99999| Windows Edition | +Supported? | +
|---|---|
| Home | +9 |
+
| Pro | +9 |
+
| Business | +9 |
+
| Enterprise | +9 |
+
| Education | +9 |
+
BIOSRead
This problem is indicated when an application cannot access the Device\PhysicalMemory object beyond the kernel-mode drivers, on any of the Windows Server® 2003 operating systems.
+This problem is indicated when an application cannot access the Device\PhysicalMemory object beyond the kernel-mode drivers, on any of the Windows Server® 2003 operating systems.
The fix enables OEM executable (.exe) files to use the GetSystemFirmwareTable function instead of the NtOpenSection function when the BIOS is queried for the \Device\Physical memory information..
ChangeFolderPathToXPStyle
This fix is required when an application cannot return shell folder paths when it uses the SHGetFolder API.
-The fix intercepts the SHGetFolder path request to the common appdata file path and returns the Windows® XP-style file path instead of the Windows Vista-style file path.
The fix intercepts the SHGetFolder path request to the common appdata file path and returns the Windows® XP-style file path instead of the Windows Vista-style file path.
ClearLastErrorStatusonIntializeCriticalSection
DirectXVersionLie
This problem occurs when an application fails because it does not find the correct version number for DirectX®.
+This problem occurs when an application fails because it does not find the correct version number for DirectX®.
The fix modifies the DXDIAGN GetProp function call to return the correct DirectX version.
You can control this fix further by typing the following command at the command prompt:
MAJORVERSION.MINORVERSION.LETTER
@@ -456,7 +457,7 @@ The following table lists the known compatibility fixes for all Windows operatinIgnoreMSOXMLMF
The problem is indicated by an error message that states that the operating system cannot locate the MSVCR80D.DLL file.
-The fix ignores the registered MSOXMLMF.DLL object, which Microsoft® Office 2007 loads into the operating system any time that you load an XML file, and then it fails the CoGetClassObject for its CLSID. This compatibility fix will just ignore the registered MSOXMLMF and fail the CoGetClassObject for its CLSID.
The fix ignores the registered MSOXMLMF.DLL object, which Microsoft® Office 2007 loads into the operating system any time that you load an XML file, and then it fails the CoGetClassObject for its CLSID. This compatibility fix will just ignore the registered MSOXMLMF and fail the CoGetClassObject for its CLSID.
IgnoreSetROP2
MIG_OFFLINE_PLATFORM_ARCH
32 or 64
While operating offline, this environment variable defines the architecture of the offline system, if the system does not match the WinPE and Scanstate.exe architecture. This environment variable enables the 32-bit ScanState application to gather data from a computer with 64-bit architecture, or the 64-bit ScanState application to gather data from a computer with 32-bit architecture. This is required when auto-detection of the offline architecture doesn’t function properly, for example, when the source system is running a 64-bit version of Windows XP. For example, to set this system environment variable for a 32-bit architecture, at a command prompt type the following:
+While operating offline, this environment variable defines the architecture of the offline system, if the system does not match the WinPE and Scanstate.exe architecture. This environment variable enables the 32-bit ScanState application to gather data from a computer with 64-bit architecture, or the 64-bit ScanState application to gather data from a computer with 32-bit architecture. This is required when auto-detection of the offline architecture doesn't function properly, for example, when the source system is running a 64-bit version of Windows XP. For example, to set this system environment variable for a 32-bit architecture, at a command prompt type the following:
Set MIG_OFFLINE_PLATFORM_ARCH=32You can either:
Specify up to three <role> elements within a <component> — one “Binaries” role element, one “Settings” role element and one “Data” role element. These parameters do not change the migration behavior — their only purpose is to help you categorize the settings that you are migrating. You can nest these <role> elements, but each nested element must be of the same role parameter.
Specify one “Container” <role> element within a <component> element. In this case, you cannot specify any child <rules> elements, only other <component> elements. And each child <component> element must have the same type as that of parent <component> element. For example:
Specify up to three <role> elements within a <component> — one "Binaries" role element, one "Settings" role element and one "Data" role element. These parameters do not change the migration behavior — their only purpose is to help you categorize the settings that you are migrating. You can nest these <role> elements, but each nested element must be of the same role parameter.
Specify one "Container" <role> element within a <component> element. In this case, you cannot specify any child <rules> elements, only other <component> elements. And each child <component> element must have the same type as that of parent <component> element. For example:
<component context="UserAndSystem" type="Application">
<displayName _locID="migapp.msoffice2003">Microsoft Office 2003</displayName>
@@ -3846,7 +3844,7 @@ See the last component in the MigUser.xml file for an example of this element.
~~~
**Example:**
-If GenerateUserPattens('File','%userprofile% \[\*.doc\]','FALSE') is called while USMT is processing user A, then this function will only generate patterns for users B and C. You can use this helper function to build complex rules. For example, to migrate all .doc files from the source computer — but if user X is not migrated, then do not migrate any of the .doc files from user X’s profile.
+If GenerateUserPattens('File','%userprofile% \[\*.doc\]','FALSE') is called while USMT is processing user A, then this function will only generate patterns for users B and C. You can use this helper function to build complex rules. For example, to migrate all .doc files from the source computer — but if user X is not migrated, then do not migrate any of the .doc files from user X's profile.
The following is example code for this scenario. The first <rules> element migrates all.doc files on the source computer with the exception of those inside C:\\Documents and Settings. The second <rules> elements will migrate all .doc files from C:\\Documents and Settings with the exception of the .doc files in the profiles of the other users. Because the second <rules> element will be processed in each migrated user context, the end result will be the desired behavior. The end result is the one we expected.
@@ -4103,12 +4101,12 @@ Syntax:
name
Yes
ID is a string value that is the name used to reference the environment variable. We recommend that ID start with the component’s name to avoid namespace collisions. For example, if your component’s name is MyComponent, and you want a variable that is your component’s install path, you could specify MyComponent.InstallPath.
ID is a string value that is the name used to reference the environment variable. We recommend that ID start with the component's name to avoid namespace collisions. For example, if your component's name is MyComponent, and you want a variable that is your component's install path, you could specify MyComponent.InstallPath.
remap
No, default = FALSE
Specifies whether to evaluate this environment variable as a remapping environment variable. Objects that are located in a path that is underneath this environment variable’s value are automatically moved to where the environment variable points on the destination computer.
Specifies whether to evaluate this environment variable as a remapping environment variable. Objects that are located in a path that is underneath this environment variable's value are automatically moved to where the environment variable points on the destination computer.
@@ -4227,27 +4225,27 @@ The following functions are for internal USMT use only. Do not use them in an .x
You can use the following version tags with various helper functions:
-- “CompanyName”
+- "CompanyName"
-- “FileDescription”
+- "FileDescription"
-- “FileVersion”
+- "FileVersion"
-- “InternalName”
+- "InternalName"
-- “LegalCopyright”
+- "LegalCopyright"
-- “OriginalFilename”
+- "OriginalFilename"
-- “ProductName”
+- "ProductName"
-- “ProductVersion”
+- "ProductVersion"
The following version tags contain values that can be compared:
-- “FileVersion”
+- "FileVersion"
-- “ProductVersion”
+- "ProductVersion"
## Related topics
diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md
index 5b4f53e98a..bc307dfc3a 100644
--- a/windows/deployment/vda-subscription-activation.md
+++ b/windows/deployment/vda-subscription-activation.md
@@ -7,6 +7,7 @@ ms.author: greglin
author: greg-lindsay
description: Learn how to configure virtual machines (VMs) to enable Windows 10 Subscription Activation in a Windows Virtual Desktop Access (VDA) scenario.
keywords: upgrade, update, task sequence, deploy
+ms.custom: seo-marvel-apr2020
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
diff --git a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
index 893b4f6f7c..e9c419383d 100644
--- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
+++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
@@ -1,6 +1,7 @@
---
title: Activate using Active Directory-based activation (Windows 10)
-description: Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects.
+description: Learn how active directory-based activation is implemented as a role service that relies on AD DS to store activation objects.
+ms.custom: seo-marvel-apr2020
ms.assetid: 08cce6b7-7b5b-42cf-b100-66c363a846af
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/volume-activation/configure-client-computers-vamt.md b/windows/deployment/volume-activation/configure-client-computers-vamt.md
index f4e102124a..952db8ab4a 100644
--- a/windows/deployment/volume-activation/configure-client-computers-vamt.md
+++ b/windows/deployment/volume-activation/configure-client-computers-vamt.md
@@ -24,8 +24,8 @@ To enable the Volume Activation Management Tool (VAMT) to function correctly, ce
Organizations where the VAMT will be widely used may benefit from making these changes inside the master image for Windows.
-> [IMPORTANT]
-> This procedure only applies to clients running Windows Vista or later. For clients running Windows XP Service Pack 1, see [Connecting Through Windows Firewall](https://docs.microsoft.com/windows/win32/wmisdk/connecting-to-wmi-remotely-with-vbscript).
+> [IMPORTANT]
+> This procedure only applies to clients running Windows Vista or later. For clients running Windows XP Service Pack 1, see [Connecting Through Windows Firewall](https://docs.microsoft.com/windows/win32/wmisdk/connecting-to-wmi-remotely-with-vbscript).
## Configuring the Windows Firewall to allow VAMT access
diff --git a/windows/deployment/volume-activation/volume-activation-management-tool.md b/windows/deployment/volume-activation/volume-activation-management-tool.md
index c73cbc4546..23c0a83614 100644
--- a/windows/deployment/volume-activation/volume-activation-management-tool.md
+++ b/windows/deployment/volume-activation/volume-activation-management-tool.md
@@ -13,13 +13,14 @@ audience: itpro
author: greg-lindsay
ms.date: 04/25/2017
ms.topic: article
+ms.custom: seo-marvel-apr2020
---
# Volume Activation Management Tool (VAMT) Technical Reference
-The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process.
+The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process.
VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in that requires the Microsoft Management Console (MMC) 3.0. VAMT can be installed on any computer that has one of the following Windows operating systems:
-- Windows® 7 or above
+- Windows® 7 or above
- Windows Server 2008 R2 or above
@@ -28,7 +29,7 @@ VAMT is designed to manage volume activation for: Windows 7, Windows 8, Window
VAMT is only available in an EN-US (x86) package.
-## In this Section
+## In this section
|Topic |Description |
|------|------------|
diff --git a/windows/deployment/windows-10-deployment-tools-reference.md b/windows/deployment/windows-10-deployment-tools-reference.md
index 2321163bd1..9bb72ea7bb 100644
--- a/windows/deployment/windows-10-deployment-tools-reference.md
+++ b/windows/deployment/windows-10-deployment-tools-reference.md
@@ -26,5 +26,5 @@ Learn about the tools available to deploy Windows 10.
|[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. |
|[Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md) |The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. |
|[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. |
-|[Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) |The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. |
+|[Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) |The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. |
|[User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) |The User State Migration Tool (USMT) 10.0 is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals |
diff --git a/windows/deployment/windows-10-deployment-tools.md b/windows/deployment/windows-10-deployment-tools.md
index 33f7b49f5e..6a20248ebe 100644
--- a/windows/deployment/windows-10-deployment-tools.md
+++ b/windows/deployment/windows-10-deployment-tools.md
@@ -26,5 +26,5 @@ Learn about the tools available to deploy Windows 10.
|[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. |
|[Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md) |The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. |
|[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. |
-|[Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) |The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. |
+|[Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) |The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. |
|[User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) |The User State Migration Tool (USMT) 10.0 is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals |
diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md
index c10e477cff..8e1f84c95e 100644
--- a/windows/deployment/windows-10-poc-mdt.md
+++ b/windows/deployment/windows-10-poc-mdt.md
@@ -1,6 +1,7 @@
---
title: Step by step - Deploy Windows 10 in a test lab using MDT
-description: Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit (MDT)
+description: In this article, you'll learn how to deploy Windows 10 in a test lab using Microsoft Deployment Toolkit (MDT).
+ms.custom: seo-marvel-apr2020
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md
index 1db27c1143..87baccf225 100644
--- a/windows/deployment/windows-10-poc-sc-config-mgr.md
+++ b/windows/deployment/windows-10-poc-sc-config-mgr.md
@@ -1,6 +1,6 @@
---
-title: Step by step - Deploy Windows 10 using Microsoft Endpoint Configuration Manager
-description: Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager
+title: Steps to deploy Windows 10 with Microsoft Endpoint Configuration Manager
+description: In this article, you'll learn how to deploy Windows 10 in a test lab using Microsoft endpoint configuration manager.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -14,6 +14,7 @@ ms.author: greglin
author: greg-lindsay
audience: itpro
ms.topic: article
+ms.custom: seo-marvel-apr2020
---
# Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager
diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md
index 6b3110a329..a956b7fa4b 100644
--- a/windows/deployment/windows-10-poc.md
+++ b/windows/deployment/windows-10-poc.md
@@ -1,11 +1,12 @@
---
title: Configure a test lab to deploy Windows 10
+description: In this article, you will learn about concepts and procedures for deploying Windows 10 in a proof of concept lab environment.
+ms.custom: seo-marvel-apr2020
ms.reviewer:
manager: laurawi
ms.audience: itpro
ms.author: greglin
author: greg-lindsay
-description: Concepts and procedures for deploying Windows 10 in a proof of concept lab environment.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md
index dba46b0368..fb1755d660 100644
--- a/windows/deployment/windows-10-subscription-activation.md
+++ b/windows/deployment/windows-10-subscription-activation.md
@@ -1,7 +1,8 @@
---
title: Windows 10 Subscription Activation
-description: How to dynamically enable Windows 10 Enterprise or Education subscriptions
+description: In this article, you will learn how to dynamically enable Windows 10 Enterprise or Education subscriptions.
keywords: upgrade, update, task sequence, deploy
+ms.custom: seo-marvel-apr2020
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
@@ -39,7 +40,7 @@ Organizations that have an Enterprise agreement can also benefit from the new se
Subscription Activation for Education works the same as the Enterprise version, but in order to use Subscription Activation for Education, you must have a device running Windows 10 Pro Education, version 1903 or later and an active subscription plan with a Windows 10 Enterprise license. For more information, see the [requirements](#windows-10-education-requirements) section.
-## In this article
+## Summary
- [Inherited Activation](#inherited-activation): Description of a new feature available in Windows 10, version 1803 and later.
- [The evolution of Windows 10 deployment](#the-evolution-of-deployment): A short history of Windows deployment.
@@ -60,7 +61,6 @@ To support Inherited Activation, both the host computer and the VM must be runni
## The evolution of deployment
-> [!NOTE]
> The original version of this section can be found at [Changing between Windows SKUs](https://blogs.technet.microsoft.com/mniehaus/2017/10/09/changing-between-windows-skus/).
The following figure illustrates how deploying Windows 10 has evolved with each release. With this release, deployment is automatic.
@@ -105,9 +105,9 @@ If the device is running Windows 10, version 1809 or later:
1. Windows 10, version 1809 must be updated with [KB4497934](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934). Later versions of Windows 10 automatically include this patch.
2. When the user signs in on a Hybrid Azure AD joined device with MFA enabled, a notification will indicate that there is a problem. Click the notification and then click **Fix now** to step through the subscription activation process. See the example below:
- 
- 
- 
+
+
+
### Windows 10 Education requirements
@@ -116,8 +116,8 @@ If the device is running Windows 10, version 1809 or later:
3. The Education tenant must have an active subscription to Microsoft 365 with a Windows 10 Enterprise license or a Windows 10 Enterprise or Education subscription.
4. Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported.
-> [!IMPORTANT]
-> If Windows 10 Pro is converted to Windows 10 Pro Education [by using benefits available in Store for Education](https://docs.microsoft.com/education/windows/change-to-pro-education#change-using-microsoft-store-for-education), then the feature will not work. You will need to re-image the device by using a Windows 10 Pro Education edition.
+> If Windows 10 Pro is converted to Windows 10 Pro Education [using benefits available in Store for Education](https://docs.microsoft.com/education/windows/change-to-pro-education#change-using-microsoft-store-for-education), then the feature will not work. You will need to re-image the device using a Windows 10 Pro Education edition.
+
## Benefits
@@ -154,10 +154,9 @@ Before Windows 10, version 1903:
After Windows 10, version 1903:
-> [!NOTE]
-> - A Windows 10 Pro Education device will only step up to Windows 10 Education edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019).
->
-> - A Windows 10 Pro device will only step up to Windows 10 Enterprise edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019).
+Note:
+1. A Windows 10 Pro Education device will only step up to Windows 10 Education edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019).
+2. A Windows 10 Pro device will only step up to Windows 10 Enterprise edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019).
### Scenarios
@@ -196,8 +195,7 @@ When you have the required Azure AD subscription, group-based licensing is the p
If you are running Windows 10, version 1803 or later, Subscription Activation will automatically pull the firmware-embedded Windows 10 activation key and activate the underlying Pro License. The license will then step-up to Windows 10 Enterprise using Subscription Activation. This automatically migrates your devices from KMS or MAK activated Enterprise to Subscription activated Enterprise.
-> [!CAUTION]
-> Firmware-embedded Windows 10 activation happens automatically only when we go through the Out-of-Box Experience (OOBE).
+Caution: Firmware-embedded Windows 10 activation happens automatically only when we go through OOBE(Out Of Box Experience)
If you are using Windows 10, version 1607, 1703, or 1709 and have already deployed Windows 10 Enterprise, but you want to move away from depending on KMS servers and MAK keys for Windows client machines, you can seamlessly transition as long as the computer has been activated with a firmware-embedded Windows 10 Pro product key.
diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
index f0a7008b37..6b57a9ab0d 100644
--- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
+++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
@@ -2,7 +2,7 @@
title: Demonstrate Autopilot deployment
ms.reviewer:
manager: laurawi
-description: Step-by-step instructions on how to set-up a Virtual Machine with a Windows Autopilot deployment
+description: In this article, find step-by-step instructions on how to set-up a Virtual Machine with a Windows Autopilot deployment.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune, upgrade
ms.prod: w10
ms.mktglfcycl: deploy
@@ -13,7 +13,9 @@ author: greg-lindsay
ms.author: greglin
ms.collection: M365-modern-desktop
ms.topic: article
-ms.custom: autopilot
+ms.custom:
+ - autopilot
+ - seo-marvel-apr2020
---
@@ -218,20 +220,20 @@ PS C:\autopilot>
Ensure the VM booted from the installation ISO, click **Next** then click **Install now** and complete the Windows installation process. See the following examples:
- 
- 
- 
- 
- 
- 
+ 
+ 
+ 
+ 
+ 
+ 
-After the VM restarts, during OOBE, it’s fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen. This will offer the fastest way to the desktop. For example:
+After the VM restarts, during OOBE, it's fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen. This will offer the fastest way to the desktop. For example:
- 
+ 
Once the installation is complete, sign in and verify that you are at the Windows 10 desktop, then create your first Hyper-V checkpoint. Checkpoints are used to restore the VM to a previous state. You will create multiple checkpoints throughout this lab, which can be used later to go through the process again.
- 
+ 
To create your first checkpoint, open an elevated Windows PowerShell prompt on the computer running Hyper-V (not on the VM) and run the following:
@@ -244,7 +246,7 @@ Click on the **WindowsAutopilot** VM in Hyper-V Manager and verify that you see
## Capture the hardware ID
> [!NOTE]
-> Normally, the Device ID is captured by the OEM as they run the OA3 Tool on each device in the factory. The OEM then submits the 4K HH created by the OA3 Tool to Microsoft by submitting it with a Computer Build Report (CBR). For purposes of this lab, you are acting as the OEM (capturing the 4K HH), but you’re not going to use the OA3 Tool to capture the full 4K HH for various reasons (you’d have to install the OA3 tool, your device couldn’t have a volume license version of Windows, it’s a more complicated process than using a PS script, etc.). Instead, you’ll simulate running the OA3 tool by running a PowerShell script, which captures the device 4K HH just like the OA3 tool.
+> Normally, the Device ID is captured by the OEM as they run the OA3 Tool on each device in the factory. The OEM then submits the 4K HH created by the OA3 Tool to Microsoft by submitting it with a Computer Build Report (CBR). For purposes of this lab, you are acting as the OEM (capturing the 4K HH), but you're not going to use the OA3 Tool to capture the full 4K HH for various reasons (you'd have to install the OA3 tool, your device couldn't have a volume license version of Windows, it's a more complicated process than using a PS script, etc.). Instead, you'll simulate running the OA3 tool by running a PowerShell script, which captures the device 4K HH just like the OA3 tool.
Follow these steps to run the PS script:
@@ -303,7 +305,7 @@ Verify that there is an **AutopilotHWID.csv** file in the **c:\HWID** directory
-You will need to upload this data into Intune to register your device for Autopilot, so it needs to be transferred to the computer you will use to access the Azure portal. If you are using a physical device instead of a VM, you can copy the file to a USB stick. If you’re using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM).
+You will need to upload this data into Intune to register your device for Autopilot, so it needs to be transferred to the computer you will use to access the Azure portal. If you are using a physical device instead of a VM, you can copy the file to a USB stick. If you're using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM).
If you have trouble copying and pasting the file, just view the contents in Notepad on the VM and copy the text into Notepad outside the VM. Do not use another text editor to do this.
@@ -331,11 +333,11 @@ For this lab, you need an AAD Premium subscription. You can tell if you have a
-If the configuration blade shown above does not appear, it’s likely that you don’t have a **Premium** subscription. Auto-enrollment is a feature only available in AAD Premium.
+If the configuration blade shown above does not appear, it's likely that you don't have a **Premium** subscription. Auto-enrollment is a feature only available in AAD Premium.
To convert your Intune trial account to a free Premium trial account, navigate to **Azure Active Directory** > **Licenses** > **All products** > **Try / Buy** and select **Free trial** for Azure AD Premium, or EMS E5.
-
+
## Configure company branding
@@ -376,7 +378,7 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B
> [!NOTE]
> If menu items like **Windows enrollment** are not active for you, then look to the far-right blade in the UI. You might need to provide Intune configuration privileges in a challenge window that appeared.
-2. Under **Add Windows Autopilot devices** in the far right pane, browse to the **AutopilotHWID.csv** file you previously copied to your local computer. The file should contain the serial number and 4K HH of your VM (or device). It’s okay if other fields (Windows Product ID) are left blank.
+2. Under **Add Windows Autopilot devices** in the far right pane, browse to the **AutopilotHWID.csv** file you previously copied to your local computer. The file should contain the serial number and 4K HH of your VM (or device). It's okay if other fields (Windows Product ID) are left blank.
@@ -409,7 +411,7 @@ Select **Manage** from the top menu, then click the **Windows Autopilot Deployme
Click the **Add devices** link to upload your CSV file. A message will appear indicating your request is being processed. Wait a few moments before refreshing to see your new device has been added.
-
+
## Create and assign a Windows Autopilot deployment profile
@@ -425,7 +427,7 @@ Pick one:
> [!NOTE]
> Even if you registered your device in MSfB, it will still appear in Intune, though you might have to **sync** and then **refresh** your device list first:
-
+
> The example above lists both a physical device and a VM. Your list should only include only one of these.
@@ -473,7 +475,7 @@ To create a Group, open the Azure portal and select **Azure Active Directory** >
-Select New group from the Groups blade to open the new groups UI. Select the “Security” group type, name the group, and select the “Assigned” membership type:
+Select New group from the Groups blade to open the new groups UI. Select the "Security" group type, name the group, and select the "Assigned" membership type:
Before clicking **Create**, expand the **Members** panel, click your device's serial number (it will then appear under **Selected members**) and then click **Select** to add that device to this group.
@@ -495,9 +497,9 @@ Under **Manage**, click **Assignments**, and then with the **Include** tab highl
Click **Select** and then click **Save**.
-
+
-It’s also possible to assign specific users to a profile, but we will not cover this scenario in the lab. For more detailed information, see [Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/intune/enrollment-autopilot).
+It's also possible to assign specific users to a profile, but we will not cover this scenario in the lab. For more detailed information, see [Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/intune/enrollment-autopilot).
### Create a Windows Autopilot deployment profile using MSfB
@@ -517,15 +519,15 @@ To CREATE the profile:
Select your device from the **Devices** list:
-
+
On the Autopilot deployment dropdown menu, select **Create new profile**:
-
+
Name the profile, choose your desired settings, and then click **Create**:
-
+
The new profile is added to the Autopilot deployment list.
@@ -533,25 +535,25 @@ To ASSIGN the profile:
To assign (or reassign) the profile to a device, select the checkboxes next to the device you registered for this lab, then select the profile you want to assign from the **Autopilot deployment** dropdown menu as shown:
-
+
Confirm the profile was successfully assigned to the intended device by checking the contents of the **Profile** column:
-
+
> [!IMPORTANT]
> The new profile will only be applied if the device has not been started, and gone through OOBE. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device.
## See Windows Autopilot in action
-If you shut down your VM after the last reset, it’s time to start it back up again, so it can progress through the Autopilot OOBE experience but do not attempt to start your device again until the **PROFILE STATUS** for your device in Intune has changed from **Not assigned** to **Assigning** and finally **Assigned**:
+If you shut down your VM after the last reset, it's time to start it back up again, so it can progress through the Autopilot OOBE experience but do not attempt to start your device again until the **PROFILE STATUS** for your device in Intune has changed from **Not assigned** to **Assigning** and finally **Assigned**:
Also, make sure to wait at least 30 minutes from the time you've [configured company branding](#configure-company-branding), otherwise these changes might not show up.
> [!TIP]
-> If you reset your device previously after collecting the 4K HH info, and then let it restart back to the first OOBE screen, then you might need to restart the device again to ensure the device is recognized as an Autopilot device and displays the Autopilot OOBE experience you’re expecting. If you do not see the Autopilot OOBE experience, then reset the device again (Settings > Update & Security > Recovery and click on Get started. Under Reset this PC, select Remove everything and Just remove my files. Click on Reset).
+> If you reset your device previously after collecting the 4K HH info, and then let it restart back to the first OOBE screen, then you might need to restart the device again to ensure the device is recognized as an Autopilot device and displays the Autopilot OOBE experience you're expecting. If you do not see the Autopilot OOBE experience, then reset the device again (Settings > Update & Security > Recovery and click on Get started. Under Reset this PC, select Remove everything and Just remove my files. Click on Reset).
- Ensure your device has an internet connection.
- Turn on the device
@@ -569,21 +571,21 @@ Windows Autopilot will now take over to automatically join your device into Azur
## Remove devices from Autopilot
-To use the device (or VM) for other purposes after completion of this lab, you will need to remove (deregister) it from Autopilot via either Intune or MSfB, and then reset it. Instructions for deregistering devices can be found [here](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [here](https://docs.microsoft.com/intune/devices-wipe#delete-devices-from-the-azure-active-directory-portal) and below.
+To use the device (or VM) for other purposes after completion of this lab, you will need to remove (deregister) it from Autopilot via either Intune or MSfB, and then reset it. Instructions for deregistering devices can be found at [Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Remove devices by using wipe, retire, or manually unenrolling the device](https://docs.microsoft.com/intune/devices-wipe#delete-devices-from-the-azure-active-directory-portal) and below.
### Delete (deregister) Autopilot device
You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure Active Directory), log into your Intune Azure portal, then navigate to **Intune > Devices > All Devices**. Select the checkbox next to the device you want to delete, then click the Delete button along the top menu.
-
+
Click **X** when challenged to complete the operation:
-
+
This will remove the device from Intune management, and it will disappear from **Intune > Devices > All devices**. But this does not yet deregister the device from Autopilot, so the device should still appear under **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices**.
-
+
The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices** list mean different things and are two completely separate datastores. The former (All devices) is the list of devices currently enrolled into Intune.
@@ -592,25 +594,25 @@ The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment
To remove the device from the Autopilot program, select the device and click Delete.
-
+
A warning message appears reminding you to first remove the device from Intune, which we previously did.
-
+
At this point, your device has been unenrolled from Intune and also deregistered from Autopilot. After several minutes, click the **Sync** button, followed by the **Refresh** button to confirm the device is no longer listed in the Autopilot program:
-
+
Once the device no longer appears, you are free to reuse it for other purposes.
If you also (optionally) want to remove your device from AAD, navigate to **Azure Active Directory > Devices > All Devices**, select your device, and click the delete button:
-
+
## Appendix A: Verify support for Hyper-V
-Starting with Windows 8, the host computer’s microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information.
+Starting with Windows 8, the host computer's microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information.
To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, scroll down, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example:
@@ -654,19 +656,19 @@ EPT * Supports Intel extended page tables (SLAT)
#### Prepare the app for Intune
-Before we can pull an application into Intune to make it part of our AP profile, we need to “package” the application for delivery using the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool). After downloading the tool, gather the following three bits of information to use the tool:
+Before we can pull an application into Intune to make it part of our AP profile, we need to "package" the application for delivery using the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool). After downloading the tool, gather the following three bits of information to use the tool:
1. The source folder for your application
2. The name of the setup executable file
3. The output folder for the new file
-For the purposes of this lab, we’ll use the Notepad++ tool as our Win32 app.
+For the purposes of this lab, we'll use the Notepad++ tool as our Win32 app.
Download the Notepad++ msi package [here](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available) and then copy the file to a known location, such as C:\Notepad++msi.
Run the IntuneWinAppUtil tool, supplying answers to the three questions, for example:
-
+
After the tool finishes running, you should have an .intunewin file in the Output folder, which you can now upload into Intune using the following steps.
@@ -676,19 +678,19 @@ Log into the Azure portal and select **Intune**.
Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package.
-
+
Under **App Type**, select **Windows app (Win32)**:
-
+
On the **App package file** blade, browse to the **npp.7.6.3.installer.x64.intunewin** file in your output folder, open it, then click **OK**:
-
+
On the **App Information Configure** blade, provide a friendly name, description, and publisher, such as:
-
+
On the **Program Configuration** blade, supply the install and uninstall commands:
@@ -698,29 +700,29 @@ Uninstall: msiexec /x "{F188A506-C3C6-4411-BE3A-DA5BF1EA6737}" /q
> [!NOTE]
> Likely, you do not have to write the install and uninstall commands yourself because the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool) automatically generated them when it converted the .msi file into a .intunewin file.
-
+
-Simply using an install command like “notepad++.exe /S” will not actually install Notepad++; it will only launch the app. To actually install the program, we need to use the .msi file instead. Notepad++ doesn’t actually have an .msi version of their program, but we got an .msi version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available).
+Simply using an install command like "notepad++.exe /S" will not actually install Notepad++; it will only launch the app. To actually install the program, we need to use the .msi file instead. Notepad++ doesn't actually have an .msi version of their program, but we got an .msi version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available).
Click **OK** to save your input and activate the **Requirements** blade.
On the **Requirements Configuration** blade, specify the **OS architecture** and the **Minimum OS version**:
-
+
Next, configure the **Detection rules**. For our purposes, we will select manual format:
-
+
Click **Add** to define the rule properties. For **Rule type**, select **MSI**, which will automatically import the right MSI product code into the rule:
-
+
Click **OK** twice to save, as you back out to the main **Add app** blade again for the final configuration.
**Return codes**: For our purposes, leave the return codes at their default values:
-
+
Click **OK** to exit.
@@ -730,11 +732,11 @@ Click the **Add** button to finalize and save your app package.
Once the indicator message says the addition has completed.
-
+
You will be able to find your app in your app list:
-
+
#### Assign the app to your Intune profile
@@ -743,7 +745,7 @@ You will be able to find your app in your app list:
In the **Intune > Client Apps > Apps** pane, select the app package you already created to reveal its properties blade. Then click **Assignments** from the menu:
-
+
Select **Add Group** to open the **Add group** pane that is related to the app.
@@ -753,9 +755,9 @@ For our purposes, select **Required** from the **Assignment type** dropdown menu
Select **Included Groups** and assign the groups you previously created that will use this app:
-
+
-
+
In the **Select groups** pane, click the **Select** button.
@@ -765,7 +767,7 @@ In the **Add group** pane, select **OK**.
In the app **Assignments** pane, select **Save**.
-
+
At this point, you have completed steps to add a Win32 app to Intune.
@@ -779,15 +781,15 @@ Log into the Azure portal and select **Intune**.
Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package.
-
+
Under **App Type**, select **Office 365 Suite > Windows 10**:
-
+
Under the **Configure App Suite** pane, select the Office apps you want to install. For the purposes of this labe we have only selected Excel:
-
+
Click **OK**.
@@ -795,13 +797,13 @@ In the **App Suite Information** pane, enter a unique suite name, and a s
> Enter the name of the app suite as it is displayed in the company portal. Make sure that all suite names that you use are unique. If the same app suite name exists twice, only one of the apps is displayed to users in the company portal.
-
+
Click **OK**.
In the **App Suite Settings** pane, select **Monthly** for the **Update channel** (any selection would be fine for the purposes of this lab). Also select **Yes** for **Automatically accept the app end user license agreement**:
-
+
Click **OK** and then click **Add**.
@@ -812,7 +814,7 @@ Click **OK** and then click **Add**.
In the **Intune > Client Apps > Apps** pane, select the Office package you already created to reveal its properties blade. Then click **Assignments** from the menu:
-
+
Select **Add Group** to open the **Add group** pane that is related to the app.
@@ -822,9 +824,9 @@ For our purposes, select **Required** from the **Assignment type** dropdown menu
Select **Included Groups** and assign the groups you previously created that will use this app:
-
+
-
+
In the **Select groups** pane, click the **Select** button.
@@ -834,7 +836,7 @@ In the **Add group** pane, select **OK**.
In the app **Assignments** pane, select **Save**.
-
+
At this point, you have completed steps to add Office to Intune.
@@ -842,7 +844,7 @@ For more information on adding Office apps to Intune, see [Assign Office 365 app
If you installed both the win32 app (Notepad++) and Office (just Excel) per the instructions in this lab, your VM will show them in the apps list, although it could take several minutes to populate:
-
+
## Glossary
diff --git a/windows/hub/index.yml b/windows/hub/index.yml
index 289a9ff9e7..75355791f6 100644
--- a/windows/hub/index.yml
+++ b/windows/hub/index.yml
@@ -42,7 +42,7 @@ landingContent:
links:
- text: Configure Windows 10
url: /windows/configuration/index
- - text: Accesasibility information for IT Pros
+ - text: Accessibility information for IT Pros
url: /windows/configuration/windows-10-accessibility-for-itpros
- text: Configure access to Microsoft Store
url: /windows/configuration/stop-employees-from-using-microsoft-store
diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md
index fe1e8ae442..218ce9d25c 100644
--- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md
+++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md
@@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
audience: ITPro
-ms.author: daniha
+ms.author: siosulli
author: DaniHalfin
manager: dansimp
ms.collection: M365-security-compliance
diff --git a/windows/privacy/data-processor-service-for-windows-enterprise-public-preview-terms.md b/windows/privacy/data-processor-service-for-windows-enterprise-public-preview-terms.md
index 11aacc5fb8..20b56e6e79 100644
--- a/windows/privacy/data-processor-service-for-windows-enterprise-public-preview-terms.md
+++ b/windows/privacy/data-processor-service-for-windows-enterprise-public-preview-terms.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.topic: article
f1.keywords:
- NOCSH
-ms.author: daniha
+ms.author: siosulli
author: DaniHalfin
manager: dansimp
audience: itpro
diff --git a/windows/privacy/deploy-data-processor-service-windows.md b/windows/privacy/deploy-data-processor-service-windows.md
index 66bb8268c7..76db1e584d 100644
--- a/windows/privacy/deploy-data-processor-service-windows.md
+++ b/windows/privacy/deploy-data-processor-service-windows.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.topic: article
f1.keywords:
- NOCSH
-ms.author: daniha
+ms.author: siosulli
author: DaniHalfin
manager: dansimp
audience: itpro
diff --git a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
index 41c5fa5a8a..4188fd5ad3 100644
--- a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
+++ b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
@@ -30,7 +30,7 @@ ms.reviewer:
Desktop Analytics reports are powered by diagnostic data not included in the Basic level.
-In Windows 10, version 1709, we introduced a new feature: "Limit Enhanced diagnostic data to the minimum required by Windows Analytics". When enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to only those described below. Note that the Enhanced level also includes limited crash reports, which are not described below. For more information on the Enhanced level, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
+In Windows 10, version 1709, we introduced a new feature: "Limit Enhanced diagnostic data to the minimum required by Windows Analytics". When enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to only the events described below. The Enhanced level also includes limited crash reports, which are not described below. For more information on the Enhanced level, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
With the retirement of Windows Analytics, this policy will continue to be supported by Desktop Analytics, but will not include Office related diagnostic data.
@@ -48,7 +48,7 @@ The following fields are available:
- **GhostCount_Sum:** Total number of instances where the application stopped responding
- **HandleCountAtExit_Sum:** Total handle count for a process when it exits
- **HangCount_Max:** Maximum number of hangs detected
-- **HangCount_Sum:** Total number of application hangs detected
+- **HangCount_Sum:** Total number of application hangs that are detected
- **HardFaultCountAtExit_Sum:** Total number of hard page faults detected for a process when it exits
- **HeartbeatCount:** Heartbeats logged for this summary
- **HeartbeatSuspendedCount:** Heartbeats logged for this summary where the process was suspended
@@ -68,7 +68,7 @@ The following fields are available:
- **WriteSizeInKBAtExit_Sum:** Total size of IO writes for a process when it exited
## Microsoft.Office.TelemetryEngine.IsPreLaunch
-Applicable for Office UWP applications. This event is fired when an office application is initiated for the first-time post upgrade/install from the store. This is part of basic diagnostic data, used to track whether a particular session is launch session or not.
+Applicable for Office UWP applications. This event is fired when an Office application is initiated for the first-time post upgrade/install from the store. It's part of basic diagnostic data. It's used to track whether a particular session is a launch session or not.
