal)
## Authorized users
Specifies the list of authorized local users for this rule. A list of authorized users cannot be specified if the rule being authored is targeting a Windows service. Default is all users.
-[Learn more](https://aka.ms/intunefirewallauthorizedusers)
+[Learn more](/windows/client-management/mdm/firewall-csp#localuserauthorizedlist)
## Configuring firewall rules programmatically
-Coming soon.
-
-
+Coming soon.
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
index d863d37050..9ed555e0c8 100644
--- a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
+++ b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
@@ -80,7 +80,7 @@ First, create the WMI filter and configure it to look for a specified version (o
select * from Win32_OperatingSystem where Version like "10.%" and ProductType="1"
```
- Specific versions of Windows 10 can be targeted by including the *major build version* in the query. The following query returns **true** for all devices running Windows 10 20H2 (which has a *major build version* of `19042`), and returns **false** for any server operating system or any other client operating system. Additional information about Windows 10 build versions can be found at [Windows 10 release information](https://docs.microsoft.com/windows/release-health/release-information).
+ Specific versions of Windows 10 can be targeted by including the *major build version* in the query. The following query returns **true** for all devices running Windows 10 20H2 (which has a *major build version* of `19042`), and returns **false** for any server operating system or any other client operating system. Additional information about Windows 10 build versions can be found at [Windows 10 release information](/windows/release-health/release-information).
```syntax
select * from Win32_OperatingSystem where Version like "10.0.19042" and ProductType="1"
@@ -109,4 +109,4 @@ After you have created a filter with the correct query, link the filter to the G
3. Under **WMI Filtering**, select the correct WMI filter from the list.
-4. Click **Yes** to accept the filter.
+4. Click **Yes** to accept the filter.
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md
index e890a72528..c1121baa73 100644
--- a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md
+++ b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md
@@ -66,8 +66,8 @@ To enable a specific audit event, run the corresponding command in an administra
|**Audit #**|**Enable command**|**Link**|
|:-----|:-----|:-----|
-|**5157**|`Auditpol /set /category:"System" /SubCategory:"Filtering Platform Connection" /success:enable /failure:enable`|[5157(F): The Windows Filtering Platform has blocked a connection.](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5157)|
-|**5152**|`Auditpol /set /category:"System" /SubCategory:"Filtering Platform Connection" /success:enable /failure:enable`|[5152(F): The Windows Filtering Platform blocked a packet.](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5152)|
+|**5157**|`Auditpol /set /category:"System" /SubCategory:"Filtering Platform Connection" /success:enable /failure:enable`|[5157(F): The Windows Filtering Platform has blocked a connection.](../auditing/event-5157.md)|
+|**5152**|`Auditpol /set /category:"System" /SubCategory:"Filtering Platform Connection" /success:enable /failure:enable`|[5152(F): The Windows Filtering Platform blocked a packet.](../auditing/event-5152.md)|
## Example flow of debugging packet drops with filter origin
@@ -99,9 +99,9 @@ After identifying the rule that caused the drop, the network admin can now modif
Network drop events from the AppContainer loopback block filter origin occur when localhost loopback is not enabled properly for the Universal Windows Platform (UWP) app.
-To enable localhost loopback in a local debugging environment, see [Communicating with localhost](https://docs.microsoft.com/windows/iot-core/develop-your-app/loopback).
+To enable localhost loopback in a local debugging environment, see [Communicating with localhost](/windows/iot-core/develop-your-app/loopback).
-To enable localhost loopback for a published app that requires loopback access to communicate with another UWP or packaged win32 app, see [uap4:LoopbackAccessRules](https://docs.microsoft.com/uwp/schemas/appxpackage/uapmanifestschema/element-uap4-loopbackaccessrules).
+To enable localhost loopback for a published app that requires loopback access to communicate with another UWP or packaged win32 app, see [uap4:LoopbackAccessRules](/uwp/schemas/appxpackage/uapmanifestschema/element-uap4-loopbackaccessrules).
**Boottime default**
@@ -158,15 +158,14 @@ Set-NetFirewallProfile -NotifyOnListen False
Network drops from stealth filters are typically made to prevent port scanning.
-To disable stealth-mode, see [Disable stealth mode in Windows](https://docs.microsoft.com/troubleshoot/windows-server/networking/disable-stealth-mode).
+To disable stealth-mode, see [Disable stealth mode in Windows](/troubleshoot/windows-server/networking/disable-stealth-mode).
**UWP default**
Network drops from Universal Windows Platform (UWP) default inbound/outbound block filters are often caused by the UWP app not being configured correctly (that is, the UWP app is missing the correct capability tokens or loopback is not enabled) or the private range is configured incorrectly.
-For more information on how to debug drops caused by UWP default block filters, see [Troubleshooting UWP App Connectivity Issues](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall).
+For more information on how to debug drops caused by UWP default block filters, see [Troubleshooting UWP App Connectivity Issues](./troubleshooting-uwp-firewall.md).
**WSH default**
-Network drops from Windows Service Hardening (WSH) default filters indicate that there wasn’t an explicit Windows Service Hardening allow rule to allow network traffic for the protected service. The service owner will need to configure allow rules for the service if the block is not expected.
-
+Network drops from Windows Service Hardening (WSH) default filters indicate that there wasn’t an explicit Windows Service Hardening allow rule to allow network traffic for the protected service. The service owner will need to configure allow rules for the service if the block is not expected.
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md b/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md
index 8d8f65a0a5..e75e426e2c 100644
--- a/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md
@@ -30,7 +30,7 @@ This topic discusses several other things that you should examine to see whether
Because IPsec uses mathematically intensive cryptographic techniques, it can consume significant overhead on a device. Areas to watch:
-- **Encryption.** You might use 256-bit Advanced Encryption Standard (AES-256) and 384-bit Secure Hash Algorithm (SHA-384) to check integrity in situations that require the strongest available encryption and key exchange protection. If you have NICs that support IPsec Task Offload, you can reduce the effect that encryption has on network throughput. For more information, see [IPsec Task Offload](https://technet.microsoft.com/network/dd277647.aspx).
+- **Encryption.** You might use 256-bit Advanced Encryption Standard (AES-256) and 384-bit Secure Hash Algorithm (SHA-384) to check integrity in situations that require the strongest available encryption and key exchange protection. If you have NICs that support IPsec Task Offload, you can reduce the effect that encryption has on network throughput. For more information, see [IPsec Task Offload](/previous-versions/windows/it-pro/windows-server-2003/cc776369(v=ws.10)).
- **Security association (SA) negotiation.** You can use a shorter lifetime for the main mode SA, such as three hours, but then you might need to make tradeoffs. Because each main mode SA occupies approximately 5 KB of RAM, situations in which a server brokers tens of thousands of concurrent connections can lead to overutilization.
@@ -83,4 +83,4 @@ Network Monitor includes parsers for the ISAKMP (IKE), AH, and ESP protocols. Ne
Message Analyzer is available on the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=44226).
-**Next:** [Determining the Trusted State of Your Devices](determining-the-trusted-state-of-your-devices.md)
+**Next:** [Determining the Trusted State of Your Devices](determining-the-trusted-state-of-your-devices.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-firewall/quarantine.md b/windows/security/threat-protection/windows-firewall/quarantine.md
index be83308889..87bab115a6 100644
--- a/windows/security/threat-protection/windows-firewall/quarantine.md
+++ b/windows/security/threat-protection/windows-firewall/quarantine.md
@@ -51,7 +51,7 @@ These filters are added in the FWPM_SUBLAYER_MPSSVC_QUARANTINE sublayer and thes
>[!NOTE]
> Any firewall rules added by the customers will not affect the filters in the quarantine sublayer as filters from Firewall rules are added in the FWPM_SUBLAYER_MPSSVC_WF sublayer. In other words, customers cannot add their own exception filters to prevent packets from being evaluated by quarantine filters.
-For more information about WFP layers and sublayers, see [WFP Operation](https://docs.microsoft.com/windows/win32/fwp/basic-operation).
+For more information about WFP layers and sublayers, see [WFP Operation](/windows/win32/fwp/basic-operation).
### Quarantine default inbound block filter
@@ -209,6 +209,6 @@ Get-NetIPInterface –InterfaceIndex 5
Using the interface name, event viewer can be searched for any interface related changes.
-To enable more networking audit events, see [Enable IPsec and Windows Firewall Audit Events](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754714(v=ws.10)?redirectedfrom=MSDN).
+To enable more networking audit events, see [Enable IPsec and Windows Firewall Audit Events](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754714(v=ws.10)).
-Packet drops from the quarantine default inbound block filter are often transient and do not signify anything more than a network change on the interface.
+Packet drops from the quarantine default inbound block filter are often transient and do not signify anything more than a network change on the interface.
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md
index d074ada7fc..4c6f3f4fb7 100644
--- a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md
+++ b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md
@@ -49,7 +49,7 @@ You can use IKEv2 as a virtual private network (VPN) tunneling protocol that sup
- [Troubleshooting](#troubleshooting)
->**Note:** This topic includes sample Windows PowerShell cmdlets. For more info, see [How to Run a Windows PowerShell Cmdlet](https://go.microsoft.com/fwlink/p/?linkid=230693).
+>**Note:** This topic includes sample Windows PowerShell cmdlets. For more info, see [How to Run a Windows PowerShell Cmdlet](/previous-versions//bb648607(v=vs.85)).
## Prerequisites
@@ -190,9 +190,3 @@ You might not find the exact answer for the issue, but you can find good hints.
-
-
-
-
-
-
diff --git a/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md
index ca95cee02b..de14c20840 100644
--- a/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md
+++ b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md
@@ -41,9 +41,9 @@ filters ensures network isolation for UWP applications. Specifically, it guarant
For more information on the filter arbitration algorithm and network isolation,
see [Filter
-Arbitration](https://docs.microsoft.com/windows/win32/fwp/filter-arbitration)
+Arbitration](/windows/win32/fwp/filter-arbitration)
and
-[Isolation](https://docs.microsoft.com/windows/win32/secauthz/appcontainer-isolation).
+[Isolation](/windows/win32/secauthz/appcontainer-isolation).
The following sections cover debugging case examples for loopback and non-loopback UWP app network connectivity issues.
@@ -70,7 +70,12 @@ You can ensure loopback is enabled by checking the appx manifests of both the se
For more information about loopback scenarios, see [Communicating with
localhost
-(loopback)](https://docs.microsoft.com/windows/iot-core/develop-your-app/loopback).
+(loopback)](/windows/iot-core/develop-your-app/loopback).
+
+>[!NOTE]
+>If you are in the middle of developing a UWA application and want to test its loopback, ensure to uninstall and re-install the UWA app if the network capabilities change for whatever reason.
+
+Also, see [How to enable loopback and troubleshoot network isolation (Windows Runtime apps)](https://docs.microsoft.com/previous-versions/windows/apps/hh780593(v=win.10)#debug-network-isolation-issues).
## Debugging Live Drops
diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
index c21749b77b..3e383743a4 100644
--- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
+++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
@@ -31,7 +31,7 @@ In future versions of Windows, Microsoft might remove the netsh functionality fo
Windows PowerShell and netsh command references are at the following locations.
-- [Netsh Commands for Windows Defender Firewall](https://technet.microsoft.com/library/cc771920)
+- [Netsh Commands for Windows Defender Firewall](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771920(v=ws.10))
## Scope
@@ -349,7 +349,7 @@ New-NetIPsecRule -DisplayName “Require Inbound Authentication” -PolicyStore
### Add custom authentication methods to an IPsec rule
-If you want to create a custom set of quick-mode proposals that includes both AH and ESP in an IPsec rule object, you create the associated objects separately and link their associations. For more information about authentication methods, see [Choosing the IPsec Protocol](https://technet.microsoft.com/library/cc757847(WS.10).aspx) .
+If you want to create a custom set of quick-mode proposals that includes both AH and ESP in an IPsec rule object, you create the associated objects separately and link their associations. For more information about authentication methods, see [Choosing the IPsec Protocol](/previous-versions/windows/it-pro/windows-server-2003/cc757847(v=ws.10)) .
You can then use the newly created custom quick-mode policies when you create IPsec rules. The cryptography set object is linked to an IPsec rule object.
@@ -586,7 +586,7 @@ To deploy server isolation, we layer a firewall rule that restricts traffic to a
The following firewall rule allows Telnet traffic from user accounts that are members of a custom group called “Authorized to Access Server.” This access can additionally be restricted based on the device, user, or both by specifying the restriction parameters.
-A Security Descriptor Definition Language (SDDL) string is created by extending a user or group’s security identifier (SID). For more information about finding a group’s SID, see: [Finding the SID for a group account](https://technet.microsoft.com/library/cc753463(WS.10).aspx#bkmk_FINDSID).
+A Security Descriptor Definition Language (SDDL) string is created by extending a user or group’s security identifier (SID). For more information about finding a group’s SID, see: [Finding the SID for a group account](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753463(v=ws.10)#bkmk_FINDSID).
Restricting access to a group allows administrations to extend strong authentication support through Windows Defender Firewall and/or IPsec policies.
@@ -608,7 +608,7 @@ Windows PowerShell
$secureMachineGroup = "D:(A;;CC;;;$SIDofSecureMachineGroup)"
```
-For more information about how to create security groups or how to determine the SDDL string, see [Working with SIDs](https://technet.microsoft.com/library/ff730940.aspx).
+For more information about how to create security groups or how to determine the SDDL string, see [Working with SIDs](/previous-versions/windows/it-pro/windows-powershell-1.0/ff730940(v=technet.10)).
Telnet is an application that does not provide encryption. This application can send data, such as names and passwords, over the network. This data can be intercepted by malicious users. If an administrator would like to allow the use of Telnet, but protect the traffic, a firewall rule that requires IPsec encryption can be created. This is necessary so that the administrator can be certain that when this application is used, all of the traffic sent or received by this port is encrypted. If IPsec fails to authorize the connection, no traffic is allowed from this application.
@@ -641,7 +641,7 @@ Set-NetFirewallSetting -RemoteMachineTransportAuthorizationList $secureMachineGr
### Create firewall rules that allow IPsec-protected network traffic (authenticated bypass)
-Authenticated bypass allows traffic from a specified trusted device or user to override firewall block rules. This is helpful when an administrator wants to use scanning servers to monitor and update devices without the need to use port-level exceptions. For more information, see [How to enable authenticated firewall bypass](https://technet.microsoft.com/library/cc753463(WS.10).aspx).
+Authenticated bypass allows traffic from a specified trusted device or user to override firewall block rules. This is helpful when an administrator wants to use scanning servers to monitor and update devices without the need to use port-level exceptions. For more information, see [How to enable authenticated firewall bypass](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753463(v=ws.10)).
In this example, we assume that a blocking firewall rule exists. This example permits any network traffic on any port from any IP address to override the block rule, if the traffic is authenticated as originating from a device or user account that is a member of the specified device or user security group.
@@ -663,43 +663,38 @@ New-NetFirewallRule –DisplayName “Inbound Secure Bypass Rule" –Direction I
For more information about Windows PowerShell concepts, see the following topics.
-- [Windows PowerShell Getting Started Guide](https://go.microsoft.com/fwlink/p/?linkid=113440)
+- [Windows PowerShell Getting Started Guide](/powershell/scripting/overview)
-- [Windows PowerShell User Guide](https://go.microsoft.com/fwlink/p/?linkid=113441)
+- [Windows PowerShell User Guide](/powershell/scripting/overview)
- [Windows PowerShell About Help Topics](https://go.microsoft.com/fwlink/p/?linkid=113206)
-- [about\_Functions](https://go.microsoft.com/fwlink/p/?linkid=113231)
+- [about\_Functions](/powershell/module/microsoft.powershell.core/about/about_functions)
-- [about\_Functions\_Advanced](https://go.microsoft.com/fwlink/p/?linkid=144511)
+- [about\_Functions\_Advanced](/powershell/module/microsoft.powershell.core/about/about_functions_advanced)
-- [about\_Execution\_Policies](https://go.microsoft.com/fwlink/p/?linkid=135170)
+- [about\_Execution\_Policies](/powershell/module/microsoft.powershell.core/about/about_execution_policies)
-- [about\_Foreach](https://go.microsoft.com/fwlink/p/?linkid=113229)
+- [about\_Foreach](/powershell/module/microsoft.powershell.core/about/about_foreach)
-- [about\_Objects](https://go.microsoft.com/fwlink/p/?linkid=113241)
+- [about\_Objects](/powershell/module/microsoft.powershell.core/about/about_objects)
-- [about\_Properties](https://go.microsoft.com/fwlink/p/?linkid=113249)
+- [about\_Properties](/powershell/module/microsoft.powershell.core/about/about_properties)
-- [about\_While](https://go.microsoft.com/fwlink/p/?linkid=113275)
+- [about\_While](/powershell/module/microsoft.powershell.core/about/about_while)
-- [about\_Scripts](https://go.microsoft.com/fwlink/p/?linkid=144310)
+- [about\_Scripts](/powershell/module/microsoft.powershell.core/about/about_scripts)
-- [about\_Signing](https://go.microsoft.com/fwlink/p/?linkid=113268)
+- [about\_Signing](/powershell/module/microsoft.powershell.core/about/about_signing)
-- [about\_Throw](https://go.microsoft.com/fwlink/p/?linkid=145153)
+- [about\_Throw](/powershell/module/microsoft.powershell.core/about/about_throw)
-- [about\_PSSessions](https://go.microsoft.com/fwlink/p/?linkid=135181)
+- [about\_PSSessions](/powershell/module/microsoft.powershell.core/about/about_pssessions)
-- [about\_Modules](https://go.microsoft.com/fwlink/p/?linkid=144311)
+- [about\_Modules](/powershell/module/microsoft.powershell.core/about/about_modules)
-- [about\_Command\_Precedence](https://go.microsoft.com/fwlink/p/?linkid=113214)
+- [about\_Command\_Precedence](/powershell/module/microsoft.powershell.core/about/about_command_precedence)
-
-
-
-
-
-
+
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
index 81f95a98be..869b04185e 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
@@ -46,17 +46,31 @@ The following video provides an overview of Windows Sandbox.
## Installation
1. Ensure that your machine is using Windows 10 Pro or Enterprise, build version 18305 or later.
+
2. Enable virtualization on the machine.
- If you're using a physical machine, make sure virtualization capabilities are enabled in the BIOS.
- - If you're using a virtual machine, run the following PowerShell command to enable nested virtualization:
**Set-VMProcessor -VMName \
[1803 (RS4)](https://docs.microsoft.com/archive/blogs/secguide/security-baseline-for-windows-10-v1803-redstone-4-draft)
[1709 (RS3)](https://blogs.technet.microsoft.com/secguide/2017/09/27/security-baseline-for-windows-10-fall-creators-update-v1709-draft/)
[1703 (RS2)](https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/)
[1607 (RS1)](https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016/)
[1511 (TH2)](https://blogs.technet.microsoft.com/secguide/2016/01/22/security-baseline-for-windows-10-v1511-threshold-2-final/)
[1507 (TH1)](https://blogs.technet.microsoft.com/secguide/2016/01/22/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update/)| October 2018
March 2018
October 2017
August 2017
October 2016
January 2016
January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-Windows 8.1 |[9600 (April Update)](https://blogs.technet.microsoft.com/secguide/2014/08/13/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final/)| October 2013| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
-Windows 8 |[9200](https://technet.microsoft.com/library/jj916413.aspx) |October 2012| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
-Windows 7 |[7601 (SP1)](https://technet.microsoft.com/library/ee712767.aspx)| October 2009| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
-| Vista |[6002 (SP2)](https://technet.microsoft.com/library/dd450978.aspx)| January 2007| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
-| Windows XP |[2600 (SP3)](https://technet.microsoft.com/library/cc163061.aspx)| October 2001| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
+| Windows 10 | [1809 (October 2018)](/archive/blogs/secguide/security-baseline-draft-for-windows-10-v1809-and-windows-server-2019)
[1803 (RS4)](/archive/blogs/secguide/security-baseline-for-windows-10-v1803-redstone-4-draft)
[1709 (RS3)](/archive/blogs/secguide/security-baseline-for-windows-10-fall-creators-update-v1709-draft)
[1703 (RS2)](/archive/blogs/secguide/security-baseline-for-windows-10-creators-update-v1703-final)
[1607 (RS1)](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016)
[1511 (TH2)](/archive/blogs/secguide/security-baseline-for-windows-10-v1511-threshold-2-final)
[1507 (TH1)](/archive/blogs/secguide/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update)| October 2018
March 2018
October 2017
August 2017
October 2016
January 2016
January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+Windows 8.1 |[9600 (April Update)](/archive/blogs/secguide/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final)| October 2013| [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
+Windows 8 |[9200](/previous-versions/tn-archive/jj916413(v=technet.10)) |October 2012| [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10))|
+Windows 7 |[7601 (SP1)](/previous-versions/tn-archive/ee712767(v=technet.10))| October 2009| [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
+| Vista |[6002 (SP2)](/previous-versions/tn-archive/dd450978(v=technet.10))| January 2007| [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
+| Windows XP |[2600 (SP3)](/previous-versions/tn-archive/cc163061(v=technet.10))| October 2001| [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10))|
@@ -70,13 +70,13 @@ Windows 7 |[7601 (SP1)](https://technet.microsoft.com/library/ee712767.aspx)| Oc
| Name | Build | Baseline Release Date | Security Tools |
|---|---|---|---|
-|Windows Server 2016 | [SecGuide](https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016/) |October 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-|Windows Server 2012 R2|[SecGuide](https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016/)|August 2014 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319)|
-|Windows Server 2012|[Technet](https://technet.microsoft.com/library/jj898542.aspx) |2012| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
-Windows Server 2008 R2 |[SP1](https://technet.microsoft.com/library/gg236605.aspx)|2009 | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
-| Windows Server 2008 |[SP2](https://technet.microsoft.com/library/cc514539.aspx)| 2008 | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
-|Windows Server 2003 R2|[Technet](https://technet.microsoft.com/library/cc163140.aspx)| 2003 | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
-|Windows Server 2003|[Technet](https://technet.microsoft.com/library/cc163140.aspx)|2003|[SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
+|Windows Server 2016 | [SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) |October 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+|Windows Server 2012 R2|[SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016)|August 2014 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319)|
+|Windows Server 2012|[Technet](/previous-versions/tn-archive/jj898542(v=technet.10)) |2012| [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
+Windows Server 2008 R2 |[SP1](/previous-versions/tn-archive/gg236605(v=technet.10))|2009 | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
+| Windows Server 2008 |[SP2](/previous-versions/tn-archive/cc514539(v=technet.10))| 2008 | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
+|Windows Server 2003 R2|[Technet](/previous-versions/tn-archive/cc163140(v=technet.10))| 2003 | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10))|
+|Windows Server 2003|[Technet](/previous-versions/tn-archive/cc163140(v=technet.10))|2003|[SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10))|
@@ -85,14 +85,14 @@ Windows Server 2008 R2 |[SP1](https://technet.microsoft.com/library/gg236605.asp
| Name | Details | Security Tools |
|---------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------|
-| Internet Explorer 11 | [SecGuide](https://blogs.technet.microsoft.com/secguide/2014/08/13/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final/) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-| Internet Explorer 10 | [Technet](https://technet.microsoft.com/library/jj898540.aspx) | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
-| Internet Explorer 9 | [Technet](https://technet.microsoft.com/library/hh539027.aspx) | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
-| Internet Explorer 8 | [Technet](https://technet.microsoft.com/library/ee712766.aspx) | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
-| Exchange Server 2010 | [Technet](https://technet.microsoft.com/library/hh913521.aspx) | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
-| Exchange Server 2007 | [Technet](https://technet.microsoft.com/library/hh913520.aspx) | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
-| Microsoft Office 2010 | [Technet](https://technet.microsoft.com/library/gg288965.aspx) | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
-| Microsoft Office 2007 SP2 | [Technet](https://technet.microsoft.com/library/cc500475.aspx) | [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
+| Internet Explorer 11 | [SecGuide](/archive/blogs/secguide/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+| Internet Explorer 10 | [Technet](/previous-versions/tn-archive/jj898540(v=technet.10)) | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
+| Internet Explorer 9 | [Technet](/previous-versions/tn-archive/hh539027(v=technet.10)) | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
+| Internet Explorer 8 | [Technet](/previous-versions/tn-archive/ee712766(v=technet.10)) | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
+| Exchange Server 2010 | [Technet](/previous-versions/tn-archive/hh913521(v=technet.10)) | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
+| Exchange Server 2007 | [Technet](/previous-versions/tn-archive/hh913520(v=technet.10)) | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
+| Microsoft Office 2010 | [Technet](/previous-versions/tn-archive/gg288965(v=technet.10)) | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
+| Microsoft Office 2007 SP2 | [Technet](/previous-versions/tn-archive/cc500475(v=technet.10)) | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
@@ -101,4 +101,4 @@ Windows Server 2008 R2 |[SP1](https://technet.microsoft.com/library/gg236605.asp
## See also
-[Windows security baselines](windows-security-baselines.md)
+[Windows security baselines](windows-security-baselines.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
index 43cab9aa77..417dd71e21 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
@@ -55,7 +55,7 @@ The Security Compliance Toolkit consists of:
- Local Group Policy Object (LGPO) tool
-You can [download the tools](https://www.microsoft.com/download/details.aspx?id=55319) along with the baselines for the relevant Windows versions. For more details about security baseline recommendations, see the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/).
+You can [download the tools](https://www.microsoft.com/download/details.aspx?id=55319) along with the baselines for the relevant Windows versions. For more details about security baseline recommendations, see the [Microsoft Security Guidance blog](/archive/blogs/secguide/).
## What is the Policy Analyzer tool?
@@ -67,7 +67,7 @@ The Policy Analyzer is a utility for analyzing and comparing sets of Group Polic
Policy Analyzer lets you treat a set of GPOs as a single unit. This makes it easy to determine whether particular settings are duplicated across the GPOs or are set to conflicting values. Policy Analyzer also lets you capture a baseline and then compare it to a snapshot taken at a later time to identify changes anywhere across the set.
-More information on the Policy Analyzer tool can be found on the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2016/01/22/new-tool-policy-analyzer/) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
+More information on the Policy Analyzer tool can be found on the [Microsoft Security Guidance blog](/archive/blogs/secguide/new-tool-policy-analyzer) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
## What is the Local Group Policy Object (LGPO) tool?
@@ -77,4 +77,4 @@ LGPO.exe can import and apply settings from Registry Policy (Registry.pol) files
It can export local policy to a GPO backup.
It can export the contents of a Registry Policy file to the “LGPO text” format that can then be edited, and can build a Registry Policy file from an LGPO text file.
-Documentation for the LGPO tool can be found on the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0/) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
+Documentation for the LGPO tool can be found on the [Microsoft Security Guidance blog](/archive/blogs/secguide/lgpo-exe-local-group-policy-object-utility-v1-0) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md
index 6f6dcedfad..cfb7427cbc 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md
@@ -32,7 +32,7 @@ Even though Windows and Windows Server are designed to be secure out-of-the-box,
We recommend that you implement an industry-standard configuration that is broadly known and well-tested, such as Microsoft security baselines, as opposed to creating a baseline yourself. This helps increase flexibility and reduce costs.
-Here is a good blog about [Sticking with Well-Known and Proven Solutions](https://blogs.technet.microsoft.com/fdcc/2010/10/06/sticking-with-well-known-and-proven-solutions/).
+Here is a good blog about [Sticking with Well-Known and Proven Solutions](/archive/blogs/fdcc/sticking-with-well-known-and-proven-solutions).