- **appVersionBuild:** Third part of the version *.*.XXXXX.*
- **appVersionMajor:** First part of the version X.*.*.*
@@ -77,10 +77,10 @@ Applicable for Office UWP applications. This event is fired when an office appli
- **SessionID:** ID of the session
## Microsoft.Office.SessionIdProvider.OfficeProcessSessionStart
-This event sends basic information upon the start of a new Office session. This is used to count the number of unique sessions seen on a given device. This is used as a heartbeat event to ensure that the application is running on a device or not. In addition, it serves as a critical signal for overall application reliability.
+This event sends basic information upon the start of a new Office session. It's used to count the number of unique sessions seen on a given device. The event is used as a heartbeat event to ensure that the application is running on a device. In addition, it serves as a critical signal for overall application reliability.
-- **AppSessionGuid:** ID of the session which maps to the process of the application
-- **processSessionId:** ID of the session which maps to the process of the application
+- **AppSessionGuid:** ID of the session that maps to the process of the application
+- **processSessionId:** ID of the session that maps to the process of the application
## Microsoft.Office.TelemetryEngine.SessionHandOff
Applicable to Win32 Office applications. This event helps us understand whether there was a new session created to handle a user-initiated file open event. It is a critical diagnostic information that is used to derive reliability signal and ensure that the application is working as expected.
@@ -89,7 +89,7 @@ Applicable to Win32 Office applications. This event helps us understand whether
- **appVersionMajor:** First part of the version X.*.*.*
- **appVersionMinor:** Second part of the version *.X.*.*
- **appVersionRev:** Fourth part of the version *.*.*.XXXXX
-- **childSessionID:** Id of the session that was created to handle the user initiated file open
+- **childSessionID:** ID of the session that was created to handle the user initiated file open
- **parentSessionId:** ID of the session that was already running
## Microsoft.Office.CorrelationMetadata.UTCCorrelationMetadata
@@ -102,15 +102,15 @@ Collects Office metadata through UTC to compare with equivalent data collected t
- **appVersionMajor:** First part of the version X.*.*.*
- **appVersionMinor:** Second part of the version *.X.*.*
- **appVersionRevision:** Fourth part of the version *.*.*.XXXXX
-- **audienceGroup:** Is this part of the insiders or production
+- **audienceGroup:** Is this group part of the insiders or production?
- **audienceId:** ID of the audience setting
- **channel:** Are you part of Semi annual channel or Semi annual channel-Targeted?
-- **deviceClass:** Is this a desktop or a mobile?
+- **deviceClass:** Is this device a desktop device or a mobile device?
- **impressionId:** What features were available to you in this session
- **languageTag:** Language of the app
- **officeUserID:** A unique identifier tied to the office installation on a particular device.
- **osArchitecture:** Is the machine 32 bit or 64 bit?
-- **osEnvironment:** Is this a win32 app or a UWP app?
+- **osEnvironment:** Is this app a win32 app or a UWP app?
- **osVersionString:** Version of the OS
- **sessionID:** ID of the session
@@ -131,7 +131,7 @@ This event is fired when the telemetry engine within an office application is re
- **appVersionMajor:** First part of the version X.*.*.*
- **appVersionMinor:** Second part of the version *.X.*.*
- **appVersionRev:** Fourth part of the version *.*.*.XXXXX
-- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
+- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user
- **SessionID:** ID of the session
## Microsoft.Office.TelemetryEngine.FirstProcessed
@@ -141,7 +141,7 @@ This event is fired when the telemetry engine within an office application has p
- **appVersionMajor:** First part of the version X.*.*.*
- **appVersionMinor:** Second part of the version *.X.*.*
- **appVersionRev:** Fourth part of the version *.*.*.XXXXX
-- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
+- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user
- **SessionID:** ID of the session
## Microsoft.Office.TelemetryEngine.FirstRuleRequest
@@ -151,7 +151,7 @@ This event is fired when the telemetry engine within an office application has r
- **appVersionMajor:** First part of the version X.*.*.*
- **appVersionMinor:** Second part of the version *.X.*.*
- **appVersionRev:** Fourth part of the version *.*.*.XXXXX
-- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
+- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user
- **SessionID:** ID of the session
## Microsoft.Office.TelemetryEngine.Init
@@ -161,18 +161,18 @@ This event is fired when the telemetry engine within an office application has b
- **appVersionMajor:** First part of the version X.*.*.*
- **appVersionMinor:** Second part of the version *.X.*.*
- **appVersionRev:** Fourth part of the version *.*.*.XXXXX
-- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
+- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user
- **SessionID:** ID of the session
## Microsoft.Office.TelemetryEngine.Resume
-This event is fired when the application resumes from sleep state. Used for understanding whether there are issues in the application life-cycle.
+This event is fired when the application resumes from sleep state. Used for understanding whether there are issues in the application life cycle.
- **appVersionBuild:** Third part of the version *.*.XXXXX.*
- **appVersionMajor:** First part of the version X.*.*.*
- **appVersionMinor:** Second part of the version *.X.*.*
- **appVersionRev:** Fourth part of the version *.*.*.XXXXX
- **maxSequenceIdSeen:** How many events from this session have seen so far?
-- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
+- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user
- **rulesSubmittedBeforeResume:** How many events were submitted before the process was resumed?
- **SessionID:** ID of the session
@@ -183,7 +183,7 @@ This event is fired when the telemetry engine within an office application fails
- **appVersionMajor:** First part of the version X.*.*.*
- **appVersionMinor:** Second part of the version *.X.*.*
- **appVersionRev:** Fourth part of the version *.*.*.XXXXX
-- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
+- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user
- **SessionID:** ID of the session
## Microsoft.Office.TelemetryEngine.RuleRequestFailedDueToClientOffline
@@ -193,7 +193,7 @@ This event is fired when the telemetry engine within an office application fails
- **appVersionMajor:** First part of the version X.*.*.*
- **appVersionMinor:** Second part of the version *.X.*.*
- **appVersionRev:** Fourth part of the version *.*.*.XXXXX
-- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
+- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user
- **SessionID:** ID of the session
## Microsoft.Office.TelemetryEngine.ShutdownComplete
@@ -204,7 +204,7 @@ This event is fired when the telemetry engine within an office application has p
- **appVersionMinor:** Second part of the version *.X.*.*
- **appVersionRev:** Fourth part of the version *.*.*.XXXXX
- **maxSequenceIdSeen:** How many events from this session have seen so far?
-- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
+- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user
- **rulesSubmittedBeforeResume:** How many events were submitted before the process was resumed?
- **SessionID:** ID of the session
@@ -215,7 +215,7 @@ This event is fired when the telemetry engine within an office application been
- **appVersionMajor:** First part of the version X.*.*.*
- **appVersionMinor:** Second part of the version *.X.*.*
- **appVersionRev:** Fourth part of the version *.*.*.XXXXX
-- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
+- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user
- **rulesSubmittedBeforeResume:** How many events were submitted before the process was resumed?
- **SessionID:** ID of the session
@@ -227,26 +227,26 @@ This event is fired when the telemetry engine within an office application has p
- **appVersionMinor:** Second part of the version *.X.*.*
- **appVersionRev:** Fourth part of the version *.*.*.XXXXX
- **maxSequenceIdSeen:** How many events from this session have seen so far?
-- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
+- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user
- **rulesSubmittedBeforeResume:** How many events were submitted before the process was resumed?
- **SessionID:** ID of the session
- **SuspendType:** Type of suspend
## Microsoft.Office.TelemetryEngine.SuspendStart
-This event is fired when the office application suspends as per app life-cycle change. Used for understanding whether there are issues in the application life-cycle.
+This event is fired when the office application suspends as per app life-cycle change. Used for understanding whether there are issues in the application life cycle.
- **appVersionBuild:** Third part of the version *.*.XXXXX.*
- **appVersionMajor:** First part of the version X.*.*.*
- **appVersionMinor:** Second part of the version *.X.*.*
- **appVersionRev:** Fourth part of the version *.*.*.XXXXX
- **maxSequenceIdSeen:** How many events from this session have seen so far?
-- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
+- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user
- **rulesSubmittedBeforeResume:** How many events were submitted before the process was resumed?
- **SessionID:** ID of the session
- **SuspendType:** Type of suspend
## Microsoft.OSG.OSS.CredProvFramework.ReportResultStop
-This event indicates the result of an attempt to authenticate a user with a credential provider. It helps Microsoft to improve logon reliability. Using this event with Desktop Analytics can help organizations monitor and improve logon success for different methods (for example, biometric) on managed devices.
+This event indicates the result of an attempt to authenticate a user with a credential provider. It helps Microsoft to improve sign-in reliability. Using this event with Desktop Analytics can help organizations monitor and improve sign-in success for different methods (for example, biometric) on managed devices.
The following fields are available:
@@ -262,11 +262,11 @@ The following fields are available:
- **ReturnCode:** Output of the ReportResult function
- **SessionId:** Session identifier
- **Sign-in error status:** The sign-in error status
-- **SubStatus:** Sign-in error sub-status
+- **SubStatus:** Sign-in error substatus
- **UserTag:** Count of the number of times a user has selected a provider
## Microsoft.Windows.Kernel.Power.OSStateChange
-This event denotes the transition between operating system states (e.g., On, Off, Sleep, etc.). By using this event with Desktop Analytics, organizations can use this to monitor reliability and performance of managed devices
+This event denotes the transition between operating system states (On, Off, Sleep, etc.). By using this event with Desktop Analytics, organizations can monitor reliability and performance of managed devices.
The following fields are available:
@@ -281,10 +281,10 @@ The following fields are available:
- **EnergyChangeV2Flags:** Flags for disambiguating EnergyChangeV2 context
- **EventSequence:** A sequential number used to evaluate the completeness of the data
- **LastStateTransition:** ID of the last operating system state transition
-- **LastStateTransitionSub:** ID of the last operating system sub-state transition
+- **LastStateTransitionSub:** ID of the last operating system substate transition
- **StateDurationMS:** Number of milliseconds spent in the last operating system state
- **StateTransition:** ID of the operating system state the system is transitioning to
-- **StateTransitionSub:** ID of the operating system sub-state the system is transitioning to
+- **StateTransitionSub:** ID of the operating system substate the system is transitioning to
- **TotalDurationMS:** Total time (in milliseconds) spent in all states since the last boot
- **TotalUptimeMS:** Total time (in milliseconds) the device was in Up or Running states since the last boot
- **TransitionsToOn:** Number of transitions to the Powered On state since the last boot
@@ -305,7 +305,7 @@ Sends details about any error codes detected during a failed sign-in.
The following fields are available:
- **ntsStatus:** The NTSTATUS error code status returned from an attempted sign-in
-- **ntsSubstatus:** The NTSTATUS error code sub-status returned from an attempted sign-in
+- **ntsSubstatus:** The NTSTATUS error code substatus returned from an attempted sign-in
## Microsoft.Windows.Security.Biometrics.Service.BioServiceActivityCapture
Indicates that a biometric capture was compared to known templates
@@ -327,7 +327,7 @@ The following field is available:
- **ticksSinceBoot:** Duration of boot event (milliseconds)
## Microsoft.Windows.Shell.Desktop.LogonFramework.AllLogonTasks
-This event summarizes the logon procedure to help Microsoft improve performance and reliability. By using this event with Desktop Analytics organizations can help identify logon problems on managed devices.
+This event summarizes the logon procedure to help Microsoft improve performance and reliability. By using this event with Desktop Analytics, organizations can help identify logon problems on managed devices.
The following fields are available:
@@ -341,7 +341,7 @@ The following fields are available:
- **wilActivity:** Indicates errors in the task to help Microsoft improve reliability.
## Microsoft.Windows.Shell.Desktop.LogonFramework.LogonTask
-This event describes system tasks which are part of the user logon sequence and helps Microsoft to improve reliability.
+This event describes system tasks that are part of the user logon sequence and helps Microsoft to improve reliability.
The following fields are available:
@@ -359,7 +359,7 @@ For a device subject to Windows Information Protection policy, learning events a
The following fields are available:
- **actiontype:** Indicates what type of resource access the app was attempting (for example, opening a local document vs. a network resource) when it encountered a policy boundary. Useful for Windows Information Protection administrators to tune policy rules.
-- **appIdType:** Based on the type of application, this indicates what type of app rule a Windows Information Protection administrator would need to create for this app.
+- **appIdType:** Based on the type of application, this field indicates what type of app rule a Windows Information Protection administrator would need to create for this app.
- **appname:** App that triggered the event
- **status:** Indicates whether errors occurred during WIP learning events
@@ -397,11 +397,11 @@ The following fields are available:
- **MonitorWidth:** Number of horizontal pixels in the application host monitor resolution
- **MouseInputSec:** Total number of seconds during which there was mouse input
- **NewProcessCount:** Number of new processes contributing to the aggregate
-- **PartATransform_AppSessionGuidToUserSid:** Flag which influences how other parts of the event are constructed
+- **PartATransform_AppSessionGuidToUserSid:** Flag that influences how other parts of the event are constructed
- **PenInputSec:** Total number of seconds during which there was pen input
- **SpeechRecognitionSec:** Total number of seconds of speech recognition
- **SummaryRound:** Incrementing number indicating the round (batch) being summarized
-- **TargetAsId:** Flag which influences how other parts of the event are constructed
+- **TargetAsId:** Flag that influences how other parts of the event are constructed
- **TotalUserOrDisplayActiveDurationMS:** Total time the user or the display was active (in milliseconds)
- **TouchInputSec:** Total number of seconds during which there was touch input
- **UserActiveDurationMS:** Total time that the user was active including all input methods
@@ -415,7 +415,7 @@ The following fields are available:
## Revisions
### PartA_UserSid removed
-A previous revision of this list stated that a field named PartA_UserSid was a member of the event Microsoft.Windows.LogonController.LogonAndUnlockSubmit. This was incorrect. The list has been updated to reflect that no such field is present in the event.
+A previous revision of this list stated that a field named PartA_UserSid was a member of the event Microsoft.Windows.LogonController.LogonAndUnlockSubmit. This statement was incorrect. The list has been updated to reflect that no such field is present in the event.
### Office events added
In Windows 10, version 1809 (also applies to versions 1709 and 1803 starting with [KB 4462932](https://support.microsoft.com/help/4462932/windows-10-update-kb4462932) and [KB 4462933](https://support.microsoft.com/help/4462933/windows-10-update-kb4462933) respectively), 16 events were added, describing Office app launch and availability. These events were added to improve the precision of Office data in Windows Analytics.
diff --git a/windows/privacy/windows-diagnostic-data-1703.md b/windows/privacy/windows-diagnostic-data-1703.md
index ef7ec52739..ffa7858d15 100644
--- a/windows/privacy/windows-diagnostic-data-1703.md
+++ b/windows/privacy/windows-diagnostic-data-1703.md
@@ -42,7 +42,7 @@ Most diagnostic events contain a header of common data:
| Category Name | Examples |
| - | - |
-| Common Data | Information that is added to most diagnostic events, if relevant and available:
- OS name, version, build, and [locale](https://msdn.microsoft.com/library/windows/desktop/dd318716.aspx)
- User ID -- a unique identifier associated with the user's Microsoft Account (if one is used) or local account. The user's Microsoft Account identifier is not collected from devices configured to send Basic diagnostic data
- Xbox UserID
- Environment from which the event was logged -- Application ID of app or component that logged the event, Session GUID. Used to track events over a given period of time such the period an app is running or between boots of the OS.
- The diagnostic event name, Event ID, [ETW](https://msdn.microsoft.com/library/windows/desktop/bb968803.aspx) opcode, version, schema signature, keywords, and flags
- HTTP header information, including the IP address. This IP address is the source address that’s provided by the network packet header and received by the diagnostics ingestion service.
- Various IDs that are used to correlate and sequence related events together.
- Device ID. This is not the user provided device name, but an ID that is unique for that device.
- Device class -- Desktop, Server, or Mobile
- Event collection time
- Diagnostic level -- Basic or Full, Sample level -- for sampled data, what sample level is this device opted into
|
+| Common Data | Information that is added to most diagnostic events, if relevant and available:
- OS name, version, build, and [locale](https://msdn.microsoft.com/library/windows/desktop/dd318716.aspx)
- User ID - a unique identifier associated with the user's Microsoft Account (if one is used) or local account. The user's Microsoft Account identifier is not collected from devices configured to send Basic diagnostic data
- Xbox UserID
- Environment from which the event was logged - Application ID of app or component that logged the event, Session GUID. Used to track events over a given period of time such the period an app is running or between boots of the OS.
- The diagnostic event name, Event ID, [ETW](https://msdn.microsoft.com/library/windows/desktop/bb968803.aspx) opcode, version, schema signature, keywords, and flags
- HTTP header information, including the IP address. This IP address is the source address that’s provided by the network packet header and received by the diagnostics ingestion service.
- Various IDs that are used to correlate and sequence related events together.
- Device ID. This ID is not the user provided device name, but an ID that is unique for that device.
- Device class - Desktop, Server, or Mobile
- Event collection time
- Diagnostic level - Basic or Full, Sample level - for sampled data, what sample level is this device opted into
|
## Device, Connectivity, and Configuration data
@@ -50,38 +50,38 @@ This type of data includes details about the device, its configuration and conne
| Category Name | Examples |
| - | - |
-| Device properties | Information about the OS and device hardware, such as:
- OS - version name, Edition
- Installation type, subscription status, and genuine OS status
- Processor architecture, speed, number of cores, manufacturer, and model
- OEM details --manufacturer, model, and serial number
- Device identifier and Xbox serial number
- Firmware/BIOS -- type, manufacturer, model, and version
- Memory -- total memory, video memory, speed, and how much memory is available after the device has reserved memory
- Storage -- total capacity and disk type
- Battery -- charge capacity and InstantOn support
- Hardware chassis type, color, and form factor
- Is this a virtual machine?
|
-| Device capabilities | Information about the specific device capabilities such as:
- Camera -- whether the device has a front facing, a rear facing camera, or both.
- Touch screen -- does the device include a touch screen? If so, how many hardware touch points are supported?
- Processor capabilities -- CompareExchange128, LahfSahf, NX, PrefetchW, and SSE2
- Trusted Platform Module (TPM) – whether present and what version
- Virtualization hardware -- whether an IOMMU is present, SLAT support, is virtualization enabled in the firmware
- Voice – whether voice interaction is supported and the number of active microphones
- Number of displays, resolutions, DPI
- Wireless capabilities
- OEM or platform face detection
- OEM or platform video stabilization and quality level set
- Advanced Camera Capture mode (HDR vs. LowLight), OEM vs. platform implementation, HDR probability, and Low Light probability
|
-| Device preferences and settings | Information about the device settings and user preferences such as:
- User Settings – System, Device, Network & Internet, Personalization, Cortana, Apps, Accounts, Time & Language, Gaming, Ease of Access, Privacy, Update & Security
- User-provided device name
- Whether device is domain-joined, or cloud-domain joined (i.e. part of a company-managed network)
- Hashed representation of the domain name
- MDM (mobile device management) enrollment settings and status
- BitLocker, Secure Boot, encryption settings, and status
- Windows Update settings and status
- Developer Unlock settings and status
- Default app choices
- Default browser choice
- Default language settings for app, input, keyboard, speech, and display
- App store update settings
- Enterprise OrganizationID, Commercial ID
|
-| Device peripherals | Information about the device peripherals such as:
- Peripheral name, device model, class, manufacturer and description
- Peripheral device state, install state, and checksum
- Driver name, package name, version, and manufacturer
- HWID - A hardware vendor defined ID to match a device to a driver [INF file](https://msdn.microsoft.com/windows/hardware/drivers/install/hardware-ids)
- Driver state, problem code, and checksum
- Whether driver is kernel mode, signed, and image size
|
-| Device network info | Information about the device network configuration such as:
- Network system capabilities
- Local or Internet connectivity status
- Proxy, gateway, DHCP, DNS details and addresses
- Paid or free network
- Wireless driver is emulated or not
- Access point mode capable
- Access point manufacturer, model, and MAC address
- WDI Version
- Name of networking driver service
- Wi-Fi Direct details
- Wi-Fi device hardware ID and manufacturer
- Wi-Fi scan attempt counts and item counts
- Mac randomization is supported/enabled or not
- Number of spatial streams and channel frequencies supported
- Manual or Auto Connect enabled
- Time and result of each connection attempt
- Airplane mode status and attempts
- Interface description provided by the manufacturer
- Data transfer rates
- Cipher algorithm
- Mobile Equipment ID (IMEI) and Mobile Country Code (MCCO)
- Mobile operator and service provider name
- Available SSIDs and BSSIDs
- IP Address type -- IPv4 or IPv6
- Signal Quality percentage and changes
- Hotspot presence detection and success rate
- TCP connection performance
- Miracast device names
- Hashed IP address
+| Device properties | Information about the OS and device hardware, such as:
- OS - version name, Edition
- Installation type, subscription status, and genuine OS status
- Processor architecture, speed, number of cores, manufacturer, and model
- OEM details - manufacturer, model, and serial number
- Device identifier and Xbox serial number
- Firmware/BIOS - type, manufacturer, model, and version
- Memory - total memory, video memory, speed, and how much memory is available after the device has reserved memory
- Storage - total capacity and disk type
- Battery - charge capacity and InstantOn support
- Hardware chassis type, color, and form factor
- Is this machine a virtual machine?
|
+| Device capabilities | Information about the specific device capabilities such as:
- Camera - whether the device has a front facing, a rear facing camera, or both.
- Touch screen - does the device include a touch screen? If so, how many hardware touch points are supported?
- Processor capabilities - CompareExchange128, LahfSahf, NX, PrefetchW, and SSE2
- Trusted Platform Module (TPM) – whether present and what version
- Virtualization hardware - whether an IOMMU is present, SLAT support, is virtualization enabled in the firmware
- Voice – whether voice interaction is supported and the number of active microphones
- Number of displays, resolutions, DPI
- Wireless capabilities
- OEM or platform face detection
- OEM or platform video stabilization and quality level set
- Advanced Camera Capture mode (HDR vs. LowLight), OEM vs. platform implementation, HDR probability, and Low Light probability
|
+| Device preferences and settings | Information about the device settings and user preferences such as:
- User Settings – System, Device, Network & Internet, Personalization, Cortana, Apps, Accounts, Time & Language, Gaming, Ease of Access, Privacy, Update & Security
- User-provided device name
- Whether device is domain-joined, or cloud-domain joined (that is, part of a company-managed network)
- Hashed representation of the domain name
- MDM (mobile device management) enrollment settings and status
- BitLocker, Secure Boot, encryption settings, and status
- Windows Update settings and status
- Developer Unlock settings and status
- Default app choices
- Default browser choice
- Default language settings for app, input, keyboard, speech, and display
- App store update settings
- Enterprise OrganizationID, Commercial ID
|
+| Device peripherals | Information about the device peripherals such as:
- Peripheral name, device model, class, manufacturer, and description
- Peripheral device state, install state, and checksum
- Driver name, package name, version, and manufacturer
- HWID - A hardware vendor defined ID to match a device to a driver [INF file](https://msdn.microsoft.com/windows/hardware/drivers/install/hardware-ids)
- Driver state, problem code, and checksum
- Whether driver is kernel mode, signed, and image size
|
+| Device network info | Information about the device network configuration such as:
- Network system capabilities
- Local or Internet connectivity status
- Proxy, gateway, DHCP, DNS details, and addresses
- Paid or free network
- Wireless driver is emulated or not
- Access point mode capable
- Access point manufacturer, model, and MAC address
- WDI Version
- Name of networking driver service
- Wi-Fi Direct details
- Wi-Fi device hardware ID and manufacturer
- Wi-Fi scan attempt counts and item counts
- Mac randomization is supported/enabled or not
- Number of spatial streams and channel frequencies supported
- Manual or Auto Connect enabled
- Time and result of each connection attempt
- Airplane mode status and attempts
- Interface description provided by the manufacturer
- Data transfer rates
- Cipher algorithm
- Mobile Equipment ID (IMEI) and Mobile Country Code (MCCO)
- Mobile operator and service provider name
- Available SSIDs and BSSIDs
- IP Address type - IPv4 or IPv6
- Signal Quality percentage and changes
- Hotspot presence detection and success rate
- TCP connection performance
- Miracast device names
- Hashed IP address
## Product and Service Usage data
-This type of data includes details about the usage of the device, operating system, applications and services.
+This type of data includes details about the usage of the device, operating system, applications, and services.
| Category Name | Examples |
| - | - |
-| App usage | Information about Windows and application usage such as:- OS component and app feature usage
- User navigation and interaction with app and Windows features. This could potentially include user input, such as name of a new alarm set, user menu choices, or user favorites.
- Time of and count of app/component launches, duration of use, session GUID, and process ID
- App time in various states – running foreground or background, sleeping, or receiving active user interaction
- User interaction method and duration – whether and length of time user used the keyboard, mouse, pen, touch, speech, or game controller
- Cortana launch entry point/reason
- Notification delivery requests and status
- Apps used to edit images and videos
- SMS, MMS, VCard, and broadcast message usage statistics on primary or secondary line
- Incoming and Outgoing calls and Voicemail usage statistics on primary or secondary line
- Emergency alerts are received or displayed statistics
- Content searches within an app
- Reading activity -- bookmarking used, print used, layout changed
|
-| App or product state | Information about Windows and application state such as:- Start Menu and Taskbar pins
- Online/Offline status
- App launch state –- with deep-link such as Groove launched with an audio track to play, or share contract such as MMS launched to share a picture.
- Personalization impressions delivered
- Whether the user clicked or hovered on UI controls or hotspots
- User feedback Like or Dislike or rating was provided
- Caret location or position within documents and media files -- how much of a book has been read in a single session or how much of a song has been listened to.
|
+| App usage | Information about Windows and application usage such as:- OS component and app feature usage
- User navigation and interaction with app and Windows features. This information could include user input, such as the name of a new alarm set, user menu choices, or user favorites.
- Time of and count of app/component launches, duration of use, session GUID, and process ID
- App time in various states – running foreground or background, sleeping, or receiving active user interaction
- User interaction method and duration – whether and length of time user used the keyboard, mouse, pen, touch, speech, or game controller
- Cortana launch entry point/reason
- Notification delivery requests and status
- Apps used to edit images and videos
- SMS, MMS, VCard, and broadcast message usage statistics on primary or secondary line
- Incoming and Outgoing calls and Voicemail usage statistics on primary or secondary line
- Emergency alerts are received or displayed statistics
- Content searches within an app
- Reading activity - bookmarking used, print used, layout changed
|
+| App or product state | Information about Windows and application state such as:- Start Menu and Taskbar pins
- Online/Offline status
- App launch state –- with deep-link such as Groove launched with an audio track to play, or share contract such as MMS launched to share a picture.
- Personalization impressions delivered
- Whether the user clicked or hovered on UI controls or hotspots
- User feedback Like or Dislike or rating was provided
- Caret location or position within documents and media files - how much of a book has been read in a single session or how much of a song has been listened to.
|
| Login properties | - Login success or failure
- Login sessions and state
|
## Product and Service Performance data
-This type of data includes details about the health of the device, operating system, apps and drivers.
+This type of data includes details about the health of the device, operating system, apps, and drivers.
| Category Name | Description and Examples |
| - | - |
-|Device health and crash data | Information about the device and software health such as:
- Error codes and error messages, name and ID of the app, and process reporting the error
- DLL library predicted to be the source of the error -- xyz.dll
- System generated files -- app or product logs and trace files to help diagnose a crash or hang
- System settings such as registry keys
- User generated files – .doc, .ppt, .csv files where they are indicated as a potential cause for a crash or hang
- Details and counts of abnormal shutdowns, hangs, and crashes
- Crash failure data – OS, OS component, driver, device, 1st and 3rd party app data
- Crash and Hang dumps
- The recorded state of the working memory at the point of the crash.
- Memory in use by the kernel at the point of the crash.
- Memory in use by the application at the point of the crash.
- All the physical memory used by Windows at the point of the crash.
- Class and function name within the module that failed.
|
-|Device performance and reliability data | Information about the device and software performance such as:
- User Interface interaction durations -- Start Menu display times, browser tab switch times, app launch and switch times, and Cortana and search performance and reliability.
- Device on/off performance -- Device boot, shutdown, power on/off, lock/unlock times, and user authentication times (fingerprint and face recognition durations).
- In-app responsiveness -- time to set alarm, time to fully render in-app navigation menus, time to sync reading list, time to start GPS navigation, time to attach picture MMS, and time to complete a Microsoft Store transaction.
- User input responsiveness – onscreen keyboard invocation times for different languages, time to show auto-complete words, pen or touch latencies, latency for handwriting recognition to words, Narrator screen reader responsiveness, and CPU score.
- UI and media performance and glitches/smoothness -- video playback frame rate, audio glitches, animation glitches (stutter when bringing up Start), graphics score, time to first frame, play/pause/stop/seek responsiveness, time to render PDF, dynamic streaming of video from OneDrive performance
- Disk footprint -- Free disk space, out of memory conditions, and disk score.
- Excessive resource utilization – components impacting performance or battery life through high CPU usage during different screen and power states
- Background task performance -- download times, Windows Update scan duration, Microsoft Defender Antivirus scan times, disk defrag times, mail fetch times, service startup and state transition times, and time to index on-device files for search results
- Peripheral and devices -- USB device connection times, time to connect to a wireless display, printing times, network availability and connection times (time to connect to Wi-Fi, time to get an IP address from DHCP etc.), smart card authentication times, automatic brightness environmental response times
- Device setup -- first setup experience times (time to install updates, install apps, connect to network etc.), time to recognize connected devices (printer and monitor), and time to setup Microsoft Account.
- Power and Battery life – power draw by component (Process/CPU/GPU/Display), hours of screen off time, sleep state transition details, temperature and thermal throttling, battery drain in a power state (screen off or screen on), processes and components requesting power use during screen off, auto-brightness details, time device is plugged into AC vs. battery, battery state transitions
- Service responsiveness - Service URI, operation, latency, service success/error codes, and protocol.
- Diagnostic heartbeat – regular signal to validate the health of the diagnostics system
|
-|Movies|Information about movie consumption functionality on the device. This isn't intended to capture user viewing, listening or habits.
- Video Width, height, color pallet, encoding (compression) type, and encryption type
- Instructions for how to stream content for the user -- the smooth streaming manifest of chunks of content files that must be pieced together to stream the content based on screen resolution and bandwidth
- URL for a specific two second chunk of content if there is an error
- Full screen viewing mode details|
-|Music & TV|Information about music and TV consumption on the device. This isn't intended to capture user viewing, listening or habits.
- Service URL for song being downloaded from the music service – collected when an error occurs to facilitate restoration of service
- Content type (video, audio, surround audio)
- Local media library collection statistics -- number of purchased tracks, number of playlists
- Region mismatch -- User OS Region, and Xbox Live region
|
-|Reading|Information about reading consumption functionality on the device. This isn't intended to capture user viewing, listening or habits.
- App accessing content and status and options used to open a Microsoft Store book
- Language of the book
- Time spent reading content
- Content type and size details
|
-|Photos App|Information about photos usage on the device. This isn't intended to capture user viewing, listening or habits.
- File source data -- local, SD card, network device, and OneDrive
- Image & video resolution, video length, file sizes types and encoding
- Collection view or full screen viewer use and duration of view
|
-|On-device file query | Information about local search activity on the device such as: - Kind of query issued and index type (ConstraintIndex, SystemIndex)
- Number of items requested and retrieved
- File extension of search result user interacted with
- Launched item kind, file extension, index of origin, and the App ID of the opening app.
- Name of process calling the indexer and time to service the query.
- A hash of the search scope (file, Outlook, OneNote, IE history)
- The state of the indices (fully optimized, partially optimized, being built)
|
-|Purchasing| Information about purchases made on the device such as:
- Product ID, edition ID and product URI
- Offer details -- price
- Order requested date/time
- Store client type -- web or native client
- Purchase quantity and price
- Payment type -- credit card type and PayPal
|
-|Entitlements | Information about entitlements on the device such as:
- Service subscription status and errors
- DRM and license rights details -- Groove subscription or OS volume license
- Entitlement ID, lease ID, and package ID of the install package
- Entitlement revocation
- License type (trial, offline vs online) and duration
- License usage session
|
+|Device health and crash data | Information about the device and software health such as:
- Error codes and error messages, name and ID of the app, and process reporting the error
- DLL library predicted to be the source of the error - xyz.dll
- System-generated files - app or product logs and trace files to help diagnose a crash or hang
- System settings such as registry keys
- User-generated files – .doc, .ppt, .csv files where they are indicated as a potential cause for a crash or hang
- Details and counts of abnormal shutdowns, hangs, and crashes
- Crash failure data – OS, OS component, driver, device, 1st and 3rd party app data
- Crash and Hang dumps
- The recorded state of the working memory at the point of the crash.
- Memory in use by the kernel at the point of the crash.
- Memory in use by the application at the point of the crash.
- All the physical memory used by Windows at the point of the crash.
- Class and function name within the module that failed.
|
+|Device performance and reliability data | Information about the device and software performance such as:
- User Interface interaction durations - Start Menu display times, browser tab switch times, app launch and switch times, and Cortana and search performance and reliability.
- Device on/off performance - Device boot, shutdown, power on/off, lock/unlock times, and user authentication times (fingerprint and face recognition durations).
- In-app responsiveness - time to set alarm, time to fully render in-app navigation menus, time to sync reading list, time to start GPS navigation, time to attach picture MMS, and time to complete a Microsoft Store transaction.
- User input responsiveness – onscreen keyboard invocation times for different languages, time to show autocomplete words, pen or touch latencies, latency for handwriting recognition to words, Narrator screen reader responsiveness, and CPU score.
- UI and media performance and glitches/smoothness - video playback frame rate, audio glitches, animation glitches (stutter when bringing up Start), graphics score, time to first frame, play/pause/stop/seek responsiveness, time to render PDF, dynamic streaming of video from OneDrive performance
- Disk footprint - Free disk space, out of memory conditions, and disk score.
- Excessive resource utilization – components impacting performance or battery life through high CPU usage during different screen and power states
- Background task performance - download times, Windows Update scan duration, Microsoft Defender Antivirus scan times, disk defrag times, mail fetch times, service startup and state transition times, and time to index on-device files for search results
- Peripheral and devices - USB device connection times, time to connect to a wireless display, printing times, network availability, and connection times (time to connect to Wi-Fi, time to get an IP address from DHCP, and so on), smart card authentication times, automatic brightness environmental response times
- Device setup - first setup experience times (time to install updates, install apps, connect to network etc.), time to recognize connected devices (printer and monitor), and time to setup Microsoft Account.
- Power and Battery life – power draw by component (Process/CPU/GPU/Display), hours of screen off time, sleep state transition details, temperature and thermal throttling, battery drain in a power state (screen off or screen on), processes and components requesting power use during screen off, autobrightness details, time device is plugged into AC vs. battery, battery state transitions
- Service responsiveness - Service URI, operation, latency, service success/error codes, and protocol.
- Diagnostic heartbeat – regular signal to validate the health of the diagnostics system
|
+|Movies|Information about movie consumption functionality on the device. This information isn't intended to capture user viewing, listening, or habits.
- Video Width, height, color pallet, encoding (compression) type, and encryption type
- Instructions for how to stream content for the user - the smooth streaming manifest of chunks of content files that must be pieced together to stream the content based on screen resolution and bandwidth
- URL for a specific two-second chunk of content if there is an error
- Full screen viewing mode details|
+|Music & TV|Information about music and TV consumption on the device. This information isn't intended to capture user viewing, listening, or habits.
- Service URL for song being downloaded from the music service – collected when an error occurs to facilitate restoration of service
- Content type (video, audio, surround audio)
- Local media library collection statistics - number of purchased tracks, number of playlists
- Region mismatch - User OS Region, and Xbox Live region
|
+|Reading|Information about reading consumption functionality on the device. This information isn't intended to capture user viewing, listening, or habits.
- App accessing content and status and options used to open a Microsoft Store book
- Language of the book
- Time spent reading content
- Content type and size details
|
+|Photos App|Information about photos usage on the device. This information isn't intended to capture user viewing, listening, or habits.
- File source data - local, SD card, network device, and OneDrive
- Image & video resolution, video length, file sizes types and encoding
- Collection view or full screen viewer use and duration of view
|
+|On-device file query | Information about local search activity on the device such as: - Type of query issued and index type (ConstraintIndex, SystemIndex)
- Number of items requested and retrieved
- File extension of search result user interacted with
- Launched item kind, file extension, index of origin, and the App ID of the opening app.
- Name of process calling the indexer and time to service the query.