## What are security baselines?
@@ -65,7 +65,7 @@ The security baselines are included in the [Security Compliance Toolkit (SCT)](s
## Community
-[](https://blogs.technet.microsoft.com/secguide/)
+[](/archive/blogs/secguide/)
## Related Videos
@@ -74,8 +74,8 @@ You may also be interested in this msdn channel 9 video:
## See Also
-- [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/)
-- [Azure Monitor](https://docs.microsoft.com/azure/azure-monitor/)
-- [Microsoft Security Guidance Blog](https://blogs.technet.microsoft.com/secguide/)
+- [Microsoft Endpoint Configuration Manager](/configmgr/)
+- [Azure Monitor](/azure/azure-monitor/)
+- [Microsoft Security Guidance Blog](/archive/blogs/secguide/)
- [Microsoft Security Compliance Toolkit Download](https://www.microsoft.com/download/details.aspx?id=55319)
-- [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319)
+- [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319)
\ No newline at end of file
diff --git a/windows/threat-protection/docfx.json b/windows/threat-protection/docfx.json
index ad59eb692c..ed96201d45 100644
--- a/windows/threat-protection/docfx.json
+++ b/windows/threat-protection/docfx.json
@@ -50,7 +50,7 @@
"jborsecnik",
"tiburd",
"garycentric"
- ],
+ ]
},
"fileMetadata": {},
"template": [],
diff --git a/windows/update/docfx.json b/windows/update/docfx.json
index 769331235a..10a5192bee 100644
--- a/windows/update/docfx.json
+++ b/windows/update/docfx.json
@@ -44,7 +44,7 @@
"jborsecnik",
"tiburd",
"garycentric"
- ],
+ ]
},
"fileMetadata": {},
"template": [],
diff --git a/windows/whats-new/contribute-to-a-topic.md b/windows/whats-new/contribute-to-a-topic.md
index 8c38cd61c8..1387997652 100644
--- a/windows/whats-new/contribute-to-a-topic.md
+++ b/windows/whats-new/contribute-to-a-topic.md
@@ -21,17 +21,17 @@ You can make suggestions and update existing, public content with just a GitHub
Across the docs.microsoft.com site, if you see **Edit** in the right-hand corner of an article, you can suggest changes to it. You can specifically edit articles in the following libraries:
-- [Windows 10](https://docs.microsoft.com/windows/windows-10)
+- [Windows 10](/windows/windows-10)
- [Windows Server](/windows-server/)
-- [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy)
-- [Surface](https://docs.microsoft.com/surface)
-- [Surface Hub](https://docs.microsoft.com/surface-hub)
-- [HoloLens](https://docs.microsoft.com/hololens)
-- [Microsoft Store](https://docs.microsoft.com/microsoft-store)
-- [Windows 10 for Education](https://docs.microsoft.com/education/windows)
-- [Windows 10 for SMB](https://docs.microsoft.com/windows/smb)
-- [Internet Explorer 11](https://docs.microsoft.com/internet-explorer)
-- [Microsoft Desktop Optimization Pack](https://docs.microsoft.com/microsoft-desktop-optimization-pack)
+- [Microsoft Edge](/microsoft-edge/deploy)
+- [Surface](/surface)
+- [Surface Hub](/surface-hub)
+- [HoloLens](/hololens)
+- [Microsoft Store](/microsoft-store)
+- [Windows 10 for Education](/education/windows)
+- [Windows 10 for SMB](/windows/smb)
+- [Internet Explorer 11](/internet-explorer)
+- [Microsoft Desktop Optimization Pack](/microsoft-desktop-optimization-pack)
**To edit a topic**
@@ -81,4 +81,4 @@ Across the docs.microsoft.com site, if you see **Edit** in the right-hand corner
If you've previously contributed to topics in the Microsoft repositories, congratulations! You've already completed this step.
-Next, the pull request is sent to one of our writers to review your edits for technical and editorial accuracy. If we have any suggestions or questions, we'll add them to the pull request where we can discuss them with you. If we accept your edits, you'll see your changes the next time the article is published.
+Next, the pull request is sent to one of our writers to review your edits for technical and editorial accuracy. If we have any suggestions or questions, we'll add them to the pull request where we can discuss them with you. If we accept your edits, you'll see your changes the next time the article is published.
\ No newline at end of file
diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml
index 20d56ff5c8..ee9d04bd21 100644
--- a/windows/whats-new/index.yml
+++ b/windows/whats-new/index.yml
@@ -45,15 +45,15 @@ landingContent:
- linkListType: overview
links:
- text: Windows 10 release information
- url: https://docs.microsoft.com/en-us/windows/release-health/release-information
+ url: /windows/release-health/release-information
- text: Windows 10 release health dashboard
- url: https://docs.microsoft.com/windows/release-information/
+ url: /windows/release-information/
- text: Windows 10 update history
url: https://support.microsoft.com/topic/windows-10-update-history-7dd3071a-3906-fa2c-c342-f7f86728a6e3
- text: Windows 10 features we’re no longer developing
- url: https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features
+ url: /windows/deployment/planning/windows-10-deprecated-features
- text: Features and functionality removed in Windows 10
- url: https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features
+ url: /windows/deployment/planning/windows-10-removed-features
- text: Compare Windows 10 Editions
url: https://go.microsoft.com/fwlink/p/?LinkId=690485
diff --git a/windows/whats-new/ltsc/TOC.md b/windows/whats-new/ltsc/TOC.md
deleted file mode 100644
index a16525cda0..0000000000
--- a/windows/whats-new/ltsc/TOC.md
+++ /dev/null
@@ -1,4 +0,0 @@
-# [Windows 10 Enterprise LTSC](index.md)
-## [What's new in Windows 10 Enterprise LTSC 2019](whats-new-windows-10-2019.md)
-## [What's new in Windows 10 Enterprise LTSC 2016](whats-new-windows-10-2016.md)
-## [What's new in Windows 10 Enterprise LTSC 2015](whats-new-windows-10-2015.md)
diff --git a/windows/whats-new/ltsc/TOC.yml b/windows/whats-new/ltsc/TOC.yml
new file mode 100644
index 0000000000..aaabcc56ee
--- /dev/null
+++ b/windows/whats-new/ltsc/TOC.yml
@@ -0,0 +1,9 @@
+- name: Windows 10 Enterprise LTSC
+ href: index.md
+ items:
+ - name: What's new in Windows 10 Enterprise LTSC 2019
+ href: whats-new-windows-10-2019.md
+ - name: What's new in Windows 10 Enterprise LTSC 2016
+ href: whats-new-windows-10-2016.md
+ - name: What's new in Windows 10 Enterprise LTSC 2015
+ href: whats-new-windows-10-2015.md
diff --git a/windows/whats-new/ltsc/index.md b/windows/whats-new/ltsc/index.md
index 171020f940..7e088e312d 100644
--- a/windows/whats-new/ltsc/index.md
+++ b/windows/whats-new/ltsc/index.md
@@ -48,5 +48,5 @@ For detailed information about Windows 10 servicing, see [Overview of Windows as
## See Also
-[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
-[Windows 10 - Release information](https://docs.microsoft.com/windows/release-health/release-information): Windows 10 current versions by servicing option.
+[What's New in Windows 10](../index.yml): See what’s new in other versions of Windows 10.
+[Windows 10 - Release information](/windows/release-health/release-information): Windows 10 current versions by servicing option.
\ No newline at end of file
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2015.md b/windows/whats-new/ltsc/whats-new-windows-10-2015.md
index d0408f77d6..cfa7b18595 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2015.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2015.md
@@ -40,9 +40,9 @@ AppLocker was available for Windows 8.1, and is improved with Windows 10. See [R
Enhancements to AppLocker in Windows 10 include:
-- A new parameter was added to the [New-AppLockerPolicy](https://technet.microsoft.com/library/hh847211.aspx) Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this, set the **ServiceEnforcement** to **Enabled**.
-- A new [AppLocker](https://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) configuration service provider was add to allow you to enable AppLocker rules by using an MDM server.
-- You can manage Windows 10 Mobile devices by using the new [AppLocker CSP](https://msdn.microsoft.com/library/windows/hardware/dn920019.aspx).
+- A new parameter was added to the [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy) Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this, set the **ServiceEnforcement** to **Enabled**.
+- A new [AppLocker](/windows/client-management/mdm/applocker-csp) configuration service provider was add to allow you to enable AppLocker rules by using an MDM server.
+- You can manage Windows 10 Mobile devices by using the new [AppLocker CSP](/windows/client-management/mdm/applocker-csp).
[Learn how to manage AppLocker within your organization](/windows/device-security/applocker/applocker-overview).
@@ -50,9 +50,9 @@ Enhancements to AppLocker in Windows 10 include:
Enhancements to AppLocker in Windows 10 include:
-- **Encrypt and recover your device with Azure Active Directory**. In addition to using a Microsoft Account, automatic [Device Encryption](https://technet.microsoft.com/itpro/windows/keep-secure/windows-10-security-guide#device-encryption) can now encrypt your devices that are joined to an Azure Active Directory domain. When the device is encrypted, the BitLocker recovery key is automatically escrowed to Azure Active Directory. This will make it easier to recover your BitLocker key online.
-- **DMA port protection**. You can use the [DataProtection/AllowDirectMemoryAccess](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#dataprotection-allowdirectmemoryaccess) MDM policy to block DMA ports when the device is starting up. Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on.
-- **New Group Policy for configuring pre-boot recovery**. You can now configure the pre-boot recovery message and recover URL that is shown on the pre-boot recovery screen. For more info, see the [Configure pre-boot recovery message and URL](https://technet.microsoft.com/itpro/windows/keep-secure/bitlocker-group-policy-settings#bkmk-configurepreboot) section in "BitLocker Group Policy settings."
+- **Encrypt and recover your device with Azure Active Directory**. In addition to using a Microsoft Account, automatic [Device Encryption](/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10#device-encryption) can now encrypt your devices that are joined to an Azure Active Directory domain. When the device is encrypted, the BitLocker recovery key is automatically escrowed to Azure Active Directory. This will make it easier to recover your BitLocker key online.
+- **DMA port protection**. You can use the [DataProtection/AllowDirectMemoryAccess](/windows/client-management/mdm/policy-configuration-service-provider#dataprotection-allowdirectmemoryaccess) MDM policy to block DMA ports when the device is starting up. Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on.
+- **New Group Policy for configuring pre-boot recovery**. You can now configure the pre-boot recovery message and recover URL that is shown on the pre-boot recovery screen. For more info, see the [Configure pre-boot recovery message and URL](/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#bkmk-configurepreboot) section in "BitLocker Group Policy settings."
[Learn how to deploy and manage BitLocker within your organization](/windows/device-security/bitlocker/bitlocker-overview).
@@ -117,7 +117,7 @@ The logon event ID 4624 has been updated to include more verbose information to
A list of all of the groups in the user's token.
6. **RestrictedAdminMode** String: yes or no
If the user logs into the PC in restricted admin mode with Remote Desktop, this field will be yes.
- For more info on restricted admin mode, see [Restricted Admin mode for RDP](https://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx).
+ For more info on restricted admin mode, see [Restricted Admin mode for RDP](/archive/blogs/kfalde/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2).
#### New fields in the process creation event
@@ -200,7 +200,7 @@ For more info about how manage UAC, see [UAC Group Policy Settings and Registry
In Windows 10, User Account Control has added some improvements:
-- **Integration with the Antimalware Scan Interface (AMSI)**. The [AMSI](https://msdn.microsoft.com/library/windows/desktop/dn889587.aspx) scans all UAC elevation requests for malware. If malware is detected, the admin privilege is blocked.
+- **Integration with the Antimalware Scan Interface (AMSI)**. The [AMSI](/windows/win32/amsi/antimalware-scan-interface-portal) scans all UAC elevation requests for malware. If malware is detected, the admin privilege is blocked.
[Learn how to manage User Account Control within your organization](/windows/access-protection/user-account-control/user-account-control-overview).
@@ -227,7 +227,7 @@ MDM policies for Windows 10 align with the policies supported in Windows 8.1 a
MDM support in Windows 10 is based on [Open Mobile Alliance (OMA)](https://go.microsoft.com/fwlink/p/?LinkId=533885) Device Management (DM) protocol 1.2.1 specification.
-Corporate-owned devices can be enrolled automatically for enterprises using Azure AD. [Reference for Mobile device management for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=533172)
+Corporate-owned devices can be enrolled automatically for enterprises using Azure AD. [Reference for Mobile device management for Windows 10](/windows/client-management/mdm/)
### Unenrollment
@@ -246,7 +246,7 @@ Enterprises have the following identity and management choices.
| Device management | Group Policy; Microsoft Endpoint Configuration Manager; Microsoft Intune; other MDM solutions; Exchange ActiveSync; Windows PowerShell; Windows Management Instrumentation (WMI) |
> **Note**
-With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see [Microsoft Support Lifecycle](https://go.microsoft.com/fwlink/p/?LinkID=613512).
+With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see [Microsoft Support Lifecycle](/lifecycle/).
### Device lockdown
@@ -258,11 +258,11 @@ Do you need a computer that can only do one thing? For example:
- A portable device that drivers can use to check a route on a map.
- A device that a temporary worker uses to enter data.
-You can configure a persistent locked down state to [create a kiosk-type device](https://technet.microsoft.com/itpro/windows/manage/set-up-a-device-for-anyone-to-use). When the locked-down account is logged on, the device displays only the app that you select.
+You can configure a persistent locked down state to [create a kiosk-type device](/windows/configuration/kiosk-methods). When the locked-down account is logged on, the device displays only the app that you select.
-You can also [configure a lockdown state](https://technet.microsoft.com/itpro/windows/manage/lock-down-windows-10-to-specific-apps) that takes effect when a given user account logs on. The lockdown restricts the user to only the apps that you specify.
+You can also [configure a lockdown state](/windows/configuration/lock-down-windows-10-to-specific-apps) that takes effect when a given user account logs on. The lockdown restricts the user to only the apps that you specify.
-Lockdown settings can also be configured for device look and feel, such as a theme or a [custom layout on the Start screen](https://technet.microsoft.com/itpro/windows/manage/windows-10-start-layout-options-and-policies).
+Lockdown settings can also be configured for device look and feel, such as a theme or a [custom layout on the Start screen](/windows/configuration/windows-10-start-layout-options-and-policies).
### Start layout
@@ -274,15 +274,15 @@ Administrators can also use mobile device management (MDM) or Group Policy to di
Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service.
-By using [Group Policy Objects](https://go.microsoft.com/fwlink/p/?LinkId=699279), Windows Update for Business is an easily established and implemented system which enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing:
+By using [Group Policy Objects](/previous-versions/cc498727(v=msdn.10)), Windows Update for Business is an easily established and implemented system which enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing:
- **Deployment and validation groups**; where administrators can specify which devices go first in an update wave, and which devices will come later (to ensure any quality bars are met).
- **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth very efficient.
-- **Use with existing tools** such as Microsoft Endpoint Manager and the [Enterprise Mobility Suite](https://docs.microsoft.com/enterprise-mobility-security).
+- **Use with existing tools** such as Microsoft Endpoint Manager and the [Enterprise Mobility Suite](/enterprise-mobility-security).
-Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](https://technet.microsoft.com/library/hh852345.aspx) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr).
+Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh852345(v=ws.11)) and [Microsoft Endpoint Configuration Manager](/configmgr).
Learn more about [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb).
@@ -295,5 +295,4 @@ Microsoft Edge is not available in the LTSC release of Windows 10.
## See Also
-[Windows 10 Enterprise LTSC](index.md): A description of the LTSC servicing channel with links to information about each release.
-
+[Windows 10 Enterprise LTSC](index.md): A description of the LTSC servicing channel with links to information about each release.
\ No newline at end of file
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2016.md b/windows/whats-new/ltsc/whats-new-windows-10-2016.md
index 3b3891912c..328eca8680 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2016.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2016.md
@@ -34,7 +34,7 @@ Windows ICD now includes simplified workflows for creating provisioning packages
- [Simple provisioning to set up common settings for Active Directory-joined devices](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment)
- [Advanced provisioning to deploy certificates and apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates)
-- [School provisioning to set up classroom devices for Active Directory](https://technet.microsoft.com/edu/windows/set-up-students-pcs-to-join-domain)
+- [School provisioning to set up classroom devices for Active Directory](/education/windows/set-up-students-pcs-to-join-domain)
[Learn more about using provisioning packages in Windows 10.](/windows/configuration/provisioning-packages/provisioning-packages)
@@ -94,7 +94,7 @@ Additional changes for Windows Hello in Windows 10 Enterprise LTSC 2016:
#### New Security auditing features
-- The [WindowsSecurityAuditing](https://go.microsoft.com/fwlink/p/?LinkId=690517) and [Reporting](https://go.microsoft.com/fwlink/p/?LinkId=690525) configuration service providers allow you to add security audit policies to mobile devices.
+- The [WindowsSecurityAuditing](/windows/client-management/mdm/windowssecurityauditing-csp) and [Reporting](/windows/client-management/mdm/reporting-csp) configuration service providers allow you to add security audit policies to mobile devices.
### Trusted Platform Module
@@ -108,10 +108,10 @@ With the increase of employee-owned devices in the enterprise, there’s also an
Windows Information Protection (WIP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps.
-- [Create a Windows Information Protection (WIP) policy](https://technet.microsoft.com/itpro/windows/keep-secure/overview-create-wip-policy)
-- [General guidance and best practices for Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/guidance-and-best-practices-wip)
+- [Create a Windows Information Protection (WIP) policy](/windows/security/information-protection/windows-information-protection/overview-create-wip-policy)
+- [General guidance and best practices for Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip)
-[Learn more about Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip)
+[Learn more about Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip)
### Windows Defender
@@ -134,7 +134,7 @@ With the growing threat from more sophisticated targeted attacks, a new security
- The VPN client can integrate with the Conditional Access Framework, a cloud-based policy engine built into Azure Active Directory, to provide a device compliance option for remote clients.
- The VPN client can integrate with Windows Information Protection (WIP) policy to provide additional security. [Learn more about Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip), previously known as Enterprise Data Protection.
-- New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607)
+- New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [What's new in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew_1607)
- Microsoft Intune: *VPN Profile (Windows 10 Desktop and Mobile and later)* policy template includes support for native VPN plug-ins.
## Management
@@ -149,7 +149,7 @@ Enterprise administrators can add and remove pinned apps from the taskbar. Users
### Mobile device management and configuration service providers (CSPs)
-Numerous settings have been added to the Windows 10 CSPs to expand MDM capabilities for managing devices. To learn more about the specific changes in MDM policies for this version of Windows 10, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607).
+Numerous settings have been added to the Windows 10 CSPs to expand MDM capabilities for managing devices. To learn more about the specific changes in MDM policies for this version of Windows 10, see [What's new in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew_1607).
### Shared PC mode
@@ -175,5 +175,4 @@ With the release of this version of Windows 10, UE-V is included with the Window
## See Also
-[Windows 10 Enterprise LTSC](index.md): A description of the LTSC servicing channel with links to information about each release.
-
+[Windows 10 Enterprise LTSC](index.md): A description of the LTSC servicing channel with links to information about each release.
\ No newline at end of file
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
index 62b6502a5e..b1d44ab68b 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
@@ -36,7 +36,7 @@ The Windows 10 Enterprise LTSC 2019 release is an important release for LTSC use
## Microsoft Intune
-Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. This includes support for features such as [Windows Autopilot](#windows-autopilot). However, note that Windows Update for Business (WUfB) does not currently support any LTSC releases, therefore you should use WSUS or Configuration Manager for patching.
+Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. This includes support for features such as [Windows Autopilot](#windows-autopilot). However, note that Windows 10 Update Rings Device profiles do not support LTSC releases, therefore you should use [Policy configuration service provider](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update), WSUS, or Configuration Manager for patching.
## Security
@@ -58,7 +58,7 @@ Attack surface reduction includes host-based intrusion prevention systems such a
###### Windows Defender Firewall
-Windows Defender Firewall now supports Windows Subsystem for Linux (WSL) processes. You can add specific rules for a WSL process just as you would for any Windows process. Also, Windows Defender Firewall now supports notifications for WSL processes. For example, when a Linux tool wants to allow access to a port from the outside (like SSH or a web server like nginx), Windows Defender Firewall will prompt to allow access just like it would for a Windows process when the port starts accepting connections. This was first introduced in [Build 17627](https://docs.microsoft.com/windows/wsl/release-notes#build-17618-skip-ahead).
+Windows Defender Firewall now supports Windows Subsystem for Linux (WSL) processes. You can add specific rules for a WSL process just as you would for any Windows process. Also, Windows Defender Firewall now supports notifications for WSL processes. For example, when a Linux tool wants to allow access to a port from the outside (like SSH or a web server like nginx), Windows Defender Firewall will prompt to allow access just like it would for a Windows process when the port starts accepting connections. This was first introduced in [Build 17627](/windows/wsl/release-notes#build-17618-skip-ahead).
##### Windows Defender Device Guard
@@ -74,7 +74,7 @@ But these protections can also be configured separately. And, unlike HVCI, code
Endpoint detection and response is improved. Enterprise customers can now take advantage of the entire Windows security stack with Microsoft Defender Antivirus **detections** and Device Guard **blocks** being surfaced in the Microsoft Defender for Endpoint portal.
- Windows Defender is now called Microsoft Defender Antivirus and now shares detection status between M365 services and interoperates with Microsoft Defender for Endpoint. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus).
+ Windows Defender is now called Microsoft Defender Antivirus and now shares detection status between M365 services and interoperates with Microsoft Defender for Endpoint. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus).
We've also [increased the breadth of the documentation library for enterprise security admins](/windows/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10). The new library includes information on:
- [Deploying and enabling AV protection](/windows/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus)
@@ -94,7 +94,7 @@ Endpoint detection and response is improved. Enterprise customers can now take a
**Endpoint detection and response** is also enhanced. New **detection** capabilities include:
- [Use the threat intelligence API to create custom alerts](/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection) - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization.
- - [Custom detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-custom-detections). With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules.
+ - [Custom detection](/windows/security/threat-protection/windows-defender-atp/overview-custom-detections). With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules.
- Improvements on OS memory and kernel sensors to enable detection of attackers who are using in-memory and kernel-level attacks.
- Upgraded detections of ransomware and other advanced attacks.
- Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed.
@@ -105,11 +105,11 @@ Endpoint detection and response is improved. Enterprise customers can now take a
Additional capabilities have been added to help you gain a holistic view on **investigations** include:
-- [Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics) - Threat Analytics is a set of interactive reports published by the Microsoft Defender for Endpoint research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats.
+- [Threat analytics](/windows/security/threat-protection/windows-defender-atp/threat-analytics) - Threat Analytics is a set of interactive reports published by the Microsoft Defender for Endpoint research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats.
-- [Query data using Advanced hunting in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)
+- [Query data using Advanced hunting in Microsoft Defender for Endpoint](/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)
-- [Use Automated investigations to investigate and remediate threats](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection)
+- [Use Automated investigations to investigate and remediate threats](/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection)
- [Investigate a user account](/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection) - Identify user accounts with the most active alerts and investigate cases of potential compromised credentials.
@@ -121,17 +121,17 @@ Other enhanced security features include:
- [Check sensor health state](/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection) - Check an endpoint's ability to provide sensor data and communicate with the Microsoft Defender for Endpoint service and fix known issues.
-- [Managed security service provider (MSSP) support](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection) - Microsoft Defender for Endpoint adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools.
+- [Managed security service provider (MSSP) support](/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection) - Microsoft Defender for Endpoint adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools.
-- [Integration with Azure Defender](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center) - Microsoft Defender for Endpoint integrates with Azure Defender to provide a comprehensive server protection solution. With this integration Azure Defender can leverage the power of Defender for Endpoint to provide improved threat detection for Windows Servers.
+- [Integration with Azure Defender](/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center) - Microsoft Defender for Endpoint integrates with Azure Defender to provide a comprehensive server protection solution. With this integration Azure Defender can leverage the power of Defender for Endpoint to provide improved threat detection for Windows Servers.
-- [Integration with Microsoft Cloud App Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration) - Microsoft Cloud App Security leverages Microsoft Defender for Endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Defender for Endpoint monitored machines.
+- [Integration with Microsoft Cloud App Security](/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration) - Microsoft Cloud App Security leverages Microsoft Defender for Endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Defender for Endpoint monitored machines.
-- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019) - Microsoft Defender for Endpoint now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines.
+- [Onboard Windows Server 2019](/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019) - Microsoft Defender for Endpoint now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines.
-- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection) - Onboard supported versions of Windows machines so that they can send sensor data to the Microsoft Defender for Endpoint sensor.
+- [Onboard previous versions of Windows](/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection) - Onboard supported versions of Windows machines so that they can send sensor data to the Microsoft Defender for Endpoint sensor.
-- [Enable conditional access to better protect users, devices, and data](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection)
+- [Enable conditional access to better protect users, devices, and data](/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection)
We've also added a new assessment for the Windows time service to the **Device performance & health** section. If we detect that your device’s time is not properly synced with our time servers and the time-syncing service is disabled, we’ll provide the option for you to turn it back on.
@@ -141,7 +141,7 @@ This also means you’ll see more links to other security apps within **Windows
You can read more about ransomware mitigations and detection capability at:
- [Averting ransomware epidemics in corporate networks with Microsoft Defender for Endpoint](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/)
-- [Ransomware security intelligence](https://docs.microsoft.com/windows/security/threat-protection/intelligence/ransomware-malware)
+- [Ransomware security intelligence](/windows/security/threat-protection/intelligence/ransomware-malware)
- [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/)
Also see [New capabilities of Microsoft Defender for Endpoint further maximizing the effectiveness and robustness of endpoint security](https://blogs.windows.com/business/2018/04/17/new-capabilities-of-windows-defender-atp-further-maximizing-the-effectiveness-and-robustness-of-endpoint-security/#62FUJ3LuMXLQidVE.97)
@@ -166,13 +166,13 @@ This release enables support for WIP with Files on Demand, allows file encryptio
### BitLocker
-The minimum PIN length is being changed from 6 to 4, with a default of 6. For more information, see [BitLocker Group Policy settings](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-group-policy-settings#bkmk-unlockpol3).
+The minimum PIN length is being changed from 6 to 4, with a default of 6. For more information, see [BitLocker Group Policy settings](/windows/device-security/bitlocker/bitlocker-group-policy-settings#bkmk-unlockpol3).
#### Silent enforcement on fixed drives
Through a Modern Device Management (MDM) policy, BitLocker can be enabled silently for standard Azure Active Directory (AAD) joined users. In Windows 10, version 1803 automatic BitLocker encryption was enabled for standard AAD users, but this still required modern hardware that passed the Hardware Security Test Interface (HSTI). This new functionality enables BitLocker via policy even on devices that don’t pass the HSTI.
-This is an update to the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp), which was introduced in Windows 10, version 1703, and leveraged by Intune and others.
+This is an update to the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp), which was introduced in Windows 10, version 1703, and leveraged by Intune and others.
This feature will soon be enabled on Olympia Corp as an optional feature.
@@ -184,14 +184,14 @@ For example, you can choose the XTS-AES 256 encryption algorithm, and have it ap
To achieve this:
-1. Configure the [encryption method settings](https://docs.microsoft.com/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm.
+1. Configure the [encryption method settings](/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm.
-2. [Assign the policy](https://docs.microsoft.com/intune/device-profile-assign) to your Autopilot device group.
+2. [Assign the policy](/intune/device-profile-assign) to your Autopilot device group.
> [!IMPORTANT]
> The encryption policy must be assigned to **devices** in the group, not users.
-3. Enable the Autopilot [Enrollment Status Page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices.
+3. Enable the Autopilot [Enrollment Status Page](/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices.
> [!IMPORTANT]
> If the ESP is not enabled, the policy will not apply before encryption starts.
@@ -212,7 +212,7 @@ New features in [Windows Hello for Business](/windows/security/identity-protecti
- For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. For more details, check out [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-features#pin-reset).
-[Windows Hello](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in [Kiosk configuration](#kiosk-configuration).
+[Windows Hello](/windows/security/identity-protection/hello-for-business/hello-features) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in [Kiosk configuration](#kiosk-configuration).
- Windows Hello is now [password-less on S-mode](https://www.windowslatest.com/2018/02/12/microsoft-make-windows-10-password-less-platform/).
@@ -222,7 +222,7 @@ New features in [Windows Hello for Business](/windows/security/identity-protecti
- You can set up Windows Hello from lock screen for MSA accounts. We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options.
-- New [public API](https://docs.microsoft.com/uwp/api/windows.security.authentication.web.core.webauthenticationcoremanager.findallaccountsasync#Windows_Security_Authentication_Web_Core_WebAuthenticationCoreManager_FindAllAccountsAsync_Windows_Security_Credentials_WebAccountProvider_) for secondary account SSO for a particular identity provider.
+- New [public API](/uwp/api/windows.security.authentication.web.core.webauthenticationcoremanager.findallaccountsasync#Windows_Security_Authentication_Web_Core_WebAuthenticationCoreManager_FindAllAccountsAsync_Windows_Security_Credentials_WebAccountProvider_) for secondary account SSO for a particular identity provider.
- It is easier to set up Dynamic lock, and WD SC actionable alerts have been added when Dynamic lock stops working (ex: phone Bluetooth is off).
@@ -243,11 +243,11 @@ For more information, see [Credential Guard Security Considerations](/windows/ac
#### Windows security baselines
-Microsoft has released new [Windows security baselines](https://docs.microsoft.com/windows/device-security/windows-security-baselines) for Windows Server and Windows 10. A security baseline is a group of Microsoft-recommended configuration settings with an explanation of their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](https://docs.microsoft.com/windows/device-security/security-compliance-toolkit-10).
+Microsoft has released new [Windows security baselines](/windows/device-security/windows-security-baselines) for Windows Server and Windows 10. A security baseline is a group of Microsoft-recommended configuration settings with an explanation of their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](/windows/device-security/security-compliance-toolkit-10).
-**Windows security baselines** have been updated for Windows 10. A [security baseline](https://docs.microsoft.com/windows/device-security/windows-security-baselines) is a group of Microsoft-recommended configuration settings and explains their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](https://docs.microsoft.com/windows/device-security/security-compliance-toolkit-10).