- A hash of the search scope (file, Outlook, OneNote, IE history)
- The state of the indices (fully optimized, partially optimized, being built)
|
+|Purchasing| Information about purchases made on the device such as:
- Product ID, edition ID, and product URI
- Offer details - price
- Order requested date/time
- Store client type - web or native client
- Purchase quantity and price
- Payment type - credit card type and PayPal
|
+|Entitlements | Information about entitlements on the device such as:
- Service subscription status and errors
- DRM and license rights details - Groove subscription or OS volume license
- Entitlement ID, lease ID, and package ID of the install package
- Entitlement revocation
- License type (trial, offline versus online) and duration
- License usage session
|
## Software Setup and Inventory data
@@ -90,7 +90,7 @@ This type of data includes software installation and update information on the d
| Category Name | Data Examples |
| - | - |
| Installed Applications and Install History | Information about apps, drivers, update packages, or OS components installed on the device such as:
- App, driver, update package, or component’s Name, ID, or Package Family Name
- Product, SKU, availability, catalog, content, and Bundle IDs
- OS component, app or driver publisher, language, version and type (Win32 or UWP)
- Install date, method, and install directory, count of install attempts
- MSI package code and product code
- Original OS version at install time
- User or administrator or mandatory installation/update
- Installation type – clean install, repair, restore, OEM, retail, upgrade, and update
|
-| Device update information | Information about Windows Update such as:
- Update Readiness analysis of device hardware, OS components, apps, and drivers (progress, status, and results)
- Number of applicable updates, importance, type
- Update download size and source -- CDN or LAN peers
- Delay upgrade status and configuration
- OS uninstall and rollback status and count
- Windows Update server and service URL
- Windows Update machine ID
- Windows Insider build details
+| Device update information | Information about Windows Update such as:
- Update Readiness analysis of device hardware, OS components, apps, and drivers (progress, status, and results)
- Number of applicable updates, importance, type
- Update download size and source - CDN or LAN peers
- Delay upgrade status and configuration
- OS uninstall and rollback status and count
- Windows Update server and service URL
- Windows Update machine ID
- Windows Insider build details
## Browsing History data
@@ -98,7 +98,7 @@ This type of data includes details about web browsing in the Microsoft browsers.
| Category Name | Description and Examples |
| - | - |
-| Microsoft browser data | Information about Address bar and search box performance on the device such as:- Text typed in address bar and search box
- Text selected for Ask Cortana search
- Service response time
- Auto-completed text if there was an auto-complete
- Navigation suggestions provided based on local history and favorites
- Browser ID
- URLs (which may include search terms)
- Page title
|
+| Microsoft browser data | Information about Address bar and search box performance on the device such as:- Text typed in address bar and search box
- Text selected for Ask Cortana search
- Service response time
- Autocompleted text if there was an autocomplete
- Navigation suggestions provided based on local history and favorites
- Browser ID
- URLs (which may include search terms)
- Page title
|
## Inking Typing and Speech Utterance data
@@ -107,4 +107,4 @@ This type of data gathers details about the voice, inking, and typing input feat
| Category Name | Description and Examples |
| - | - |
-| Voice, inking, and typing | Information about voice, inking and typing features such as:
- Type of pen used (highlighter, ball point, pencil), pen color, stroke height and width, and how long it is used
- Pen gestures (click, double click, pan, zoom, rotate)
- Palm Touch x,y coordinates
- Input latency, missed pen signals, number of frames, strokes, first frame commit time, sample rate
- Ink strokes written, text before and after the ink insertion point, recognized text entered, Input language - processed to remove identifiers, sequencing information, and other data (such as email addresses and numeric values) which could be used to reconstruct the original content or associate the input to the user.
- Text input from Windows Mobile on-screen keyboards except from password fields and private sessions - processed to remove identifiers, sequencing information, and other data (such as email addresses, and numeric values) which could be used to reconstruct the original content or associate the input to the user.
- Text of speech recognition results -- result codes and recognized text
- Language and model of the recognizer, System Speech language
- App ID using speech features
- Whether user is known to be a child
- Confidence and Success/Failure of speech recognition
|
+| Voice, inking, and typing | Information about voice, inking, and typing features such as:
- Type of pen used (highlighter, ball point, pencil), pen color, stroke height and width, and how long it is used
- Pen gestures (click, double-click, pan, zoom, rotate)
- Palm Touch x,y coordinates
- Input latency, missed pen signals, number of frames, strokes, first frame commit time, sample rate
- Ink strokes written, text before and after the ink insertion point, recognized text entered, Input language - processed to remove identifiers, sequencing information, and other data (such as email addresses and numeric values) which could be used to reconstruct the original content or associate the input to the user.
- Text input from Windows Mobile on-screen keyboards except from password fields and private sessions - processed to remove identifiers, sequencing information, and other data (such as email addresses, and numeric values) which could be used to reconstruct the original content or associate the input to the user.
- Text of speech recognition results - result codes and recognized text
- Language and model of the recognizer, System Speech language
- App ID using speech features
- Whether user is known to be a child
- Confidence and Success/Failure of speech recognition
|
diff --git a/windows/privacy/windows-diagnostic-data.md b/windows/privacy/windows-diagnostic-data.md
index 150b4905bd..2fc94568eb 100644
--- a/windows/privacy/windows-diagnostic-data.md
+++ b/windows/privacy/windows-diagnostic-data.md
@@ -28,7 +28,7 @@ Applies to:
Microsoft uses Windows diagnostic data to keep Windows secure and up-to-date, troubleshoot problems, and make product improvements. For users who have turned on "Tailored experiences", it can also be used to offer you personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. This article describes all types of diagnostic data collected by Windows at the Full level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 20H2 required diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields).
-In addition, this article provides references to equivalent definitions for the data types and examples from [ISO/IEC 19944:2017 Information technology -- Cloud computing -- Cloud services and devices: Data flow, data categories and data use](https://www.iso.org/standard/66674.html). Each data type also has a Data Use statement, for diagnostics and for Tailored experiences on the device, using the terms as defined by the standard. These Data Use statements define the purposes for which Microsoft processes each type of Windows diagnostic data, using a uniform set of definitions referenced at the end of this document and based on the ISO standard. Reference to the ISO standard provides additional clarity about the information collected, and allows easy comparison with other services or guidance that also references the standard.
+In addition, this article provides references to equivalent definitions for the data types and examples from [ISO/IEC 19944:2017 Information technology - Cloud computing - Cloud services and devices: Data flow, data categories, and data use](https://www.iso.org/standard/66674.html). Each data type also has a Data Use statement, for diagnostics and for Tailored experiences on the device, using the terms as defined by the standard. These Data Use statements define the purposes for which Microsoft processes each type of Windows diagnostic data, using a uniform set of definitions referenced at the end of this document and based on the ISO standard. Reference to the ISO standard provides additional clarity about the information collected, and allows easy comparison with other services or guidance that also references the standard.
The data covered in this article is grouped into the following types:
@@ -52,21 +52,21 @@ Header data supports the use of data associated with all diagnostic events. Ther
Information that is added to most diagnostic events, if relevant and available:
-- Diagnostic level -- Basic or Full, Sample level -- for sampled data, what sample level is this device opted into (8.2.3.2.4 Observed Usage of the Service Capability)
+- Diagnostic level - Basic or Full, Sample level - for sampled data, what sample level is this device opted into (8.2.3.2.4 Observed Usage of the Service Capability)
- Operating system name, version, build, and locale (8.2.3.2.2 Telemetry data)
- Event collection time (8.2.3.2.2 Telemetry data)
-- User ID -- a unique identifier associated with the user's Microsoft Account (if one is used) or local account. The user's Microsoft Account identifier is not collected from devices configured to send Basic - diagnostic data (8.2.5 Account data)
+- User ID - a unique identifier associated with the user's Microsoft Account (if one is used) or local account. The user's Microsoft Account identifier is not collected from devices configured to send Basic - diagnostic data (8.2.5 Account data)
- Xbox UserID (8.2.5 Account data)
-- Device ID -- This is not the user provided device name, but an ID that is unique for that device. (8.2.3.2.3 Connectivity data)
-- Device class -- Desktop, Server, or Mobile (8.2.3.2.3 Connectivity data)
-- Environment from which the event was logged -- Application ID of app or component that logged the event, Session GUID. Used to track events over a given period of time, such as the amount of time an app is running or between boots of the operating system (8.2.4 Cloud service provider data)
+- Device ID - This ID is not the user provided device name, but an ID that is unique for that device. (8.2.3.2.3 Connectivity data)
+- Device class - Desktop, Server, or Mobile (8.2.3.2.3 Connectivity data)
+- Environment from which the event was logged - Application ID of app or component that logged the event, Session GUID. Used to track events over a given period of time, such as the amount of time an app is running or between boots of the operating system (8.2.4 Cloud service provider data)
- Diagnostic event name, Event ID, ETW opcode, version, schema signature, keywords, and flags (8.2.4 Cloud service provider data)
- HTTP header information, including the IP address. This IP address is the source address that’s provided by the network packet header and received by the diagnostics ingestion service (8.2.4 Cloud service provider data)
- Various IDs that are used to correlate and sequence related events together (8.2.4 Cloud service provider data)
## Device, Connectivity, and Configuration data
-This type of data includes details about the device, its configuration and connectivity capabilities, and status. Device, Connectivity, and Configuration Data is equivalent to ISO/IEC 19944:2017, 8.2.3.2.3 Connectivity data.
+This type of data includes details about the device, its configuration and connectivity capabilities, and status. Device, Connectivity, and Configuration data is equivalent to ISO/IEC 19944:2017, 8.2.3.2.3 Connectivity data.
### Data Use for Device, Connectivity, and Configuration data
@@ -88,41 +88,41 @@ If a user has enabled Tailored experiences on the device, [Pseudonymized](#pseud
- Data about device properties and capabilities is used to provide tips about how to use or configure the device to get the best performance and user experience.
-- Data about device capabilities, such as whether the device is pen-enabled, is used to recommend (Microsoft and third-party) apps that are appropriate for the device. These may be free or paid apps.
+- Data about device capabilities, such as whether the device is pen-enabled, is used to recommend (Microsoft and third-party) apps that are appropriate for the device. These apps might be free or paid.
### Data Description for Device, Connectivity, and Configuration data type
-**Device properties sub-type:** Information about the operating system and device hardware
+**Device properties subtype:** Information about the operating system and device hardware
- Operating system - version name, edition
- Installation type, subscription status, and genuine operating system status
- Processor architecture, speed, number of cores, manufacturer, and model
-- OEM details --manufacturer, model, and serial number
+- OEM details - manufacturer, model, and serial number
- Device identifier and Xbox serial number
-- Firmware/BIOS operating system -- type, manufacturer, model, and version
-- Memory -- total memory, video memory, speed, and how much memory is available after the device has reserved memory
-- Storage -- total capacity and disk type
-- Battery -- charge capacity and InstantOn support
+- Firmware/BIOS operating system - type, manufacturer, model, and version
+- Memory - total memory, video memory, speed, and how much memory is available after the device has reserved memory
+- Storage - total capacity and disk type
+- Battery - charge capacity and InstantOn support
- Hardware chassis type, color, and form factor
-- Is this a virtual machine?
+- Is this machine a virtual machine?
-**Device capabilities sub-type:** Information about the capabilities of the device
+**Device capabilities subtype:** Information about the capabilities of the device
-- Camera -- whether the device has a front facing camera, a rear facing camera, or both.
-- Touch screen -- Whether the device has a touch screen? If yes, how many hardware touch points are supported?
-- Processor capabilities -- CompareExchange128, LahfSahf, NX, PrefetchW, and SSE2
-- Trusted Platform Module (TPM) -- whether a TPM exists and if yes, what version
-- Virtualization hardware -- whether an IOMMU exists, whether it includes SLAT support, and whether virtualization is enabled in the firmware
-- Voice -- whether voice interaction is supported and the number of active microphones
+- Camera - whether the device has a front facing camera, a rear facing camera, or both.
+- Touch screen - Does the device have a touch screen? If yes, how many hardware touch points are supported?
+- Processor capabilities - CompareExchange128, LahfSahf, NX, PrefetchW, and SSE2
+- Trusted Platform Module (TPM) - whether a TPM exists and if yes, what version
+- Virtualization hardware - whether an IOMMU exists, whether it includes SLAT support, and whether virtualization is enabled in the firmware
+- Voice - whether voice interaction is supported and the number of active microphones
- Number of displays, resolutions, and DPI
- Wireless capabilities
- OEM or platform face detection
- OEM or platform video stabilization and quality-level set
- Advanced Camera Capture mode (HDR versus Low Light), OEM versus platform implementation, HDR probability, and Low Light probability
-**Device preferences and settings sub-type:** Information about the device settings and user preferences
+**Device preferences and settings subtype:** Information about the device settings and user preferences
-- User Settings -- System, Device, Network & Internet, Personalization, Cortana, Apps, Accounts, Time & Language, Gaming, Ease of Access, Privacy, Update & Security
+- User Settings - System, Device, Network & Internet, Personalization, Cortana, Apps, Accounts, Time & Language, Gaming, Ease of Access, Privacy, Update & Security
- User-provided device name
- Whether device is domain-joined, or cloud-domain joined (for example, part of a company-managed network)
- Hashed representation of the domain name
@@ -136,7 +136,7 @@ If a user has enabled Tailored experiences on the device, [Pseudonymized](#pseud
- App store update settings
- Enterprise OrganizationID, Commercial ID
-**Device peripherals sub-type:** Information about the peripherals of the device
+**Device peripherals subtype:** Information about the peripherals of the device
- Peripheral name, device model, class, manufacturer, and description
- Peripheral device state, install state, and checksum
@@ -145,7 +145,7 @@ If a user has enabled Tailored experiences on the device, [Pseudonymized](#pseud
- Driver state, problem code, and checksum
- Whether driver is kernel mode, signed, and image size
-**Device network info sub-type:** Information about the device network configuration
+**Device network info subtype:** Information about the device network configuration
- Network system capabilities
- Local or Internet connectivity status
@@ -170,7 +170,7 @@ If a user has enabled Tailored experiences on the device, [Pseudonymized](#pseud
- Mobile Equipment ID (IMEI) and Mobile Country Code (MCCO)
- Mobile operator and service provider name
- Available SSIDs and BSSIDs
-- IP Address type -- IPv4 or IPv6
+- IP Address type - IPv4 or IPv6
- Signal Quality percentage and changes
- Hotspot presence detection and success rate
- TCP connection performance
@@ -178,7 +178,7 @@ If a user has enabled Tailored experiences on the device, [Pseudonymized](#pseud
- Hashed IP address
## Product and Service Usage data
-This type of data includes details about the usage of the device, operating system, applications and services. Product and Service Usage data is equivalent to ISO/IEC 19944:2017, 8.2.3.2.4 Observed Usage of the Service Capability.
+This type of data includes details about the usage of the device, operating system, applications, and services. Product and Service Usage data is equivalent to ISO/IEC 19944:2017, 8.2.3.2.4 Observed Usage of the Service Capability.
### Data Use for Product and Service Usage data
@@ -195,16 +195,16 @@ This type of data includes details about the usage of the device, operating syst
**With (optional) Tailored experiences:**
If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Usage data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Usage data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users. For example:
-- If data shows that a user has not used a particular feature of Windows, we may recommend that the user try that feature.
-- Data about which apps are most-used on a device is used to provide recommendations for similar or complementary (Microsoft or third-party) apps. These may be free or paid apps.
+- If data shows that a user has not used a particular feature of Windows, we might recommend that the user try that feature.
+- Data about which apps are most-used on a device is used to provide recommendations for similar or complementary (Microsoft or third-party) apps. These apps might be free or paid.
### Data Description for Product and Service Usage data type
-**App usage sub-type:** Information about Windows and application usage
+**App usage subtype:** Information about Windows and application usage
- Operating system component and app feature usage
-- User navigation and interaction with app and Windows features. This could potentially include user input, such as name of a new alarm set, user menu choices, or user favorites
+- User navigation and interaction with app and Windows features. This information could include user input, such as the name of a new alarm set, user menu choices, or user favorites
- Time of and count of app and component launches, duration of use, session GUID, and process ID
- App time in various states –- running in the foreground or background, sleeping, or receiving active user interaction
- User interaction method and duration –- whether the user used a keyboard, mouse, pen, touch, speech, or game controller, and for how long
@@ -215,9 +215,9 @@ If a user has enabled Tailored experiences on the device, [pseudonymized](#pseud
- Incoming and outgoing calls and voicemail usage statistics on primary or secondary lines
- Emergency alerts are received or displayed statistics
- Content searches within an app
-- Reading activity -- bookmarked, printed, or had the layout changed
+- Reading activity - bookmarked, printed, or had the layout changed
-**App or product state sub-type:** Information about Windows and application state
+**App or product state subtype:** Information about Windows and application state
- Start Menu and Taskbar pins
- Online and offline status
@@ -225,18 +225,18 @@ If a user has enabled Tailored experiences on the device, [pseudonymized](#pseud
- Personalization impressions delivered
- Whether the user clicked on, or hovered over, UI controls or hotspots
- User provided feedback, such as Like, Dislike or a rating
-- Caret location or position within documents and media files -- how much has been read in a book in a single session, or how much of a song has been listened to.
+- Caret location or position within documents and media files - how much has been read in a book in a single session, or how much of a song has been listened to.
-**Purchasing sub-type:** Information about purchases made on the device
+**Purchasing subtype:** Information about purchases made on the device
-- Product ID, edition ID and product URI
-- Offer details -- price
+- Product ID, edition ID, and product URI
+- Offer details - price
- Date and time an order was requested
-- Microsoft Store client type -- web or native client
+- Microsoft Store client type - web or native client
- Purchase quantity and price
-- Payment type -- credit card type and PayPal
+- Payment type - credit card type and PayPal
-**Login properties sub-type:** Information about logins on the device
+**Login properties subtype:** Information about logins on the device
- Login success or failure
- Login sessions and state
@@ -259,21 +259,21 @@ If a user has enabled Tailored experiences on the device, [pseudonymized](#pseud
- Data about battery performance on a device may be used to recommend settings changes that can improve battery performance.
- If data shows a device is running low on file storage, we may recommend Windows-compatible cloud storage solutions to free up space.
-- If data shows the device is experiencing performance issues, we may provide recommendations for Windows apps that can help diagnose or resolve these issues. These may be free or paid apps.
+- If data shows the device is experiencing performance issues, we may provide recommendations for Windows apps that can help diagnose or resolve these issues. These apps might be free or paid.
**Microsoft doesn't use crash and hang dump data to [personalize](#personalize), [recommend](#recommend), [offer](#offer), or [promote](#promote) any product or service.**
### Data Description for Product and Service Performance data type
-**Device health and crash data sub-type:** Information about the device and software health
+**Device health and crash data subtype:** Information about the device and software health
- Error codes and error messages, name and ID of the app, and process reporting the error
-- DLL library predicted to be the source of the error -- for example, xyz.dll
-- System generated files -- app or product logs and trace files to help diagnose a crash or hang
+- DLL library predicted to be the source of the error - for example, xyz.dll
+- System-generated files - app or product logs and trace files to help diagnose a crash or hang
- System settings, such as registry keys
-- User generated files -- files that are indicated as a potential cause for a crash or hang. For example, .doc, .ppt, .csv files
+- User-generated files - files that are indicated as a potential cause for a crash or hang. For example, .doc, .ppt, .csv files
- Details and counts of abnormal shutdowns, hangs, and crashes
-- Crash failure data -- operating system, operating system component, driver, device, and 1st and 3rd-party app data
+- Crash failure data - operating system, operating system component, driver, device, and first-party and third-party app data
- Crash and hang dumps, including:
- The recorded state of the working memory at the point of the crash
- Memory in-use by the kernel at the point of the crash.
@@ -281,43 +281,43 @@ If a user has enabled Tailored experiences on the device, [pseudonymized](#pseud
- All the physical memory used by Windows at the point of the crash
- Class and function name within the module that failed.
-**Device performance and reliability data sub-type:** Information about the device and software performance
+**Device performance and reliability data subtype:** Information about the device and software performance
-- User interface interaction durations -- Start menu display times, browser tab switch times, app launch and switch times, and Cortana and Search performance and reliability
-- Device on and off performance -- Device boot, shutdown, power on and off, lock and unlock times, and user authentication times (fingerprint and face recognition durations)
-- In-app responsiveness -- time to set alarm, time to fully render in-app navigation menus, time to sync reading list, time to start GPS navigation, time to attach picture MMS, and time to complete a Microsoft Store transaction
-- User input responsiveness -- onscreen keyboard invocation times for different languages, time to show auto-complete words, pen or touch latencies, latency for handwriting recognition to words, Narrator screen reader responsiveness, and CPU score
-- UI and media performance and glitches versus smoothness -- video playback frame rate, audio glitches, animation glitches (stutter when bringing up Start), graphics score, time to first frame, play/pause/stop/seek responsiveness, time to render PDF, dynamic streaming of video from OneDrive performance
-- Disk footprint -- Free disk space, out of memory conditions, and disk score
-- Excessive resource utilization -- components impacting performance or battery life through high CPU usage during different screen and power states
-- Background task performance -- download times, Windows Update scan duration, Microsoft Defender Antivirus scan times, disk defrag times, mail fetch times, service startup and state transition times, and time to index on-device files for search results
-- Peripheral and devices -- USB device connection times, time to connect to a wireless display, printing times, network availability and connection times (time to connect to Wi-Fi, time to get an IP address from DHCP etc.), smart card authentication times, automatic brightness, and environmental response times
-- Device setup -- first setup experience times (time to install updates, install apps, connect to network, and so on), time to recognize connected devices (printer and monitor), and time to set up a Microsoft Account
-- Power and Battery life -- power draw by component (Process/CPU/GPU/Display), hours of time the screen is off, sleep state transition details, temperature and thermal throttling, battery drain in a power state (screen off or screen on), processes and components requesting power use while the screen is off, auto-brightness details, time device is plugged into AC versus battery, and battery state transitions
-- Service responsiveness -- Service URI, operation, latency, service success and error codes, and protocol
-- Diagnostic heartbeat -- regular signal used to validate the health of the diagnostics system
+- User interface interaction durations - Start menu display times, browser tab switch times, app launch and switch times, and Cortana and Search performance and reliability
+- Device on and off performance - Device boot, shutdown, power on and off, lock and unlock times, and user authentication times (fingerprint and face recognition durations)
+- In-app responsiveness - time to set alarm, time to fully render in-app navigation menus, time to sync reading list, time to start GPS navigation, time to attach picture MMS, and time to complete a Microsoft Store transaction
+- User input responsiveness - onscreen keyboard invocation times for different languages, time to show autocomplete words, pen or touch latencies, latency for handwriting recognition to words, Narrator screen reader responsiveness, and CPU score
+- UI and media performance and glitches versus smoothness - video playback frame rate, audio glitches, animation glitches (stutter when bringing up Start), graphics score, time to first frame, play/pause/stop/seek responsiveness, time to render PDF, dynamic streaming of video from OneDrive performance
+- Disk footprint - Free disk space, out of memory conditions, and disk score
+- Excessive resource utilization - components impacting performance or battery life through high CPU usage during different screen and power states
+- Background task performance - download times, Windows Update scan duration, Microsoft Defender Antivirus scan times, disk defrag times, mail fetch times, service startup and state transition times, and time to index on-device files for search results
+- Peripheral and devices - USB device connection times, time to connect to a wireless display, printing times, network availability and connection times (time to connect to Wi-Fi, time to get an IP address from DHCP etc.), smart card authentication times, automatic brightness, and environmental response times
+- Device setup - first setup experience times (time to install updates, install apps, connect to network, and so on), time to recognize connected devices (printer and monitor), and time to set up a Microsoft Account
+- Power and Battery life - power draw by component (Process/CPU/GPU/Display), hours of time the screen is off, sleep state transition details, temperature and thermal throttling, battery drain in a power state (screen off or screen on), processes and components requesting power use while the screen is off, autobrightness details, time device is plugged into AC versus battery, and battery state transitions
+- Service responsiveness - Service URI, operation, latency, service success and error codes, and protocol
+- Diagnostic heartbeat - regular signal used to validate the health of the diagnostics system
-**Movies sub-type:** Information about movie consumption functionality on the device
+**Movies subtype:** Information about movie consumption functionality on the device
> [!NOTE]
> This isn't intended to capture user viewing, listening, or habits.
- Video Width, height, color palette, encoding (compression) type, and encryption type
-- Instructions about how to stream content for the user -- the smooth streaming manifest of content file chunks that must be pieced together to stream the content based on screen resolution and bandwidth
+- Instructions about how to stream content for the user - the smooth streaming manifest of content file chunks that must be pieced together to stream the content based on screen resolution and bandwidth
- URL for a specific two-second chunk of content if there is an error
- Full-screen viewing mode details
-**Music & TV sub-type:** Information about music and TV consumption on the device
+**Music & TV subtype:** Information about music and TV consumption on the device
> [!NOTE]
> This isn't intended to capture user viewing, listening, or habits.
-- Service URL for song being downloaded from the music service -- collected when an error occurs to facilitate restoration of service
+- Service URL for song being downloaded from the music service - collected when an error occurs to facilitate restoration of service
- Content type (video, audio, or surround audio)
-- Local media library collection statistics -- number of purchased tracks and number of playlists
-- Region mismatch -- User's operating system region and Xbox Live region
+- Local media library collection statistics - number of purchased tracks and number of playlists
+- Region mismatch - User's operating system region and Xbox Live region
-**Reading sub-type:** Information about reading consumption functionality on the device
+**Reading subtype:** Information about reading consumption functionality on the device
> [!NOTE]
> This isn't intended to capture user viewing, listening, or habits.
@@ -327,42 +327,42 @@ If a user has enabled Tailored experiences on the device, [pseudonymized](#pseud
- Time spent reading content
- Content type and size details
-**Photos app sub-type:** Information about photos usage on the device
+**Photos app subtype:** Information about photos usage on the device
> [!NOTE]
> This isn't intended to capture user viewing, listening, or habits.
-- File source data -- local, SD card, network device, and OneDrive
+- File source data - local, SD card, network device, and OneDrive
- Image and video resolution, video length, file sizes types, and encoding
- Collection view or full screen viewer use and duration of view
-**On-device file query sub-type:** Information about local search activity on the device
+**On-device file query subtype:** Information about local search activity on the device
-- Kind of query issued and index type (ConstraintIndex or SystemIndex)
+- Type of query issued and index type (ConstraintIndex or SystemIndex)
- Number of items requested and retrieved
- File extension of search result with which the user interacted
- Launched item type, file extension, index of origin, and the App ID of the opening app
- Name of process calling the indexer and the amount of time to service the query
- A hash of the search scope (file, Outlook, OneNote, or IE history). The state of the indices (fully optimized, partially optimized, or being built)
-**Entitlements sub-type:** Information about entitlements on the device
+**Entitlements subtype:** Information about entitlements on the device
- Service subscription status and errors
-- DRM and license rights details -- Groove subscription or operating system volume license
+- DRM and license rights details - Groove subscription or operating system volume license
- Entitlement ID, lease ID, and package ID of the install package
- Entitlement revocation
- License type (trial, offline versus online) and duration
- License usage session
## Software Setup and Inventory data
-This type of data includes software installation and update information on the device. Software Setup and Inventory Data is a sub-type of ISO/IEC 19944:2017 8.2.3.2.4 Observed Usage of the Service Capability.
+This type of data includes software installation and update information on the device. Software Setup and Inventory Data is a subtype of ISO/IEC 19944:2017 8.2.3.2.4 Observed Usage of the Service Capability.
### Data Use for Software Setup and Inventory data
**For Diagnostics:**
[Pseudonymized](#pseudo) Software Setup and Inventory data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example:
-- Data about the specific drivers that are installed on a device is used to understand whether there are any hardware or driver compatibility issues which should block or delay a Windows update.
+- Data about the specific drivers that are installed on a device is used to understand whether there are any hardware or driver compatibility issues that should block or delay a Windows update.
- Data about when a download starts and finishes on a device is used to understand and address download problems.
- Data about the specific Microsoft Store apps that are installed on a device is used to determine which app updates to provide to the device.
- Data about the antimalware installed on a device is used to understand malware transmissions vectors.
@@ -374,7 +374,7 @@ If a user has enabled Tailored experiences on the device, [pseudonymized](#pseud
### Data Description for Software Setup and Inventory data type
-**Installed applications and install history sub-type:** Information about apps, drivers, update packages, or operating system components installed on the device
+**Installed applications and install history subtype:** Information about apps, drivers, update packages, or operating system components installed on the device
- App, driver, update package, or component’s Name, ID, or Package Family Name
- Product, SKU, availability, catalog, content, and Bundle IDs
@@ -383,13 +383,13 @@ If a user has enabled Tailored experiences on the device, [pseudonymized](#pseud
- MSI package and product code
- Original operating system version at install time
- User, administrator, or mandatory installation or update
-- Installation type -- clean install, repair, restore, OEM, retail, upgrade, or update
+- Installation type - clean install, repair, restore, OEM, retail, upgrade, or update
-**Device update information sub-type:** Information about apps, drivers, update packages, or operating system components installed on the device
+**Device update information subtype:** Information about apps, drivers, update packages, or operating system components installed on the device
- Update Readiness analysis of device hardware, operating system components, apps, and drivers (progress, status, and results)
- Number of applicable updates, importance, and type
-- Update download size and source -- CDN or LAN peers
+- Update download size and source - CDN or LAN peers
- Delay upgrade status and configuration
- Operating system uninstall and rollback status and count
- Windows Update server and service URL
@@ -397,7 +397,7 @@ If a user has enabled Tailored experiences on the device, [pseudonymized](#pseud
- Windows Insider build details
## Browsing History data
-This type of data includes details about web browsing in the Microsoft browsers. Browsing History data is equivalent to ISO/IEC 19944:2017 8.2.3.2.8 Client side browsing history.
+This type of data includes details about web browsing in the Microsoft browsers. Browsing History data is equivalent to ISO/IEC 19944:2017 8.2.3.2.8 Client-side browsing history.
### Data Use for Browsing History data
@@ -413,23 +413,23 @@ This type of data includes details about web browsing in the Microsoft browsers.
**With (optional) Tailored experiences:**
If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Browsing History data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Browsing History data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users. For example:
-- We may recommend that a user download a compatible app from the Microsoft Store if they have browsed to the related website. For example, if a user uses the Facebook website, we may recommend the Facebook app.
+- We might recommend that a user download a compatible app from the Microsoft Store if they have browsed to the related website. For example, if a user uses the Facebook website, we may recommend the Facebook app.
### Data Description for Browsing History data type
-**Microsoft browser data sub-type:** Information about **Address** bar and **Search** box performance on the device
+**Microsoft browser data subtype:** Information about **Address** bar and **Search** box performance on the device
- Text typed in **Address** bar and **Search** box
- Text selected for an Ask Cortana search
- Service response time
-- Auto-completed text, if there was an auto-complete
+- Autocompleted text, if there was an autocomplete
- Navigation suggestions provided based on local history and favorites
- Browser ID
- URLs (may include search terms)
- Page title
## Inking Typing and Speech Utterance data
-This type of data gathers details about the voice, inking, and typing input features on the device. Inking, Typing and Speech Utterance data is a sub-type of ISO/IEC 19944:2017 8.2.3.2.1 End User Identifiable information.
+This type of data gathers details about the voice, inking, and typing input features on the device. Inking, Typing, and Speech Utterance data is a subtype of ISO/IEC 19944:2017 8.2.3.2.1 End User Identifiable information.
### Data Use for Inking, Typing, and Speech Utterance data
@@ -438,7 +438,7 @@ This type of data gathers details about the voice, inking, and typing input feat
- Data about words marked as spelling mistakes and replaced with another word from the context menu is used to improve the spelling feature.
- Data about alternate words shown and selected by the user after right-clicking is used to improve the word recommendation feature.
-- Data about auto-corrected words that were restored back to the original word by the user is used to improve the auto-correct feature.
+- Data about autocorrected words that were restored back to the original word by the user is used to improve the autocorrect feature.
- Data about whether Narrator detected and recognized a touch gesture is used to improve touch gesture recognition.
- Data about handwriting samples sent from the Handwriting Panel is used to help Microsoft improve handwriting recognition.
@@ -448,15 +448,15 @@ This type of data gathers details about the voice, inking, and typing input feat
### Data Description for Inking, Typing, and Speech Utterance data type
-**Voice, inking, and typing sub-type:** Information about voice, inking and typing features
+**Voice, inking, and typing subtype:** Information about voice, inking, and typing features
- Type of pen used (highlighter, ball point, or pencil), pen color, stroke height and width, and how long it is used
- Pen gestures (click, double click, pan, zoom, or rotate)
- Palm Touch x,y coordinates
- Input latency, missed pen signals, number of frames, strokes, first frame commit time, and sample rate
-- Ink strokes written, text before and after the ink insertion point, recognized text entered, input language -- processed to remove identifiers, sequencing information, and other data (such as email addresses and - numeric values), which could be used to reconstruct the original content or associate the input to the user
-- Text input from Windows 10 Mobile on-screen keyboards, except from password fields and private sessions -- processed to remove identifiers, sequencing information, and other data (such as email addresses and numeric values), which could be used to reconstruct the original content or associate the input to the user
-- Text of speech recognition results -- result codes and recognized text
+- Ink strokes written, text before and after the ink insertion point, recognized text entered, input language - processed to remove identifiers, sequencing information, and other data (such as email addresses and - numeric values), which could be used to reconstruct the original content or associate the input to the user
+- Text input from Windows 10 Mobile on-screen keyboards, except from password fields and private sessions - processed to remove identifiers, sequencing information, and other data (such as email addresses and numeric values), which could be used to reconstruct the original content or associate the input to the user
+- Text of speech recognition results - result codes and recognized text
- Language and model of the recognizer and the System Speech language
- App ID using speech features
- Whether user is known to be a child
@@ -496,9 +496,9 @@ Use of the specified data categories give recommendations about Microsoft produc
ISO/IEC 19944:2017 Reference: **9.3.5 Offer upgrades or upsell**
-Implies the source of the data is Microsoft products and services, and the upgrades offered come from Microsoft products and services that are relevant to the context of the current capability. The target audience for the offer is Microsoft customers.
+Implies that the source of the data is Microsoft products and services, and the upgrades offered come from Microsoft products and services that are relevant to the context of the current capability. The target audience for the offer is Microsoft customers.
-Specifically, use of the specified data categories to make an offer or upsell new capability or capacity of a Microsoft product or service which is (i) contextually relevant to the product or service in which it appears; (ii) likely to result in additional future revenue for Microsoft from end user; and (iii) Microsoft receives no consideration for placement.
+Specifically, use of the specified data categories to make an offer or upsell new capability or capacity of a Microsoft product or service that is (i) contextually relevant to the product or service in which it appears; (ii) likely to result in additional future revenue for Microsoft from end user; and (iii) Microsoft receives no consideration for placement.
### Promote
@@ -508,7 +508,7 @@ Use of the specified data categories to promote a product or service in or on a
### Data identification qualifiers
-Here are the list of data identification qualifiers and the ISO/IEC 19944:2017 reference:
+Here are the data identification qualifiers and the ISO/IEC 19944:2017 reference:
- **Pseudonymized Data** 8.3.3 Pseudonymized data. Microsoft usage notes are as defined.
- **Anonymized Data** 8.3.5 Anonymized data. Microsoft usage notes are as defined.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
index 73e002c7c2..5a790c046a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
@@ -57,9 +57,6 @@ The remainder of the provisioning includes Windows Hello for Business requesting
> **This synchronization latency delays the user's ability to authenticate and use on-premises resources until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources.
> Read [Azure AD Connect sync: Scheduler](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler) to view and adjust the **synchronization cycle** for your organization.
-> [!NOTE]
-> Microsoft is actively investigating ways to reduce the synchronization latency and delays.
-
diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
index 4bf706bbbc..824c20a5f1 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
@@ -26,9 +26,9 @@ Debugging and tracing smart card issues requires a variety of tools and approach
- [Certutil](#certutil)
-- [Debugging and tracing using WPP](#debugging-and-tracing-using-wpp)
+- [Debugging and tracing using Windows software trace preprocessor (WPP)](#debugging-and-tracing-using-wpp)
-- [Kerberos protocol, KDC, and NTLM debugging and tracing](#kerberos-protocol-kdc-and-ntlm-debugging-and-tracing)
+- [Kerberos protocol, Key Distribution Center (KDC), and NTLM debugging and tracing](#kerberos-protocol-kdc-and-ntlm-debugging-and-tracing)
- [Smart Card service](#smart-card-service)
@@ -42,22 +42,22 @@ For a complete description of Certutil including examples that show how to use i
### List certificates available on the smart card
-To list certificates that are available on the smart card, type certutil -scinfo.
+To list certificates that are available on the smart card, type `certutil -scinfo`.
> [!NOTE]
> Entering a PIN is not required for this operation. You can press ESC if you are prompted for a PIN.
### Delete certificates on the smart card
-Each certificate is enclosed in a container. When you delete a certificate on the smart card, you are deleting the container for the certificate.
+Each certificate is enclosed in a container. When you delete a certificate on the smart card, you're deleting the container for the certificate.
-To find the container value, type certutil -scinfo.
+To find the container value, type `certutil -scinfo`.
To delete a container, type **certutil -delkey -csp "Microsoft Base Smart Card Crypto Provider"** "<*ContainerValue*>".
## Debugging and tracing using WPP
-Windows software trace preprocessor (WPP) simplifies tracing the operation of the trace provider. It provides a mechanism for the trace provider to log real-time binary messages. Logged messages can be converted to a human-readable trace of the operation. For more information, see [Diagnostics with WPP - The NDIS blog](https://blogs.msdn.com/b/ndis/archive/2011/04/06/diagnostics-with-wpp.aspx).
+WPP simplifies tracing the operation of the trace provider. It provides a mechanism for the trace provider to log real-time binary messages. Logged messages can be converted to a human-readable trace of the operation. For more information, see [Diagnostics with WPP - The NDIS blog](https://blogs.msdn.com/b/ndis/archive/2011/04/06/diagnostics-with-wpp.aspx).