+**Windows security baselines** have been updated for Windows 10. A [security baseline](/windows/device-security/windows-security-baselines) is a group of Microsoft-recommended configuration settings and explains their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](/windows/device-security/security-compliance-toolkit-10).
-The new [security baseline for Windows 10 version 1803](https://docs.microsoft.com/windows/security/threat-protection/security-compliance-toolkit-10) has been published.
+The new [security baseline for Windows 10 version 1803](/windows/security/threat-protection/security-compliance-toolkit-10) has been published.
#### SMBLoris vulnerability
@@ -274,7 +274,7 @@ A new security policy setting
#### Windows 10 in S mode
-We’ve continued to work on the **Current threats** area in [Virus & threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen:
+We’ve continued to work on the **Current threats** area in [Virus & threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen:
@@ -282,17 +282,17 @@ We’ve continued to work on the **Current threats** area in [Virus & threat pr
### Windows Autopilot
-[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) is a deployment tool introduced with Windows 10, version 1709 and is also available for Windows 10 Enterprise LTSC 2019 (and later versions). Windows Autopilot provides a modern device lifecycle management service powered by the cloud to deliver a zero touch experience for deploying Windows 10.
+[Windows Autopilot](/windows/deployment/windows-autopilot/windows-autopilot) is a deployment tool introduced with Windows 10, version 1709 and is also available for Windows 10 Enterprise LTSC 2019 (and later versions). Windows Autopilot provides a modern device lifecycle management service powered by the cloud to deliver a zero touch experience for deploying Windows 10.
Windows Autopilot is currently available with Surface, Dell, HP, and Lenovo. Other OEM partners such as Panasonic, and Acer will support Autopilot soon. Check the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog) or this article for updated information.
Using Intune, Autopilot now enables locking the device during provisioning during the Windows Out Of Box Experience (OOBE) until policies and settings for the device get provisioned, thereby ensuring that by the time the user gets to the desktop, the device is secured and configured correctly.
-You can also apply an Autopilot deployment profile to your devices using Microsoft Store for Business. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the Autopilot deployment profile you applied to the device. For more information, see [Manage Windows device deployment with Windows Autopilot Deployment](https://docs.microsoft.com/microsoft-store/add-profile-to-devices).
+You can also apply an Autopilot deployment profile to your devices using Microsoft Store for Business. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the Autopilot deployment profile you applied to the device. For more information, see [Manage Windows device deployment with Windows Autopilot Deployment](/microsoft-store/add-profile-to-devices).
#### Autopilot Reset
-IT Pros can use Autopilot Reset to quickly remove personal files, apps, and settings. A custom login screen is available from the lock screen that enables you to apply original settings and management enrollment (Azure Active Directory and device management) so that devices are returned to a fully configured, known, IT-approved state and ready to use. For more information, see [Reset devices with Autopilot Reset](https://docs.microsoft.com/education/windows/autopilot-reset).
+IT Pros can use Autopilot Reset to quickly remove personal files, apps, and settings. A custom login screen is available from the lock screen that enables you to apply original settings and management enrollment (Azure Active Directory and device management) so that devices are returned to a fully configured, known, IT-approved state and ready to use. For more information, see [Reset devices with Autopilot Reset](/education/windows/autopilot-reset).
### MBR2GPT.EXE
@@ -320,7 +320,7 @@ The following new DISM commands have been added to manage feature updates:
- **DISM /Online /Set-OSUninstallWindow**
- Sets the number of days after upgrade during which uninstall can be performed.
-For more information, see [DISM operating system uninstall command-line options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/dism-uninstallos-command-line-options).
+For more information, see [DISM operating system uninstall command-line options](/windows-hardware/manufacture/desktop/dism-uninstallos-command-line-options).
### Windows Setup
@@ -330,13 +330,13 @@ Prerequisites:
- Windows 10, version 1803 or Windows 10 Enterprise LTSC 2019, or later.
- Windows 10 Enterprise or Pro
-For more information, see [Run custom actions during feature update](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions).
+For more information, see [Run custom actions during feature update](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions).
It is also now possible to run a script if the user rolls back their version of Windows using the PostRollback option.
`/PostRollback
-[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
-[What's new in Windows 10, version 1709](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-windows): See what’s new in Windows 10 hardware.
+[What's New in Windows 10](./index.yml): See what’s new in other versions of Windows 10.
+[What's new in Windows 10, version 1709](/windows-hardware/get-started/what-s-new-in-windows): See what’s new in Windows 10 hardware.
[Windows 10 Fall Creators Update Next Generation Security](https://www.youtube.com/watch?v=JDGMNFwyUg8): YouTube video about Microsoft Defender for Endpoint in Windows 10, version 1709.
-[Threat protection on Windows 10](https://docs.microsoft.com/windows/security/threat-protection/):Detects advanced attacks and data breaches, automates security incidents and improves security posture.
-
-
-
+[Threat protection on Windows 10](/windows/security/threat-protection/):Detects advanced attacks and data breaches, automates security incidents and improves security posture.
\ No newline at end of file
diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md
index f18ad34787..38bb41cfbf 100644
--- a/windows/whats-new/whats-new-windows-10-version-1803.md
+++ b/windows/whats-new/whats-new-windows-10-version-1803.md
@@ -20,7 +20,7 @@ ms.topic: article
This article lists new and updated features and content that are of interest to IT Pros for Windows 10 version 1803, also known as the Windows 10 April 2018 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1709.
->If you are not an IT Pro, see the following topics for information about what's new in Windows 10, version 1803 in [hardware](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-windows), for [developers](https://docs.microsoft.com/windows/uwp/whats-new/windows-10-build-17134), and for [consumers](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update).
+>If you are not an IT Pro, see the following topics for information about what's new in Windows 10, version 1803 in [hardware](/windows-hardware/get-started/what-s-new-in-windows), for [developers](/windows/uwp/whats-new/windows-10-build-17134), and for [consumers](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update).
The following 3-minute video summarizes some of the new features that are available for IT Pros in this release.
@@ -30,7 +30,7 @@ The following 3-minute video summarizes some of the new features that are availa
### Windows Autopilot
-[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-10-autopilot) provides a modern device lifecycle management service powered by the cloud that delivers a zero touch experience for deploying Windows 10.
+[Windows Autopilot](/windows/deployment/windows-autopilot/windows-10-autopilot) provides a modern device lifecycle management service powered by the cloud that delivers a zero touch experience for deploying Windows 10.
Using Intune, Autopilot now enables locking the device during provisioning during the Windows Out Of Box Experience (OOBE) until policies and settings for the device get provisioned, thereby ensuring that by the time the user gets to the desktop, the device is secured and configured correctly.
@@ -49,7 +49,7 @@ Some additional information about Windows 10 in S mode:
If you want to switch out of S mode, you will be able to do so at no charge, regardless of edition. Once you switch out of S mode, you cannot switch back.
-For more information, see [Windows 10 Pro/Enterprise in S mode](https://docs.microsoft.com/windows/deployment/windows-10-pro-in-s-mode).
+For more information, see [Windows 10 Pro/Enterprise in S mode](/windows/deployment/windows-10-pro-in-s-mode).
### Windows 10 kiosk and Kiosk Browser
@@ -72,7 +72,7 @@ For more information, see:
With this release, Subscription Activation supports Inherited Activation. Inherited Activation allows Windows 10 virtual machines to inherit activation state from their Windows 10 host.
-For more information, see [Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation#inherited-activation).
+For more information, see [Windows 10 Subscription Activation](/windows/deployment/windows-10-enterprise-subscription-activation#inherited-activation).
### DISM
@@ -87,7 +87,7 @@ The following new DISM commands have been added to manage feature updates:
DISM /Online /Set-OSUninstallWindow
– Sets the number of days after upgrade during which uninstall can be performed.
-For more information, see [DISM operating system uninstall command-line options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/dism-uninstallos-command-line-options).
+For more information, see [DISM operating system uninstall command-line options](/windows-hardware/manufacture/desktop/dism-uninstallos-command-line-options).
### Windows Setup
@@ -97,13 +97,13 @@ Prerequisites:
- Windows 10, version 1803 or later.
- Windows 10 Enterprise or Pro
-For more information, see [Run custom actions during feature update](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions).
+For more information, see [Run custom actions during feature update](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions).
It is also now possible to run a script if the user rolls back their version of Windows using the PostRollback option.
/PostRollback
+- [Threat analytics](/windows/security/threat-protection/windows-defender-atp/threat-analytics)
Threat Analytics is a set of interactive reports published by the Microsoft Defender for Endpoint research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats.
-- [Custom detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-custom-detections)
+- [Custom detection](/windows/security/threat-protection/windows-defender-atp/overview-custom-detections)
With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules.
-- [Managed security service provider (MSSP) support](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection)
+- [Managed security service provider (MSSP) support](/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection)
Microsoft Defender for Endpoint adds support for this scenario by providing MSSP integration.
The integration will allow MSSPs to take the following actions:
Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools.
-- [Integration with Azure Defender](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center)
+- [Integration with Azure Defender](/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center)
Microsoft Defender for Endpoint integrates with Azure Defender to provide a comprehensive server protection solution. With this integration Azure Defender can leverage the power of Microsoft Defender for Endpoint to provide improved threat detection for Windows Servers.
-- [Integration with Microsoft Cloud App Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration)
+- [Integration with Microsoft Cloud App Security](/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration)
Microsoft Cloud App Security leverages Microsoft Defender for Endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Microsoft Defender for Endpoint monitored machines.
-- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019)
+- [Onboard Windows Server 2019](/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019)
Microsoft Defender for Endpoint now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines.
-- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection)
+- [Onboard previous versions of Windows](/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection)
Onboard supported versions of Windows machines so that they can send sensor data to the Microsoft Defender for Endpoint sensor
## Cloud Clipboard
@@ -197,7 +197,7 @@ Microsoft Edge kiosk mode running in multi-app assigned access has two kiosk typ
-Learn more about [Microsoft Edge kiosk mode](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy).
+Learn more about [Microsoft Edge kiosk mode](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy).
## Registry editor improvements
@@ -267,4 +267,4 @@ See the following example:
-
+
\ No newline at end of file
diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md
index fbe745b3a6..805067c0cb 100644
--- a/windows/whats-new/whats-new-windows-10-version-1903.md
+++ b/windows/whats-new/whats-new-windows-10-version-1903.md
@@ -27,23 +27,23 @@ This article lists new and updated features and content that are of interest to
### Windows Autopilot
-[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. The following Windows Autopilot features are available in Windows 10, version 1903 and later:
+[Windows Autopilot](/windows/deployment/windows-autopilot/windows-autopilot) is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. The following Windows Autopilot features are available in Windows 10, version 1903 and later:
-- [Windows Autopilot for white glove deployment](https://docs.microsoft.com/windows/deployment/windows-autopilot/white-glove) is new in this version of Windows. "White glove" deployment enables partners or IT staff to pre-provision devices so they are fully configured and business ready for your users.
-- The Intune [enrollment status page](https://docs.microsoft.com/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions.
-- [Cortana voiceover](https://docs.microsoft.com/windows-hardware/customize/desktop/cortana-voice-support) and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs.
+- [Windows Autopilot for white glove deployment](/windows/deployment/windows-autopilot/white-glove) is new in this version of Windows. "White glove" deployment enables partners or IT staff to pre-provision devices so they are fully configured and business ready for your users.
+- The Intune [enrollment status page](/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions.
+- [Cortana voiceover](/windows-hardware/customize/desktop/cortana-voice-support) and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs.
- Windows Autopilot is self-updating during OOBE. Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE.
-- Windows Autopilot will set the [diagnostics data](https://docs.microsoft.com/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE.
+- Windows Autopilot will set the [diagnostics data](/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE.
### Windows 10 Subscription Activation
Windows 10 Education support has been added to Windows 10 Subscription Activation.
-With Windows 10, version 1903, you can step-up from Windows 10 Pro Education to the enterprise-grade edition for educational institutions – Windows 10 Education. For more information, see [Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-subscription-activation).
+With Windows 10, version 1903, you can step-up from Windows 10 Pro Education to the enterprise-grade edition for educational institutions – Windows 10 Education. For more information, see [Windows 10 Subscription Activation](/windows/deployment/windows-10-subscription-activation).
### SetupDiag
-[SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag) version 1.4.1 is available.
+[SetupDiag](/windows/deployment/upgrade/setupdiag) version 1.4.1 is available.
SetupDiag is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available.
@@ -53,8 +53,8 @@ SetupDiag is a command-line tool that can help diagnose why a Windows 10 update
## Servicing
-- [**Delivery Optimization**](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Microsoft 365 Apps for enterprise updates, and Intune content, with Microsoft Endpoint Manager content coming soon!
-- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically logon as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed.
+- [**Delivery Optimization**](/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Microsoft 365 Apps for enterprise updates, and Intune content, with Microsoft Endpoint Manager content coming soon!
+- [**Automatic Restart Sign-on (ARSO)**](/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically logon as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed.
- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally.
- **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again.
@@ -66,7 +66,7 @@ SetupDiag is a command-line tool that can help diagnose why a Windows 10 update
### Windows Information Protection
-With this release, Microsoft Defender for Endpoint extends discovery and protection of sensitive information with [Auto Labeling](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels#how-wip-protects-automatically-classified-files).
+With this release, Microsoft Defender for Endpoint extends discovery and protection of sensitive information with [Auto Labeling](/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels#how-wip-protects-automatically-classified-files).
### Security configuration framework
@@ -74,16 +74,16 @@ With this release of Windows 10, Microsoft is introducing a [new taxonomy for se
### Security baseline for Windows 10 and Windows Server
-The draft release of the [security configuration baseline settings](https://blogs.technet.microsoft.com/secguide/2019/04/24/security-baseline-draft-for-windows-10-v1903-and-windows-server-v1903/) for Windows 10, version 1903 and for Windows Server version 1903 is available.
+The draft release of the [security configuration baseline settings](/archive/blogs/secguide/security-baseline-draft-for-windows-10-v1903-and-windows-server-v1903) for Windows 10, version 1903 and for Windows Server version 1903 is available.
### Intune security baselines
-[Intune Security Baselines](https://docs.microsoft.com/intune/security-baselines) (Preview): Now includes many settings supported by Intune that you can use to help secure and protect your users and devices. You can automatically set these settings to values recommended by security teams.
+[Intune Security Baselines](/intune/security-baselines) (Preview): Now includes many settings supported by Intune that you can use to help secure and protect your users and devices. You can automatically set these settings to values recommended by security teams.
### Microsoft Defender for Endpoint
-- [Attack surface area reduction](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) – IT admins can configure devices with advanced web protection that enables them to define allow and deny lists for specific URL’s and IP addresses.
-- [Next generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) – Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage.
+- [Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) – IT admins can configure devices with advanced web protection that enables them to define allow and deny lists for specific URL’s and IP addresses.
+- [Next generation protection](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) – Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage.
- Integrity enforcement capabilities – Enable remote runtime attestation of Windows 10 platform.
- Tamper-proofing capabilities – Uses virtualization-based security to isolate critical Microsoft Defender for Endpoint security capabilities away from the OS and attackers.
- [Platform support](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114) – In addition to Windows 10, Microsoft Defender for Endpoint’s functionality has been extended to support Windows 7 and Windows 8.1 clients, as well as macOS, Linux, and Windows Server with both its Endpoint Detection (EDR) and Endpoint Protection Platform (EPP) capabilities.
@@ -100,7 +100,7 @@ The draft release of the [security configuration baseline settings](https://blog
- [Windows Sandbox](https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849): Isolated desktop environment where you can run untrusted software without the fear of lasting impact to your device.
- [Microphone privacy settings](https://support.microsoft.com/en-us/help/4468232/windows-10-camera-microphone-and-privacy-microsoft-privacy): A microphone icon appears in the notification area letting you see which apps are using your microphone.
-- [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements:
+- [Windows Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements:
- Standalone users can install and configure their Windows Defender Application Guard settings without needing to change Registry key settings. Enterprise users can check their settings to see what their administrators have configured for their machines to better understand the behavior.
- WDAG is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend WDAG’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the WDAG extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigations to the WDAG Edge browser. There is also a companion app to enable this feature in the Microsoft Store. Users can quickly launch WDAG from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates.
@@ -113,15 +113,15 @@ The draft release of the [security configuration baseline settings](https://blog
- WDAG allows dynamic navigation: Application Guard now allows users to navigate back to their default host browser from the WDAG Microsoft Edge. Previously, users browsing in WDAG Edge would see an error page when they try to go to a trusted site within the container browser. With this new feature, users will automatically be redirected to their host default browser when they enter or click on a trusted site in WDAG Edge. This feature is also available in Windows 10, version 1803 or later with the latest updates.
-- [Windows Defender Application Control (WDAC)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903 WDAC has a number of new features that light up key scenarios and provide feature parity with AppLocker.
- - [Multiple Policies](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): WDAC now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side-by-side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new ‘supplemental’ policy.
- - [Path-Based Rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, WDAC has an option that allows admins to enforce at runtime that only code from paths that are not user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files will be checked for write permissions for non-known admins. If a file is found to be user writeable, the executable is blocked from running unless it is authorized by something other than a path rule like a signer or hash rule.
+- [Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903 WDAC has a number of new features that light up key scenarios and provide feature parity with AppLocker.
+ - [Multiple Policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): WDAC now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side-by-side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new ‘supplemental’ policy.
+ - [Path-Based Rules](/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, WDAC has an option that allows admins to enforce at runtime that only code from paths that are not user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files will be checked for write permissions for non-known admins. If a file is found to be user writeable, the executable is blocked from running unless it is authorized by something other than a path rule like a signer or hash rule.
This brings WDAC to functionality parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time, which is a capability that is not available with AppLocker.
- - [Allow COM Object Registration](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy): Previously, WDAC enforced a built-in allow list for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy.
+ - [Allow COM Object Registration](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy): Previously, WDAC enforced a built-in allow list for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy.
#### System Guard
-[System Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) has added a new feature in this version of Windows called **SMM Firmware Measurement**. This feature is built on top of [System Guard Secure Launch](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) to check that the System Management Mode (SMM) firmware on the device is operating in a healthy manner - specifically, OS memory and secrets are protected from SMM. There are currently no devices out there with compatible hardware, but they will be coming out in the next few months.
+[System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) has added a new feature in this version of Windows called **SMM Firmware Measurement**. This feature is built on top of [System Guard Secure Launch](/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) to check that the System Management Mode (SMM) firmware on the device is operating in a healthy manner - specifically, OS memory and secrets are protected from SMM. There are currently no devices out there with compatible hardware, but they will be coming out in the next few months.
This new feature is displayed under the Device Security page with the string “Your device exceeds the requirements for enhanced hardware security” if configured properly:
@@ -130,15 +130,15 @@ This new feature is displayed under the Device Security page with the string “
### Identity Protection
- [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less login for websites supporting FIDO2 authentication, such as Microsoft account and Azure AD.
-- [Streamlined Windows Hello PIN reset experience](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience): Microsoft account users have a revamped Windows Hello PIN reset experience with the same look and feel as signing in on the web.
-- Sign-in with [Password-less](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/passwordless-strategy) Microsoft accounts: Sign in to Windows 10 with a phone number account. Then use Windows Hello for an even easier sign-in experience!
-- [Remote Desktop with Biometrics](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features#remote-desktop-with-biometrics): Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session.
+- [Streamlined Windows Hello PIN reset experience](/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience): Microsoft account users have a revamped Windows Hello PIN reset experience with the same look and feel as signing in on the web.
+- Sign-in with [Password-less](/windows/security/identity-protection/hello-for-business/passwordless-strategy) Microsoft accounts: Sign in to Windows 10 with a phone number account. Then use Windows Hello for an even easier sign-in experience!
+- [Remote Desktop with Biometrics](/windows/security/identity-protection/hello-for-business/hello-features#remote-desktop-with-biometrics): Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session.
### Security management
- [Windows Defender Firewall now supports Windows Subsystem for Linux (WSL)](https://blogs.windows.com/windowsexperience/2018/04/19/announcing-windows-10-insider-preview-build-17650-for-skip-ahead/#II14f7VlSBcZ0Gs4.97): Lets you add rules for WSL process, just like for Windows processes.
-- [Windows Security app](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center) improvements now include Protection history, including detailed and easier to understand information about threats and available actions, Controlled Folder Access blocks are now in the Protection history, Windows Defender Offline Scanning tool actions, and any pending recommendations.
-- [Tamper Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection) lets you prevent others from tampering with important security features.
+- [Windows Security app](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center) improvements now include Protection history, including detailed and easier to understand information about threats and available actions, Controlled Folder Access blocks are now in the Protection history, Windows Defender Offline Scanning tool actions, and any pending recommendations.
+- [Tamper Protection](/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection) lets you prevent others from tampering with important security features.
## Microsoft Edge
@@ -146,8 +146,8 @@ Several new features are coming in the next version of Edge. See the [news from
## See Also
-[What's New in Windows Server, version 1903](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1903): New and updated features in Windows Server.
+[What's New in Windows Server, version 1903](/windows-server/get-started/whats-new-in-windows-server-1903): New and updated features in Windows Server.
[Windows 10 Features](https://www.microsoft.com/windows/features): Review general information about Windows 10 features.
-[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
-[What's new in Windows 10](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-windows): See what’s new in Windows 10 hardware.
-[What's new in Windows 10 for developers](https://blogs.windows.com/buildingapps/2019/04/18/start-developing-on-windows-10-may-2019-update-today/#2Lp8FUFQ3Jm8KVcq.97): New and updated features in Windows 10 that are of interest to developers.
+[What's New in Windows 10](./index.yml): See what’s new in other versions of Windows 10.
+[What's new in Windows 10](/windows-hardware/get-started/what-s-new-in-windows): See what’s new in Windows 10 hardware.
+[What's new in Windows 10 for developers](https://blogs.windows.com/buildingapps/2019/04/18/start-developing-on-windows-10-may-2019-update-today/#2Lp8FUFQ3Jm8KVcq.97): New and updated features in Windows 10 that are of interest to developers.
\ No newline at end of file
diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md
index 7b71eef3d5..06ab700d68 100644
--- a/windows/whats-new/whats-new-windows-10-version-1909.md
+++ b/windows/whats-new/whats-new-windows-10-version-1909.md
@@ -44,7 +44,7 @@ If you are using WUfB, you will receive the Windows 10, version 1909 update in t
### Windows Defender Credential Guard
-[Windows Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard) is now available for ARM64 devices, for additional protection against credential theft for enterprises deploying ARM64 devices in their organizations, such as Surface Pro X.
+[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard) is now available for ARM64 devices, for additional protection against credential theft for enterprises deploying ARM64 devices in their organizations, such as Surface Pro X.
### Microsoft BitLocker
@@ -66,7 +66,7 @@ An experimental implementation of TLS 1.3 is included in Windows 10, version 190
## Windows Virtual Desktop
-[Windows Virtual Desktop](https://docs.microsoft.com/azure/virtual-desktop/overview) (WVD) is now generally available globally!
+[Windows Virtual Desktop](/azure/virtual-desktop/overview) (WVD) is now generally available globally!
Windows Virtual Desktop is a comprehensive desktop and app virtualization service running in the cloud. It’s the only virtual desktop infrastructure (VDI) that delivers simplified management, multi-session Windows 10, optimizations for Microsoft 365 Apps for enterprise, and support for Remote Desktop Services (RDS) environments. Deploy and scale your Windows desktops and apps on Azure in minutes, and get built-in security and compliance features. Windows Virtual Desktop requires a Microsoft E3 or E5 license, or a Microsoft 365 E3 or E5 license, as well as an Azure tenant.
@@ -74,25 +74,25 @@ Windows Virtual Desktop is a comprehensive desktop and app virtualization servic
#### Microsoft Endpoint Manager
-Configuration Manager, Intune, Desktop Analytics, Co-Management, and Device Management Admin Console are now [Microsoft Endpoint Manager](https://docs.microsoft.com/configmgr/). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/). Also see [Modern management and security principles driving our Microsoft Endpoint Manager vision](https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Modern-management-and-security-principles-driving-our-Microsoft/ba-p/946797).
+Configuration Manager, Intune, Desktop Analytics, Co-Management, and Device Management Admin Console are now [Microsoft Endpoint Manager](/configmgr/). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/). Also see [Modern management and security principles driving our Microsoft Endpoint Manager vision](https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Modern-management-and-security-principles-driving-our-Microsoft/ba-p/946797).
### Windows 10 Pro and Enterprise in S mode
- You can now deploy and run traditional Win32 (desktop) apps without leaving the security of S mode by configuring the Windows 10 in S mode policy to support Win32 apps, and deploy them with Mobile Device Management (MDM) software such as Microsoft Intune. For more information, see [Allow Line-of-Business Win32 Apps on Intune-Managed S Mode Devices](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/lob-win32-apps-on-s).
+ You can now deploy and run traditional Win32 (desktop) apps without leaving the security of S mode by configuring the Windows 10 in S mode policy to support Win32 apps, and deploy them with Mobile Device Management (MDM) software such as Microsoft Intune. For more information, see [Allow Line-of-Business Win32 Apps on Intune-Managed S Mode Devices](/windows/security/threat-protection/windows-defender-application-control/lob-win32-apps-on-s).
### SetupDiag
-[SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag) version 1.6.0.42 is available.
+[SetupDiag](/windows/deployment/upgrade/setupdiag) version 1.6.0.42 is available.
SetupDiag is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. .
### Windows Assessment and Deployment Toolkit (ADK)
-A new [Windows ADK](https://docs.microsoft.com/windows-hardware/get-started/adk-install) will **not be released** for Windows 10, version 1909. You can use the Windows ADK for Windows 10, version 1903 to deploy Windows 10, version 1909.
+A new [Windows ADK](/windows-hardware/get-started/adk-install) will **not be released** for Windows 10, version 1909. You can use the Windows ADK for Windows 10, version 1903 to deploy Windows 10, version 1909.
## Desktop Analytics
-[Desktop Analytics](https://docs.microsoft.com/configmgr/desktop-analytics/overview) is now generally available globally! Desktop Analytics is a cloud-connected service, integrated with Configuration Manager, which gives you data-driven insights to the management of your Windows endpoints. It provides insight and intelligence that you can use to make more informed decisions about the update readiness of your Windows endpoints. Desktop Analytics requires a Windows E3 or E5 license, or a Microsoft 365 E3 or E5 license.
+[Desktop Analytics](/configmgr/desktop-analytics/overview) is now generally available globally! Desktop Analytics is a cloud-connected service, integrated with Configuration Manager, which gives you data-driven insights to the management of your Windows endpoints. It provides insight and intelligence that you can use to make more informed decisions about the update readiness of your Windows endpoints. Desktop Analytics requires a Windows E3 or E5 license, or a Microsoft 365 E3 or E5 license.
## Microsoft Connected Cache
@@ -106,7 +106,7 @@ This release adds the ability for Narrator and other assistive technologies to r
### Requirements
-[Windows Processor Requirements](https://docs.microsoft.com/windows-hardware/design/minimum/windows-processor-requirements) have been updated for this version of Windows.
+[Windows Processor Requirements](/windows-hardware/design/minimum/windows-processor-requirements) have been updated for this version of Windows.
### Favored CPU Core Optimization
@@ -126,12 +126,12 @@ General battery life and power efficiency improvements for PCs with certain proc
## See Also
-[What's New in Windows Server](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.
+[What's New in Windows Server](/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.
[Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.
-[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
+[What's New in Windows 10](./index.yml): See what’s new in other versions of Windows 10.
[What Windows 10, version 1909 Means for Developers](https://blogs.windows.com/windowsdeveloper/2019/10/16/what-windows-10-version-1909-means-for-developers/): New and updated features in Windows 10 that are of interest to developers.
-[Features and functionality removed in Windows 10](https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features): Removed features.
-[Windows 10 features we’re no longer developing](https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.
+[Features and functionality removed in Windows 10](/windows/deployment/planning/windows-10-removed-features): Removed features.
+[Windows 10 features we’re no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.
[How to get the Windows 10 November 2019 Update](https://aka.ms/how-to-get-1909): John Cable blog.
[How to get Windows 10, Version 1909: Enablement Mechanics](https://aka.ms/1909mechanics): Mechanics blog.
-[What’s new for IT pros in Windows 10, version 1909](https://aka.ms/whats-new-in-1909): Windows IT Pro blog.
+[What’s new for IT pros in Windows 10, version 1909](https://aka.ms/whats-new-in-1909): Windows IT Pro blog.
\ No newline at end of file
diff --git a/windows/whats-new/whats-new-windows-10-version-2004.md b/windows/whats-new/whats-new-windows-10-version-2004.md
index 6e7a63e0fe..ac0d4984f2 100644
--- a/windows/whats-new/whats-new-windows-10-version-2004.md
+++ b/windows/whats-new/whats-new-windows-10-version-2004.md
@@ -33,13 +33,13 @@ To download and install Windows 10, version 2004, use Windows Update (**Settings
- You can now enable passwordless sign-in for Microsoft accounts on your Windows 10 device by going to **Settings > Accounts > Sign-in options**, and selecting **On** under **Make your device passwordless**. Enabling passwordless sign in will switch all Microsoft accounts on your Windows 10 device to modern authentication with Windows Hello Face, Fingerprint, or PIN.