### Enable the trace
@@ -65,21 +65,21 @@ Using WPP, use one of the following commands to enable tracing:
- **tracelog.exe -kd -rt -start** <*FriendlyName*> **-guid \#**<*GUID*> **-f .\\**<*LogFileName*>**.etl -flags** <*flags*> **-ft 1**
-- **logman start** <*FriendlyName*> **-ets -p {**<*GUID*>**} -**<*Flags*> **-ft 1 -rt -o .\\**<*LogFileName*>**.etl -mode 0x00080000*
+- **logman start** <*FriendlyName*> **-ets -p {**<*GUID*>**} -**<*Flags*> **-ft 1 -rt -o .\\**<*LogFileName*>**.etl -mode 0x00080000**
You can use the parameters in the following table.
| Friendly name | GUID | Flags |
|-------------------|--------------------------------------|-----------|
-| scardsvr | 13038e47-ffec-425d-bc69-5707708075fe | 0xffff |
-| winscard | 3fce7c5f-fb3b-4bce-a9d8-55cc0ce1cf01 | 0xffff |
-| basecsp | 133a980d-035d-4e2d-b250-94577ad8fced | 0x7 |
-| scksp | 133a980d-035d-4e2d-b250-94577ad8fced | 0x7 |
-| msclmd | fb36caf4-582b-4604-8841-9263574c4f2c | 0x7 |
-| credprov | dba0e0e0-505a-4ab6-aa3f-22f6f743b480 | 0xffff |
-| certprop | 30eae751-411f-414c-988b-a8bfa8913f49 | 0xffff |
-| scfilter | eed7f3c9-62ba-400e-a001-658869df9a91 | 0xffff |
-| wudfusbccid | a3c09ba3-2f62-4be5-a50f-8278a646ac9d | 0xffff |
+| `scardsvr` | 13038e47-ffec-425d-bc69-5707708075fe | 0xffff |
+| `winscard` | 3fce7c5f-fb3b-4bce-a9d8-55cc0ce1cf01 | 0xffff |
+| `basecsp` | 133a980d-035d-4e2d-b250-94577ad8fced | 0x7 |
+| `scksp` | 133a980d-035d-4e2d-b250-94577ad8fced | 0x7 |
+| `msclmd` | fb36caf4-582b-4604-8841-9263574c4f2c | 0x7 |
+| `credprov` | dba0e0e0-505a-4ab6-aa3f-22f6f743b480 | 0xffff |
+| `certprop` | 30eae751-411f-414c-988b-a8bfa8913f49 | 0xffff |
+| `scfilter` | eed7f3c9-62ba-400e-a001-658869df9a91 | 0xffff |
+| `wudfusbccid` | a3c09ba3-2f62-4be5-a50f-8278a646ac9d | 0xffff |
Examples
@@ -109,7 +109,7 @@ To stop a trace:
- **logman -stop scardsvr -ets**
-## Kerberos protocol, KDC and NTLM debugging and tracing
+## Kerberos protocol, KDC, and NTLM debugging and tracing
@@ -119,11 +119,11 @@ You can use these resources to troubleshoot these protocols and the KDC:
- [Windows Driver Kit (WDK) and Debugging Tools for Windows (WinDbg)](https://developer.microsoft.com/en-us/windows/hardware/windows-driver-kit). You can use the trace log tool in this SDK to debug Kerberos authentication failures.
-To begin tracing, you can use Tracelog. Different components use different control GUIDs as explained in these examples. For more information, see [Tracelog](https://msdn.microsoft.com/library/windows/hardware/ff552994.aspx).
+To begin tracing, you can use `Tracelog`. Different components use different control GUIDs as explained in these examples. For more information, see [`Tracelog`](https://msdn.microsoft.com/library/windows/hardware/ff552994.aspx).
### NTLM
-To enable tracing for NTLM authentication, run the following at the command line:
+To enable tracing for NTLM authentication, run the following command on the command line:
- **tracelog.exe -kd -rt -start ntlm -guid \#5BBB6C18-AA45-49b1-A15F-085F7ED0AA90 -f .\\ntlm.etl -flags 0x15003 -ft 1**
@@ -143,11 +143,11 @@ To stop tracing for Kerberos authentication, run this command:
### KDC
-To enable tracing for the Key Distribution Center (KDC), run the following at the command line:
+To enable tracing for the KDC, run the following command on the command line:
- **tracelog.exe -kd -rt -start kdc -guid \#1BBA8B19-7F31-43c0-9643-6E911F79A06B -f .\\kdc.etl -flags 0x803 -ft 1**
-To stop tracing for the KDC, run the following at the command line:
+To stop tracing for the KDC, run the following command on the command line:
- **tracelog.exe -stop kdc**
@@ -166,7 +166,7 @@ You can also configure tracing by editing the Kerberos registry values shown in
| Kerberos | HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos
Value name: LogToFile
Value type: DWORD
Value data: 00000001
HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Parameters
Value name: KerbDebugLevel
Value type: DWORD
Value data: c0000043
HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Parameters
Value name: LogToFile
Value type: DWORD
Value data: 00000001 |
| KDC | HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Kdc
Value name: KdcDebugLevel
Value type: DWORD
Value data: c0000803 |
-If you used Tracelog, look for the following log file in your current directory: kerb.etl/kdc.etl/ntlm.etl.
+If you used `Tracelog`, look for the following log file in your current directory: kerb.etl/kdc.etl/ntlm.etl.
If you used the registry key settings shown in the previous table, look for the trace log files in the following locations:
@@ -176,7 +176,7 @@ If you used the registry key settings shown in the previous table, look for the
- KDC: %systemroot%\\tracing\\kdcsvc
-To decode event trace files, you can use Tracefmt (tracefmt.exe). Tracefmt is a command-line tool that formats and displays trace messages from an event trace log file (.etl) or a real-time trace session. Tracefmt can display the messages in the Command Prompt window or save them in a text file. It is located in the \\tools\\tracing subdirectory of the Windows Driver Kit (WDK). For more information, see [Tracefmt](https://msdn.microsoft.com/library/ff552974.aspx).
+To decode event trace files, you can use `Tracefmt` (tracefmt.exe). `Tracefmt` is a command-line tool that formats and displays trace messages from an event trace log file (.etl) or a real-time trace session. `Tracefmt` can display the messages in the Command Prompt window or save them in a text file. It is located in the \\tools\\tracing subdirectory of the Windows Driver Kit (WDK). For more information, see [`Tracefmt`](https://msdn.microsoft.com/library/ff552974.aspx).
## Smart Card service
@@ -184,11 +184,11 @@ The smart card resource manager service runs in the context of a local service.
**To check if Smart Card service is running**
-1. Press CTRL+ALT+DEL, and then click **Start Task Manager**.
+1. Press CTRL+ALT+DEL, and then select **Start Task Manager**.
-2. In the **Windows Task Manager** dialog box, click the **Services** tab.
+2. In the **Windows Task Manager** dialog box, select the **Services** tab.
-3. Click the **Name** column to sort the list alphabetically, and then type **s**.
+3. Select the **Name** column to sort the list alphabetically, and then type **s**.
4. In the **Name** column, look for **SCardSvr**, and then look under the **Status** column to see if the service is running or stopped.
@@ -196,15 +196,15 @@ The smart card resource manager service runs in the context of a local service.
1. Run as administrator at the command prompt.
-2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
+2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**.
-3. At the command prompt, type **net stop SCardSvr**.
+3. At the command prompt, type `net stop SCardSvr`.
-4. At the command prompt, type **net start SCardSvr**.
+4. At the command prompt, type `net start SCardSvr`.
-You can use the following command at the command prompt to check whether the service is running: **sc queryex scardsvr**.
+You can use the following command at the command prompt to check whether the service is running: `sc queryex scardsvr`.
-This is an example output from this command:
+The following code sample is an example output from this command:
```console
SERVICE_NAME: scardsvr
@@ -228,14 +228,14 @@ As with any device connected to a computer, Device Manager can be used to view p
1. Navigate to **Computer**.
-2. Right-click **Computer**, and then click **Properties**.
+2. Right-click **Computer**, and then select **Properties**.
-3. Under **Tasks**, click **Device Manager**.
+3. Under **Tasks**, select **Device Manager**.
-4. In Device Manager, expand **Smart card readers**, select the name of the smart card reader you want to check, and then click **Properties**.
+4. In Device Manager, expand **Smart card readers**, select the name of the smart card reader you want to check, and then select **Properties**.
> [!NOTE]
-> If the smart card reader is not listed in Device Manager, in the **Action** menu, click **Scan for hardware changes**.
+> If the smart card reader is not listed in Device Manager, in the **Action** menu, select **Scan for hardware changes**.
## CryptoAPI 2.0 Diagnostics
diff --git a/windows/security/identity-protection/vpn/vpn-profile-options.md b/windows/security/identity-protection/vpn/vpn-profile-options.md
index 19df534358..29b5df1daf 100644
--- a/windows/security/identity-protection/vpn/vpn-profile-options.md
+++ b/windows/security/identity-protection/vpn/vpn-profile-options.md
@@ -316,7 +316,7 @@ After you configure the settings that you want using ProfileXML, you can apply i
## Learn more
-- [Learn how to configure VPN connections in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/vpn-connections-in-microsoft-intune)
+- [Create VPN profiles to connect to VPN servers in Intune](https://docs.microsoft.com/mem/intune/configuration/vpn-settings-configure)
- [VPNv2 configuration service provider (CSP) reference](https://go.microsoft.com/fwlink/p/?LinkId=617588)
- [How to Create VPN Profiles in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=618028)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md
index d6bad09f03..c248a61b46 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md
@@ -29,16 +29,16 @@ ms.custom: bitlocker
Stored information | Description
-------------------|------------
Hash of the TPM owner password | Beginning with Windows 10, the password hash is not stored in AD DS by default. The password hash can be stored only if the TPM is owned and the ownership was taken by using components of Windows 8.1 or earlier, such as the BitLocker Setup Wizard or the TPM snap-in.
-BitLocker recovery password | The recovery password allows you to unlock and access the drive in the event of a recovery incident. Domain administrators can view the BitLocker recovery password by using the BitLocker Recovery Password Viewer. For more information about this tool, see [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md).
-BitLocker key package | The key package helps to repair damage to the hard disk that would otherwise prevent standard recovery. Using the key package for recovery requires the BitLocker Repair Tool, Repair-bde.
+BitLocker recovery password | The recovery password allows you to unlock and access the drive after a recovery incident. Domain administrators can view the BitLocker recovery password by using the BitLocker Recovery Password Viewer. For more information about this tool, see [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md).
+BitLocker key package | The key package helps to repair damage to the hard disk that would otherwise prevent standard recovery. Using the key package for recovery requires the BitLocker Repair Tool, `Repair-bde`.
## What if BitLocker is enabled on a computer before the computer has joined the domain?
-If BitLocker is enabled on a drive before Group Policy has been applied to enforce backup, the recovery information will not be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied. However, you can use the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed drives can be recovered** and **Choose how BitLocker-protected removable drives can be recovered** Group Policy settings to require that the computer be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in your organization is backed up to AD DS.
+If BitLocker is enabled on a drive before Group Policy has been applied to enforce a backup, the recovery information will not be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied. However, you can use the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed drives can be recovered**, and **Choose how BitLocker-protected removable drives can be recovered** Group Policy settings to require the computer to be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in your organization is backed up to AD DS.
For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
-The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information; however, BitLocker does not automatically manage this process. The manage-bde command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the `$env:SystemDrive` to AD DS, you would use the following command script from an elevated command prompt:
+The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information; however, BitLocker does not automatically manage this process. The `manage-bde` command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the `$env:SystemDrive` to AD DS, you would use the following command script from an elevated command prompt:
```PowerShell
$BitLocker = Get-BitLockerVolume -MountPoint $env:SystemDrive
@@ -61,13 +61,13 @@ Ultimately, determining whether a legitimate backup exists in AD DS requires qu
No. By design, BitLocker recovery password entries do not get deleted from AD DS; therefore, you might see multiple passwords for each drive. To identify the latest password, check the date on the object.
-## What happens if the backup initially fails? Will BitLocker retry the backup?
+## What happens if the backup initially fails? Will BitLocker retry it?
If the backup initially fails, such as when a domain controller is unreachable at the time when the BitLocker setup wizard is run, BitLocker does not try again to back up the recovery information to AD DS.
-When an administrator selects the **Require BitLocker backup to AD DS** check box of the **Store BitLocker recovery information in Active Directory Domain Service (Windows 2008 and Windows Vista)** policy setting, or the equivalent **Do not enable BitLocker until recovery information is stored in AD DS for (operating system | fixed data | removable data) drives** check box in any of the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed data drives can be recovered**, **Choose how BitLocker-protected removable data drives can be recovered** policy settings, this prevents users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. With these settings configured if the backup fails, BitLocker cannot be enabled, ensuring that administrators will be able to recover BitLocker-protected drives in the organization.
+When an administrator selects the **Require BitLocker backup to AD DS** check box of the **Store BitLocker recovery information in Active Directory Domain Service (Windows 2008 and Windows Vista)** policy setting, or the equivalent **Do not enable BitLocker until recovery information is stored in AD DS for (operating system | fixed data | removable data) drives** check box in any of the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed data drives can be recovered**, and **Choose how BitLocker-protected removable data drives can be recovered** policy settings, users can't enable BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. With these settings configured if the backup fails, BitLocker cannot be enabled, ensuring that administrators will be able to recover BitLocker-protected drives in the organization.
For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
-When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can create a script for the backup, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain) to capture the information after connectivity is restored.
+When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can create a backup script, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain) to capture the information after connectivity is restored.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
index dc0d879c78..8ad995065c 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
@@ -1,6 +1,6 @@
---
title: BitLocker basic deployment (Windows 10)
-description: This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption.
+description: This article for the IT professional explains how BitLocker features can be used to protect your data through drive encryption.
ms.assetid: 97c646cb-9e53-4236-9678-354af41151c4
ms.reviewer:
ms.prod: w10
@@ -24,7 +24,7 @@ ms.custom: bitlocker
- Windows 10
-This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption.
+This article for the IT professional explains how BitLocker features can be used to protect your data through drive encryption.
## Using BitLocker to encrypt volumes
@@ -39,12 +39,12 @@ BitLocker encryption can be done using the following methods:
- BitLocker control panel
- Windows Explorer
-- manage-bde command line interface
+- manage-bde command-line interface
- BitLocker Windows PowerShell cmdlets
### Encrypting volumes using the BitLocker control panel
-Encrypting volumes with the BitLocker control panel (click **Start**, type **bitlocker**, click **Manage BitLocker**) is how many users will utilize BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet.
+Encrypting volumes with the BitLocker control panel (select **Start**, type *bitlocker*, select **Manage BitLocker**) is how many users will utilize BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data, and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet.
To start encryption for a volume, select **Turn on BitLocker** for the appropriate drive to initialize the BitLocker Drive Encryption Wizard. BitLocker Drive Encryption Wizard options vary based on volume type (operating system volume or data volume).
### Operating system volume
@@ -54,7 +54,7 @@ Upon launch, the BitLocker Drive Encryption Wizard verifies the computer meets t
|Requirement|Description|
|--- |--- |
|Hardware configuration|The computer must meet the minimum requirements for the supported Windows versions.|
-|Operating system|BitLocker is an optional feature which can be installed by Server Manager on Windows Server 2012 and later.|
+|Operating system|BitLocker is an optional feature that can be installed by Server Manager on Windows Server 2012 and later.|
|Hardware TPM|TPM version 1.2 or 2.0. A TPM is not required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification and multifactor authentication.|
|BIOS configuration|
A Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware. The boot order must be set to start first from the hard disk, and not the USB or CD drives. The firmware must be able to read from a USB flash drive during startup. |
|File system|For computers that boot natively with UEFI firmware, at least one FAT32 partition for the system drive and one NTFS partition for the operating system drive.
For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive.
For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition.|
@@ -75,11 +75,11 @@ It is recommended that drives with little to no data utilize the **used disk spa
> [!NOTE]
> Deleted files appear as free space to the file system, which is not encrypted by **used disk space only**. Until they are wiped or overwritten, deleted files hold information that could be recovered with common data forensic tools.
-Selecting an encryption type and choosing **Next** will give the user the option of running a BitLocker system check (selected by default) which will ensure that BitLocker can properly access the recovery and encryption keys before the volume encryption begins. It is recommended to run this system check before starting the encryption process. If the system check is not run and a problem is encountered when the operating system attempts to start, the user will need to provide the recovery key to start Windows.
+Selecting an encryption type and choosing **Next** will give the user the option of running a BitLocker system check (selected by default) which will ensure that BitLocker can properly access the recovery and encryption keys before the volume encryption begins. We recommend running this system check before starting the encryption process. If the system check is not run and a problem is encountered when the operating system attempts to start, the user will need to provide the recovery key to start Windows.
After completing the system check (if selected), the BitLocker Drive Encryption Wizard will restart the computer to begin encryption. Upon reboot, users are required to enter the password chosen to boot into the operating system volume. Users can check encryption status by checking the system notification area or the BitLocker control panel.
-Until encryption is completed, the only available options for managing BitLocker involve manipulation of the password protecting the operating system volume, backing up the recovery key, and turning BitLocker off.
+Until encryption is completed, the only available options for managing BitLocker involve manipulation of the password protecting the operating system volume, backing up the recovery key, and turning off BitLocker.
### Data volume
@@ -97,12 +97,12 @@ Encryption status displays in the notification area or within the BitLocker cont
There is a new option for storing the BitLocker recovery key using the OneDrive. This option requires that computers are not members of a domain and that the user is using a Microsoft Account. Local accounts do not give the option to utilize OneDrive. Using the OneDrive option is the default, recommended recovery key storage method for computers that are not joined to a domain.
-Users can verify the recovery key was saved properly by checking their OneDrive for the BitLocker folder which is created automatically during the save process. The folder will contain two files, a readme.txt and the recovery key. For users storing more than one recovery password on their OneDrive,
+Users can verify the recovery key was saved properly by checking their OneDrive for the BitLocker folder that is created automatically during the save process. The folder will contain two files, a readme.txt and the recovery key. For users storing more than one recovery password on their OneDrive,
they can identify the required recovery key by looking at the file name. The recovery key ID is appended to the end of the file name.
### Using BitLocker within Windows Explorer
-Windows Explorer allows users to launch the BitLocker Drive Encryption wizard by right clicking on a volume and selecting **Turn On BitLocker**. This option is available on client computers by default. On servers, you must first install the BitLocker and Desktop-Experience features for this option to be available. After selecting **Turn on BitLocker**, the wizard works exactly as it does when launched using the BitLocker control panel.
+Windows Explorer allows users to launch the BitLocker Drive Encryption wizard by right-clicking a volume and selecting **Turn On BitLocker**. This option is available on client computers by default. On servers, you must first install the BitLocker and Desktop-Experience features for this option to be available. After selecting **Turn on BitLocker**, the wizard works exactly as it does when launched using the BitLocker control panel.
## Down-level compatibility
@@ -118,13 +118,13 @@ Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Window
|Fully encrypted volume from Windows 7|Presents as fully encrypted|Presented as fully encrypted|N/A|
|Partially encrypted volume from Windows 7|Windows 10 and Windows 8.1 will complete encryption regardless of policy|Windows 8 will complete encryption regardless of policy|N/A|
-## Encrypting volumes using the manage-bde command line interface
+## Encrypting volumes using the manage-bde command-line interface
Manage-bde is a command-line utility that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the options, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde).
-Manage-bde offers a multitude of wider options for configuring BitLocker. This means that using the command syntax may require care and possibly later customization by the user. For example, using just the `manage-bde -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected.
+Manage-bde offers a multitude of wider options for configuring BitLocker. So using the command syntax may require care and possibly later customization by the user. For example, using just the `manage-bde -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected.
-Command line users need to determine the appropriate syntax for a given situation. The following section covers general encryption for operating system volumes and data volumes.
+Command-line users need to determine the appropriate syntax for a given situation. The following section covers general encryption for operating system volumes and data volumes.
### Operating system volume
@@ -136,7 +136,7 @@ A good practice when using manage-bde is to determine the volume status on the t
`manage-bde -status`
-This command returns the volumes on the target, current encryption status and volume type (operating system or data) for each volume. Using this information, users can determine the best encryption method for their environment.
+This command returns the volumes on the target, current encryption status, and volume type (operating system or data) for each volume. Using this information, users can determine the best encryption method for their environment.
**Enabling BitLocker without a TPM**
@@ -149,29 +149,29 @@ manage-bde -on C:
**Enabling BitLocker with a TPM only**
-It is possible to encrypt the operating system volume without any defined protectors using manage-bde. The command to do this is:
+It is possible to encrypt the operating system volume without any defined protectors by using manage-bde. Use this command:
`manage-bde -on C:`
-This will encrypt the drive using the TPM as the protector. If a user is unsure of the protector for a volume, they can use the -protectors option in manage-bde to list this information with the command:
+This command will encrypt the drive using the TPM as the protector. If a user is unsure of the protector for a volume, they can use the -protectors option in manage-bde to list this information with the command:
`manage-bde -protectors -get `
**Provisioning BitLocker with two protectors**
-Another example is a user on non-TPM hardware who wishes to add a password and SID-based protector to the operating system volume. In this instance, the user adds the protectors first. This is done with the command:
+Another example is a user on non-TPM hardware who wishes to add a password and SID-based protector to the operating system volume. In this instance, the user adds the protectors first. Use this command:
`manage-bde -protectors -add C: -pw -sid `
-This command will require the user to enter and then confirm the password protector before adding them to the volume. With the protectors enabled on the volume, the user just needs to turn BitLocker on.
+This command will require the user to enter and then confirm the password protector before adding them to the volume. With the protectors enabled on the volume, the user just needs to turn on BitLocker.
### Data volume
-Data volumes use the same syntax for encryption as operating system volumes but they do not require protectors for the operation to complete. Encrypting data volumes can be done using the base command: `manage-bde -on ` or users can choose to add protectors to the volume. It is recommended that at least one primary protector and a recovery protector be added to a data volume.
+Data volumes use the same syntax for encryption as operating system volumes but they do not require protectors for the operation to complete. Encrypting data volumes can be done using the base command: `manage-bde -on ` or users can choose to add protectors to the volume. We recommend that you add at least one primary protector and a recovery protector to a data volume.
**Enabling BitLocker with a password**
-A common protector for a data volume is the password protector. In the example below, we add a password protector to the volume and turn BitLocker on.
+A common protector for a data volume is the password protector. In the example below, we add a password protector to the volume and turn on BitLocker.
```powershell
manage-bde -protectors -add -pw C:
@@ -322,7 +322,7 @@ Occasionally, all protectors may not be shown when using **Get-BitLockerVolume**
Get-BitLockerVolume C: | fl
```
-If you wanted to remove the existing protectors prior to provisioning BitLocker on the volume, you can utilize the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this requires the GUID associated with the protector to be removed.
+If you want to remove the existing protectors prior to provisioning BitLocker on the volume, you can utilize the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this task requires the GUID associated with the protector to be removed.
A simple script can pipe the values of each **Get-BitLockerVolume** return out to another variable as seen below:
```powershell
@@ -330,7 +330,7 @@ $vol = Get-BitLockerVolume
$keyprotectors = $vol.KeyProtector
```
-Using this, we can display the information in the **$keyprotectors** variable to determine the GUID for each protector.
+Using this script, we can display the information in the **$keyprotectors** variable to determine the GUID for each protector.
Using this information, we can then remove the key protector for a specific volume using the command:
```powershell
@@ -343,7 +343,8 @@ Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}"
### Operating system volume
Using the BitLocker Windows PowerShell cmdlets is similar to working with the manage-bde tool for encrypting operating system volumes. Windows PowerShell offers users a lot of flexibility. For example, users can add the desired protector as part command for encrypting the volume. Below are examples of common user scenarios and steps to accomplish them using the BitLocker cmdlets for Windows PowerShell.
-To enable BitLocker with just the TPM protector. This can be done using the command:
+
+To enable BitLocker with just the TPM protector, use this command:
```powershell
Enable-BitLocker C:
@@ -357,7 +358,7 @@ Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath -SkipHardwareTes
### Data volume
-Data volume encryption using Windows PowerShell is the same as for operating system volumes. You should add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the user defined password. Last, encryption begins.
+Data volume encryption using Windows PowerShell is the same as for operating system volumes. Add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the user-defined password. Last, encryption begins.
```powershell
$pw = Read-Host -AsSecureString
@@ -365,14 +366,14 @@ $pw = Read-Host -AsSecureString
Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw
```
-### Using a SID based protector in Windows PowerShell
+### Using a SID-based protector in Windows PowerShell
-The ADAccountOrGroup protector is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it does not unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly failover and be unlocked to any member computer of the cluster.
+The ADAccountOrGroup protector is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it does not unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly fail over and be unlocked to any member computer of the cluster.
> [!WARNING]
> The SID-based protector requires the use of an additional protector (such as TPM, PIN, recovery key, etc.) when used on operating system volumes.
-To add an ADAccountOrGroup protector to a volume requires either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G.
+To add an ADAccountOrGroup protector to a volume, you need either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G.
```powershell
Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Administrator
@@ -389,7 +390,7 @@ Get-ADUser -filter {samaccountname -eq "administrator"}
>
> **Tip:** In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features.
-In the example below, the user wishes to add a domain SID based protector to the previously encrypted operating system volume. The user knows the SID for the user account or group they wish to add and uses the following command:
+In the example below, the user wishes to add a domain SID-based protector to the previously encrypted operating system volume. The user knows the SID for the user account or group they wish to add and uses the following command:
```powershell
Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup ""
@@ -400,7 +401,7 @@ Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup "
## Checking BitLocker status
-To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet, Windows Explorer, manage-bde command line tool, or Windows PowerShell cmdlets. Each option offers different levels of detail and ease of use. We will look at each of the available methods in the following section.
+To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet, Windows Explorer, manage-bde command-line tool, or Windows PowerShell cmdlets. Each option offers different levels of detail and ease of use. We will look at each of the available methods in the following section.
### Checking BitLocker status with the control panel
@@ -421,7 +422,7 @@ Once BitLocker protector activation is completed, the completion notice is displ
### Checking BitLocker status with manage-bde
-Administrators who prefer a command line interface can utilize manage-bde to check volume status. Manage-bde is capable of returning more information about the volume than the graphical user interface tools in the control panel. For example, manage-bde can display the BitLocker version in use, the encryption type, and the protectors associated with a volume.
+Administrators who prefer a command-line interface can utilize manage-bde to check volume status. Manage-bde is capable of returning more information about the volume than the graphical user interface tools in the control panel. For example, manage-bde can display the BitLocker version in use, the encryption type, and the protectors associated with a volume.
To check the status of a volume using manage-bde, use the following command:
@@ -446,7 +447,7 @@ This command will display information about the encryption method, volume type,
### Provisioning BitLocker during operating system deployment
-Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation Environment. This is done with a randomly generated clear key protector applied to the formatted volume and encrypting the volume prior to running the Windows setup process. If the encryption uses the Used Disk Space Only option described later in this document, this step takes only a few seconds and incorporates well into regular deployment processes.
+Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation Environment. This task is done with a randomly generated clear key protector applied to the formatted volume and encrypting the volume prior to running the Windows setup process. If the encryption uses the Used Disk Space Only option described later in this document, this step takes only a few seconds and incorporates well into regular deployment processes.
### Decrypting BitLocker volumes
@@ -461,9 +462,9 @@ The control panel does not report decryption progress but displays it in the not
Once decryption is complete, the drive will update its status in the control panel and is available for encryption.
-### Decrypting volumes using the manage-bde command line interface
+### Decrypting volumes using the manage-bde command-line interface
-Decrypting volumes using manage-bde is very straightforward. Decryption with manage-bde offers the advantage of not requiring user confirmation to start the process. Manage-bde uses the -off command to start the decryption process. A sample command for decryption is:
+Decrypting volumes using manage-bde is straightforward. Decryption with manage-bde offers the advantage of not requiring user confirmation to start the process. Manage-bde uses the -off command to start the decryption process. A sample command for decryption is:
```powershell
manage-bde -off C:
diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md
index ea8ab3bf7a..064a82cf8e 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md
@@ -37,7 +37,7 @@ Generally it imposes a single-digit percentage performance overhead.
## How long will initial encryption take when BitLocker is turned on?
-Although BitLocker encryption occurs in the background while you continue to work, and the system remains usable, encryption times vary depending on the type of drive that is being encrypted, the size of the drive, and the speed of the drive. If you are encrypting very large drives, you may want to set encryption to occur during times when you will not be using the drive.
+Although BitLocker encryption occurs in the background while you continue to work, and the system remains usable, encryption times vary depending on the type of drive that is being encrypted, the size of the drive, and the speed of the drive. If you are encrypting large drives, you may want to set encryption to occur during times when you will not be using the drive.
You can also choose whether or not BitLocker should encrypt the entire drive or just the used space on the drive when you turn on BitLocker. On a new hard drive, encrypting just the used spaced can be considerably faster than encrypting the entire drive. When this encryption option is selected, BitLocker automatically encrypts data as it is saved, ensuring that no data is stored unencrypted.
@@ -82,11 +82,11 @@ The TPM is not involved in any recovery scenarios, so recovery is still possible
## What can prevent BitLocker from binding to PCR 7?
-This happens if a non-Windows OS booted prior to Windows, or if Secure Boot is not available to the device, either because it has been disabled or the hardware does not support it.
+BitLocker can be prevented from binding to PCR 7 if a non-Windows OS booted prior to Windows, or if Secure Boot is not available to the device, either because it has been disabled or the hardware does not support it.
## Can I swap hard disks on the same computer if BitLocker is enabled on the operating system drive?
-Yes, you can swap multiple hard disks on the same computer if BitLocker is enabled, but only if the hard disks were BitLocker-protected on the same computer. The BitLocker keys are unique to the TPM and operating system drive, so if you want to prepare a backup operating system or data drive for use in case of disk failure, you need to make sure that they were matched with the correct TPM. You can also configure different hard drives for different operating systems and then enable BitLocker on each one with different authentication methods (such as one with TPM-only and one with TPM+PIN) without any conflicts.
+Yes, you can swap multiple hard disks on the same computer if BitLocker is enabled, but only if the hard disks were BitLocker-protected on the same computer. The BitLocker keys are unique to the TPM and operating system drive. So if you want to prepare a backup operating system or data drive in case a disk fails, make sure that they were matched with the correct TPM. You can also configure different hard drives for different operating systems and then enable BitLocker on each one with different authentication methods (such as one with TPM-only and one with TPM+PIN) without any conflicts.
## Can I access my BitLocker-protected drive if I insert the hard disk into a different computer?
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
index f31dcd8374..4f3681db63 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
@@ -1,6 +1,6 @@
---
title: BitLocker recovery guide (Windows 10)
-description: This topic for IT professionals describes how to recover BitLocker keys from AD DS.
+description: This article for IT professionals describes how to recover BitLocker keys from AD DS.
ms.assetid: d0f722e9-1773-40bf-8456-63ee7a95ea14
ms.reviewer:
ms.prod: w10
@@ -24,7 +24,7 @@ ms.custom: bitlocker
- Windows 10
-This topic for IT professionals describes how to recover BitLocker keys from AD DS.
+This article for IT professionals describes how to recover BitLocker keys from AD DS.
Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. Creating a recovery model for BitLocker while you are planning your BitLocker deployment is recommended.
@@ -46,11 +46,11 @@ BitLocker recovery is the process by which you can restore access to a BitLocker
The following list provides examples of specific events that will cause BitLocker to enter recovery mode when attempting to start the operating system drive:
-- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality Administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor, or use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](/Exchange/clients/exchange-activesync/exchange-activesync) (also configurable through [Microsoft Intune](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/microsoft-intune)), to limit the number of failed password attempts before the device goes into Device Lockout.
+- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality, administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor. Or they can use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](/Exchange/clients/exchange-activesync/exchange-activesync) (also configurable through [Microsoft Intune](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/microsoft-intune)), to limit the number of failed password attempts before the device goes into Device Lockout.
- On devices with TPM 1.2, changing the BIOS or firmware boot device order causes BitLocker recovery. However, devices with TPM 2.0 do not start BitLocker recovery in this case. TPM 2.0 does not consider a firmware change of boot device order as a security threat because the OS Boot Loader is not compromised.
- Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD.
- Failing to boot from a network drive before booting from the hard drive.
-- Docking or undocking a portable computer. In some instances (depending on the computer manufacturer and the BIOS), the docking condition of the portable computer is part of the system measurement and must be consistent to validate the system status and unlock BitLocker. This means that if a portable computer is connected to its docking station when BitLocker is turned on, then it might also need to be connected to the docking station when it is unlocked. Conversely, if a portable computer is not connected to its docking station when BitLocker is turned on, then it might need to be disconnected from the docking station when it is unlocked.
+- Docking or undocking a portable computer. In some instances (depending on the computer manufacturer and the BIOS), the docking condition of the portable computer is part of the system measurement and must be consistent to validate the system status and unlock BitLocker. So if a portable computer is connected to its docking station when BitLocker is turned on, then it might also need to be connected to the docking station when it is unlocked. Conversely, if a portable computer is not connected to its docking station when BitLocker is turned on, then it might need to be disconnected from the docking station when it is unlocked.
- Changes to the NTFS partition table on the disk including creating, deleting, or resizing a primary partition.
- Entering the personal identification number (PIN) incorrectly too many times so that the anti-hammering logic of the TPM is activated. Anti-hammering logic is software or hardware methods that increase the difficulty and cost of a brute force attack on a PIN by not accepting PIN entries until after a certain amount of time has passed.
- Turning off the support for reading the USB device in the pre-boot environment from the BIOS or UEFI firmware if you are using USB-based keys instead of a TPM.
@@ -64,7 +64,7 @@ The following list provides examples of specific events that will cause BitLocke
- Changes to the master boot record on the disk.
- Changes to the boot manager on the disk.
- Hiding the TPM from the operating system. Some BIOS or UEFI settings can be used to prevent the enumeration of the TPM to the operating system. When implemented, this option can make the TPM hidden from the operating system. When the TPM is hidden, BIOS and UEFI secure startup are disabled, and the TPM does not respond to commands from any software.
-- Using a different keyboard that does not correctly enter the PIN or whose keyboard map does not match the keyboard map assumed by the pre-boot environment. This can prevent the entry of enhanced PINs.
+- Using a different keyboard that does not correctly enter the PIN or whose keyboard map does not match the keyboard map assumed by the pre-boot environment. This problem can prevent the entry of enhanced PINs.
- Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile. For example, including **PCR\[1\]** would result in BitLocker measuring most changes to BIOS settings, causing BitLocker to enter recovery mode even when non-boot critical BIOS settings change.
> [!NOTE]
@@ -93,25 +93,25 @@ For planned scenarios, such as a known hardware or firmware upgrades, you can av
> [!NOTE]
> If suspended BitLocker will automatically resume protection when the PC is rebooted, unless a reboot count is specified using the manage-bde command line tool.
-If software maintenance requires the computer be restarted and you are using two-factor authentication, you can enable BitLocker Network Unlock to provide the secondary authentication factor when the computers do not have an on-premises user to provide the additional authentication method.
+If software maintenance requires the computer to be restarted and you are using two-factor authentication, you can enable BitLocker Network Unlock to provide the secondary authentication factor when the computers do not have an on-premises user to provide the additional authentication method.
Recovery has been described within the context of unplanned or undesired behavior, but you can also cause recovery as an intended production scenario, in order to manage access control. For example, when you redeploy desktop or laptop computers to other departments or employees in your enterprise, you can force BitLocker into recovery before the computer is given to a new user.
## Testing recovery
-Before you create a thorough BitLocker recovery process, we recommend that you test how the recovery process works for both end users (people who call your helpdesk for the recovery password) and administrators (people who help the end user get the recovery password). The –forcerecovery command of manage-bde is an easy way for you to step through the recovery process before your users encounter a recovery situation.
+Before you create a thorough BitLocker recovery process, we recommend that you test how the recovery process works for both end users (people who call your helpdesk for the recovery password) and administrators (people who help the end user get the recovery password). The -forcerecovery command of manage-bde is an easy way for you to step through the recovery process before your users encounter a recovery situation.
**To force a recovery for the local computer:**
-1. Click the **Start** button, type **cmd** in the **Start Search** box, right-click **cmd.exe**, and then click **Run as administrator**.
-2. At the command prompt, type the following command and then press ENTER:
+1. Select the **Start** button, type *cmd* in the **Start Search** box, right-click **cmd.exe**, and then select **Run as administrator**.
+2. At the command prompt, type the following command and then press **Enter**:
`manage-bde -forcerecovery `
**To force recovery for a remote computer:**
-1. On the Start screen, type **cmd.exe**, and then click **Run as administrator**.
+1. On the Start screen, type **cmd.exe**, and then select **Run as administrator**.
2. At the command prompt, type the following command and then press ENTER:
`manage-bde -ComputerName -forcerecovery `
@@ -125,7 +125,7 @@ When planning the BitLocker recovery process, first consult your organization's
Organizations that rely on BitLocker Drive Encryption and BitLocker To Go to protect data on a large number of computers and removable drives running the Windows 10, Windows 8, or Windows 7 operating systems and Windows to Go should consider using the Microsoft BitLocker Administration and Monitoring (MBAM) Tool version 2.0, which is included in the Microsoft Desktop Optimization Pack (MDOP) for Microsoft Software Assurance. MBAM makes BitLocker implementations easier to deploy and manage and allows administrators to provision and monitor encryption for operating system and fixed drives. MBAM prompts the user before encrypting fixed drives. MBAM also manages recovery keys for fixed and removable drives, making recovery easier to manage. MBAM can be used as part of a Microsoft System Center deployment or as a stand-alone solution. For more info, see [Microsoft BitLocker Administration and Monitoring](/microsoft-desktop-optimization-pack/mbam-v25/).
-After a BitLocker recovery has been initiated, users can use a recovery password to unlock access to encrypted data. You must consider both self-recovery and recovery password retrieval methods for your organization.
+After a BitLocker recovery has been initiated, users can use a recovery password to unlock access to encrypted data. Consider both self-recovery and recovery password retrieval methods for your organization.
When you determine your recovery process, you should:
@@ -141,12 +141,12 @@ When you determine your recovery process, you should:
### Self-recovery
-In some cases, users might have the recovery password in a printout or a USB flash drive and can perform self-recovery. We recommend that your organization create a policy for self-recovery. If self-recovery includes using a password or recovery key stored on a USB flash drive, the users should be warned not to store the USB flash drive in the same place as the PC, especially during travel, for example if both the PC and the recovery items are in the same bag it would be very easy for access to be gained to the PC by an unauthorized user. Another policy to consider is having users contact the Helpdesk before or after performing self-recovery so that the root cause can be identified.
+In some cases, users might have the recovery password in a printout or a USB flash drive and can perform self-recovery. We recommend that your organization create a policy for self-recovery. If self-recovery includes using a password or recovery key stored on a USB flash drive, the users should be warned not to store the USB flash drive in the same place as the PC, especially during travel, for example if both the PC and the recovery items are in the same bag, then it's easy for an unauthorized user to access the PC. Another policy to consider is having users contact the Helpdesk before or after performing self-recovery so that the root cause can be identified.