-- Windows Hello PIN sign-in support is [added to Safe mode](https://docs.microsoft.com/windows-insider/archive/new-in-20H1#windows-hello-pin-in-safe-mode-build-18995).
+- Windows Hello PIN sign-in support is [added to Safe mode](/windows-insider/archive/new-in-20H1#windows-hello-pin-in-safe-mode-build-18995).
-- Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (MSA). FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894).
+- Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (MSA). FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894).
### Windows Defender System Guard
-In this release, [Windows Defender System Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) enables an even *higher* level of [System Management Mode](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows#system-management-mode-smm-protection) (SMM) Firmware Protection that goes beyond checking the OS memory and secrets to additional resources like registers and IO.
+In this release, [Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) enables an even *higher* level of [System Management Mode](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows#system-management-mode-smm-protection) (SMM) Firmware Protection that goes beyond checking the OS memory and secrets to additional resources like registers and IO.
With this improvement, the OS can detect a higher level of SMM compliance, enabling devices to be even more hardened against SMM exploits and vulnerabilities. This feature is forward-looking and currently requires new hardware available soon.
@@ -47,7 +47,7 @@ With this improvement, the OS can detect a higher level of SMM compliance, enabl
### Windows Defender Application Guard
-[Windows Defender Application Guard](https://docs.microsoft.com/deployedge/microsoft-edge-security-windows-defender-application-guard) has been available for Chromium-based Edge since early 2020.
+[Windows Defender Application Guard](/deployedge/microsoft-edge-security-windows-defender-application-guard) has been available for Chromium-based Edge since early 2020.
Note: [Application Guard for Office](https://support.office.com/article/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46) is coming soon.
@@ -55,7 +55,7 @@ Note: [Application Guard for Office](https://support.office.com/article/applicat
### Windows Setup
-Windows Setup [answer files](https://docs.microsoft.com/windows-hardware/manufacture/desktop/update-windows-settings-and-scripts-create-your-own-answer-file-sxs) (unattend.xml) have [improved language handling](https://oofhours.com/2020/06/01/new-in-windows-10-2004-better-language-handling/).
+Windows Setup [answer files](/windows-hardware/manufacture/desktop/update-windows-settings-and-scripts-create-your-own-answer-file-sxs) (unattend.xml) have [improved language handling](https://oofhours.com/2020/06/01/new-in-windows-10-2004-better-language-handling/).
Improvements in Windows Setup with this release also include:
- Reduced offline time during feature updates
@@ -69,13 +69,13 @@ For more information, see Windows Setup enhancements in the [Windows IT Pro Blog
In Windows 10, version 2004, SetupDiag is now automatically installed.
-[SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues.
+[SetupDiag](/windows/deployment/upgrade/setupdiag) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues.
During the upgrade process, Windows Setup will extract all its sources files to the **%SystemDrive%\$Windows.~bt\Sources** directory. With Windows 10, version 2004 and later, Windows Setup now also installs SetupDiag.exe to this directory. If there is an issue with the upgrade, SetupDiag is automatically run to determine the cause of the failure. If the upgrade process proceeds normally, this directory is moved under %SystemDrive%\Windows.Old for cleanup.
### Windows Autopilot
-With this release, you can configure [Windows Autopilot user-driven](https://docs.microsoft.com/windows/deployment/windows-autopilot/user-driven) Hybrid Azure Active Directory join with VPN support. This support is also backported to Windows 10, version 1909 and 1903.
+With this release, you can configure [Windows Autopilot user-driven](/windows/deployment/windows-autopilot/user-driven) Hybrid Azure Active Directory join with VPN support. This support is also backported to Windows 10, version 1909 and 1903.
If you configure the language settings in the Autopilot profile and the device is connected to Ethernet, all scenarios will now skip the language, locale, and keyboard pages. In previous versions, this was only supported with self-deploying profiles.
@@ -83,19 +83,19 @@ If you configure the language settings in the Autopilot profile and the device i
An in-place upgrade wizard is available in Configuration Manager. For more information, see [Simplifying Windows 10 deployment with Configuration Manager](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-windows-10-deployment-with-configuration-manager/ba-p/1214364).
-Also see [What's new in Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/whats-new).
+Also see [What's new in Microsoft Intune](/mem/intune/fundamentals/whats-new).
### Windows Assessment and Deployment Toolkit (ADK)
-Download the Windows ADK and Windows PE add-on for Windows 10, version 2004 here: [Download and install the Windows ADK](https://docs.microsoft.com/windows-hardware/get-started/adk-install).
+Download the Windows ADK and Windows PE add-on for Windows 10, version 2004 here: [Download and install the Windows ADK](/windows-hardware/get-started/adk-install).
-For information about what's new in the ADK, see [What's new in the Windows ADK for Windows 10, version 2004](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-2004).
+For information about what's new in the ADK, see [What's new in the Windows ADK for Windows 10, version 2004](/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-2004).
### Microsoft Deployment Toolkit (MDT)
MDT version 8456 supports Windows 10, version 2004, but there is currently an issue that causes MDT to incorrectly detect that UEFI is present. There is an [update available](https://support.microsoft.com/help/4564442/windows-10-deployments-fail-with-microsoft-deployment-toolkit) for MDT to address this issue.
-For the latest information about MDT, see the [MDT release notes](https://docs.microsoft.com/mem/configmgr/mdt/release-notes).
+For the latest information about MDT, see the [MDT release notes](/mem/configmgr/mdt/release-notes).
## Servicing
@@ -108,10 +108,10 @@ Windows PowerShell cmdlets have been improved:
- **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to assist in troubleshooting.
Additional improvements:
-- Enterprise network [throttling is enhanced](https://docs.microsoft.com/windows-insider/archive/new-in-20H1#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling.
+- Enterprise network [throttling is enhanced](/windows-insider/archive/new-in-20H1#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling.
- Automatic cloud-based congestion detection is available for PCs with cloud service support.
-The following [Delivery Optimization](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization) policies are removed in this release:
+The following [Delivery Optimization](/windows/deployment/update/waas-delivery-optimization) policies are removed in this release:
- Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth)
- Reason: Replaced with separate policies for foreground and background.
@@ -122,7 +122,7 @@ The following [Delivery Optimization](https://docs.microsoft.com/windows/deploym
### Windows Update for Business
-[Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb) enhancements in this release include:
+[Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb) enhancements in this release include:
- Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy.
@@ -138,7 +138,7 @@ Windows now supports the latest Wi-Fi standards with [Wi-Fi 6 and WPA3](https://
### TEAP
-In this release, Tunnel Extensible Authentication Protocol (TEAP) has been added as an authentication method to allow chaining together multiple credentials into a single EAP transaction. TEAP networks can be configured by [enterprise policy](https://docs.microsoft.com/openspecs/windows_protocols/ms-gpwl/94cf6896-c28e-4865-b12a-d83ee38cd3ea).
+In this release, Tunnel Extensible Authentication Protocol (TEAP) has been added as an authentication method to allow chaining together multiple credentials into a single EAP transaction. TEAP networks can be configured by [enterprise policy](/openspecs/windows_protocols/ms-gpwl/94cf6896-c28e-4865-b12a-d83ee38cd3ea).
## Virtualization
@@ -146,7 +146,7 @@ In this release, Tunnel Extensible Authentication Protocol (TEAP) has been added
[Windows Sandbox](https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849) is an isolated desktop environment where you can install software without the fear of lasting impact to your device. This feature was released with Windows 10, version 1903. Windows 10, version 2004 includes bug fixes and enables even more control over configuration.
-[Windows Sandbox configuration](https://docs.microsoft.com/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file) includes:
+[Windows Sandbox configuration](/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file) includes:
- MappedFolders now supports a destination folder. Previously no destination could be specified, it was always mapped to the Sandbox desktop.
- AudioInput/VideoInput settings now enable you to share their host microphone or webcam with the Sandbox.
- ProtectedClient is a new security setting that runs the connection to the Sandbox with extra security settings enabled. This is disabled by default due to issues with copy & paste.
@@ -166,13 +166,13 @@ Windows Sandbox also has improved accessibility in this release, including:
With this release, memory that is no longer in use in a Linux VM will be freed back to Windows. Previously, a WSL VM's memory could grow, but would not shrink when no longer needed.
-[WSL2](https://docs.microsoft.com/windows/wsl/wsl2-index) support has been added for ARM64 devices if your device supports virtualization.
+[WSL2](/windows/wsl/wsl2-index) support has been added for ARM64 devices if your device supports virtualization.
-For a full list of updates to WSL, see the [WSL release notes](https://docs.microsoft.com/windows/wsl/release-notes).
+For a full list of updates to WSL, see the [WSL release notes](/windows/wsl/release-notes).
### Windows Virtual Desktop (WVD)
-Windows 10 is an integral part of WVD, and several enhancements are available in the Spring 2020 update. Check out [Windows Virtual Desktop documentation](https://aka.ms/wvdgetstarted) for the latest and greatest information, as well as the [WVD Virtual Event from March](https://aka.ms/wvdvirtualevent).
+Windows 10 is an integral part of WVD, and several enhancements are available in the Spring 2020 update. Check out [Windows Virtual Desktop documentation](/azure/virtual-desktop/) for the latest and greatest information, as well as the [WVD Virtual Event from March](https://aka.ms/wvdvirtualevent).
## Microsoft Edge
@@ -182,7 +182,7 @@ Also see information about the exciting new Edge browser [here](https://blogs.wi
## Application settings
-This release enables explicit [Control over restarting apps at sign-in (Build 18965)](https://docs.microsoft.com/windows-insider/archive/new-in-20H1#control-over-restarting-apps-at-sign-in-build-18965) that were open when you restart your PC.
+This release enables explicit [Control over restarting apps at sign-in (Build 18965)](/windows-insider/archive/new-in-20H1#control-over-restarting-apps-at-sign-in-build-18965) that were open when you restart your PC.
## Windows Shell
@@ -196,7 +196,7 @@ Several enhancements to the Windows 10 user interface are implemented in this re
- In the coming months, with regular app updates through the Microsoft Store, we’ll enhance this experience to support wake word invocation and enable listening when you say “Cortana,” offer more productivity capabilities such as surfacing relevant emails and documents to help you prepare for meetings, and expand supported capabilities for international users.
-- Security: tightened access to Cortana so that you must be securely logged in with your work or school account or your Microsoft account before using Cortana. Because of this tightened access, some consumer skills including music, connected home, and third-party skills will no longer be available. Additionally, users [get cloud-based assistance services that meet Office 365’s enterprise-level privacy, security, and compliance promises](https://docs.microsoft.com/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide) as set out in the Online Services Terms.
+- Security: tightened access to Cortana so that you must be securely logged in with your work or school account or your Microsoft account before using Cortana. Because of this tightened access, some consumer skills including music, connected home, and third-party skills will no longer be available. Additionally, users [get cloud-based assistance services that meet Office 365’s enterprise-level privacy, security, and compliance promises](/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide) as set out in the Online Services Terms.
- Move the Cortana window: drag the Cortana window to a more convenient location on your desktop.
@@ -208,21 +208,21 @@ Windows Search is improved in several ways. For more information, see [Superchar
### Virtual Desktops
-There is a new [Update on Virtual Desktop renaming (Build 18975)](https://docs.microsoft.com/windows-insider/archive/new-in-20H1#update-on-virtual-desktop-renaming-build-18975), where, instead of getting stuck with the system-issued names like Desktop 1, you can now rename your virtual desktops more freely.
+There is a new [Update on Virtual Desktop renaming (Build 18975)](/windows-insider/archive/new-in-20H1#update-on-virtual-desktop-renaming-build-18975), where, instead of getting stuck with the system-issued names like Desktop 1, you can now rename your virtual desktops more freely.
### Bluetooth pairing
-Pairing Bluetooth devices with your computer will occur through notifications, so you won't need to go to the Settings app to finish pairing. Other improvements include faster pairing and device name display. For more information, see [Improving your Bluetooth pairing experience](https://docs.microsoft.com/windows-insider/archive/new-in-20h1#improving-your-bluetooth-pairing-experience-build-18985).
+Pairing Bluetooth devices with your computer will occur through notifications, so you won't need to go to the Settings app to finish pairing. Other improvements include faster pairing and device name display. For more information, see [Improving your Bluetooth pairing experience](/windows-insider/archive/new-in-20h1#improving-your-bluetooth-pairing-experience-build-18985).
### Reset this PC
-The 'reset this PC' recovery function now includes a [cloud download](https://docs.microsoft.com/windows-insider/archive/new-in-20H1#reset-your-pc-from-the-cloud-build-18970) option.
+The 'reset this PC' recovery function now includes a [cloud download](/windows-insider/archive/new-in-20H1#reset-your-pc-from-the-cloud-build-18970) option.
### Task Manager
The following items are added to Task Manager in this release:
- GPU Temperature is available on the Performance tab for devices with a dedicated GPU card.
-- Disk type is now [listed for each disk on the Performance tab](https://docs.microsoft.com/windows-insider/archive/new-in-20H1#disk-type-now-visible-in-task-manager-performance-tab-build-18898).
+- Disk type is now [listed for each disk on the Performance tab](/windows-insider/archive/new-in-20H1#disk-type-now-visible-in-task-manager-performance-tab-build-18898).
## Graphics & display
@@ -232,7 +232,7 @@ The following items are added to Task Manager in this release:
### 2-in-1 PCs
-See [Introducing a new tablet experience for 2-in-1 convertible PCs! (Build 18970)](https://docs.microsoft.com/windows-insider/archive/new-in-20H1#introducing-a-new-tablet-experience-for-2-in-1-convertible-pcs-build-18970) for details on a new tablet experience for two-in-one convertible PCs that is now available. The screen will be optimized for touch when you detach your two-in-one's keyboard, but you'll still keep the familiar look of your desktop without interruption.
+See [Introducing a new tablet experience for 2-in-1 convertible PCs! (Build 18970)](/windows-insider/archive/new-in-20H1#introducing-a-new-tablet-experience-for-2-in-1-convertible-pcs-build-18970) for details on a new tablet experience for two-in-one convertible PCs that is now available. The screen will be optimized for touch when you detach your two-in-one's keyboard, but you'll still keep the familiar look of your desktop without interruption.
### Specialized displays
@@ -250,19 +250,19 @@ To prevent Windows from using a display, choose Settings > Display and click Adv
## Desktop Analytics
-[Desktop Analytics](https://docs.microsoft.com/configmgr/desktop-analytics/overview) is a cloud-connected service, integrated with Configuration Manager that provides data-driven insights to the management of Windows endpoints in your organization. Desktop Analytics requires a Windows E3 or E5 license, or a Microsoft 365 E3 or E5 license.
+[Desktop Analytics](/configmgr/desktop-analytics/overview) is a cloud-connected service, integrated with Configuration Manager that provides data-driven insights to the management of Windows endpoints in your organization. Desktop Analytics requires a Windows E3 or E5 license, or a Microsoft 365 E3 or E5 license.
-For information about Desktop Analytics and this release of Windows 10, see [What's new in Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/whats-new).
+For information about Desktop Analytics and this release of Windows 10, see [What's new in Desktop Analytics](/mem/configmgr/desktop-analytics/whats-new).
## See Also
- [What’s new for IT pros in Windows 10, version 2004](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/what-s-new-for-it-pros-in-windows-10-version-2004/ba-p/1419764): Windows IT Pro blog.
- [What’s new in the Windows 10 May 2020 Update](https://blogs.windows.com/windowsexperience/2020/05/27/whats-new-in-the-windows-10-may-2020-update/): Windows Insider blog.
-- [What's New in Windows Server](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.
+- [What's New in Windows Server](/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.
- [Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.
-- [What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
+- [What's New in Windows 10](./index.yml): See what’s new in other versions of Windows 10.
- [Start developing on Windows 10, version 2004 today](https://blogs.windows.com/windowsdeveloper/2020/05/12/start-developing-on-windows-10-version-2004-today/): New and updated features in Windows 10 that are of interest to developers.
-- [What's new for business in Windows 10 Insider Preview Builds](https://docs.microsoft.com/windows-insider/Active-Dev-Branch): A preview of new features for businesses.
-- [What's new in Windows 10, version 2004 - Windows Insiders](https://docs.microsoft.com/windows-insider/at-home/whats-new-wip-at-home-20h1): This list also includes consumer focused new features.
-- [Features and functionality removed in Windows 10](https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features): Removed features.
-- [Windows 10 features we’re no longer developing](https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.
+- [What's new for business in Windows 10 Insider Preview Builds](/windows-insider/Active-Dev-Branch): A preview of new features for businesses.
+- [What's new in Windows 10, version 2004 - Windows Insiders](/windows-insider/at-home/whats-new-wip-at-home-20h1): This list also includes consumer focused new features.
+- [Features and functionality removed in Windows 10](/windows/deployment/planning/windows-10-removed-features): Removed features.
+- [Windows 10 features we’re no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.
\ No newline at end of file
diff --git a/windows/whats-new/whats-new-windows-10-version-20H2.md b/windows/whats-new/whats-new-windows-10-version-20H2.md
index ec7ffb671e..d7e404f25e 100644
--- a/windows/whats-new/whats-new-windows-10-version-20H2.md
+++ b/windows/whats-new/whats-new-windows-10-version-20H2.md
@@ -29,7 +29,7 @@ To download and install Windows 10, version 20H2, use Windows Update (**Settings
## Microsoft Edge
-This release automatically includes the new Chromium-based [Microsoft Edge](https://www.microsoft.com/edge/business) browser instead of the legacy version of Edge. For more information, see the [Microsoft Edge documentation](https://docs.microsoft.com/microsoft-edge/).
+This release automatically includes the new Chromium-based [Microsoft Edge](https://www.microsoft.com/edge/business) browser instead of the legacy version of Edge. For more information, see the [Microsoft Edge documentation](/microsoft-edge/).
## Servicing
@@ -41,48 +41,48 @@ Starting with Windows 10, version 20H2, LCUs and SSUs have been combined into a
## Deployment
-New guidance is available to help prepare a [servicing strategy](https://docs.microsoft.com/windows/deployment/update/waas-servicing-strategy-windows-10-updates) and move your devices to the latest version of Windows 10 quickly and as seamlessly as possible.
+New guidance is available to help prepare a [servicing strategy](/windows/deployment/update/waas-servicing-strategy-windows-10-updates) and move your devices to the latest version of Windows 10 quickly and as seamlessly as possible.
Activities are grouped into the following phases: **Plan** > **Prepare** > **Deploy**:
**Plan** your deployment by evaluating and understanding essential activities:
-- Create a [phased deployment plan](https://docs.microsoft.com/windows/deployment/update/create-deployment-plan)
-- Assign [roles and responsibilities](https://docs.microsoft.com/windows/deployment/update/plan-define-readiness#process-manager) within your organization
-- Set [criteria](https://docs.microsoft.com/windows/deployment/update/plan-define-readiness#set-criteria-for-rating-apps) to establish readiness for the upgrade process
-- Evaluate your [infrastructure and tools](https://docs.microsoft.com/windows/deployment/update/eval-infra-tools)
-- Determine [readiness](https://docs.microsoft.com/windows/deployment/update/plan-determine-app-readiness) for your business applications
-- Create an effective, schedule-based [servicing strategy](https://docs.microsoft.com/windows/deployment/update/plan-define-strategy)
+- Create a [phased deployment plan](/windows/deployment/update/create-deployment-plan)
+- Assign [roles and responsibilities](/windows/deployment/update/plan-define-readiness#process-manager) within your organization
+- Set [criteria](/windows/deployment/update/plan-define-readiness#set-criteria-for-rating-apps) to establish readiness for the upgrade process
+- Evaluate your [infrastructure and tools](/windows/deployment/update/eval-infra-tools)
+- Determine [readiness](/windows/deployment/update/plan-determine-app-readiness) for your business applications
+- Create an effective, schedule-based [servicing strategy](/windows/deployment/update/plan-define-strategy)
**Prepare** your devices and environment for deployment by performing necessary actions:
-- Update [infrastructure and tools](https://docs.microsoft.com/windows/deployment/update/prepare-deploy-windows#prepare-infrastructure-and-environment)
-- Ensure the needed [services](https://docs.microsoft.com/windows/deployment/update/prepare-deploy-windows#prepare-applications-and-devices) are available
-- Resolve issues with [unhealthy devices](https://docs.microsoft.com/windows/deployment/update/prepare-deploy-windows#address-unhealthy-devices)
-- Ensure that [users are ready](https://docs.microsoft.com/windows/deployment/update/prepare-deploy-windows) for updates
+- Update [infrastructure and tools](/windows/deployment/update/prepare-deploy-windows#prepare-infrastructure-and-environment)
+- Ensure the needed [services](/windows/deployment/update/prepare-deploy-windows#prepare-applications-and-devices) are available
+- Resolve issues with [unhealthy devices](/windows/deployment/update/prepare-deploy-windows#address-unhealthy-devices)
+- Ensure that [users are ready](/windows/deployment/update/prepare-deploy-windows) for updates
**Deploy** and manage Windows 10 strategically in your organization:
-- Use [Windows Autopilot](https://docs.microsoft.com/mem/autopilot/windows-autopilot) to streamline the set up, configuration, and delivery of new devices
-- Use [Configuration Manager](https://docs.microsoft.com/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager) or [MDT](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt) to deploy new devices and update existing devices
-- Use [Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-configure-wufb) with Group Policy to [customize update settings](https://docs.microsoft.com/windows/deployment/update/waas-wufb-group-policy) for your devices
-- [Deploy Windows updates](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wsus) with Windows Server Update Services (WSUS)
-- Manage bandwidth for updates with [Delivery Optimization](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization)
-- [Monitor Windows Updates](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor) with Update Compliance
+- Use [Windows Autopilot](/mem/autopilot/windows-autopilot) to streamline the set up, configuration, and delivery of new devices
+- Use [Configuration Manager](/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager) or [MDT](/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt) to deploy new devices and update existing devices
+- Use [Windows Update for Business](/windows/deployment/update/waas-configure-wufb) with Group Policy to [customize update settings](/windows/deployment/update/waas-wufb-group-policy) for your devices
+- [Deploy Windows updates](/windows/deployment/update/waas-manage-updates-wsus) with Windows Server Update Services (WSUS)
+- Manage bandwidth for updates with [Delivery Optimization](/windows/deployment/update/waas-delivery-optimization)
+- [Monitor Windows Updates](/windows/deployment/update/update-compliance-monitor) with Update Compliance
### Windows Autopilot
Enhancements to Windows Autopilot since the last release of Windows 10 include:
- [Windows Autopilot for HoloLens](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-autopilot-for-hololens-2/ba-p/1371494): Set up HoloLens 2 devices with Windows Autopilot for HoloLens 2 self-deploying mode.
-- [Windows Autopilot with co-management](https://docs.microsoft.com/mem/configmgr/comanage/quickstart-autopilot): Co-management and Autopilot together can help you reduce cost and improve the end user experience.
+- [Windows Autopilot with co-management](/mem/configmgr/comanage/quickstart-autopilot): Co-management and Autopilot together can help you reduce cost and improve the end user experience.
- Enhancements to Windows Autopilot deployment reporting are in preview. From the Microsoft Endpoint Manager admin center (endpoint.microsoft.com), select **Devices** > **Monitor** and scroll down to the **Enrollment** section. Click **Autopilot deployment (preview)**.
### Windows Assessment and Deployment Toolkit (ADK)
-There is no new ADK for Windows 10, version 20H2. The ADK for Windows 10, version 2004 will also work with Windows 10, version 20H2. For more information, see [Download and install the Windows ADK](https://docs.microsoft.com/windows-hardware/get-started/adk-install).
+There is no new ADK for Windows 10, version 20H2. The ADK for Windows 10, version 2004 will also work with Windows 10, version 20H2. For more information, see [Download and install the Windows ADK](/windows-hardware/get-started/adk-install).
## Device management
-Modern Device Management (MDM) policy is extended with new [Local Users and Groups settings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-localusersandgroups) that match the options available for devices managed through Group Policy.
+Modern Device Management (MDM) policy is extended with new [Local Users and Groups settings](/windows/client-management/mdm/policy-csp-localusersandgroups) that match the options available for devices managed through Group Policy.
-For more information about what's new in MDM, see [What's new in mobile device enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management)
+For more information about what's new in MDM, see [What's new in mobile device enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management)
## Security
@@ -90,11 +90,11 @@ For more information about what's new in MDM, see [What's new in mobile device e
This release includes improved support for non-ASCII file paths for Microsoft Defender Advanced Threat Protection (ATP) Auto Incident Response (IR).
-The [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) parameter is deprecated in this release.
+The [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) parameter is deprecated in this release.
### Microsoft Defender Application Guard for Office
-Microsoft Defender Application Guard now supports Office: With [Microsoft Defender Application Guard for Office](https://docs.microsoft.com/microsoft-365/security/office-365-security/install-app-guard), you can launch untrusted Office documents (from outside the Enterprise) in an isolated container to prevent potentially malicious content from compromising your device.
+Microsoft Defender Application Guard now supports Office: With [Microsoft Defender Application Guard for Office](/microsoft-365/security/office-365-security/install-app-guard), you can launch untrusted Office documents (from outside the Enterprise) in an isolated container to prevent potentially malicious content from compromising your device.
### Windows Hello
@@ -104,7 +104,7 @@ With specialized hardware and software components available on devices shipping
### Windows Sandbox
-New policies for [Windows Sandbox](https://docs.microsoft.com/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview) are available in this release. For more information, see [Policy CSP - WindowsSandbox](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowssandbox).
+New policies for [Windows Sandbox](/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview) are available in this release. For more information, see [Policy CSP - WindowsSandbox](/windows/client-management/mdm/policy-csp-windowssandbox).
### Windows Virtual Desktop (WVD)
@@ -131,22 +131,22 @@ On a 2-in-1 device, Windows will now automatically switch to tablet mode when yo
## Surface
-Windows 10 Pro and Enterprise are now [available on Surface Hub 2](https://techcommunity.microsoft.com/t5/surface-it-pro-blog/announcing-the-availability-of-windows-10-pro-and-enterprise-on/ba-p/1624107). For more information, see [What's new in Surface Hub 2S for IT admins](https://docs.microsoft.com/surface-hub/surface-hub-2s-whats-new).
+Windows 10 Pro and Enterprise are now [available on Surface Hub 2](https://techcommunity.microsoft.com/t5/surface-it-pro-blog/announcing-the-availability-of-windows-10-pro-and-enterprise-on/ba-p/1624107). For more information, see [What's new in Surface Hub 2S for IT admins](/surface-hub/surface-hub-2s-whats-new).
## Desktop Analytics
-[Desktop Analytics](https://docs.microsoft.com/configmgr/desktop-analytics/overview) is a cloud-connected service, integrated with Configuration Manager that provides data-driven insights to the management of Windows endpoints in your organization. Desktop Analytics requires a Windows E3 or E5 license, or a Microsoft 365 E3 or E5 license.
+[Desktop Analytics](/configmgr/desktop-analytics/overview) is a cloud-connected service, integrated with Configuration Manager that provides data-driven insights to the management of Windows endpoints in your organization. Desktop Analytics requires a Windows E3 or E5 license, or a Microsoft 365 E3 or E5 license.
-For information about Desktop Analytics and this release of Windows 10, see [What's new in Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/whats-new).
+For information about Desktop Analytics and this release of Windows 10, see [What's new in Desktop Analytics](/mem/configmgr/desktop-analytics/whats-new).
## See Also
[What’s new for IT pros in Windows 10, version 20H2](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/what-s-new-for-it-pros-in-windows-10-version-20h2/ba-p/1800132)
[Get started with the October 2020 update to Windows 10](https://www.linkedin.com/learning/windows-10-october-2020-update-new-features-2/get-started-with-the-october-2020-update-to-windows-10)
[Learn Windows 10 with the October 2020 Update](https://www.linkedin.com/learning/windows-10-october-2020-update-essential-training/learn-windows-10-with-the-october-2020-update)
-[What's New in Windows Server](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.
+[What's New in Windows Server](/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.
[Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.
-[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
+[What's New in Windows 10](./index.yml): See what’s new in other versions of Windows 10.
[Announcing more ways we’re making app development easier on Windows](https://blogs.windows.com/windowsdeveloper/2020/09/22/kevin-gallo-microsoft-ignite-2020/): Simplifying app development in Windows.
-[Features and functionality removed in Windows 10](https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features): Removed features.
-[Windows 10 features we’re no longer developing](https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.
+[Features and functionality removed in Windows 10](/windows/deployment/planning/windows-10-removed-features): Removed features.
+[Windows 10 features we’re no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.
\ No newline at end of file