### Recovery password retrieval
-If the user does not have a recovery password in a printout or on a USB flash drive, the user will need to be able to retrieve the recovery password from an online source. If the PC is a member of a domain the recovery password can be backed up to AD DS. However, this does not happen by default, you must have configured the appropriate Group Policy settings before BitLocker was enabled on the PC. BitLocker Group Policy settings can be found in the Local Group Policy Editor or the Group Policy Management Console (GPMC) under **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption**. The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used.
+If the user does not have a recovery password in a printout or on a USB flash drive, the user will need to be able to retrieve the recovery password from an online source. If the PC is a member of a domain, the recovery password can be backed up to AD DS. However, this does not happen by default. You must have configured the appropriate Group Policy settings before BitLocker was enabled on the PC. BitLocker Group Policy settings can be found in the Local Group Policy Editor or the Group Policy Management Console (GPMC) under **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption**. The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used.
- **Choose how BitLocker-protected operating system drives can be recovered**
- **Choose how BitLocker-protected fixed drives can be recovered**
@@ -176,7 +176,7 @@ You can use the name of the user's computer to locate the recovery password in A
### Verify the user's identity
-You should verify that the person that is asking for the recovery password is truly the authorized user of that computer. You may also wish to verify that the computer with the name the user provided belongs to the user.
+Verify that the person that is asking for the recovery password is truly the authorized user of that computer. You might also want to verify that the computer with the name the user provided belongs to the user.
### Locate the recovery password in AD DS
@@ -200,7 +200,7 @@ Before you give the user the recovery password, you should gather any informatio
### Give the user the recovery password
-Because the recovery password is 48 digits long the user may need to record the password by writing it down or typing it on a different computer. If you are using MBAM, the recovery password will be regenerated after it is recovered from the MBAM database to avoid the security risks associated with an uncontrolled password.
+Because the recovery password is 48 digits long, the user might need to record the password by writing it down or typing it on a different computer. If you are using MBAM, the recovery password will be regenerated after it is recovered from the MBAM database to avoid the security risks associated with an uncontrolled password.
> [!NOTE]
> Because the 48-digit recovery password is long and contains a combination of digits, the user might mishear or mistype the password. The boot-time recovery console uses built-in checksum numbers to detect input errors in each 6-digit block of the 48-digit recovery password, and offers the user the opportunity to correct such errors.
@@ -228,11 +228,11 @@ Review and answer the following questions for your organization:
1. What BitLocker protection mode is in effect (TPM, TPM + PIN, TPM + startup key, startup key only)? Which PCR profile is in use on the PC?
2. Did the user merely forget the PIN or lose the startup key? If a token was lost, where might the token be?
3. If TPM mode was in effect, was recovery caused by a boot file change?
-4. If recovery was caused by a boot file change, is this due to an intended user action (for example, BIOS upgrade), or to malicious software?
+4. If recovery was caused by a boot file change, was the change an intended user action (for example, BIOS upgrade), or was it caused by malicious software?
5. When was the user last able to start the computer successfully, and what might have happened to the computer since then?
6. Might the user have encountered malicious software or left the computer unattended since the last successful startup?
-To help you answer these questions, use the BitLocker command-line tool to view the current configuration and protection mode (for example, **manage-bde -status**). Scan the event log to find events that help indicate why recovery was initiated (for example, if boot file change occurred). Both of these capabilities can be performed remotely.
+To help you answer these questions, use the BitLocker command-line tool to view the current configuration and protection mode (for example, **manage-bde -status**). Scan the event log to find events that help indicate why recovery was initiated (for example, if the boot file changed). Both of these capabilities can be performed remotely.
### Resolve the root cause
@@ -257,9 +257,9 @@ If a user has forgotten the PIN, you must reset the PIN while you are logged on
1. Unlock the computer using the recovery password.
2. Reset the PIN:
- 1. Right-click the drive and then click **Change PIN**.
- 2. In the BitLocker Drive Encryption dialog, click **Reset a forgotten PIN**. If you are not logged in with an administrator account you must provide administrative credentials at this time.
- 3. In the PIN reset dialog, provide and confirm the new PIN to use and then click **Finish**.
+ 1. Right-click the drive and then select **Change PIN**.
+ 2. In the BitLocker Drive Encryption dialog, select **Reset a forgotten PIN**. If you are not logged in with an administrator account, provide administrative credentials at this time.
+ 3. In the PIN reset dialog, provide and confirm the new PIN to use and then select **Finish**.
3. You will use the new PIN the next time you unlock the drive.
@@ -271,17 +271,17 @@ If you have lost the USB flash drive that contains the startup key, then you mus
1. Log on as an administrator to the computer that has the lost startup key.
2. Open Manage BitLocker.
-3. Click **Duplicate start up key**, insert the clean USB drive on which you are going to write the key and then click **Save**.
+3. Select **Duplicate start up key**, insert the clean USB drive on which you are going to write the key and then select **Save**.
### Changes to boot files
-This error might occur if you updated the firmware. As a best practice you should suspend BitLocker before making changes to the firmware and then resume protection after the update has completed. This prevents the computer from going into recovery mode. However if changes were made when BitLocker protection was on you can simply log on to the computer using the recovery password and the platform validation profile will be updated so that recovery will not occur the next time.
+This error might occur if you updated the firmware. As a best practice, you should suspend BitLocker before making changes to the firmware and then resume protection after the update has completed. This action prevents the computer from going into recovery mode. However if changes were made when BitLocker protection was on, then log on to the computer using the recovery password, and the platform validation profile will be updated so that recovery will not occur the next time.
## Windows RE and BitLocker Device Encryption
-Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair is not able to be run automatically from the PC and instead Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker–protected drives.
+Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair can't run automatically from the PC and instead Windows RE is manually started from a repair disk, then the BitLocker recovery key must be provided to unlock the BitLocker–protected drives.
## BitLocker recovery screen
@@ -307,7 +307,7 @@ Example of customized recovery screen:
### BitLocker recovery key hints
-BitLocker metadata has been enhanced in Windows 10, version 1903 to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where the key has been saved. Hints are displayed in both the modern (blue) and legacy (black) recovery screen. This applies to both the boot manager recovery screen and the WinRE unlock screen.
+BitLocker metadata has been enhanced in Windows 10, version 1903 to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where the key has been saved. Hints are displayed on both the modern (blue) and legacy (black) recovery screen. This applies to both the boot manager recovery screen and the WinRE unlock screen.
@@ -337,7 +337,7 @@ There are rules governing which hint is shown during the recovery (in order of p
| Printed | No |
| Saved to file | No |
-**Result:** The hint for the Microsoft Account and custom URL are displayed.
+**Result:** The hint for the Microsoft Account and the custom URL are displayed.
@@ -378,7 +378,7 @@ There are rules governing which hint is shown during the recovery (in order of p
|----------------------|-----------------|
| Saved to Microsoft Account | No |
| Saved to Azure AD | No |
-| Saved to Acive Directory | No |
+| Saved to Active Directory | No |
| Printed | No |
| Saved to file | Yes |
| Creation time | **1PM** |
@@ -444,17 +444,17 @@ If the recovery methods discussed earlier in this document do not unlock the vol
> [!NOTE]
> You must use the BitLocker Repair tool **repair-bde** to use the BitLocker key package.
-The BitLocker key package is not saved by default. To save the package along with the recovery password in AD DS you must select the **Backup recovery password and key package** option in the Group Policy settings that control the recovery method. You can also export the key package from a working volume. For more details on how to export key packages, see [Retrieving the BitLocker Key Package](#bkmk-appendixc).
+The BitLocker key package is not saved by default. To save the package along with the recovery password in AD DS, you must select the **Backup recovery password and key package** option in the Group Policy settings that control the recovery method. You can also export the key package from a working volume. For more details about how to export key packages, see [Retrieving the BitLocker Key Package](#bkmk-appendixc).
## Resetting recovery passwords
-You should invalidate a recovery password after it has been provided and used. It should also be done when you intentionally want to invalidate an existing recovery password for any reason.
+Invalidate a recovery password after it has been provided and used. It should also be done when you intentionally want to invalidate an existing recovery password for any reason.
You can reset the recovery password in two ways:
-- **Use manage-bde** You can use manage-bde to remove the old recovery password and add a new recovery password. The procedure identifies the command and the syntax for this method.
-- **Run a script** You can run a script to reset the password without decrypting the volume. The sample script in the procedure illustrates this functionality. The sample script creates a new recovery password and invalidates all other passwords.
+- **Use manage-bde**: You can use manage-bde to remove the old recovery password and add a new recovery password. The procedure identifies the command and the syntax for this method.
+- **Run a script**: You can run a script to reset the password without decrypting the volume. The sample script in the procedure illustrates this functionality. The sample script creates a new recovery password and invalidates all other passwords.
**To reset a recovery password using manage-bde:**
@@ -470,13 +470,13 @@ You can reset the recovery password in two ways:
Manage-bde –protectors –add C: -RecoveryPassword
```
-3. Get the ID of the new recovery password. From the screen copy the ID of the recovery password.
+3. Get the ID of the new recovery password. From the screen, copy the ID of the recovery password.
```powershell
Manage-bde –protectors –get C: -Type RecoveryPassword
```
-4. Backup the new recovery password to AD DS
+4. Back up the new recovery password to AD DS.
```powershell
Manage-bde –protectors –adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692}
@@ -488,7 +488,7 @@ You can reset the recovery password in two ways:
**To run the sample recovery password script:**
1. Save the following sample script in a VBScript file. For example: ResetPassword.vbs.
-2. At the command prompt, type a command similar to the following:
+2. At the command prompt, type a command similar to the following sample script:
**cscript ResetPassword.vbs**
@@ -576,15 +576,15 @@ WScript.Echo "A new recovery password has been added. Old passwords have been re
You can use two methods to retrieve the key package, as described in [Using Additional Recovery Information](#bkmk-usingaddrecovery):
-- **Export a previously-saved key package from AD DS.** You must have Read access to BitLocker recovery passwords that are stored in AD DS.
+- **Export a previously saved key package from AD DS.** You must have Read access to BitLocker recovery passwords that are stored in AD DS.
- **Export a new key package from an unlocked, BitLocker-protected volume.** You must have local administrator access to the working volume, before any damage has occurred.
-The following sample script exports all previously-saved key packages from AD DS.
+The following sample script exports all previously saved key packages from AD DS.
**To run the sample key package retrieval script:**
1. Save the following sample script in a VBScript file. For example: GetBitLockerKeyPackageADDS.vbs.
-2. At the command prompt, type a command similar to the following:
+2. At the command prompt, type a command similar to the following sample script:
**cscript GetBitLockerKeyPackageADDS.vbs -?**
@@ -733,7 +733,7 @@ The following sample script exports a new key package from an unlocked, encrypte
**To run the sample key package retrieval script:**
1. Save the following sample script in a VBScript file. For example: GetBitLockerKeyPackage.vbs
-2. Open an administrator command prompt, type a command similar to the following:
+2. Open an administrator command prompt, and then type a command similar to the following sample script:
**cscript GetBitLockerKeyPackage.vbs -?**
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md
index f06b11a197..9ed6f0f984 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
-ms.localizationpriority: #medium
+ms.localizationpriority: medium
ms.author: v-maave
author: martyav
manager: dansimp
diff --git a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md
index c34ddf46f1..871f49b5a8 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md
@@ -1,6 +1,6 @@
---
title: BitLocker To Go FAQ (Windows 10)
-description: Learn more about BitLocker To Go — BitLocker drive encryption for removable drives.
+description: "Learn more about BitLocker To Go: BitLocker drive encryption for removable drives."
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
ms.reviewer:
ms.author: dansimp
@@ -25,7 +25,14 @@ ms.custom: bitlocker
## What is BitLocker To Go?
-BitLocker To Go is BitLocker Drive Encryption on removable data drives. This includes the encryption of USB flash drives, SD cards, external hard disk drives, and other drives formatted by using the NTFS, FAT16, FAT32, or exFAT file systems. Drive partitioning must meet the [BitLocker Drive Encryption Partitioning Requirements](https://docs.microsoft.com/windows-hardware/manufacture/desktop/bitlocker-drive-encryption#bitlocker-drive-encryption-partitioning-requirements).
+BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of:
-As with BitLocker, drives that are encrypted using BitLocker To Go can be opened with a password or smart card on another computer by using **BitLocker Drive Encryption** in Control Panel.
+- USB flash drives
+- SD cards
+- External hard disk drives
+- Other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system.
+
+Drive partitioning must meet the [BitLocker Drive Encryption Partitioning Requirements](https://docs.microsoft.com/windows-hardware/manufacture/desktop/bitlocker-drive-encryption#bitlocker-drive-encryption-partitioning-requirements).
+
+As with BitLocker, you can open drives that are encrypted by BitLocker To Go by using a password or smart card on another computer. In Control Panel, use **BitLocker Drive Encryption**.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
index bf20c5efdd..793722ef06 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
@@ -1,6 +1,6 @@
---
title: BitLocker Use BitLocker Drive Encryption Tools to manage BitLocker (Windows 10)
-description: This topic for the IT professional describes how to use tools to manage BitLocker.
+description: This article for the IT professional describes how to use tools to manage BitLocker.
ms.assetid: e869db9c-e906-437b-8c70-741dd61b5ea6
ms.reviewer:
ms.prod: w10
@@ -23,9 +23,9 @@ ms.custom: bitlocker
**Applies to**
- Windows 10
-This topic for the IT professional describes how to use tools to manage BitLocker.
+This article for the IT professional describes how to use tools to manage BitLocker.
-BitLocker Drive Encryption Tools include the command line tools manage-bde and repair-bde and the BitLocker cmdlets for Windows PowerShell.
+BitLocker Drive Encryption Tools include the command-line tools manage-bde and repair-bde and the BitLocker cmdlets for Windows PowerShell.
Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the BitLocker control panel and are appropriate to use for automated deployments and other scripting scenarios.
@@ -39,11 +39,11 @@ Repair-bde is a special circumstance tool that is provided for disaster recovery
Manage-bde is a command-line tool that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the manage-bde options, see the [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx) command-line reference.
-Manage-bde includes less default settings and requires greater customization for configuring BitLocker. For example, using just the `manage-bde -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected. The following sections provide examples of common usage scenarios for manage-bde.
+Manage-bde includes fewer default settings and requires greater customization for configuring BitLocker. For example, using just the `manage-bde -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected. The following sections provide examples of common usage scenarios for manage-bde.
### Using manage-bde with operating system volumes
-Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde -on ` command will encrypt the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or PIN and expect to be able to recover information with a recovery key. It is recommended that at least one primary protector and a recovery protector be added to an operating system volume.
+Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde -on ` command will encrypt the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or PIN and expect to be able to recover information with a recovery key. We recommend that you add at least one primary protector and a recovery protector to an operating system volume.
A good practice when using manage-bde is to determine the volume status on the target system. Use the following command to determine volume status:
@@ -54,7 +54,7 @@ This command returns the volumes on the target, current encryption status, encry
-The following example illustrates enabling BitLocker on a computer without a TPM chip. Before beginning the encryption process you must create the startup key needed for BitLocker and save it to the USB drive. When BitLocker is enabled for the operating system volume, the BitLocker will need to access the USB flash drive to obtain the encryption key (in this example, the drive letter E represents the USB drive). You will be prompted to reboot to complete the encryption process.
+The following example illustrates enabling BitLocker on a computer without a TPM chip. Before beginning the encryption process, you must create the startup key needed for BitLocker and save it to the USB drive. When BitLocker is enabled for the operating system volume, the BitLocker will need to access the USB flash drive to obtain the encryption key (in this example, the drive letter E represents the USB drive). You will be prompted to reboot to complete the encryption process.
```powershell
manage-bde –protectors -add C: -startupkey E:
@@ -63,30 +63,30 @@ manage-bde -on C:
>**Note:** After the encryption is completed, the USB startup key must be inserted before the operating system can be started.
-An alternative to the startup key protector on non-TPM hardware is to use a password and an **ADaccountorgroup** protector to protect the operating system volume. In this scenario, you would add the protectors first. This is done with the command:
+An alternative to the startup key protector on non-TPM hardware is to use a password and an **ADaccountorgroup** protector to protect the operating system volume. In this scenario, you would add the protectors first. To add them, use this command:
```powershell
manage-bde -protectors -add C: -pw -sid
```
-This command will require you to enter and then confirm the password protector before adding them to the volume. With the protectors enabled on the volume, you can then turn BitLocker on.
+This command will require you to enter and then confirm the password protector before adding them to the volume. With the protectors enabled on the volume, you can then turn on BitLocker.
-On computers with a TPM it is possible to encrypt the operating system volume without any defined protectors using manage-bde. The command to do this is:
+On computers with a TPM, it is possible to encrypt the operating system volume without any defined protectors using manage-bde. Use this command:
```powershell
manage-bde -on C:
```
-This will encrypt the drive using the TPM as the default protector. If you are not sure if a TPM protector is available, to list the protectors available for a volume, run the following command:
+This command encrypts the drive using the TPM as the default protector. If you are not sure if a TPM protector is available, to list the protectors available for a volume, run the following command:
```powershell
manage-bde -protectors -get
```
### Using manage-bde with data volumes
-Data volumes use the same syntax for encryption as operating system volumes but they do not require protectors for the operation to complete. Encrypting data volumes can be done using the base command: `manage-bde -on ` or you can choose to add additional protectors to the volume first. It is recommended that at least one primary protector and a recovery protector be added to a data volume.
+Data volumes use the same syntax for encryption as operating system volumes but they do not require protectors for the operation to complete. Encrypting data volumes can be done using the base command: `manage-bde -on ` or you can choose to add additional protectors to the volume first. We recommend that you add at least one primary protector and a recovery protector to a data volume.
-A common protector for a data volume is the password protector. In the example below, we add a password protector to the volume and turn BitLocker on.
+A common protector for a data volume is the password protector. In the example below, we add a password protector to the volume and turn on BitLocker.
```powershell
manage-bde -protectors -add -pw C:
@@ -101,11 +101,11 @@ The BitLocker Repair Tool (Repair-bde) can be used to access encrypted data on a
>**Tip:** If you are not backing up recovery information to AD DS or if you want to save key packages alternatively, you can use the command `manage-bde -KeyPackage` to generate a key package for a volume.
-The Repair-bde command-line tool is intended for use when the operating system does not start or when you cannot start the BitLocker Recovery Console. You should use Repair-bde if the following conditions are true:
+The Repair-bde command-line tool is intended for use when the operating system does not start or when you cannot start the BitLocker Recovery Console. Use Repair-bde if the following conditions are true:
-1. You have encrypted the drive by using BitLocker Drive Encryption.
-2. Windows does not start, or you cannot start the BitLocker recovery console.
-3. You do not have a copy of the data that is contained on the encrypted drive.
+- You have encrypted the drive by using BitLocker Drive Encryption.
+- Windows does not start, or you cannot start the BitLocker recovery console.
+- You do not have a copy of the data that is contained on the encrypted drive.
>**Note:** Damage to the drive may not be related to BitLocker. Therefore, we recommend that you try other tools to help diagnose and resolve the problem with the drive before you use the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers.
@@ -249,7 +249,7 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work
Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they are encrypting prior to running Windows PowerShell cmdlets.
A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the Get-BitLockerVolume cmdlet.
-The Get-BitLockerVolume cmdlet output gives information on the volume type, protectors, protection status and other details.
+The Get-BitLockerVolume cmdlet output gives information on the volume type, protectors, protection status, and other details.
>**Tip:** Occasionally, all protectors may not be shown when using `Get-BitLockerVolume` due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a full listing of the protectors.
`Get-BitLockerVolume C: | fl`
@@ -263,9 +263,9 @@ $vol = Get-BitLockerVolume
$keyprotectors = $vol.KeyProtector
```
-Using this, you can display the information in the $keyprotectors variable to determine the GUID for each protector.
+By using this script, you can display the information in the $keyprotectors variable to determine the GUID for each protector.
-Using this information, you can then remove the key protector for a specific volume using the command:
+By using this information, you can then remove the key protector for a specific volume using the command:
```powershell
Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}"
@@ -291,8 +291,8 @@ Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath -SkipHardwareTes
### Using the BitLocker Windows PowerShell cmdlets with data volumes
-Data volume encryption using Windows PowerShell is the same as for operating system volumes. You should add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a
-SecureString value to store the user defined password.
+Data volume encryption using Windows PowerShell is the same as for operating system volumes. Add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a
+SecureString value to store the user-defined password.
```powershell
$pw = Read-Host -AsSecureString
@@ -301,11 +301,11 @@ Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw
```
### Using an AD Account or Group protector in Windows PowerShell
-The **ADAccountOrGroup** protector, introduced in Windows 8 and Windows Server 2012, is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it does not unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly failover to and be unlocked by any member computer of the cluster.
+The **ADAccountOrGroup** protector, introduced in Windows 8 and Windows Server 2012, is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it does not unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly fail over to and be unlocked by any member computer of the cluster.
>**Warning:** The **ADAccountOrGroup** protector requires the use of an additional protector for use (such as TPM, PIN, or recovery key) when used on operating system volumes
-To add an **ADAccountOrGroup** protector to a volume requires either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G.
+To add an **ADAccountOrGroup** protector to a volume, use either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G.
```powershell
Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Administrator
diff --git a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md
index ac4286c885..e71fba3cbd 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md
@@ -37,7 +37,7 @@ BitLocker has a storage driver stack that ensures memory dumps are encrypted whe
## Can BitLocker support smart cards for pre-boot authentication?
-BitLocker does not support smart cards for pre-boot authentication. There is no single industry standard for smart card support in the firmware, and most computers either do not implement firmware support for smart cards, or only support specific smart cards and readers. This lack of standardization makes supporting them very difficult.
+BitLocker does not support smart cards for pre-boot authentication. There is no single industry standard for smart card support in the firmware, and most computers either do not implement firmware support for smart cards, or only support specific smart cards and readers. This lack of standardization makes supporting them difficult.
## Can I use a non-Microsoft TPM driver?
@@ -69,7 +69,7 @@ The **Save to USB** option is not shown by default for removable drives. If the
## Why am I unable to automatically unlock my drive?
-Automatic unlocking for fixed data drives requires that the operating system drive also be protected by BitLocker. If you are using a computer that does not have a BitLocker-protected operating system drive, the drive cannot be automatically unlocked. For removable data drives, you can add automatic unlocking by right-clicking the drive in Windows Explorer and clicking **Manage BitLocker**. You will still be able to use the password or smart card credentials you supplied when you turned on BitLocker to unlock the removable drive on other computers.
+Automatic unlocking for fixed data drives requires the operating system drive to also be protected by BitLocker. If you are using a computer that does not have a BitLocker-protected operating system drive, the drive cannot be automatically unlocked. For removable data drives, you can add automatic unlocking by right-clicking the drive in Windows Explorer and clicking **Manage BitLocker**. You will still be able to use the password or smart card credentials you supplied when you turned on BitLocker to unlock the removable drive on other computers.
## Can I use BitLocker in Safe Mode?
@@ -95,8 +95,8 @@ Yes. However, shadow copies made prior to enabling BitLocker will be automatical
## Does BitLocker support virtual hard disks (VHDs)?
BitLocker should work like any specific physical machine within its hardware limitations as long as the environment (physical or virtual) meets Windows Operating System requirements to run.
-- With TPM - Yes it is supported
-- Without TPM - Yes it is supported (with password protector)
+- With TPM: Yes, it is supported.
+- Without TPM: Yes, it is supported (with password protector).
BitLocker is also supported on data volume VHDs, such as those used by clusters, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012.
diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
index ac7c00f8b6..01a07590a5 100644
--- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
@@ -1,6 +1,6 @@
---
title: Protecting cluster shared volumes and storage area networks with BitLocker (Windows 10)
-description: This topic for IT pros describes how to protect CSVs and SANs with BitLocker.
+description: This article for IT pros describes how to protect CSVs and SANs with BitLocker.
ms.assetid: ecd25a10-42c7-4d31-8a7e-ea52c8ebc092
ms.reviewer:
ms.prod: w10
@@ -23,7 +23,7 @@ ms.custom: bitlocker
**Applies to**
- Windows Server 2016
-This topic for IT pros describes how to protect CSVs and SANs with BitLocker.
+This article for IT pros describes how to protect CSVs and SANs with BitLocker.
BitLocker can protect both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes allows for an additional layer of protection for administrators wishing to protect sensitive, highly available data. By adding additional protectors to the clustered volume, administrators can also add an additional barrier of security to resources within an organization by allowing only certain user accounts access to unlock the BitLocker volume.
@@ -38,15 +38,15 @@ BitLocker on volumes within a cluster are managed based on how the cluster servi
Alternatively, the volume can be a cluster-shared volume, a shared namespace, within the cluster. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. When using BitLocker with volumes designated for a cluster, the volume will need to turn on
BitLocker before its addition to the storage pool within cluster or put the resource into maintenance mode before BitLocker operations will complete.
-Windows PowerShell or the manage-bde command line interface is the preferred method to manage BitLocker on CSV2.0 volumes. This is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points do not require the use of a drive letter. Volumes that lack drive letters do not appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources is not available in the Control Panel item.
+Windows PowerShell or the manage-bde command-line interface is the preferred method to manage BitLocker on CSV2.0 volumes. This method is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points do not require the use of a drive letter. Volumes that lack drive letters do not appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources is not available in the Control Panel item.
>**Note:** Mount points can be used to support remote mount points on SMB based network shares. This type of share is not supported for BitLocker encryption.
-For thinly provisioned storage, such as a Dynamic Virtual Hard Disk (VHD), BitLocker runs in Used Disk Space Only encryption mode. You cannot use the **manage-bde -WipeFreeSpace** command to transition the volume to full-volume encryption on these types of volumes. This is blocked in order to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space.
+For thinly provisioned storage, such as a Dynamic Virtual Hard Disk (VHD), BitLocker runs in Used Disk Space Only encryption mode. You cannot use the **manage-bde -WipeFreeSpace** command to transition the volume to full-volume encryption on these types of volumes. This action is blocked in order to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space.
### Active Directory-based protector
-You can also use an Active Directory Domain Services (AD DS) protector for protecting clustered volumes held within your AD DS infrastructure. The **ADAccountOrGroup** protector is a domain security identifier (SID)-based protector that can be bound to a user account, machine account or group. When an unlock request is made for a protected volume, the BitLocker service interrupts the request and uses the BitLocker protect/unprotect APIs to unlock or deny the request. BitLocker will unlock protected volumes without user intervention by attempting protectors in the following order:
+You can also use an Active Directory Domain Services (AD DS) protector for protecting clustered volumes held within your AD DS infrastructure. The **ADAccountOrGroup** protector is a domain security identifier (SID)-based protector that can be bound to a user account, machine account, or group. When an unlock request is made for a protected volume, the BitLocker service interrupts the request and uses the BitLocker protect/unprotect APIs to unlock or deny the request. BitLocker will unlock protected volumes without user intervention by attempting protectors in the following order:
1. Clear key
2. Driver-based auto-unlock key
@@ -61,7 +61,7 @@ You can also use an Active Directory Domain Services (AD DS) protector for prote
### Turning on BitLocker before adding disks to a cluster using Windows PowerShell
-BitLocker encryption is available for disks before or after addition to a cluster storage pool. The advantage of encrypting volumes prior to adding them to a cluster is that the disk resource does not require suspending the resource to complete the operation. To turn on BitLocker for a disk before adding it to a cluster, do the following:
+BitLocker encryption is available for disks before or after addition to a cluster storage pool. The advantage of encrypting volumes prior to adding them to a cluster is that the disk resource does not require suspending the resource to complete the operation. To turn on BitLocker for a disk before adding it to a cluster:
1. Install the BitLocker Drive Encryption feature if it is not already installed.
2. Ensure the disk is formatted NTFS and has a drive letter assigned to it.
@@ -84,7 +84,7 @@ BitLocker encryption is available for disks before or after addition to a cluste
### Turning on BitLocker for a clustered disk using Windows PowerShell
-When the cluster service owns a disk resource already, it needs to be set into maintenance mode before BitLocker can be enabled. Use the following steps for turning BitLocker on for a clustered disk:
+When the cluster service owns a disk resource already, it needs to be set into maintenance mode before BitLocker can be enabled. Use the following steps for turning on BitLocker for a clustered disk:
1. Install the BitLocker Drive Encryption feature if it is not already installed.
2. Check the status of the cluster disk using Windows PowerShell.
@@ -122,11 +122,11 @@ When the cluster service owns a disk resource already, it needs to be set into m
### Adding BitLocker encrypted volumes to a cluster using manage-bde
-You can also use manage-bde to enable BitLocker on clustered volumes. The steps needed to add a physical disk resource or CSV2.0 volume to an existing cluster includes the following:
+You can also use manage-bde to enable BitLocker on clustered volumes. Follow these steps to add a physical disk resource or CSV2.0 volume to an existing cluster:
1. Verify the BitLocker Drive Encryption feature is installed on the computer.
2. Ensure new storage is formatted as NTFS.
-3. Encrypt the volume, add a recovery key and add the cluster administrator as a protector key using the manage-bde command line interface (see example):
+3. Encrypt the volume, add a recovery key, and add the cluster administrator as a protector key by using the manage-bde command-line interface (see example):
- `Manage-bde -on -used -RP -sid domain\CNO$ -sync`
@@ -135,16 +135,17 @@ You can also use manage-bde to enable BitLocker on clustered volumes. The steps
4. Open the Failover Cluster Manager snap-in or cluster PowerShell cmdlets to enable the disk to be clustered
- - Once the disk is clustered it can also be enabled for CSV.
+ - Once the disk is clustered, it can also be enabled for CSV.
5. During the resource online operation, cluster will check to see if the disk is BitLocker encrypted.
1. If the volume is not BitLocker enabled, traditional cluster online operations occur.
2. If the volume is BitLocker enabled, the following check occurs:
- - If volume is **locked**, BitLocker will impersonate the CNO and unlock the volume using the CNO protector. If this operation fails an event will be logged that the volume could not be unlocked and the online operation will fail.
+ - If volume is **locked**, BitLocker will impersonate the CNO and unlock the volume using the CNO protector. If this operation fails, an event will be logged that the volume could not be unlocked and the online operation will fail.
+
+6. Once the disk is online in the storage pool, it can be added to a CSV by right-clicking the disk resource and choosing **Add to cluster shared volumes**.
-6. Once the disk is online in the storage pool, it can be added to a CSV by right clicking on the disk resource and choosing "**Add to cluster shared volumes**".
CSVs can include both encrypted and unencrypted volumes. To check the status of a particular volume for BitLocker encryption, administrators can utilize the manage-bde -status command with a path to the volume inside the CSV namespace as seen in the example command line below.
```powershell
@@ -153,11 +154,11 @@ manage-bde -status "C:\ClusterStorage\volume1"
### Physical Disk Resources
-Unlike CSV2.0 volumes, physical disk resources can only be accessed by one cluster node at a time. This means that operations such as encrypting, decrypting, locking or unlocking volumes require context to perform. For example, you cannot unlock or decrypt a physical disk resource if you are not administering the cluster node that owns the disk resource because the disk resource is not available.
+Unlike CSV2.0 volumes, physical disk resources can only be accessed by one cluster node at a time. So operations such as encrypting, decrypting, locking, or unlocking volumes require context to perform. For example, you cannot unlock or decrypt a physical disk resource if you are not administering the cluster node that owns the disk resource because the disk resource is not available.
### Restrictions on BitLocker actions with cluster volumes
-The following table contains information about both Physical Disk Resources (i.e. traditional failover cluster volumes) and Cluster Shared Volumes (CSV) and the actions that are allowed by BitLocker in each situation.
+The following table contains information about both Physical Disk Resources (that is, traditional failover cluster volumes) and Cluster Shared Volumes (CSV) and the actions that are allowed by BitLocker in each situation.
@@ -268,7 +269,7 @@ In the case where a physical disk resource experiences a failover event during c
### Other considerations when using BitLocker on CSV2.0
-Some other considerations to take into account for BitLocker on clustered storage include the following:
+Also take these considerations into account for BitLocker on clustered storage:
- BitLocker volumes have to be initialized and beginning encryption before they are available to add to a CSV2.0 volume.
- If an administrator needs to decrypt a CSV volume, remove the volume from the cluster or put into disk maintenance mode. You can add the CSV back to the cluster while waiting for decryption to complete.
- If an administrator needs to start encrypting a CSV volume, remove the volume from the cluster or put it in maintenance mode.
diff --git a/windows/security/information-protection/index.md b/windows/security/information-protection/index.md
index 84ea720232..e72f8d6c68 100644
--- a/windows/security/information-protection/index.md
+++ b/windows/security/information-protection/index.md
@@ -1,6 +1,6 @@
---
title: Information protection (Windows 10)
-description: Learn more about how to protect sesnsitive data across your ogranization.
+description: Learn more about how to protect sensitive data across your organization.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 7cb35259d5..1d2ce21e5e 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -65,6 +65,7 @@
##### [Remediate vulnerabilities](microsoft-defender-atp/tvm-remediation.md)
##### [Exceptions for security recommendations](microsoft-defender-atp/tvm-exception.md)
##### [Plan for end-of-support software](microsoft-defender-atp/tvm-end-of-support-software.md)
+##### [Mitigate zero-day vulnerabilities](microsoft-defender-atp/tvm-zero-day-vulnerabilities.md)
#### [Understand vulnerabilities on your devices]()
##### [Software inventory](microsoft-defender-atp/tvm-software-inventory.md)
##### [Vulnerabilities in my organization](microsoft-defender-atp/tvm-weaknesses.md)
@@ -753,7 +754,7 @@
#### [Virus information alliance](intelligence/virus-information-alliance-criteria.md)
#### [Microsoft virus initiative](intelligence/virus-initiative-criteria.md)
#### [Coordinated malware eradication](intelligence/coordinated-malware-eradication.md)
-### [Information for developers](intelligence/developer-info.md)
+### [Information for developers]()
#### [Software developer FAQ](intelligence/developer-faq.md)
#### [Software developer resources](intelligence/developer-resources.md)
diff --git a/windows/security/threat-protection/auditing/audit-user-device-claims.md b/windows/security/threat-protection/auditing/audit-user-device-claims.md
index 74c7755cb8..bea0be45b0 100644
--- a/windows/security/threat-protection/auditing/audit-user-device-claims.md
+++ b/windows/security/threat-protection/auditing/audit-user-device-claims.md
@@ -1,6 +1,6 @@
---
title: Audit User/Device Claims (Windows 10)
-description: Audit User/Device Claims is an audit policy setting which enables you to audit security events that are generated by user and device claims.
+description: Audit User/Device Claims is an audit policy setting that enables you to audit security events that are generated by user and device claims.
ms.assetid: D3D2BFAF-F2C0-462A-9377-673DB49D5486
ms.reviewer:
manager: dansimp
@@ -25,7 +25,7 @@ Audit User/Device Claims allows you to audit user and device claims information
For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource.
-***Important***: [Audit Logon](audit-logon.md) subcategory must also be enabled in order to get events from this subcategory.
+***Important***: Enable the [Audit Logon](audit-logon.md) subcategory in order to get events from this subcategory.
**Event volume**:
diff --git a/windows/security/threat-protection/auditing/event-1105.md b/windows/security/threat-protection/auditing/event-1105.md
index e00e49b666..bd4e2bb72a 100644
--- a/windows/security/threat-protection/auditing/event-1105.md
+++ b/windows/security/threat-protection/auditing/event-1105.md
@@ -13,7 +13,7 @@ manager: dansimp
ms.author: dansimp
---
-# 1105(S): Event log automatic backup.
+# 1105(S): Event log automatic backup
**Applies to**
- Windows 10
@@ -71,7 +71,7 @@ This event generates, for example, if the maximum size of Security Event Log fil
***Field Descriptions:***
-**Log** \[Type = UnicodeString\]: the name of the log which was archived (new event log file was created and previous event log was archived). Always “**Security”** for Security Event Logs.
+**Log** \[Type = UnicodeString\]: the name of the log that was archived (new event log file was created and previous event log was archived). Always “**Security”** for Security Event Logs.
**File**: \[Type = FILETIME\]: full path and filename of archived log file.
diff --git a/windows/security/threat-protection/auditing/event-4618.md b/windows/security/threat-protection/auditing/event-4618.md
index 9dcc575df1..4155868172 100644
--- a/windows/security/threat-protection/auditing/event-4618.md
+++ b/windows/security/threat-protection/auditing/event-4618.md
@@ -32,7 +32,7 @@ Account must have **SeAuditPrivilege** (Generate security audits) to be able to
- Only **OrgEventID**, **ComputerName**, and **EventCount** are required—others are optional. Fields not specified appear with “**-**“ in the event description field.
-- If a field doesn’t match the expected data type, the event is not generated. (i.e., if **EventCount** = “XYZ” then no event is generated.)
+- If a field doesn’t match the expected data type, the event is not generated. That is, if **EventCount** = “XYZ”, then no event is generated.
- **UserSid**, **UserName**, and **UserDomain** are not related to each other (think **SubjectUser** fields, where they are)
@@ -98,5 +98,5 @@ Account must have **SeAuditPrivilege** (Generate security audits) to be able to
For 4618(S): A monitored security event pattern has occurred.
-- This event can be invoked only manually/intentionally, it is up to you how interpret this event depends on information you put inside of it.
+- This event can be invoked only manually/intentionally, it is up to you how to interpret this event depends on information you put inside of it.
diff --git a/windows/security/threat-protection/auditing/event-4625.md b/windows/security/threat-protection/auditing/event-4625.md
index 220876b84a..293e52c57f 100644
--- a/windows/security/threat-protection/auditing/event-4625.md
+++ b/windows/security/threat-protection/auditing/event-4625.md
@@ -99,7 +99,7 @@ This event generates on domain controllers, member servers, and workstations.
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that reported information about logon failure.
-- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
+- **Account Domain** \[Type = UnicodeString\]**:** subject's domain or computer name. Here are some examples of formats:
- Domain NETBIOS name example: CONTOSO
@@ -111,7 +111,7 @@ This event generates on domain controllers, member servers, and workstations.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-- **Logon Type** \[Type = UInt32\]**:** the type of logon which was performed. “Table 11. Windows Logon Types” contains the list of possible values for this field.
+- **Logon Type** \[Type = UInt32\]**:** the type of logon that was performed. “Table 11. Windows Logon Types” contains the list of possible values for this field.
**Table 11: Windows Logon Types**
@@ -138,7 +138,7 @@ This event generates on domain controllers, member servers, and workstations.
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that was specified in the logon attempt.
-- **Account Domain** \[Type = UnicodeString\]**:** domain or computer name. Formats vary, and include the following:
+- **Account Domain** \[Type = UnicodeString\]**:** domain or computer name. Here are some examples of formats:
- Domain NETBIOS name example: CONTOSO
@@ -154,9 +154,9 @@ This event generates on domain controllers, member servers, and workstations.
**Failure Information:**
-- **Failure Reason** \[Type = UnicodeString\]**:** textual explanation of **Status** field value. For this event it typically has “**Account locked out**” value.
+- **Failure Reason** \[Type = UnicodeString\]**:** textual explanation of **Status** field value. For this event, it typically has “**Account locked out**” value.
-- **Status** \[Type = HexInt32\]**:** the reason why logon failed. For this event it typically has “**0xC0000234**” value. The most common status codes are listed in Table 12. Windows logon status codes.
+- **Status** \[Type = HexInt32\]**:** the reason why logon failed. For this event, it typically has “**0xC0000234**” value. The most common status codes are listed in Table 12. Windows logon status codes.
**Table 12: Windows logon status codes.**
@@ -165,7 +165,7 @@ This event generates on domain controllers, member servers, and workstations.
| 0XC000005E | There are currently no logon servers available to service the logon request. |
| 0xC0000064 | User logon with misspelled or bad user account |
| 0xC000006A | User logon with misspelled or bad password |
- | 0XC000006D | This is either due to a bad username or authentication information |
+ | 0XC000006D | The cause is either a bad username or authentication information |
| 0XC000006E | Indicates a referenced user name and authentication information are valid, but some user account restriction has prevented successful authentication (such as time-of-day restrictions). |
| 0xC000006F | User logon outside authorized hours |
| 0xC0000070 | User logon from unauthorized workstation |
@@ -173,23 +173,23 @@ This event generates on domain controllers, member servers, and workstations.
| 0xC0000072 | User logon to account disabled by administrator |
| 0XC00000DC | Indicates the Sam Server was in the wrong state to perform the desired operation. |
| 0XC0000133 | Clocks between DC and other computer too far out of sync |
- | 0XC000015B | The user has not been granted the requested logon type (aka logon right) at this machine |
+ | 0XC000015B | The user has not been granted the requested logon type (also called the *logon right*) at this machine |
| 0XC000018C | The logon request failed because the trust relationship between the primary domain and the trusted domain failed. |
- | 0XC0000192 | An attempt was made to logon, but the N**etlogon** service was not started. |
+ | 0XC0000192 | An attempt was made to logon, but the **Netlogon** service was not started. |
| 0xC0000193 | User logon with expired account |
| 0XC0000224 | User is required to change password at next logon |
| 0XC0000225 | Evidently a bug in Windows and not a risk |
| 0xC0000234 | User logon with account locked |
| 0XC00002EE | Failure Reason: An Error occurred during Logon |
- | 0XC0000413 | Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine. |
+ | 0XC0000413 | Logon Failure: The machine you are logging on to is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine. |
| 0x0 | Status OK. |
> [!NOTE]
-> To see the meaning of other status\\sub-status codes you may also check for status code in the Window header file ntstatus.h in Windows SDK.
+> To see the meaning of other status or substatus codes, you might also check for status code in the Window header file ntstatus.h in Windows SDK.
More information:
-- **Sub Status** \[Type = HexInt32\]**:** additional information about logon failure. The most common sub-status codes listed in the “Table 12. Windows logon status codes.”.
+- **Sub Status** \[Type = HexInt32\]**:** additional information about logon failure. The most common substatus codes listed in the “Table 12. Windows logon status codes.”.
**Process Information:**
@@ -213,7 +213,7 @@ More information:
- ::1 or 127.0.0.1 means localhost.
-- **Source Port** \[Type = UnicodeString\]: source port which was used for logon attempt from remote machine.
+- **Source Port** \[Type = UnicodeString\]: source port that was used for logon attempt from remote machine.
- 0 for interactive logons.
@@ -221,7 +221,7 @@ More information:
- **Logon Process** \[Type = UnicodeString\]**:** the name of the trusted logon process that was used for the logon attempt. See event “[4611](event-4611.md): A trusted logon process has been registered with the Local Security Authority” description for more information.
-- **Authentication Package** \[Type = UnicodeString\]**:** The name of the authentication package which was used for the logon authentication process. Default packages loaded on LSA startup are located in “HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig” registry key. Other packages can be loaded at runtime. When a new package is loaded a “[4610](event-4610.md): An authentication package has been loaded by the Local Security Authority” (typically for NTLM) or “[4622](event-4622.md): A security package has been loaded by the Local Security Authority” (typically for Kerberos) event is logged to indicate that a new package has been loaded along with the package name. The most common authentication packages are:
+- **Authentication Package** \[Type = UnicodeString\]**:** The name of the authentication package that was used for the logon authentication process. Default packages loaded on LSA startup are located in “HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig” registry key. Other packages can be loaded at runtime. When a new package is loaded a “[4610](event-4610.md): An authentication package has been loaded by the Local Security Authority” (typically for NTLM) or “[4622](event-4622.md): A security package has been loaded by the Local Security Authority” (typically for Kerberos) event is logged to indicate that a new package has been loaded along with the package name. The most common authentication packages are:
- **NTLM** – NTLM-family Authentication
@@ -231,7 +231,7 @@ More information:
- **Transited Services** \[Type = UnicodeString\] \[Kerberos-only\]**:** the list of transmitted services. Transmitted services are populated if the logon was a result of a S4U (Service For User) logon process. S4U is a Microsoft extension to the Kerberos Protocol to allow an application service to obtain a Kerberos service ticket on behalf of a user – most commonly done by a front-end website to access an internal resource on behalf of a user. For more information about S4U, see
-- **Package Name (NTLM only)** \[Type = UnicodeString\]**:** The name of the LAN Manager sub-package ([NTLM-family](https://msdn.microsoft.com/library/cc236627.aspx) protocol name) that was used during the logon attempt. Possible values are:
+- **Package Name (NTLM only)** \[Type = UnicodeString\]**:** The name of the LAN Manager subpackage ([NTLM-family](https://msdn.microsoft.com/library/cc236627.aspx) protocol name) that was used during the logon attempt. Possible values are:
- “NTLM V1”
@@ -241,7 +241,7 @@ More information:
Only populated if “**Authentication Package” = “NTLM”**.
-- **Key Length** \[Type = UInt32\]**:** the length of [NTLM Session Security](https://msdn.microsoft.com/library/cc236650.aspx) key. Typically it has 128 bit or 56 bit length. This parameter is always 0 if “**Authentication Package” = “Kerberos”**, because it is not applicable for Kerberos protocol. This field will also have “0” value if Kerberos was negotiated using **Negotiate** authentication package.
+- **Key Length** \[Type = UInt32\]**:** the length of [NTLM Session Security](https://msdn.microsoft.com/library/cc236650.aspx) key. Typically, it has a length of 128 bits or 56 bits. This parameter is always 0 if **"Authentication Package" = "Kerberos"**, because it is not applicable for Kerberos protocol. This field will also have “0” value if Kerberos was negotiated using **Negotiate** authentication package.
## Security Monitoring Recommendations
@@ -264,9 +264,9 @@ For 4625(F): An account failed to log on.
- If you have a high-value domain or local account for which you need to monitor every lockout, monitor all [4625](event-4625.md) events with the **“Subject\\Security ID”** that corresponds to the account.
-- We recommend monitoring all [4625](event-4625.md) events for local accounts, because these accounts typically should not be locked out. This is especially relevant for critical servers, administrative workstations, and other high value assets.
+- We recommend monitoring all [4625](event-4625.md) events for local accounts, because these accounts typically should not be locked out. Monitoring is especially relevant for critical servers, administrative workstations, and other high-value assets.
-- We recommend monitoring all [4625](event-4625.md) events for service accounts, because these accounts should not be locked out or prevented from functioning. This is especially relevant for critical servers, administrative workstations, and other high value assets.
+- We recommend monitoring all [4625](event-4625.md) events for service accounts, because these accounts should not be locked out or prevented from functioning. Monitoring is especially relevant for critical servers, administrative workstations, and other high value assets.
- If your organization restricts logons in the following ways, you can use this event to monitor accordingly:
@@ -286,15 +286,15 @@ For 4625(F): An account failed to log on.
| Field | Value to monitor for |
|----------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
- | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000005E – “There are currently no logon servers available to service the logon request.”
This is typically not a security issue but it can be an infrastructure or availability issue. |
- | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000064 – “User logon with misspelled or bad user account”.
Especially if you get a number of these in a row, it can be a sign of user enumeration attack. |
+ | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000005E – “There are currently no logon servers available to service the logon request.”
This issue is typically not a security issue, but it can be an infrastructure or availability issue. |
+ | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000064 – “User logon with misspelled or bad user account”.
Especially if you get several of these events in a row, it can be a sign of a user enumeration attack. |
| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC000006A – “User logon with misspelled or bad password” for critical accounts or service accounts.
Especially watch for a number of such events in a row. |
| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000006D – “This is either due to a bad username or authentication information” for critical accounts or service accounts.
Especially watch for a number of such events in a row. |
| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC000006F – “User logon outside authorized hours”. |
| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000070 – “User logon from unauthorized workstation”. |
| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000072 – “User logon to account disabled by administrator”. |
| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000015B – “The user has not been granted the requested logon type (aka logon right) at this machine”. |
- | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC0000192 – “An attempt was made to logon, but the Netlogon service was not started”.
This is typically not a security issue but it can be an infrastructure or availability issue. |
+ | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC0000192 – “An attempt was made to logon, but the Netlogon service was not started”.
This issue is typically not a security issue but it can be an infrastructure or availability issue. |
| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000193 – “User logon with expired account”. |
| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC0000413 – “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”. |
diff --git a/windows/security/threat-protection/auditing/event-4692.md b/windows/security/threat-protection/auditing/event-4692.md
index 15199dbda5..dc84c4c3d6 100644
--- a/windows/security/threat-protection/auditing/event-4692.md
+++ b/windows/security/threat-protection/auditing/event-4692.md
@@ -30,7 +30,7 @@ This event generates every time that a backup is attempted for the [DPAPI](https
When a computer is a member of a domain, DPAPI has a backup mechanism to allow unprotection of the data. When a Master Key is generated, DPAPI communicates with a domain controller. Domain controllers have a domain-wide public/private key pair, associated solely with DPAPI. The local DPAPI client gets the domain controller public key from a domain controller by using a mutually authenticated and privacy protected RPC call. The client encrypts the Master Key with the domain controller public key. It then stores this backup Master Key along with the Master Key protected by the user's password.
-Periodically, a domain-joined machine will try to send an RPC request to a domain controller to back up the user’s master key so that the user can recover secrets in case his or her password has to be reset. Although the user's keys are stored in the user profile, a domain controller must be contacted to encrypt the master key with a domain recovery key.
+Periodically, a domain-joined machine tries to send an RPC request to a domain controller to back up the user’s master key so that the user can recover secrets in case their password has to be reset. Although the user's keys are stored in the user profile, a domain controller must be contacted to encrypt the master key with a domain recovery key.
This event also generates every time a new DPAPI Master Key is generated, for example.
@@ -91,7 +91,7 @@ Failure event generates when a Master Key backup operation fails for some reason
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested backup operation.
-- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
+- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Here are some examples of formats:
- Domain NETBIOS name example: CONTOSO
@@ -107,17 +107,17 @@ Failure event generates when a Master Key backup operation fails for some reason
**Key Information:**
-- **Key Identifier** \[Type = UnicodeString\]: unique identifier of a master key which backup was created. The Master Key is used, with some additional data, to generate an actual symmetric session key to encrypt\\decrypt the data using DPAPI. All of user's Master Keys are located in user profile -> %APPDATA%\\Roaming\\Microsoft\\Windows\\Protect\\%SID% folder. The name of every Master Key file is it’s ID.
+- **Key Identifier** \[Type = UnicodeString\]: unique identifier of a master key which backup was created. The Master Key is used, with some additional data, to generate an actual symmetric session key to encrypt\\decrypt the data using DPAPI. All of user's Master Keys are located in user profile -> %APPDATA%\\Roaming\\Microsoft\\Windows\\Protect\\%SID% folder. The name of every Master Key file is its ID.
- **Recovery Server** \[Type = UnicodeString\]: the name (typically – DNS name) of the computer that you contacted to back up your Master Key. For domain joined machines, it’s typically a name of a domain controller. This parameter might not be captured in the event, and in that case will be empty.
-- **Recovery Key ID** \[Type = UnicodeString\]**:** unique identifier of a recovery key. The recovery key is generated when a user chooses to create a Password Reset Disk (PRD) from the user's Control Panel or when first Master Key is generated. First, DPAPI generates a RSA public/private key pair, which is the recovery key. In this field you will see unique Recovery key ID which was used for Master key backup operation.
+- **Recovery Key ID** \[Type = UnicodeString\]**:** unique identifier of a recovery key. The recovery key is generated when a user chooses to create a Password Reset Disk (PRD) from the user's Control Panel or when first Master Key is generated. First, DPAPI generates an RSA public/private key pair, which is the recovery key. In this field, you will see unique Recovery key ID that was used for Master key backup operation.
- For Failure events this field is typically empty.
+ For Failure events, this field is typically empty.
**Status Information:**
-- **Status Code** \[Type = HexInt32\]**:** hexadecimal unique status code of performed operation. For Success events this field is typically “**0x0**”. To see the meaning of status code you need to convert it to decimal value and us “**net helpmsg STATUS\_CODE**” command to see the description for specific STATUS\_CODE. Here is an example of “net helpmsg” command output for status code 0x3A:
+- **Status Code** \[Type = HexInt32\]**:** hexadecimal unique status code of performed operation. For Success events, this field is typically “**0x0**”. To see the meaning of status code you need to convert it to decimal value and us “**net helpmsg STATUS\_CODE**” command to see the description for specific STATUS\_CODE. Here is an example of “net helpmsg” command output for status code 0x3A:
> \[Net helpmsg 58 illustration](..images/net-helpmsg-58.png)
diff --git a/windows/security/threat-protection/auditing/event-4771.md b/windows/security/threat-protection/auditing/event-4771.md
index af44f02711..9c6cb7f55a 100644
--- a/windows/security/threat-protection/auditing/event-4771.md
+++ b/windows/security/threat-protection/auditing/event-4771.md
@@ -26,7 +26,7 @@ ms.author: dansimp
***Event Description:***
-This event generates every time the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). This can occur when a domain controller doesn’t have a certificate installed for smart card authentication (for example, with a “Domain Controller” or “Domain Controller Authentication” template), the user’s password has expired, or the wrong password was provided.
+This event generates every time the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). This problem can occur when a domain controller doesn’t have a certificate installed for smart card authentication (for example, with a “Domain Controller” or “Domain Controller Authentication” template), the user’s password has expired, or the wrong password was provided.
This event generates only on domain controllers.
@@ -103,7 +103,7 @@ This event is not generated if “Do not require Kerberos preauthentication” o
**Network Information:**
-- **Client Address** \[Type = UnicodeString\]**:** IP address of the computer from which the TGT request was received. Formats vary, and include the following:
+- **Client Address** \[Type = UnicodeString\]**:** IP address of the computer from which the TGT request was received. Here are some examples of formats:
- **IPv6** or **IPv4** address.
@@ -117,7 +117,7 @@ This event is not generated if “Do not require Kerberos preauthentication” o
**Additional Information:**
-- **Ticket Options**: \[Type = HexInt32\]: this is a set of different Ticket Flags in hexadecimal format.
+- **Ticket Options**: \[Type = HexInt32\]: this set of different Ticket Flags is in hexadecimal format.
Example:
@@ -125,7 +125,7 @@ This event is not generated if “Do not require Kerberos preauthentication” o
- Binary view: 01000000100000010000000000010000
- - Using **MSB 0** bit numbering we have bit 1, 8, 15 and 27 set = Forwardable, Renewable, Canonicalize, Renewable-ok.
+ - Using **MSB 0**-bit numbering, we have bit 1, 8, 15 and 27 set = Forwardable, Renewable, Canonicalize, Renewable-ok.
> **Note** In the table below **“MSB 0”** bit numbering is used, because RFC documents use this style. In “MSB 0” style bit numbering begins from left.
@@ -146,15 +146,15 @@ The most common values:
| 4 | Proxy | Indicates that the network address in the ticket is different from the one in the TGT used to obtain the ticket. |
| 5 | Allow-postdate | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). |
| 6 | Postdated | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). |
-| 7 | Invalid | This flag indicates that a ticket is invalid, and it must be validated by the KDC before use. Application servers must reject tickets which have this flag set. |
+| 7 | Invalid | This flag indicates that a ticket is invalid, and it must be validated by the KDC before use. Application servers must reject tickets that have this flag set. |
| 8 | Renewable | Used in combination with the End Time and Renew Till fields to cause tickets with long life spans to be renewed at the KDC periodically. |
| 9 | Initial | Indicates that a ticket was issued using the authentication service (AS) exchange and not issued based on a TGT. |
| 10 | Pre-authent | Indicates that the client was authenticated by the KDC before a ticket was issued. This flag usually indicates the presence of an authenticator in the ticket. It can also flag the presence of credentials taken from a smart card logon. |
| 11 | Opt-hardware-auth | This flag was originally intended to indicate that hardware-supported authentication was used during pre-authentication. This flag is no longer recommended in the Kerberos V5 protocol. KDCs MUST NOT issue a ticket with this flag set. KDCs SHOULD NOT preserve this flag if it is set by another KDC. |
| 12 | Transited-policy-checked | KILE MUST NOT check for transited domains on servers or a KDC. Application servers MUST ignore the TRANSITED-POLICY-CHECKED flag. |
| 13 | Ok-as-delegate | The KDC MUST set the OK-AS-DELEGATE flag if the service account is trusted for delegation. |
-| 14 | Request-anonymous | KILE not use this flag. |
-| 15 | Name-canonicalize | In order to request referrals the Kerberos client MUST explicitly request the "canonicalize" KDC option for the AS-REQ or TGS-REQ. |
+| 14 | Request-anonymous | KILE does not use this flag. |
+| 15 | Name-canonicalize | To request referrals, the Kerberos client MUST explicitly request the "canonicalize" KDC option for the AS-REQ or TGS-REQ. |
| 16-25 | Unused | - |
| 26 | Disable-transited-check | By default the KDC will check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT. If this flag is set in the request, checking of the transited field is disabled. Tickets issued without the performance of this check will be noted by the reset (0) value of the TRANSITED-POLICY-CHECKED flag, indicating to the application server that the transited field must be checked locally. KDCs are encouraged but not required to honor
the DISABLE-TRANSITED-CHECK option.
Should not be in use, because Transited-policy-checked flag is not supported by KILE. |
| 27 | Renewable-ok | The RENEWABLE-OK option indicates that a renewable ticket will be acceptable if a ticket with the requested life cannot otherwise be provided, in which case a renewable ticket may be issued with a renew-till equal to the requested end time. The value of the renew-till field may still be limited by local limits, or limits selected by the individual principal or server. |
@@ -169,11 +169,11 @@ The most common values:
| Code | Code Name | Description | Possible causes |
|------|--------------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.
It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). |
+| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.
It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). |
| 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset | The user’s password has expired. |
| 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid | The wrong password was provided. |
-- **Pre-Authentication Type** \[Type = UnicodeString\]: the code of [pre-Authentication](https://technet.microsoft.com/library/cc772815(v=ws.10).aspx) type which was used in TGT request.
+- **Pre-Authentication Type** \[Type = UnicodeString\]: the code of [pre-Authentication](https://technet.microsoft.com/library/cc772815(v=ws.10).aspx) type that was used in TGT request.
## Table 5. Kerberos Pre-Authentication types.
@@ -181,7 +181,7 @@ The most common values:
| Type | Type Name | Description |
|------|------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 0 | - | Logon without Pre-Authentication. |
-| 2 | PA-ENC-TIMESTAMP | This is a normal type for standard password authentication. |
+| 2 | PA-ENC-TIMESTAMP | This type is normal for standard password authentication. |
| 11 | PA-ETYPE-INFO | The ETYPE-INFO pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value.
Never saw this Pre-Authentication Type in Microsoft Active Directory environment. |
| 15 | PA-PK-AS-REP\_OLD | Used for Smart Card logon authentication. |
| 16 | PA-PK-AS-REQ | Request sent to KDC in Smart Card authentication scenarios.|
@@ -193,7 +193,7 @@ The most common values:
**Certificate Information:**
-- **Certificate Issuer Name** \[Type = UnicodeString\]**:** the name of Certification Authority which issued smart card certificate. Populated in **Issued by** field in certificate. Always empty for [4771](event-4771.md) events.
+- **Certificate Issuer Name** \[Type = UnicodeString\]**:** the name of Certification Authority that issued smart card certificate. Populated in **Issued by** field in certificate. Always empty for [4771](event-4771.md) events.
- **Certificate Serial Number** \[Type = UnicodeString\]**:** smart card certificate’s serial number. Can be found in **Serial number** field in the certificate. Always empty for [4771](event-4771.md) events.
@@ -208,14 +208,14 @@ For 4771(F): Kerberos pre-authentication failed.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Security ID”** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Security ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Security ID”** that corresponds to the accounts that should never be used. |
-| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Security ID”** for accounts that are outside the allow list. |
+| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Security ID”** for accounts that are outside the allow list. |
| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. |
- You can track all [4771](event-4771.md) events where the **Client Address** is not from your internal IP range or not from private IP ranges.
- If you know that **Account Name** should be used only from known list of IP addresses, track all **Client Address** values for this **Account Name** in [4771](event-4771.md) events. If **Client Address** is not from the allow list, generate the alert.
-- All **Client Address** = ::1 means local authentication. If you know the list of accounts which should log on to the domain controllers, then you need to monitor for all possible violations, where **Client Address** = ::1 and **Account Name** is not allowed to log on to any domain controller.
+- All **Client Address** = ::1 means local authentication. If you know the list of accounts that should log on to the domain controllers, then you need to monitor for all possible violations, where **Client Address** = ::1 and **Account Name** is not allowed to log on to any domain controller.
- All [4771](event-4771.md) events with **Client Port** field value > 0 and < 1024 should be examined, because a well-known port was used for outbound connection.
@@ -227,5 +227,5 @@ For 4771(F): Kerberos pre-authentication failed.
| **Pre-Authentication Type** | Value is **not 2** when only standard password authentication is in use in the organization. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types). |
| **Pre-Authentication Type** | Value is **not 138** when Kerberos Armoring is enabled for all Kerberos communications in the organization. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types). |
| **Failure Code** | **0x10** (KDC has no support for PADATA type (pre-authentication data)). This error can help you to more quickly identify smart-card related problems with Kerberos authentication. |
-| **Failure Code** | **0x18** ((Pre-authentication information was invalid), if you see, for example N events in last N minutes. This can be an indicator of brute-force attack on the account password, especially for highly critical accounts. |
+| **Failure Code** | **0x18** ((Pre-authentication information was invalid), if you see, for example N events in last N minutes. This issue can indicate a brute-force attack on the account password, especially for highly critical accounts. |
diff --git a/windows/security/threat-protection/auditing/event-4947.md b/windows/security/threat-protection/auditing/event-4947.md
index deffae0186..a4906d1dbc 100644
--- a/windows/security/threat-protection/auditing/event-4947.md
+++ b/windows/security/threat-protection/auditing/event-4947.md
@@ -90,11 +90,11 @@ This event doesn't generate when Firewall rule was modified via Group Policy.
- **Rule ID** \[Type = UnicodeString\]: the unique identifier for modified firewall rule.
- To see the unique ID of the rule you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters:
+ To see the unique ID of the rule, navigate to the“**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters:
-- **Rule Name** \[Type = UnicodeString\]: the name of the rule which was modified. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column:
+- **Rule Name** \[Type = UnicodeString\]: the name of the rule that was modified. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column:
@@ -102,5 +102,5 @@ This event doesn't generate when Firewall rule was modified via Group Policy.
For 4947(S): A change has been made to Windows Firewall exception list. A rule was modified.
-- This event can be helpful in case you want to monitor all Firewall rules modifications which were done locally.
+- This event can be helpful in case you want to monitor all Firewall rules modifications that were done locally.
diff --git a/windows/security/threat-protection/auditing/event-4953.md b/windows/security/threat-protection/auditing/event-4953.md
index 0c705ce6cc..1e9dcd7898 100644
--- a/windows/security/threat-protection/auditing/event-4953.md
+++ b/windows/security/threat-protection/auditing/event-4953.md
@@ -93,11 +93,11 @@ It can happen if Windows Firewall rule registry entry was corrupted.
- **ID** \[Type = UnicodeString\]: the unique identifier for ignored firewall rule.
- To see the unique ID of the rule you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters:
+ To see the unique ID of the rule, navigate to the “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters:
-- **Name** \[Type = UnicodeString\]: the name of the rule which was ignored. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column:
+- **Name** \[Type = UnicodeString\]: the name of the rule that was ignored. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column:
diff --git a/windows/security/threat-protection/auditing/event-5056.md b/windows/security/threat-protection/auditing/event-5056.md
index a675d79c58..96e278db56 100644
--- a/windows/security/threat-protection/auditing/event-5056.md
+++ b/windows/security/threat-protection/auditing/event-5056.md
@@ -20,7 +20,7 @@ ms.author: dansimp
- Windows Server 2016
-This event generates in CNG Self-Test function. This is a Cryptographic Next Generation (CNG) function.
+This event generates in CNG Self-Test function. This function is a Cryptographic Next Generation (CNG) function.
For more information about Cryptographic Next Generation (CNG) visit these pages:
@@ -32,7 +32,7 @@ For more information about Cryptographic Next Generation (CNG) visit these pages
-
-This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting.
+This event is mainly used for CNG troubleshooting.
There is no example of this event in this document.
@@ -40,7 +40,7 @@ There is no example of this event in this document.
***Event Schema:***
-*A cryptographic self test was performed.*
+*A cryptographic self-test was performed.*
*Subject:*
diff --git a/windows/security/threat-protection/auditing/event-5060.md b/windows/security/threat-protection/auditing/event-5060.md
index 96344c475f..e24e71d924 100644
--- a/windows/security/threat-protection/auditing/event-5060.md
+++ b/windows/security/threat-protection/auditing/event-5060.md
@@ -1,6 +1,6 @@
---
title: 5060(F) Verification operation failed. (Windows 10)
-description: Describes security event 5060(F) Verification operation failed. This event is generated in case of CNG verification operation failure.
+description: Describes security event 5060(F) Verification operation failed. This event is generated when the CNG verification operation fails.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
@@ -20,9 +20,9 @@ ms.author: dansimp
- Windows Server 2016
-This event generates in case of CNG verification operation failure.
+This event generates when the Cryptographic Next Generation (CNG) verification operation fails.
-For more information about Cryptographic Next Generation (CNG) visit these pages:
+For more information about CNG, visit these pages:
-
@@ -32,7 +32,7 @@ For more information about Cryptographic Next Generation (CNG) visit these pages
-
-This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting.
+This event is mainly used for CNG troubleshooting.
There is no example of this event in this document.
diff --git a/windows/security/threat-protection/auditing/event-5152.md b/windows/security/threat-protection/auditing/event-5152.md
index a13a14a7de..ece1e4566d 100644
--- a/windows/security/threat-protection/auditing/event-5152.md
+++ b/windows/security/threat-protection/auditing/event-5152.md
@@ -128,9 +128,9 @@ This event is generated for every received network packet.
- 127.0.0.1 , ::1 - localhost
-- **Destination Port** \[Type = UnicodeString\]**:** port number which was used from remote machine to send the packet.
+- **Destination Port** \[Type = UnicodeString\]**:** port number that was used from remote machine to send the packet.
-- **Protocol** \[Type = UInt32\]: number of protocol which was used.
+- **Protocol** \[Type = UInt32\]**:** number of the protocol that was used.
| Service | Protocol Number |
|----------------------------------------------------|-----------------|
@@ -152,15 +152,15 @@ This event is generated for every received network packet.
**Filter Information:**
-- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which blocked the packet.
+- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that blocked the packet.
- To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As result of this command **filters.xml** file will be generated. You need to open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
+ To find a specific Windows Filtering Platform filter by ID, run the following command: **netsh wfp show filters**. As a result of this command, the **filters.xml** file will be generated. Open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
-- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
+- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, run the following command: **netsh wfp show state**. As a result of this command **wfpstate.xml** file will be generated. Open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
@@ -168,7 +168,7 @@ This event is generated for every received network packet.
For 5152(F): The Windows Filtering Platform blocked a packet.
-- If you have a pre-defined application which should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
+- If you have a pre-defined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
@@ -178,13 +178,13 @@ For 5152(F): The Windows Filtering Platform blocked a packet.
- If the computer or device should not have access to the Internet, or contains only applications that don’t connect to the Internet, monitor for [5152](event-5152.md) events where **Destination Address** is an IP address from the Internet (not from private IP ranges).
-- If you know that the computer should never contact or be contacted by certain network IP addresses, monitor for these addresses in “**Destination Address**.”
+- If you know that the computer should never contact or should never be contacted by certain network IP addresses, monitor for these addresses in **Destination Address**.
-- If you have an allow list of IP addresses that the computer or device is expected to contact or be contacted by, monitor for IP addresses in **“Destination Address”** that are not in the allow list.
+- If you have an allow list of IP addresses that the computer or device is expected to contact or to be contacted by, monitor for IP addresses in **“Destination Address”** that are not in the allow list.
- If you need to monitor all inbound connections to a specific local port, monitor for [5152](event-5152.md) events with that “**Source Port**.**”**
-- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or compter, for example, anything other than 1, 6, or 17.
+- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or computer, for example, anything other than 1, 6, or 17.
- If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.”
diff --git a/windows/security/threat-protection/auditing/event-5154.md b/windows/security/threat-protection/auditing/event-5154.md
index f66366168d..b464c877d6 100644
--- a/windows/security/threat-protection/auditing/event-5154.md
+++ b/windows/security/threat-protection/auditing/event-5154.md
@@ -75,7 +75,7 @@ This event generates every time [Windows Filtering Platform](https://msdn.micros
**Application Information**:
-- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which was permitted to listen on the port. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
+- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that was permitted to listen on the port. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
@@ -103,7 +103,7 @@ This event generates every time [Windows Filtering Platform](https://msdn.micros
- 127.0.0.1 , ::1 - localhost
-- **Source Port** \[Type = UnicodeString\]: source TCP\\UDP port number which was requested for listening by application.
+- **Source Port** \[Type = UnicodeString\]: source TCP\\UDP port number that was requested for listening by application.
- **Protocol** \[Type = UInt32\]: protocol number. For example:
@@ -115,15 +115,15 @@ This event generates every time [Windows Filtering Platform](https://msdn.micros
**Filter Information:**
-- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which allows application to listen on the specific port. By default Windows firewall won't prevent a port from being listened by an application and if this application doesn’t match any filters you will get value **0** in this field.
+- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that allows application to listen on the specific port. By default Windows firewall won't prevent a port from being listened by an application and if this application doesn’t match any filters you will get value **0** in this field.
- To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As result of this command **filters.xml** file will be generated. You need to open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
+ To find a specific Windows Filtering Platform filter by ID, run the following command: **netsh wfp show filters**. As a result of this command, the **filters.xml** file will be generated. Open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
-- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
+- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, run the following command: **netsh wfp show state**. As a result of this command, the **wfpstate.xml** file will be generated. Open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
@@ -131,7 +131,7 @@ This event generates every time [Windows Filtering Platform](https://msdn.micros
For 5154(S): The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
-- If you have a “whitelist” of applications that are associated with certain operating systems or server roles, and that are expected to listen on specific ports, monitor this event for **“Application Name”** and other relevant information.
+- If you have an “allow list” of applications that are associated with certain operating systems or server roles, and that are expected to listen on specific ports, monitor this event for **“Application Name”** and other relevant information.
- If a certain application is allowed to listen only on specific port numbers, monitor this event for **“Application Name”** and **“Network Information\\Source Port**.**”**
@@ -139,7 +139,7 @@ For 5154(S): The Windows Filtering Platform has permitted an application or serv
- If a certain application is allowed to use only TCP or UDP protocols, monitor this event for **“Application Name”** and the protocol number in **“Network Information\\Protocol**.**”**
-- If you have a pre-defined application which should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
+- If you have a predefined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
diff --git a/windows/security/threat-protection/auditing/event-5156.md b/windows/security/threat-protection/auditing/event-5156.md
index 6a97371b47..d44b9a921f 100644
--- a/windows/security/threat-protection/auditing/event-5156.md
+++ b/windows/security/threat-protection/auditing/event-5156.md
@@ -80,7 +80,7 @@ This event generates when [Windows Filtering Platform](https://msdn.microsoft.co
**Application Information**:
-- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which received the connection. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
+- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that received the connection. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
@@ -130,7 +130,7 @@ This event generates when [Windows Filtering Platform](https://msdn.microsoft.co
- **Destination Port** \[Type = UnicodeString\]**:** port number where the connection was received.
-- **Protocol** \[Type = UInt32\]: number of protocol which was used.
+- **Protocol** \[Type = UInt32\]: number of the protocol that was used.
| Service | Protocol Number |
|----------------------------------------------------|-----------------|
@@ -152,15 +152,15 @@ This event generates when [Windows Filtering Platform](https://msdn.microsoft.co
**Filter Information:**
-- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which allowed the connection.
+- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that allowed the connection.
- To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As result of this command **filters.xml** file will be generated. You need to open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
+ To find a specific Windows Filtering Platform filter by ID, run the following command: **netsh wfp show filters**. As a result of this command, the **filters.xml** file will be generated. Open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
-- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
+- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, run the following command: **netsh wfp show state**. As a result of this command, the **wfpstate.xml** file will be generated. Open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
@@ -168,7 +168,7 @@ This event generates when [Windows Filtering Platform](https://msdn.microsoft.co
For 5156(S): The Windows Filtering Platform has permitted a connection.
-- If you have a pre-defined application which should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
+- If you have a predefined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
@@ -178,9 +178,9 @@ For 5156(S): The Windows Filtering Platform has permitted a connection.
- If the computer or device should not have access to the Internet, or contains only applications that don’t connect to the Internet, monitor for [5156](event-5156.md) events where “**Destination Address”** is an IP address from the Internet (not from private IP ranges).
-- If you know that the computer should never contact or be contacted by certain network IP addresses, monitor for these addresses in “**Destination Address**.**”**
+- If you know that the computer should never contact or should never be contacted by certain network IP addresses, monitor for these addresses in “**Destination Address**.**”**
-- If you have an allow list of IP addresses that the computer or device is expected to contact or be contacted by, monitor for IP addresses in “**Destination Address”** that are not in the allow list.
+- If you have an allow list of IP addresses that the computer or device is expected to contact or to be contacted by, monitor for IP addresses in “**Destination Address”** that are not in the allow list.
- If you need to monitor all inbound connections to a specific local port, monitor for [5156](event-5156.md) events with that “**Source Port**.**”**
diff --git a/windows/security/threat-protection/auditing/event-5157.md b/windows/security/threat-protection/auditing/event-5157.md
index f35e1cf804..88bc5b1315 100644
--- a/windows/security/threat-protection/auditing/event-5157.md
+++ b/windows/security/threat-protection/auditing/event-5157.md
@@ -128,9 +128,9 @@ This event generates when [Windows Filtering Platform](https://msdn.microsoft.co
- 127.0.0.1 , ::1 - localhost
-- **Destination Port** \[Type = UnicodeString\]**:** port number which was used from remote machine to initiate connection.
+- **Destination Port** \[Type = UnicodeString\]**:** port number that was used from remote machine to initiate connection.
-- **Protocol** \[Type = UInt32\]: number of protocol which was used.
+- **Protocol** \[Type = UInt32\]: number of the protocol that was used.
| Service | Protocol Number |
|----------------------------------------------------|-----------------|
@@ -152,15 +152,15 @@ This event generates when [Windows Filtering Platform](https://msdn.microsoft.co
**Filter Information:**
-- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which blocked the connection.
+- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that blocked the connection.
- To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As result of this command **filters.xml** file will be generated. You need to open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
+ To find a specific Windows Filtering Platform filter by ID, run the following command: **netsh wfp show filters**. As a result of this command, the **filters.xml** file will be generated. Open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
-- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
+- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, run the following command: **netsh wfp show state**. As a result of this command, the **wfpstate.xml** file will be generated. Open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
@@ -168,7 +168,7 @@ This event generates when [Windows Filtering Platform](https://msdn.microsoft.co
For 5157(F): The Windows Filtering Platform has blocked a connection.
-- If you have a pre-defined application which should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
+- If you have a predefined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
@@ -178,13 +178,13 @@ For 5157(F): The Windows Filtering Platform has blocked a connection.
- If the\` computer or device should not have access to the Internet, or contains only applications that don’t connect to the Internet, monitor for [5157](event-5157.md) events where “**Destination Address”** is an IP address from the Internet (not from private IP ranges).
-- If you know that the computer should never contact or be contacted by certain network IP addresses, monitor for these addresses in “**Destination Address**.**”**
+- If you know that the computer should never contact or should never be contacted by certain network IP addresses, monitor for these addresses in “**Destination Address**.**”**
-- If you have an allow list of IP addresses that the computer or device is expected to contact or be contacted by, monitor for IP addresses in “**Destination Address”** that are not in the allow list.
+- If you have an allow list of IP addresses that the computer or device is expected to contact or to be contacted by, monitor for IP addresses in “**Destination Address”** that are not in the allow list.
- If you need to monitor all inbound connections to a specific local port, monitor for [5157](event-5157.md) events with that “**Source Port**.**”**
-- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or compter, for example, anything other than 1, 6, or 17.
+- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or computer, for example, anything other than 1, 6, or 17.
- If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.”
diff --git a/windows/security/threat-protection/auditing/event-5158.md b/windows/security/threat-protection/auditing/event-5158.md
index 55dd4c04da..76bb82efef 100644
--- a/windows/security/threat-protection/auditing/event-5158.md
+++ b/windows/security/threat-protection/auditing/event-5158.md
@@ -75,7 +75,7 @@ This event generates every time [Windows Filtering Platform](https://msdn.micros
**Application Information**:
-- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which was permitted to bind to the local port. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
+- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that was permitted to bind to the local port. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
@@ -107,7 +107,7 @@ This event generates every time [Windows Filtering Platform](https://msdn.micros
- **Source Port** \[Type = UnicodeString\]**:** port number which application was bind.
-- **Protocol** \[Type = UInt32\]: number of protocol which was used.
+- **Protocol** \[Type = UInt32\]: number of the protocol that was used.
| Service | Protocol Number |
|----------------------------------------------------|-----------------|
@@ -129,15 +129,15 @@ This event generates every time [Windows Filtering Platform](https://msdn.micros
**Filter Information:**
-- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which allows application to bind the port. By default Windows firewall won't prevent a port from being binded by an application and if this application doesn’t match any filters you will get value 0 in this field.
+- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that allows the application to bind the port. By default, Windows firewall won't prevent a port from being bound by an application. If this application doesn’t match any filters, you will get value 0 in this field.
- To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As result of this command **filters.xml** file will be generated. You need to open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
+ To find a specific Windows Filtering Platform filter by ID, run the following command: **netsh wfp show filters**. As a result of this command, the **filters.xml** file will be generated. Open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
-- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
+- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, run the following command: **netsh wfp show state**. As a result of this command, the **wfpstate.xml** file will be generated. Open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
@@ -145,7 +145,7 @@ This event generates every time [Windows Filtering Platform](https://msdn.micros
For 5158(S): The Windows Filtering Platform has permitted a bind to a local port.
-- If you have a pre-defined application which should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
+- If you have a predefined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
@@ -155,7 +155,7 @@ For 5158(S): The Windows Filtering Platform has permitted a bind to a local port
- If you need to monitor all actions with a specific local port, monitor for [5158](event-5158.md) events with that “**Source Port.”**
-- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or compter, for example, anything other than 6 or 17.
+- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or computer, for example, anything other than 6 or 17.
- If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.”
diff --git a/windows/security/threat-protection/auditing/event-5159.md b/windows/security/threat-protection/auditing/event-5159.md
index 998321eae5..460e244dd8 100644
--- a/windows/security/threat-protection/auditing/event-5159.md
+++ b/windows/security/threat-protection/auditing/event-5159.md
@@ -73,7 +73,7 @@ This event is logged if the Windows Filtering Platform has blocked a bind to a l
**Application Information**:
-- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which was permitted to bind to the local port. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
+- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that was permitted to bind to the local port. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
@@ -127,15 +127,15 @@ This event is logged if the Windows Filtering Platform has blocked a bind to a l
**Filter Information:**
-- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which blocks the application from binding to the port. By default, Windows firewall won't prevent a port from binding by an application, and if this application doesn’t match any filters, you will get value 0 in this field.
+- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that blocks the application from binding to the port. By default, Windows firewall won't prevent a port from binding by an application, and if this application doesn’t match any filters, you will get value 0 in this field.
- To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As a result of this command, **filters.xml** file will be generated. You need to open this file and find the specific substring with the required filter ID (**<filterId>**)**,** for example:
+ To find a specific Windows Filtering Platform filter by ID, run the following command: **netsh wfp show filters**. As a result of this command, the **filters.xml** file will be generated. Open this file and find the specific substring with the required filter ID (**<filterId>**)**,** for example:
- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
-- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
+- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, run the following command: **netsh wfp show state**. As a result of this command, the **wfpstate.xml** file will be generated. Open this file and find the specific substring with the required layer ID (**<layerId>**)**,** for example:
diff --git a/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md
index 0762f04322..58bd7574f2 100644
--- a/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md
+++ b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md
@@ -1,6 +1,6 @@
---
title: How to get a list of XML data name elements in (Windows 10)
-description: This reference topic for the IT professional explains how to use PowerShell to get a list of XML data name elements that can appear in .
+description: This reference article for the IT professional explains how to use PowerShell to get a list of XML data name elements that can appear in .
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -20,15 +20,15 @@ ms.author: dansimp
The Security log uses a manifest where you can get all of the event schema.
-Run the following from an elevated PowerShell prompt:
+Run the following command from an elevated PowerShell prompt:
```powershell
$secEvents = get-winevent -listprovider "microsoft-windows-security-auditing"
```
-The .events property is a collection of all of the events listed in the manifest on the local machine.
+The `.events` property is a collection of all of the events listed in the manifest on the local machine.
-For each event, there is a .Template property for the XML template used for the event properties (if there are any).
+For each event, there is a `.Template` property for the XML template used for the event properties (if there are any).
For example:
@@ -90,7 +90,7 @@ PS C:\WINDOWS\system32> $SecEvents.events[100].Template
You can use the <Template> and <Description> to map the data name elements that appear in XML view to the names that appear in the event description.
-The <Description> is just the format string (if you’re used to Console.Writeline or sprintf statements) and the <Template> is the source of the input parameters for the <Description>.
+The <Description> is just the format string (if you’re used to `Console.Writeline` or `sprintf` statements), and the <Template> is the source of the input parameters for the <Description>.
Using Security event 4734 as an example:
@@ -124,9 +124,9 @@ Description : A security-enabled local group was deleted.
```
-For the **Subject: Security Id:** text element, it will use the fourth element in the Template, **SubjectUserSid**.
+For the **Subject: Security ID:** text element, it will use the fourth element in the Template, **SubjectUserSid**.
-For **Additional Information Privileges:**, it would use the eighth element **PrivilegeList**.
+For **Additional Information Privileges:**, it would use the eighth element, **PrivilegeList**.
-A caveat to this is an oft-overlooked property of events called Version (in the <SYSTEM> element) that indicates the revision of the event schema and description. Most events have 1 version (all events have Version =0 like the Security/4734 example) but a few events like Security/4624 or Security/4688 have at least 3 versions (versions 0, 1, 2) depending on the OS version where the event is generated. Only the latest version is used for generating events in the Security log. In any case, the Event Version where the Template is taken from should use the same Event Version for the Description.
+A caveat to this principle is an often overlooked property of events called Version (in the <SYSTEM> element) that indicates the revision of the event schema and description. Most events have one version (all events have Version =0 like the Security/4734 example) but a few events like Security/4624 or Security/4688 have at least three versions (versions 0, 1, 2) depending on the OS version where the event is generated. Only the latest version is used for generating events in the Security log. In any case, the Event Version where the Template is taken from should use the same Event Version for the Description.
diff --git a/windows/security/threat-protection/fips-140-validation.md b/windows/security/threat-protection/fips-140-validation.md
index 9b911ac29f..867aadf0d5 100644
--- a/windows/security/threat-protection/fips-140-validation.md
+++ b/windows/security/threat-protection/fips-140-validation.md
@@ -72,7 +72,7 @@ This caveat identifies required configuration and security rules that must be fo
### What is the relationship between FIPS 140-2 and Common Criteria?
-These are two separate security standards with different, but complementary, purposes. FIPS 140-2 is designed specifically for validating software and hardware cryptographic modules, while Common Criteria are designed to evaluate security functions in IT software and hardware products. Common Criteria evaluations often rely on FIPS 140-2 validations to provide assurance that basic cryptographic functionality is implemented properly.
+These are two separate security standards with different, but complementary, purposes. FIPS 140-2 is designed specifically for validating software and hardware cryptographic modules, while Common Criteria is designed to evaluate security functions in IT software and hardware products. Common Criteria evaluations often rely on FIPS 140-2 validations to provide assurance that basic cryptographic functionality is implemented properly.
### How does FIPS 140 relate to Suite B?
diff --git a/windows/security/threat-protection/intelligence/TOC.md b/windows/security/threat-protection/intelligence/TOC.md
index 18ea7845de..9919f7d8d2 100644
--- a/windows/security/threat-protection/intelligence/TOC.md
+++ b/windows/security/threat-protection/intelligence/TOC.md
@@ -48,7 +48,7 @@
### [Coordinated malware eradication](coordinated-malware-eradication.md)
-## [Information for developers](developer-info.md)
+## [Information for developers]()
### [Software developer FAQ](developer-faq.md)
diff --git a/windows/security/threat-protection/intelligence/developer-info.md b/windows/security/threat-protection/intelligence/developer-info.md
deleted file mode 100644
index eb0ac99896..0000000000
--- a/windows/security/threat-protection/intelligence/developer-info.md
+++ /dev/null
@@ -1,29 +0,0 @@
----
-title: Information for developers
-ms.reviewer:
-description: This page provides answers to common questions we receive from software developers and other useful resources
-keywords: software, developer, faq, dispute, false-positive, classify, installer, software, bundler, blocking
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: ellevin
-author: levinec
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Information for developers
-
-Learn about the common questions we receive from software developers and get other developer resources such as detection criteria and file submissions.
-
-## In this section
-
-Topic | Description
-:---|:---
-[Software developer FAQ](developer-faq.md) | Provides answers to common questions we receive from software developers.
-[Developer resources](developer-resources.md) | Provides information about how to submit files and the detection criteria. Learn how to check your software against the latest security intelligence and cloud protection from Microsoft.
diff --git a/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md b/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md
index df44f6142a..bd1b4f57e7 100644
--- a/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md
+++ b/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md
@@ -17,22 +17,22 @@ search.appverid: met150
---
# Troubleshooting malware submission errors caused by administrator block
-In some instances, an administrator block might cause submission issues when you try to submit a potentially infected file to the [Microsoft Security intelligence website](https://www.microsoft.com/wdsi) for analysis. The following process shows how to resolve this.
+In some instances, an administrator block might cause submission issues when you try to submit a potentially infected file to the [Microsoft Security intelligence website](https://www.microsoft.com/wdsi) for analysis. The following process shows how to resolve this problem.
## Review your settings
Open your Azure [Enterprise application settings](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/UserSettings/menuId/). Under **Enterprise Applications** > **Users can consent to apps accessing company data on their behalf**, check whether Yes or No is selected.
-- If this is set to **No**, an AAD administrator for the customer tenant will need to provide consent for the organization. Depending on the configuration with AAD, users might be able to submit a request right from the same dialog box. If there’s no option to ask for admin consent, users need to request for these permissions to be added to their AAD admin. Go to the following section for more information.
+- If **No** is selected, an Azure AD administrator for the customer tenant will need to provide consent for the organization. Depending on the configuration with Azure AD, users might be able to submit a request right from the same dialog box. If there’s no option to ask for admin consent, users need to request for these permissions to be added to their Azure AD admin. Go to the following section for more information.
-- It this is set to **Yes**, ensure the Windows Defender Security Intelligence app setting **Enabled for users to sign-in?** is set to **Yes** [in Azure](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Properties/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/4a918a14-4069-4108-9b7d-76486212d75d). If this is set to **No** you'll need to request an AAD admin enable it.
+- If **Yes** is selected, ensure the Windows Defender Security Intelligence app setting **Enabled for users to sign in?** is set to **Yes** [in Azure](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Properties/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/4a918a14-4069-4108-9b7d-76486212d75d). If **No** is selected, you'll need to request an Azure AD admin enable it.
## Implement Required Enterprise Application permissions
This process requires a global or application admin in the tenant.
1. Open [Enterprise Application settings](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Permissions/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/4a918a14-4069-4108-9b7d-76486212d75d).
- 2. Click **Grant admin consent for organization**.
- 3. If you're able to do so, Review the API permissions required for this application. This should be exactly the same as in the following image. Provide consent for the tenant.
+ 2. Select **Grant admin consent for organization**.
+ 3. If you're able to do so, review the API permissions required for this application, as the following image shows. Provide consent for the tenant.
- 
+ 
4. If the administrator receives an error while attempting to provide consent manually, try either [Option 1](#option-1-approve-enterprise-application-permissions-by-user-request) or [Option 2](#option-2-provide-admin-consent-by-authenticating-the-application-as-an-admin) as possible workarounds.
@@ -59,15 +59,15 @@ This process requires that global admins go through the Enterprise customer sign
-Then, admins review the permissions and make sure to select **Consent on behalf of your organization**, and click **Accept**.
+Then, admins review the permissions and make sure to select **Consent on behalf of your organization**, and then select **Accept**.
All users in the tenant will now be able to use this application.
-## Option 3: Delete and re-add app permissions
+## Option 3: Delete and readd app permissions
If neither of these options resolve the issue, try the following steps (as an admin):
1. Remove previous configurations for the application. Go to [Enterprise applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Properties/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/982e94b2-fea9-4d1f-9fca-318cda92f90b)
-and click **delete**.
+and select **delete**.
@@ -78,7 +78,7 @@ and click **delete**.
-4. Review the permissions required by the application, and then click **Accept**.
+4. Review the permissions required by the application, and then select **Accept**.
5. Confirm the permissions are applied in the [Azure portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Permissions/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/ce60a464-5fca-4819-8423-bcb46796b051).
diff --git a/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md b/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md
index 5aded1e416..fa58868aa8 100644
--- a/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md
+++ b/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md
@@ -18,21 +18,28 @@ ms.topic: article
The Virus Information Alliance (VIA) is a public antimalware collaboration program for security software providers, security service providers, antimalware testing organizations, and other organizations involved in fighting cybercrime.
-Members of the VIA program collaborate by exchanging technical information on malicious software with Microsoft, with the goal of improving protection for Microsoft customers.
+Members of the VIA program collaborate by exchanging technical information on malicious software with Microsoft. The goal is to improve protection for Microsoft customers.
## Better protection for customers against malware
-The VIA program gives members access to information that will help improve protection for Microsoft customers. For example, the program provides malware telemetry and samples to security product teams to identify gaps in their protection and prioritize new threat coverage.
+The VIA program gives members access to information that will help them improve protection. For example, the program provides malware telemetry and samples to security teams so they can identify gaps and prioritize new threat coverage.
-Malware prevalence data is provided to antimalware testers to assist them in selecting sample sets and setting scoring criteria that represent the real-world threat landscape. Service organizations, such as a CERT, can leverage our data to help assess the impact of policy changes or to help shut down malicious activity.
+Malware prevalence data is provided to antimalware testers to assist them in selecting sample sets. The data also helps set scoring criteria that represent the real-world threat landscape. Service organizations, such as a CERT, can leverage our data to help assess the impact of policy changes or to help shut down malicious activity.
Microsoft is committed to continuous improvement to help reduce the impact of malware on customers. By sharing malware-related information, Microsoft enables members of this community to work towards better protection for customers.
## Becoming a member of VIA
-Microsoft has well-defined, objective, measurable, and tailored membership criteria for prospective members of the Virus Information Alliance (VIA). The criteria is designed to ensure that Microsoft is able to work with security software providers, security service providers, antimalware testing organizations, and other organizations involved in the fight against cybercrime to protect a broad range of customers.
+Microsoft has well-defined, objective, measurable, and tailored membership criteria for prospective members of the Virus Information Alliance (VIA).
-Members will receive information to facilitate effective malware detection, deterrence, and eradication. This includes technical information on malware as well as metadata on malicious activity. Information shared through VIA is governed by the VIA membership agreement and a Microsoft non-disclosure agreement, where applicable.
+The criteria is designed to ensure that Microsoft can work with the following groups to protect a broad range of customers:
+
+- Security software providers
+- Security service providers
+- Antimalware testing organizations
+- Other organizations involved in the fight against cybercrime
+
+Members will receive information to facilitate effective malware detection, deterrence, and eradication. This information includes technical information on malware as well as metadata on malicious activity. Information shared through VIA is governed by the VIA membership agreement and a Microsoft non-disclosure agreement, where applicable.
VIA has an open enrollment for potential members.
@@ -43,11 +50,12 @@ To be eligible for VIA your organization must:
1. Be willing to sign a non-disclosure agreement with Microsoft.
2. Fit into one of the following categories:
- * Your organization develops antimalware technology that can run on Windows and your organization’s product is commercially available.
- * Your organization provides security services to Microsoft customers or for Microsoft products.
- * Your organization publishes antimalware testing reports on a regular basis.
- * Your organization has a research or response team dedicated to fighting malware to protect your organization, your customers, or the general public.
+
+ - Your organization develops antimalware technology that can run on Windows and your organization’s product is commercially available.
+ - Your organization provides security services to Microsoft customers or for Microsoft products.
+ - Your organization publishes antimalware testing reports on a regular basis.
+ - Your organization has a research or response team dedicated to fighting malware to protect your organization, your customers, or the general public.
3. Be willing to sign and adhere to the VIA membership agreement.
-If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry).
+If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). For questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry).
diff --git a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md
index a896140ce6..5f8f3c8139 100644
--- a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md
+++ b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md
@@ -19,13 +19,13 @@ ms.topic: article
The Microsoft Virus Initiative (MVI) helps organizations to get their products working and integrated with Windows.
-MVI members receive access to Windows APIs and other technologies including IOAV, AMSI and Cloud files. Members also get malware telemetry and samples and invitations to security related events and conferences.
+MVI members receive access to Windows APIs and other technologies including IOAV, AMSI, and Cloud files. Members also get malware telemetry and samples and invitations to security-related events and conferences.
## Become a member
-A request for membership is made by an individual as a representative of an organization that develops and produces antimalware or antivirus technology. Your organization must meet the following eligibility requirements to qualify for the MVI program:
+You can request membership if you're a representative for an organization that develops and produces antimalware or antivirus technology. Your organization must meet the following requirements to qualify for the MVI program:
-1. Offer an antimalware or antivirus product that is one of the following:
+1. Offer an antimalware or antivirus product that meets one of the following criteria:
* Your organization's own creation.
* Developed by using an SDK (engine and other components) from another MVI Partner company and your organization adds a custom UI and/or other functionality.
@@ -34,7 +34,7 @@ A request for membership is made by an individual as a representative of an orga
3. Be active and have a positive reputation in the antimalware industry.
- * Activity can include participation in industry conferences or being reviewed in an industry standard report such as AV Comparatives, OPSWAT or Gartner.
+ * Activity can include participation in industry conferences or being reviewed in an industry standard report such as AV Comparatives, OPSWAT, or Gartner.
4. Be willing to sign a non-disclosure agreement (NDA) with Microsoft.
@@ -49,14 +49,14 @@ A request for membership is made by an individual as a representative of an orga
Test Provider | Lab Test Type | Minimum Level / Score
------------- |---------------|----------------------
AV-Comparatives | Real-World Protection Test https://www.av-comparatives.org/testmethod/real-world-protection-tests/ |“Approved” rating from AV Comparatives
-AV-Test | Must pass tests for Windows. Certifications for Mac and Linux are not accepted https://www.av-test.org/en/about-the-institute/certification/ | Achieve "AV-TEST Certified" (for home users) or "AV-TEST Approved” (for corporate users)
+AV-Test | Must pass tests for Windows. Certifications for Mac and Linux aren't accepted https://www.av-test.org/en/about-the-institute/certification/ | Achieve "AV-TEST Certified" (for home users) or "AV-TEST Approved” (for corporate users)
ICSA Labs | Endpoint Anti-Malware Detection https://www.icsalabs.com/technology-program/anti-virus/criteria |PASS/Certified
NSS Labs | Advanced Endpoint Protection AEP 3.0, which covers automatic threat prevention and threat event reporting capabilities https://www.nsslabs.com/tested-technologies/advanced-endpoint-protection/ |“Neutral” rating from NSS
-SKD Labs | Certification Requirements Product: Anti-virus or Antimalware http://www.skdlabs.com/html/english/ http://www.skdlabs.com/cert/ |SKD Labs Star Check Certification Requirements Pass >= 98.5 % with On Demand, On Access and Total Detection tests
+SKD Labs | Certification Requirements Product: Anti-virus or Antimalware http://www.skdlabs.com/html/english/ http://www.skdlabs.com/cert/ |SKD Labs Star Check Certification Requirements Pass >= 98.5% with On Demand, On Access and Total Detection tests
SE Labs | Protection A rating or Small Business EP A rating or Enterprise EP Protection A rating https://selabs.uk/en/reports/consumers |Home or Enterprise “A” rating
VB 100 | VB100 Certification Test V1.1 https://www.virusbulletin.com/testing/vb100/vb100-methodology/vb100-methodology-ver1-1/ | VB100 Certification
West Coast Labs | Checkmark Certified http://www.checkmarkcertified.com/sme/ | “A” Rating on Product Security Performance
## Apply now
-If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry).
+If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). For questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry).
diff --git a/windows/security/threat-protection/intelligence/worms-malware.md b/windows/security/threat-protection/intelligence/worms-malware.md
index 04c8f8280f..ca62c08fd9 100644
--- a/windows/security/threat-protection/intelligence/worms-malware.md
+++ b/windows/security/threat-protection/intelligence/worms-malware.md
@@ -22,19 +22,19 @@ A worm is a type of malware that can copy itself and often spreads through a net
## How worms work
-Worms represent a large category of malware. Different worms use different methods to infect devices. Depending on the variant, they can steal sensitive information, change security settings, send information to malicious hackers, stop users from accessing files, and other malicious activities.
+Worms represent a large category of malware. Different worms use different methods to infect devices. Depending on the variant, they can steal sensitive information, change security settings, send information to malicious hackers, stop users from accessing files, and other malicious activities.
-Jenxcus (also known as Dunihi), Gamarue (also known as Androm), and Bondat have consistently remained at the top of the list of malware that infect users running Microsoft security software. Although these worms share some commonalities, it is interesting to note that they also have distinct characteristics.
+Jenxcus (also known as Dunihi), Gamarue (also known as Androm), and Bondat have consistently remained at the top of the list of malware that infects users running Microsoft software. Although these worms share some commonalities, it's interesting to note that they also have distinct characteristics.
* **Jenxcus** has capabilities of not only infecting removable drives but can also act as a backdoor that connects back to its server. This threat typically gets into a device from a drive-by download attack, meaning it's installed when users just visit a compromised web page.
-* **Gamarue** typically arrives through spam campaigns, exploits, downloaders, social networking sites, and removable drives. When Gamarue infects a device, it becomes a distribution channel for other malware. We’ve seen it distribute other malware such as infostealers, spammers, clickers, downloaders, and rogues.
+* **Gamarue** typically arrives through spam campaigns, exploits, downloaders, social networking sites, and removable drives. When Gamarue infects a device, it becomes a distribution channel for other malware. We’ve seen it distribute other malware such as info stealers, spammers, clickers, downloaders, and rogues.
* **Bondat** typically arrives through fictitious Nullsoft Scriptable Install System (NSIS), Java installers, and removable drives. When Bondat infects a system, it gathers information about the machine such as device name, Globally Unique Identifier (GUID), and OS build. It then sends that information to a remote server.
-Both Bondat and Gamarue have clever ways of obscuring themselves to evade detection. By hiding what they are doing, they try to avoid detection by security software.
+Both Bondat and Gamarue have clever ways of obscuring themselves to evade detection. By hiding what they're doing, they try to avoid detection by security software.
-* [**WannaCrypt**](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/WannaCrypt) also deserves a mention here. Unlike older worms that often spread just because they could, modern worms often spread to drop a payload (e.g. ransomware).
+* [**WannaCrypt**](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/WannaCrypt) also deserves a mention here. Unlike older worms that often spread just because they could, modern worms often spread to drop a payload (like ransomware).
This image shows how a worm can quickly spread through a shared USB drive.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
index 534f46eef6..248f41713e 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
@@ -13,7 +13,7 @@ ms.author: deniseb
ms.custom: nextgen
ms.reviewer:
manager: dansimp
-ms.date: 10/21/2020
+ms.date: 11/02/2020
---
# Manage Microsoft Defender Antivirus updates and apply baselines
@@ -69,14 +69,32 @@ For more information, see [Manage the sources for Microsoft Defender Antivirus p
For information how to update or how to install the platform update, see [Update for Windows Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform).
-All our updates contain:
-- performance improvements
-- serviceability improvements
-- integration improvements (Cloud, Microsoft 365 Defender)
+All our updates contain
+- performance improvements;
+- serviceability improvements; and
+- integration improvements (Cloud, Microsoft 365 Defender).
+ October-2020 (Platform: 4.18.2010.x | Engine: 1.1.17600.5)
+
+ Security intelligence update version: **1.327.7.0**
+ Released: **October 29, 2020**
+ Platform: **4.18.2010.x**
+ Engine: **1.1.17600.5**
+ Support phase: **Security and Critical Updates**
+
+### What's new
+- New descriptions for special threat categories
+- Improved emulation capabilities
+- Improved host address allow/block capabilities
+- New option in Defender CSP to Ignore merging of local user exclusions
+
+### Known Issues
+No known issues
+
+
September-2020 (Platform: 4.18.2009.7 | Engine: 1.1.17500.4)
Security intelligence update version: **1.325.10.0**
@@ -88,7 +106,7 @@ All our updates contain:
### What's new
- Admin permissions are required to restore files in quarantine
- XML formatted events are now supported
-- CSP support for ignoring exclusion merge
+- CSP support for ignoring exclusion merges
- New management interfaces for:
- UDP Inspection
- Network Protection on Server 2019
@@ -318,7 +336,7 @@ During the technical support (only) phase, commercially reasonable support incid
The below table provides the Microsoft Defender Antivirus platform and engine versions that are shipped with the latest Windows 10 releases:
|Windows 10 release |Platform version |Engine version |Support phase |
-|-|-|-|-|
+|:---|:---|:---|:---|
|2004 (20H1) |4.18.2004.6 |1.1.17000.2 | Technical upgrade Support (Only) |
|1909 (19H2) |4.18.1902.5 |1.1.16700.3 | Technical upgrade Support (Only) |
|1903 (19H1) |4.18.1902.5 |1.1.15600.4 | Technical upgrade Support (Only) |
@@ -333,10 +351,10 @@ Windows 10 release info: [Windows lifecycle fact sheet](https://support.microsof
## See also
-Article | Description
----|---
-[Manage how protection updates are downloaded and applied](manage-protection-updates-microsoft-defender-antivirus.md) | Protection updates can be delivered through a number of sources.
-[Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) | You can schedule when protection updates should be downloaded.
-[Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) | If an endpoint misses an update or scheduled scan, you can force an update or scan at the next logon.
-[Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md) | You can set protection updates to be downloaded at startup or after certain cloud-delivered protection events.
-[Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)| You can specify settings, such as whether updates should occur on battery power, that are especially useful for mobile devices and virtual machines.
+| Article | Description |
+|:---|:---|
+|[Manage how protection updates are downloaded and applied](manage-protection-updates-microsoft-defender-antivirus.md) | Protection updates can be delivered through a number of sources. |
+|[Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) | You can schedule when protection updates should be downloaded. |
+|[Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) | If an endpoint misses an update or scheduled scan, you can force an update or scan the next time a user signs in. |
+|[Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md) | You can set protection updates to be downloaded at startup or after certain cloud-delivered protection events. |
+|[Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)| You can specify settings, such as whether updates should occur on battery power, that are especially useful for mobile devices and virtual machines. |
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
index a89853180f..8facb0d850 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
@@ -50,7 +50,7 @@ The following table summarizes what happens with Microsoft Defender Antivirus wh
(1) On Windows Server 2016 or 2019, Microsoft Defender Antivirus will not enter passive or disabled mode if you have also installed a third-party antivirus product. If you install a third-party antivirus product, you should [consider uninstalling Microsoft Defender Antivirus on Windows Server 2016 or 2019](microsoft-defender-antivirus-on-windows-server-2016.md#need-to-uninstall-microsoft-defender-antivirus) to prevent problems caused by having multiple antivirus products installed on a machine.
-If you are Using Windows Server, version 1803 and Windows 2019, you can enable passive mode by setting this registry key:
+If you are using Windows Server, version 1803 or Windows Server 2019, you can enable passive mode by setting this registry key:
- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
- Name: ForceDefenderPassiveMode
- Type: REG_DWORD
@@ -78,7 +78,7 @@ The following table summarizes the functionality and features that are available
- In Active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the machine itself).
- In Passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are not remediated by Microsoft Defender Antivirus. Files are scanned and reports are provided for threat detections which are shared with the Microsoft Defender ATP service. Therefore, you might encounter alerts in the Security Center console with Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in Passive mode.
-- When [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) (currently in private preview) is turned on, Microsoft Defender Antivirus is not used as the primary antivirus solution, but can still detect and remediate malicious items.
+- When [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) is turned on, Microsoft Defender Antivirus is not used as the primary antivirus solution, but can still detect and remediate malicious items.
- In Automatic disabled mode, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated.
## Keep the following points in mind
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md
index a95fc2b95f..153100cb9f 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md
@@ -1,5 +1,5 @@
---
-title: Schedule regular quick and full scans with Microsoft Defender AV
+title: Schedule regular quick and full scans with Microsoft Defender Antivirus
description: Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans
keywords: quick scan, full scan, quick vs full, schedule scan, daily, weekly, time, scheduled, recurring, regular
search.product: eADQiWindows 10XVcnh
@@ -11,7 +11,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 10/26/2020
+ms.date: 11/02/2020
ms.reviewer: pauhijbr
manager: dansimp
---
@@ -25,6 +25,7 @@ manager: dansimp
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+
> [!NOTE]
> By default, Microsoft Defender Antivirus checks for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) to override this default.
@@ -44,7 +45,9 @@ This article describes how to configure scheduled scans with Group Policy, Power
5. Expand the tree to **Windows components > Microsoft Defender Antivirus** and then the **Location** specified in the table below.
-6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
+6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration.
+
+7. Click **OK**, and repeat for any other settings.
Also see the [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) and [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) topics.
@@ -74,12 +77,13 @@ Scheduled scans will run at the day and time you specify. You can use Group Poli
### Use Group Policy to schedule scans
-| Location | Setting | Description | Default setting (if not configured) |
+|Location | Setting | Description | Default setting (if not configured) |
|:---|:---|:---|:---|
|Scan | Specify the scan type to use for a scheduled scan | Quick scan |
|Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never |
-| Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 a.m.). | 2 a.m. |
-| Root | Randomize scheduled task times |In Microsoft Defender Antivirus: Randomize the start time of the scan to any interval from 0 to 4 hours.
In FEP/SCEP: randomize to any interval plus or minus 30 minutes. This can be useful in VM or VDI deployments. | Enabled |
+|Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 a.m.). | 2 a.m. |
+|Root | Randomize scheduled task times |In Microsoft Defender Antivirus: Randomize the start time of the scan to any interval from 0 to 4 hours.
In FEP/SCEP: randomize to any interval plus or minus 30 minutes. This can be useful in VM or VDI deployments. | Enabled |
+
### Use PowerShell cmdlets to schedule scans
@@ -100,8 +104,10 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u
Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
```WMI
-SignatureFallbackOrder
-SignatureDefinitionUpdateFileSharesSouce
+ScanParameters
+ScanScheduleDay
+ScanScheduleTime
+RandomizeScheduleTaskTimes
```
See the following for more information and allowed parameters:
@@ -138,8 +144,7 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u
Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
```WMI
-SignatureFallbackOrder
-SignatureDefinitionUpdateFileSharesSouce
+ScanOnlyIfIdleEnabled
```
See the following for more information and allowed parameters:
@@ -173,8 +178,8 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u
Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
```WMI
-SignatureFallbackOrder
-SignatureDefinitionUpdateFileSharesSouce
+RemediationScheduleDay
+RemediationScheduleTime
```
See the following for more information and allowed parameters:
@@ -190,7 +195,8 @@ You can enable a daily quick scan that can be run in addition to your other sche
### Use Group Policy to schedule daily scans
-| Location | Setting | Description | Default setting (if not configured)|
+
+|Location | Setting | Description | Default setting (if not configured) |
|:---|:---|:---|:---|
|Scan | Specify the interval to run quick scans per day | Specify how many hours should elapse before the next quick scan. For example, to run every two hours, enter **2**, for once a day, enter **24**. Enter **0** to never run a daily quick scan. | Never |
|Scan | Specify the time for a daily quick scan | Specify the number of minutes after midnight (for example, enter **60** for 1 a.m.) | 2 a.m. |
@@ -210,8 +216,7 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u
Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
```WMI
-SignatureFallbackOrder
-SignatureDefinitionUpdateFileSharesSouce
+ScanScheduleQuickScanTime
```
See the following for more information and allowed parameters:
@@ -224,9 +229,9 @@ You can force a scan to occur after every [protection update](manage-protection-
### Use Group Policy to schedule scans after protection updates
-Location | Setting | Description | Default setting (if not configured)
----|---|---|---
-Signature updates | Turn on scan after Security intelligence update | A scan will occur immediately after a new protection update is downloaded | Enabled
+|Location | Setting | Description | Default setting (if not configured)|
+|:---|:---|:---|:---|
+|Signature updates | Turn on scan after Security intelligence update | A scan will occur immediately after a new protection update is downloaded | Enabled |
## See also
- [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
index 867107aeaa..007fa751d5 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
@@ -8,7 +8,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
-ms.date: 10/29/2020
+ms.date: 11/03/2020
ms.reviewer:
manager: dansimp
ms.custom: asr
@@ -22,8 +22,8 @@ Answering frequently asked questions about Microsoft Defender Application Guard
## Frequently Asked Questions
-### Can I enable Application Guard on machines equipped with 4 GB RAM?
-We recommend 8 GB RAM for optimal performance but you may use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration.
+### Can I enable Application Guard on machines equipped with 4-GB RAM?
+We recommend 8-GB RAM for optimal performance but you can use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration.
`HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is four cores.)
@@ -33,7 +33,7 @@ We recommend 8 GB RAM for optimal performance but you may use the following regi
### Can employees download documents from the Application Guard Edge session onto host devices?
-In Windows 10 Enterprise edition 1803, users will be able to download documents from the isolated Application Guard container to the host PC. This capability is managed by policy.
+In Windows 10 Enterprise edition 1803, users are able to download documents from the isolated Application Guard container to the host PC. This capability is managed by policy.
In Windows 10 Enterprise edition 1709 or Windows 10 Professional edition 1803, it is not possible to download files from the isolated Application Guard container to the host PC. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device.
@@ -71,19 +71,19 @@ The following Input Method Editors (IME) introduced in Windows 10, version 1903
### I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering?
-This feature is currently experimental only and is not functional without an additional regkey provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, contact Microsoft and we’ll work with you to enable the feature.
+This feature is currently experimental only and is not functional without an additional registry key provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, contact Microsoft and we’ll work with you to enable the feature.
### What is the WDAGUtilityAccount local account?
-This account is part of Application Guard beginning with Windows 10 version 1709 (Fall Creators Update). This account remains disabled until Application Guard is enabled on your device. This item is integrated to the OS and is not considered as a threat/virus/malware.
+This account is part of Application Guard beginning with Windows 10, version 1709 (Fall Creators Update). This account remains disabled until Application Guard is enabled on your device. This item is integrated to the OS and is not considered as a threat/virus/malware.
### How do I trust a subdomain in my site list?
-To trust a subdomain, you must precede your domain with two dots, for example: `..contoso.com` will ensure `mail.contoso.com` or `news.contoso.com` are trusted. The first dot represents the strings for the subdomain name (mail or news), the second dot recognizes the start of the domain name (`contoso.com`). This prevents sites such as `fakesitecontoso.com` from being trusted.
+To trust a subdomain, you must precede your domain with two dots, for example: `..contoso.com` ensures that `mail.contoso.com` or `news.contoso.com` are trusted. The first dot represents the strings for the subdomain name (mail or news), the second dot recognizes the start of the domain name (`contoso.com`). This prevents sites such as `fakesitecontoso.com` from being trusted.
### Are there differences between using Application Guard on Windows Pro vs Windows Enterprise?
-When using Windows Pro or Windows Enterprise, you will have access to using Application Guard's Standalone Mode. However, when using Enterprise you will have access to Application Guard's Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard).
+When using Windows Pro or Windows Enterprise, you have access to using Application Guard in Standalone Mode. However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard).
### Is there a size limit to the domain lists that I need to configure?
@@ -91,27 +91,27 @@ Yes, both the Enterprise Resource domains hosted in the cloud and the Domains ca
### Why does my encryption driver break Microsoft Defender Application Guard?
-Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message ("0x80070013 ERROR_WRITE_PROTECT").
+Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (`0x80070013 ERROR_WRITE_PROTECT`).
### Why do the Network Isolation policies in Group Policy and CSP look different?
-There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy WDAG are different between CSP and GP.
+There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy Application Guard are different between CSP and GP.
-Mandatory network isolation GP policy to deploy WDAG: "DomainSubnets or CloudResources"
-Mandatory network isolation CSP policy to deploy WDAG: "EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)"
+Mandatory network isolation GP policy to deploy Application Guard: "DomainSubnets or CloudResources"
+Mandatory network isolation CSP policy to deploy Application Guard: "EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)"
For EnterpriseNetworkDomainNames, there is no mapped CSP policy.
-Windows Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message (`0x80070013 ERROR_WRITE_PROTECT`).
+Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (`0x80070013 ERROR_WRITE_PROTECT`).
### Why did Application Guard stop working after I turned off hyperthreading?
If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements.
-### Why am I getting the error message ("ERROR_VIRTUAL_DISK_LIMITATION")?
+### Why am I getting the error message "ERROR_VIRTUAL_DISK_LIMITATION"?
-Application Guard may not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume.
+Application Guard might not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume.
-### Why am I getting the error message ("ERR_NAME_NOT_RESOLVED") after not being able to reach PAC file?
+### Why am I getting the error message "ERR_NAME_NOT_RESOLVED" after not being able to reach PAC file?
This is a known issue. To mitigate this you need to create two firewall rules.
For guidance on how to create a firewall rule by using group policy, see:
@@ -119,8 +119,8 @@ For guidance on how to create a firewall rule by using group policy, see:
- [Open Group Policy management console for Microsoft Defender Firewall](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security)
First rule (DHCP Server):
-1. Program path: %SystemRoot%\System32\svchost.exe
-2. Local Service: Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177 (Internet Connection Service (SharedAccess))
+1. Program path: `%SystemRoot%\System32\svchost.exe`
+2. Local Service: `Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177 (Internet Connection Service (SharedAccess))`
3. Protocol UDP
4. Port 67
@@ -129,7 +129,7 @@ This is the same as the first rule, but scoped to local port 68.
In the Microsoft Defender Firewall user interface go through the following steps:
1. Right click on inbound rules, create a new rule.
2. Choose **custom rule**.
-3. Program path: **%SystemRoot%\System32\svchost.exe**.
+3. Program path: `%SystemRoot%\System32\svchost.exe`.
4. Protocol Type: UDP, Specific ports: 67, Remote port: any.
5. Any IP addresses.
6. Allow the connection.
@@ -139,23 +139,26 @@ In the Microsoft Defender Firewall user interface go through the following steps
### Why can I not launch Application Guard when Exploit Guard is enabled?
-There is a known issue such that if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to Windows Security-> App and Browser control -> Exploit Protection Setting -> switch CFG to the “use default".
+There is a known issue such that if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to **Windows Security** > **App and Browser control** > **Exploit Protection Setting**, and then switch CFG to **use default**.
### How can I have ICS in enabled state yet still use Application Guard?
-This is a two-step process.
+ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We do not recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys.
-Step 1:
+1. In the Group Policy setting called, *Prohibit use of Internet Connection Sharing on your DNS domain network*, set it to **Disabled**.
-Enable Internet Connection sharing by changing the Group Policy setting *Prohibit use of Internet Connection Sharing on your DNS domain network*, which is part of the MS Security baseline from Enabled to Disabled.
-
-Step 2:
-
-1. Disable IpNat.sys from ICS load
-System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1
-2. Configure ICS (SharedAccess) to enabled
-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3
-3. Disabling IPNAT (Optional)
-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4
-4. Reboot.
\ No newline at end of file
+2. Disable IpNat.sys from ICS load as follows:
+`System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1`
+
+3. Configure ICS (SharedAccess) to enabled as follows:
+`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3`
+
+4. (This is optional) Disable IPNAT as follows:
+`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4`
+
+5. Reboot the device.
+
+## See also
+
+[Configure Microsoft Defender Application Guard policy settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-terms.md b/windows/security/threat-protection/microsoft-defender-atp/android-terms.md
index 0d6e8dcd1c..03ef3030af 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/android-terms.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/android-terms.md
@@ -52,7 +52,7 @@ DO NOT USE THE APPLICATION.**
1. **INSTALLATION AND USE RIGHTS.**
1. **Installation and Use.** You may install and use any number of copies
- of this application on Android enabled device or devices which you own
+ of this application on Android enabled device or devices that you own
or control. You may use this application with your company's valid
subscription of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) or
an online service that includes MDATP functionalities.
@@ -60,13 +60,13 @@ DO NOT USE THE APPLICATION.**
2. **Updates.** Updates or upgrades to MDATP may be required for full
functionality. Some functionality may not be available in all countries.
- 3. **Third Party Programs.** The application may include third party
+ 3. **Third-Party Programs.** The application may include third-party
programs that Microsoft, not the third party, licenses to you under this
agreement. Notices, if any, for the third-party program are included for
your information only.
2. **INTERNET ACCESS MAY BE REQUIRED.** You may incur charges related to
- Internet access, data transfer and other services per the terms of the data
+ Internet access, data transfer, and other services per the terms of the data
service plan and any other agreement you have with your network operator due
to use of the application. You are solely responsible for any network
operator charges.
@@ -92,21 +92,21 @@ DO NOT USE THE APPLICATION.**
improve Microsoft products and services and enhance your experience.
You may limit or control collection of some usage and performance
data through your device settings. Doing so may disrupt your use of
- certain features of the application. For additional information on
- Microsoft's data collection and use, see the [Online Services
+ certain features of the application. For more information about
+ Microsoft data collection and use, see the [Online Services
Terms](https://go.microsoft.com/fwlink/?linkid=2106777).
2. Misuse of Internet-based Services. You may not use any Internet-based
service in any way that could harm it or impair anyone else's use of it
or the wireless network. You may not use the service to try to gain
- unauthorized access to any service, data, account or network by any
+ unauthorized access to any service, data, account, or network by any
means.
4. **FEEDBACK.** If you give feedback about the application to Microsoft, you
- give to Microsoft, without charge, the right to use, share and commercialize
+ give to Microsoft, without charge, the right to use, share, and commercialize
your feedback in any way and for any purpose. You also give to third
parties, without charge, any patent rights needed for their products,
- technologies and services to use or interface with any specific parts of a
+ technologies, and services to use or interface with any specific parts of a
Microsoft software or service that includes the feedback. You will not give
feedback that is subject to a license that requires Microsoft to license its
software or documentation to third parties because we include your feedback
@@ -130,35 +130,34 @@ DO NOT USE THE APPLICATION.**
- publish the application for others to copy;
- - rent, lease or lend the application; or
+ - rent, lease, or lend the application; or
- transfer the application or this agreement to any third party.
6. **EXPORT RESTRICTIONS.** The application is subject to United States export
laws and regulations. You must comply with all domestic and international
export laws and regulations that apply to the application. These laws
- include restrictions on destinations, end users and end use. For additional
+ include restrictions on destinations, end users, and end use. For more
information,
- see[www.microsoft.com/exporting](https://www.microsoft.com/exporting).
+ see [www.microsoft.com/exporting](https://www.microsoft.com/exporting).
7. **SUPPORT SERVICES.** Because this application is "as is," we may not
provide support services for it. If you have any issues or questions about
your use of this application, including questions about your company's
- privacy policy, please contact your company's admin. Do not contact the
+ privacy policy, contact your company's admin. Do not contact the
application store, your network operator, device manufacturer, or Microsoft.
The application store provider has no obligation to furnish support or
maintenance with respect to the application.
8. **APPLICATION STORE.**
- 1. If you obtain the application through an application store (e.g., Google
- Play), please review the applicable application store terms to ensure
+ 1. If you obtain the application through an application store (for example, Google
+ Play), review the applicable application store terms to ensure
your download and use of the application complies with such terms.
- Please note that these Terms are between you and Microsoft and not with
+ Note that these Terms are between you and Microsoft and not with
the application store.
- 2. The respective application store provider and its subsidiaries are third
- party beneficiaries of these Terms, and upon your acceptance of these
+ 2. The respective application store provider and its subsidiaries are third-party beneficiaries of these Terms, and upon your acceptance of these
Terms, the application store provider(s) will have the right to directly
enforce and rely upon any provision of these Terms that grants them a
benefit or rights.
@@ -213,20 +212,20 @@ DO NOT USE THE APPLICATION.**
This limitation applies to:
- anything related to the application, services, content (including code) on
- third party Internet sites, or third party programs; and
+ third-party internet sites, or third-party programs; and
-- claims for breach of contract, warranty, guarantee or condition; consumer
+- claims for breach of contract, warranty, guarantee, or condition; consumer
protection; deception; unfair competition; strict liability, negligence,
- misrepresentation, omission, trespass or other tort; violation of statute or
+ misrepresentation, omission, trespass, or other tort; violation of statute or
regulation; or unjust enrichment; all to the extent permitted by applicable
law.
It also applies even if:
-a. Repair, replacement or refund for the application does not fully compensate
+a. Repair, replacement, or refund for the application does not fully compensate
you for any losses; or
b. Covered Parties knew or should have known about the possibility of the
damages.
-The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.
+The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential, or other damages.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md
index 34f925b4d8..ed7b21ccdf 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md
@@ -57,7 +57,7 @@ You can access Microsoft Defender ATP API with **Application Context** or **User
- **User Context:**
Used to perform actions in the API on behalf of a user.
- Steps that needs to be taken to access Microsoft Defender ATP API with application context:
+ Steps that need to be taken to access Microsoft Defender ATP API with user context:
1. Create AAD Native-Application.
2. Assign the desired permission to the application, e.g 'Read Alerts', 'Isolate Machines' etc.
3. Get token using the application with user credentials.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md
index 82b023af7d..4fd549fcdb 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md
@@ -30,9 +30,9 @@ ms.topic: article
Refer to the instructions below to use basic permissions management.
-You can use either of the following:
+You can use either of the following solutions:
- Azure PowerShell
-- Azure Portal
+- Azure portal
For granular control over permissions, [switch to role-based access control](rbac.md).
@@ -42,21 +42,21 @@ You can assign users with one of the following levels of permissions:
- Read-only access
### Before you begin
-- Install Azure PowerShell. For more information see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/documentation/articles/powershell-install-configure/).
+- Install Azure PowerShell. For more information, see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/documentation/articles/powershell-install-configure/).
> [!NOTE]
> You need to run the PowerShell cmdlets in an elevated command-line.
-- Connect to your Azure Active Directory. For more information see, [Connect-MsolService](https://msdn.microsoft.com/library/dn194123.aspx).
+- Connect to your Azure Active Directory. For more information, see, [Connect-MsolService](https://msdn.microsoft.com/library/dn194123.aspx).
**Full access**
Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and download the onboarding package.
Assigning full access rights requires adding the users to the "Security Administrator" or "Global Administrator" AAD built-in roles.
-**Read only access**
-Users with read only access can log in, view all alerts, and related information.
+**Read-only access**
+Users with read-only access can log in, view all alerts, and related information.
They will not be able to change alert states, submit files for deep analysis or perform any state changing operations.
-Assigning read only access rights requires adding the users to the "Security Reader" AAD built-in role.
+Assigning read-only access rights requires adding the users to the "Security Reader" Azure AD built-in role.
Use the following steps to assign security roles:
@@ -64,12 +64,12 @@ Use the following steps to assign security roles:
```text
Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "secadmin@Contoso.onmicrosoft.com"
```
-- For **read only** access, assign users to the security reader role by using the following command:
+- For **read-only** access, assign users to the security reader role by using the following command:
```text
Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress "reader@Contoso.onmicrosoft.com"
```
-For more information see, [Add or remove group memberships](https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups).
+For more information, see, [Add, or remove group memberships](https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups).
## Assign user access using the Azure portal
For more information, see [Assign administrator and non-administrator roles to uses with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md b/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md
index d4c8c750c8..b4b47744f4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md
@@ -34,13 +34,13 @@ This offering is currently available to US Office 365 GCC High customers and is
The following OS versions are supported:
- Windows 10, version 1903
-- Windows 10, version 1809 (OS Build 17763.404 with [KB4490481](https://support.microsoft.com/en-us/help/4490481))
+- Windows 10, version 1809 (OS Build 17763.404 with [KB4490481](https://support.microsoft.com/help/4490481))
- Windows 10, version 1803 (OS Build 17134.799 with [KB4499183](https://support.microsoft.com/help/4499183))
- Windows 10, version 1709 (OS Build 16299.1182 with [KB4499147](https://support.microsoft.com/help/4499147))
-- Windows Server, 2019 (with [KB4490481](https://support.microsoft.com/en-us/help/4490481))
+- Windows Server, 2019 (with [KB4490481](https://support.microsoft.com/help/4490481))
>[!NOTE]
->A patch must be deployed before device onboarding in order to configure Microsoft Defender ATP to the correct environment.
+>The above mentioned patch level must be deployed before device onboarding in order to configure Microsoft Defender ATP to the correct environment.
The following OS versions are supported via Azure Security Center:
- Windows Server 2008 R2 SP1
diff --git a/windows/security/threat-protection/microsoft-defender-atp/common-errors.md b/windows/security/threat-protection/microsoft-defender-atp/common-errors.md
index d34460c4bf..fdb92321bb 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/common-errors.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/common-errors.md
@@ -22,9 +22,9 @@ ms.topic: article
* The error codes listed in the following table may be returned by an operation on any of Microsoft Defender ATP APIs.
-* Note that in addition to the error code, every error response contains an error message which can help resolving the problem.
-* Note that the message is a free text that can be changed.
-* At the bottom of the page you can find response examples.
+* In addition to the error code, every error response contains an error message, which can help resolving the problem.
+* The message is a free text that can be changed.
+* At the bottom of the page, you can find response examples.
Error code |HTTP status code |Message
:---|:---|:---
@@ -40,7 +40,7 @@ MaximumBatchSizeExceeded | BadRequest (400) | Maximum batch size exceeded. Recei
MissingRequiredParameter | BadRequest (400) | Parameter {the missing parameter} is missing.
OsPlatformNotSupported | BadRequest (400) | OS Platform {the client OS Platform} is not supported for this action.
ClientVersionNotSupported | BadRequest (400) | {The requested action} is supported on client version {supported client version} and above.
-Unauthorized | Unauthorized (401) | Unauthorized (usually invalid or expired authorization header).
+Unauthorized | Unauthorized (401) | Unauthorized (invalid or expired authorization header).
Forbidden | Forbidden (403) | Forbidden (valid token but insufficient permission for the action).
DisabledFeature | Forbidden (403) | Tenant feature is not enabled.
DisallowedOperation | Forbidden (403) | {the disallowed operation and the reason}.
@@ -48,11 +48,11 @@ NotFound | Not Found (404) | General Not Found error message.
ResourceNotFound | Not Found (404) | Resource {the requested resource} was not found.
InternalServerError | Internal Server Error (500) | (No error message, try retry the operation or contact us if it does not resolved)
-## Body parameters are case sensitive
+## Body parameters are case-sensitive
-The submitted body parameters are currently case sensitive.
+The submitted body parameters are currently case-sensitive.
If you experience an **InvalidRequestBody** or **MissingRequiredParameter** errors, it might be caused from a wrong parameter capital or lower-case letter.
-
It is recommended to go to the requested Api documentation page and check that the submitted parameters match the relevant example.
+
We recommend that you go to the requested API documentation page and check that the submitted parameters match the relevant example.
## Correlation request ID
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
index 03c9870858..95305f3a79 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
@@ -39,9 +39,9 @@ ms.date: 04/16/2020
Microsoft Defender ATP supports non-persistent VDI session onboarding.
>[!Note]
->To onboard non-persistent VDI sessions, VDI devices must be on Windows 10.
+>To onboard non-persistent VDI sessions, VDI devices must be Windows 10 or Windows Server 2019.
>
->While other Windows versions might work, only Windows 10 is supported.
+>While other Windows versions might work, only Windows 10 and Windows Server 2019 are supported.
There might be associated challenges when onboarding VDIs. The following are typical challenges for this scenario:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md
index b5d1923c6e..0d53517158 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md
@@ -35,7 +35,7 @@ ms.topic: article
>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details.
>-The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
-Microsoft Defender ATP supports security information and event management (SIEM) tools to pull detections. Microsoft Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull detections from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment.
+Microsoft Defender ATP supports security information and event management (SIEM) tools to pull detections. Microsoft Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull detections from your enterprise tenant in Azure Active Directory (Azure AD) using the OAuth 2.0 authentication protocol for an Azure AD application that represents the specific SIEM connector installed in your environment.
Microsoft Defender ATP currently supports the following specific SIEM solution tools through a dedicated SIEM integration model:
@@ -45,14 +45,14 @@ Microsoft Defender ATP currently supports the following specific SIEM solution t
Other SIEM solutions (such as Splunk, RSA NetWitness) are supported through a different integration model based on the new Alert API. For more information, view the [Partner application](https://securitycenter.microsoft.com/interoperability/partners) page and select the Security Information and Analytics section for full details.
-To use either of these supported SIEM tools you'll need to:
+To use either of these supported SIEM tools, you'll need to:
- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
- Configure the supported SIEM tool:
- [Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
- Configure IBM QRadar to pull Microsoft Defender ATP detections For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1).
-For more information on the list of fields exposed in the Detection API see, [Microsoft Defender ATP Detection fields](api-portal-mapping.md).
+For more information on the list of fields exposed in the Detection API, see, [Microsoft Defender ATP Detection fields](api-portal-mapping.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md
index 6e76ce4bee..82693ece17 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md
@@ -29,7 +29,7 @@ ms.topic: conceptual
This section covers some of the most frequently asked questions regarding privacy and data handling for Microsoft Defender ATP.
> [!NOTE]
-> This document explains the data storage and privacy details related to Microsoft Defender ATP. For more information related to Microsoft Defender ATP and other products and services like Microsoft Defender Antivirus and Windows 10, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576). See also [Windows 10 privacy FAQ](https://go.microsoft.com/fwlink/?linkid=827577) for more information.
+> This document explains the data storage and privacy details related to Microsoft Defender ATP. For more information related to Microsoft Defender ATP and other products and services like Microsoft Defender Antivirus and Windows 10, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576). For more information, see [Windows 10 privacy FAQ](https://go.microsoft.com/fwlink/?linkid=827577).
## What data does Microsoft Defender ATP collect?
@@ -47,7 +47,7 @@ This data enables Microsoft Defender ATP to:
Microsoft does not use your data for advertising.
## Data protection and encryption
-The Microsoft Defender ATP service utilizes state of the art data protection technologies which are based on Microsoft Azure infrastructure.
+The Microsoft Defender ATP service utilizes state-of-the-art data protection technologies, which are based on Microsoft Azure infrastructure.
There are various aspects relevant to data protection that our service takes care of. Encryption is one of the most critical and it includes data encryption at rest, encryption in flight, and key management with Key Vault. For more information on other technologies used by the Microsoft Defender ATP service, see [Azure encryption overview](https://docs.microsoft.com/azure/security/security-azure-encryption-overview).
@@ -79,20 +79,20 @@ Access to data for services deployed in Microsoft Azure Government data centers
## Is data shared with other customers?
-No. Customer data is isolated from other customers and is not shared. However, insights on the data resulting from Microsoft processing, and which don’t contain any customer specific data, might be shared with other customers. Each customer can only access data collected from its own organization and generic data that Microsoft provides.
+No. Customer data is isolated from other customers and is not shared. However, insights on the data resulting from Microsoft processing, and which don’t contain any customer-specific data, might be shared with other customers. Each customer can only access data collected from its own organization and generic data that Microsoft provides.
## How long will Microsoft store my data? What is Microsoft’s data retention policy?
**At service onboarding**
-You can choose the data retention policy for your data. This determines how long Window Defender ATP will store your data. There’s a flexibility of choosing in the range of 1 month to six months to meet your company’s regulatory compliance needs.
+You can choose the data retention policy for your data. This determines how long Window Defender ATP will store your data. There’s a flexibility of choosing in the range of one month to six months to meet your company’s regulatory compliance needs.
**At contract termination or expiration**
Your data will be kept and will be available to you while the license is under grace period or suspended mode. At the end of this period, that data will be erased from Microsoft’s systems to make it unrecoverable, no later than 180 days from contract termination or expiration.
## Can Microsoft help us maintain regulatory compliance?
-Microsoft provides customers with detailed information about Microsoft's security and compliance programs, including audit reports and compliance packages, to help customers assess Microsoft Defender ATP services against their own legal and regulatory requirements. Microsoft Defender ATP has achieved a number of certifications including ISO, SOC, FedRAMP High, and PCI and continues to pursue additional national, regional and industry-specific certifications.
+Microsoft provides customers with detailed information about Microsoft's security and compliance programs, including audit reports and compliance packages, to help customers assess Microsoft Defender ATP services against their own legal and regulatory requirements. Microsoft Defender ATP has achieved a number of certifications including ISO, SOC, FedRAMP High, and PCI and continues to pursue additional national, regional, and industry-specific certifications.
-By providing customers with compliant, independently-verified services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run.
+By providing customers with compliant, independently verified services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run.
For more information on the Microsoft Defender ATP certification reports, see [Microsoft Trust Center](https://servicetrust.microsoft.com/).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
index 36216eb833..109f729fae 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
@@ -84,7 +84,7 @@ The following is a sample for reference, using [GUID values for ASR rules](attac
`OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules`
-`Value: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=2|{3B576869-A4EC-4529-8536-B80A7769E899}=1|{D4F940AB-401B-4EfC-AADC-AD5F3C50688A}=2|{D3E037E1-3EB8-44C8-A917-57927947596D}=1|{5BEB7EFE-FD9A-4556-801D-275E5FFC04CC}=0|{BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550}=1`
+`Value: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84=2|3B576869-A4EC-4529-8536-B80A7769E899=1|D4F940AB-401B-4EfC-AADC-AD5F3C50688A=2|D3E037E1-3EB8-44C8-A917-57927947596D=1|5BEB7EFE-FD9A-4556-801D-275E5FFC04CC=0|BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550=1`
The values to enable, disable, or enable in audit mode are:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md
index c53ee2581c..0bdc19aaac 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md
@@ -28,7 +28,7 @@ ms.topic: article
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
-Enable security information and event management (SIEM) integration so you can pull detections from Microsoft Defender Security Center using your SIEM solution or by connecting directly to the detections REST API.
+Enable security information and event management (SIEM) integration so you can pull detections from Microsoft Defender Security Center. Pull detections using your SIEM solution or by connecting directly to the detections REST API.
>[!NOTE]
>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections.
@@ -36,7 +36,14 @@ Enable security information and event management (SIEM) integration so you can p
>- The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
## Prerequisites
-- The user who activates the setting must have permissions to create an app in Azure Active Directory (AAD). This is someone with the following roles: Security Administrator and either Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.
+
+- The user who activates the setting must have permissions to create an app in Azure Active Directory (AAD). This is someone with the following roles:
+
+ - Security Administrator and either Global Administrator
+ - Cloud Application Administrator
+ - Application Administrator
+ - Owner of the service principal
+
- During the initial activation, a pop-up screen is displayed for credentials to be entered. Make sure that you allow pop-ups for this site.
## Enabling SIEM integration
@@ -47,7 +54,7 @@ Enable security information and event management (SIEM) integration so you can p
>[!TIP]
>If you encounter an error when trying to enable the SIEM connector application, check the pop-up blocker settings of your browser. It might be blocking the new window being opened when you enable the capability.
-2. Select **Enable SIEM integration**. This activates the **SIEM connector access details** section with pre-populated values and an application is created under you Azure Active Directory (AAD) tenant.
+2. Select **Enable SIEM integration**. This activates the **SIEM connector access details** section with pre-populated values and an application is created under your Azure Active Directory (Azure AD) tenant.
> [!WARNING]
>The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md
index 4d724bc3ca..22c665b822 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md
@@ -24,10 +24,10 @@ ms.topic: conceptual
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-Endpoint detection and response capabilities in Microsoft Defender ATP for Mac are now in preview. To get these and other preview features, you must set up your Mac device to be an "Insider" device as described in this article. For scale deployment, we recommend using [Jamf](#enable-the-insider-program-with-jamf) or [Intune](#enable-the-insider-program-with-intune).
+To get preview features for Mac, you must set up your device to be an "Insider" device as described in this article. For scale deployment, we recommend using [Jamf](#enable-the-insider-program-with-jamf) or [Intune](#enable-the-insider-program-with-intune).
->[!IMPORTANT]
->Make sure you have enabled [Microsoft Defender ATP for Mac](microsoft-defender-atp-mac.md#how-to-install-microsoft-defender-atp-for-mac), and pay attention to the “earlyPreview” flag. See documentation for [Jamf](mac-install-with-jamf.md), [Intune](mac-install-with-intune.md) and [manual deployment](mac-install-manually.md) instructions.
+> [!IMPORTANT]
+> Make sure you have enabled [Microsoft Defender ATP for Mac](microsoft-defender-atp-mac.md#how-to-install-microsoft-defender-atp-for-mac), and pay attention to the “earlyPreview” flag. See documentation for [Jamf](mac-install-with-jamf.md), [Intune](mac-install-with-intune.md), and [manual deployment](mac-install-manually.md) instructions.
## Enable the Insider program with Jamf
@@ -49,7 +49,7 @@ Endpoint detection and response capabilities in Microsoft Defender ATP for Mac a
1. From the JAMF console, navigate to **Computers > Configuration Profiles**, navigate to the configuration profile you'd like to use, then select **Custom Settings**.
-1. Create an entry with com.microsoft.wdav as the preference domain and upload the .plist created earlier.
+1. Create an entry with com.microsoft.wdav as the preference domain and upload the `.plist` created earlier.
> [!WARNING]
> You must enter the correct preference domain (com.microsoft.wdav), otherwise the preferences will not be recognized by the product
@@ -117,7 +117,7 @@ Endpoint detection and response capabilities in Microsoft Defender ATP for Mac a
1. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Custom**. Select **Configure**.
-1. Save the .plist created earlier as com.microsoft.wdav.xml.
+1. Save the `.plist` created earlier as com.microsoft.wdav.xml.
1. Enter com.microsoft.wdav as the custom configuration profile name.
@@ -150,17 +150,17 @@ For versions earlier than 100.78.0, run:
To get the latest version of the Microsoft Defender ATP for Mac, set the Microsoft AutoUpdate to “Fast Ring”. To get “Microsoft AutoUpdate”, download it from [Release history for Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/officeupdates/release-history-microsoft-autoupdate).
-To verify you are running the correct version, run ‘mdatp --health’ on the device.
+To verify you are running the correct version, run `mdatp --health` on the device.
* The required version is 100.72.15 or later.
-* If the version is not as expected, verify that Microsoft Auto Update is set to automatically download and install updates by running ‘defaults read com.microsoft.autoupdate2’ from terminal.
-* To change update settings use documentation in [Update Office for Mac automatically](https://support.office.com/article/update-office-for-mac-automatically-bfd1e497-c24d-4754-92ab-910a4074d7c1).
+* If the version is not as expected, verify that Microsoft Auto Update is set to automatically download and install updates by running `defaults read com.microsoft.autoupdate2` from the terminal.
+* To change update settings, see [Update Office for Mac automatically](https://support.office.com/article/update-office-for-mac-automatically-bfd1e497-c24d-4754-92ab-910a4074d7c1).
* If you are not using Office for Mac, download and run the AutoUpdate tool.
### A device still does not appear on Microsoft Defender Security Center
-After a successful deployment and onboarding of the correct version, check that the device has connectivity to the cloud service by running ‘mdatp --connectivity-test’.
+After a successful deployment and onboarding of the correct version, check that the device has connectivity to the cloud service by running `mdatp --connectivity-test`.
-* Check that you enabled the early preview flag. In terminal run “mdatp –health” and look for the value of “edrEarlyPreviewEnabled”. It should be “Enabled”.
+* Check that you enabled the early preview flag. In the terminal, run `mdatp –health` and look for the value of “edrEarlyPreviewEnabled”. It should be “Enabled”.
If you followed the manual deployment instructions, you were prompted to enable Kernel Extensions. Pay attention to the “System Extension note” in the [manual deployment documentation](mac-install-manually.md#application-installation-macos-1015-and-older-versions) and use the “Manual Deployment” section in the [troubleshoot kernel extension documentation](mac-support-kext.md#manual-deployment).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md
index 20194e3e9e..c93c7f464b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md
@@ -56,7 +56,7 @@ This page explains how to create an AAD application, get an access token to Micr
-3. In the registration from, enter the following information then click **Register**.
+3. In the registration from, enter the following information then select **Register**.
@@ -65,45 +65,45 @@ This page explains how to create an AAD application, get an access token to Micr
4. Allow your Application to access Microsoft Defender ATP and assign it 'Read alerts' permission:
- - On your application page, click **API Permissions** > **Add permission** > **APIs my organization uses** > type **WindowsDefenderATP** and click on **WindowsDefenderATP**.
+ - On your application page, select **API Permissions** > **Add permission** > **APIs my organization uses** > type **WindowsDefenderATP** and select on **WindowsDefenderATP**.
- **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear.
- - Choose **Delegated permissions** > **Alert.Read** > Click on **Add permissions**
+ - Choose **Delegated permissions** > **Alert.Read** > select **Add permissions**
- - **Important note**: You need to select the relevant permissions. 'Read alerts' is only an example!
+ - **Important note**: Select the relevant permissions. Read alerts is only an example.
For instance,
- To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission
- To [isolate a device](isolate-machine.md), select 'Isolate machine' permission
- - To determine which permission you need, please look at the **Permissions** section in the API you are interested to call.
+ - To determine which permission you need, view the **Permissions** section in the API you are interested to call.
- - Click **Grant consent**
+ - Select **Grant consent**
- **Note**: Every time you add permission you must click on **Grant consent** for the new permission to take effect.
+ **Note**: Every time you add permission you must select on **Grant consent** for the new permission to take effect.
6. Write down your application ID and your tenant ID:
- - On your application page, go to **Overview** and copy the following:
+ - On your application page, go to **Overview** and copy the following information:
## Get an access token
-For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds)
+For more information on AAD token, see [Azure AD tutorial](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds)
### Using C#
- Copy/Paste the below class in your application.
-- Use **AcquireUserTokenAsync** method with the your application ID, tenant ID, user name and password to acquire a token.
+- Use **AcquireUserTokenAsync** method with your application ID, tenant ID, user name, and password to acquire a token.
```csharp
namespace WindowsDefenderATP
@@ -145,10 +145,10 @@ For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.co
## Validate the token
-Sanity check to make sure you got a correct token:
+Verify to make sure you got a correct token:
- Copy/paste into [JWT](https://jwt.ms) the token you got in the previous step in order to decode it
- Validate you get a 'scp' claim with the desired app permissions
-- In the screen shot below you can see a decoded token acquired from the app in the tutorial:
+- In the screenshot below you can see a decoded token acquired from the app in the tutorial:
@@ -156,7 +156,7 @@ Sanity check to make sure you got a correct token:
- Choose the API you want to use - [Supported Microsoft Defender ATP APIs](exposed-apis-list.md)
- Set the Authorization header in the HTTP request you send to "Bearer {token}" (Bearer is the Authorization scheme)
-- The Expiration time of the token is 1 hour (you can send more then one request with the same token)
+- The Expiration time of the token is 1 hour (you can send more than one request with the same token)
- Example of sending a request to get a list of alerts **using C#**
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md
index 6e860b794b..22c4b8dd35 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md
@@ -26,21 +26,21 @@ ms.topic: article
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-This page describes how to create an AAD application to get programmatic access to Microsoft Defender ATP on behalf of your customers.
+This page describes how to create an Azure Active Directory (Azure AD) application to get programmatic access to Microsoft Defender ATP on behalf of your customers.
Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will help you automate work flows and innovate based on Microsoft Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
In general, you’ll need to take the following steps to use the APIs:
-- Create a **multi-tenant** AAD application.
+- Create a **multi-tenant** Azure AD application.
- Get authorized(consent) by your customer administrator for your application to access Microsoft Defender ATP resources it needs.
- Get an access token using this application.
- Use the token to access Microsoft Defender ATP API.
-The following steps with guide you how to create an AAD application, get an access token to Microsoft Defender ATP and validate the token.
+The following steps with guide you how to create an Azure AD application, get an access token to Microsoft Defender ATP and validate the token.
## Create the multi-tenant app
-1. Log on to your [Azure tenant](https://portal.azure.com) with user that has **Global Administrator** role.
+1. Sign in to your [Azure tenant](https://portal.azure.com) with user that has **Global Administrator** role.
2. Navigate to **Azure Active Directory** > **App registrations** > **New registration**.
@@ -59,15 +59,15 @@ The following steps with guide you how to create an AAD application, get an acce
4. Allow your Application to access Microsoft Defender ATP and assign it with the minimal set of permissions required to complete the integration.
- - On your application page, click **API Permissions** > **Add permission** > **APIs my organization uses** > type **WindowsDefenderATP** and click on **WindowsDefenderATP**.
+ - On your application page, select **API Permissions** > **Add permission** > **APIs my organization uses** > type **WindowsDefenderATP** and select on **WindowsDefenderATP**.
- - **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear.
+ - **Note**: WindowsDefenderATP does not appear in the original list. Start writing its name in the text box to see it appear.
### Request API permissions
- To determine which permission you need, please look at the **Permissions** section in the API you are interested to call. For instance:
+ To determine which permission you need, review the **Permissions** section in the API you are interested to call. For instance:
- To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission
@@ -75,20 +75,20 @@ The following steps with guide you how to create an AAD application, get an acce
In the following example we will use **'Read all alerts'** permission:
- Choose **Application permissions** > **Alert.Read.All** > Click on **Add permissions**
+ Choose **Application permissions** > **Alert.Read.All** > select on **Add permissions**
-5. Click **Grant consent**
+5. Select **Grant consent**
- - **Note**: Every time you add permission you must click on **Grant consent** for the new permission to take effect.
+ - **Note**: Every time you add permission you must select on **Grant consent** for the new permission to take effect.
6. Add a secret to the application.
- - Click **Certificates & secrets**, add description to the secret and click **Add**.
+ - Select **Certificates & secrets**, add description to the secret and select **Add**.
**Important**: After click Add, **copy the generated secret value**. You won't be able to retrieve after you leave!
@@ -96,7 +96,7 @@ The following steps with guide you how to create an AAD application, get an acce
7. Write down your application ID:
- - On your application page, go to **Overview** and copy the following:
+ - On your application page, go to **Overview** and copy the following information:
@@ -104,7 +104,7 @@ The following steps with guide you how to create an AAD application, get an acce
You need your application to be approved in each customer tenant where you intend to use it. This is because your application interacts with Microsoft Defender ATP application on behalf of your customer.
- A user with **Global Administrator** from your customer's tenant need to click the consent link and approve your application.
+ A user with **Global Administrator** from your customer's tenant need to select the consent link and approve your application.
Consent link is of the form:
@@ -114,7 +114,7 @@ The following steps with guide you how to create an AAD application, get an acce
Where 00000000-0000-0000-0000-000000000000 should be replaced with your Application ID
- After clicking on the consent link, login with the Global Administrator of the customer's tenant and consent the application.
+ After clicking on the consent link, sign in with the Global Administrator of the customer's tenant and consent the application.
@@ -123,11 +123,11 @@ The following steps with guide you how to create an AAD application, get an acce
- **Done!** You have successfully registered an application!
- See examples below for token acquisition and validation.
-## Get an access token examples:
+## Get an access token example:
-**Note:** to get access token on behalf of your customer, use the customer's tenant ID on the following token acquisitions.
+**Note:** To get access token on behalf of your customer, use the customer's tenant ID on the following token acquisitions.
-
For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds)
+
For more information on AAD token, see [AAD tutorial](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds)
### Using PowerShell
@@ -158,14 +158,14 @@ return $token
>The below code was tested with Nuget Microsoft.IdentityModel.Clients.ActiveDirectory
- Create a new Console Application
-- Install Nuget [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/)
+- Install NuGet [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/)
- Add the below using
```
using Microsoft.IdentityModel.Clients.ActiveDirectory;
```
-- Copy/Paste the below code in your application (do not forget to update the 3 variables: ```tenantId, appId, appSecret```)
+- Copy/Paste the below code in your application (do not forget to update the three variables: ```tenantId, appId, appSecret```)
```
string tenantId = "00000000-0000-0000-0000-000000000000"; // Paste your own tenant ID here
@@ -221,7 +221,7 @@ Sanity check to make sure you got a correct token:
- Choose the API you want to use, for more information, see [Supported Microsoft Defender ATP APIs](exposed-apis-list.md)
- Set the Authorization header in the Http request you send to "Bearer {token}" (Bearer is the Authorization scheme)
-- The Expiration time of the token is 1 hour (you can send more then one request with the same token)
+- The Expiration time of the token is 1 hour (you can send more than one request with the same token)
- Example of sending a request to get a list of alerts **using C#**
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md
index bdb9fddc2c..ca41b7420b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md
@@ -1,5 +1,5 @@
---
-title: Advanced Hunting with Powershell API Guide
+title: Advanced Hunting with PowerShell API Guide
ms.reviewer:
description: Use these code samples, querying several Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) APIs.
keywords: apis, supported apis, advanced hunting, query
@@ -28,7 +28,7 @@ ms.date: 09/24/2018
Full scenario using multiple APIs from Microsoft Defender ATP.
-In this section we share PowerShell samples to
+In this section, we share PowerShell samples to
- Retrieve a token
- Use token to retrieve the latest alerts in Microsoft Defender ATP
- For each alert, if the alert has medium or high priority and is still in progress, check how many times the device has connected to suspicious URL.
@@ -43,15 +43,15 @@ In this section we share PowerShell samples to
Set-ExecutionPolicy -ExecutionPolicy Bypass
```
-For more details, refer to [PowerShell documentation](https://docs.microsoft.com/powershell/module/microsoft.powershell.security/set-executionpolicy)
+For more information, see [PowerShell documentation](https://docs.microsoft.com/powershell/module/microsoft.powershell.security/set-executionpolicy)
## Get token
Run the below:
-- $tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of this tenant)
-- $appId: ID of your AAD app (the app must have 'Run advanced queries' permission to Microsoft Defender ATP)
-- $appSecret: Secret of your AAD app
+- $tenantId: ID of the tenant on behalf of which you want to run the query (that is, the query will be run on the data of this tenant)
+- $appId: ID of your Azure AD app (the app must have 'Run advanced queries' permission to Microsoft Defender ATP)
+- $appSecret: Secret of your Azure AD app
- $suspiciousUrl: The URL
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md
index ea5713e42e..51dbfaed23 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md
@@ -1,6 +1,6 @@
---
-title: Get machine log on users API
-description: Learn how to use the Get machine log on users API to retrieve a collection of logged on users on a device in Microsoft Defender Advanced Threat Protection.
+title: Get machine logon users API
+description: Learn how to use the Get machine logon users API to retrieve a collection of logged on users on a device in Microsoft Defender Advanced Threat Protection.
keywords: apis, graph api, supported apis, get, device, log on, users
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@@ -16,7 +16,7 @@ ms.collection: M365-security-compliance
ms.topic: article
---
-# Get machine log on users API
+# Get machine logon users API
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
@@ -45,8 +45,8 @@ Delegated (work or school account) | User.Read.All | 'Read user profiles'
>[!Note]
> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
->- Response will include users only if the device is visible to the user, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
+>- The user needs to have at least the following role permission: 'View Data'. For more information, see [Create and manage roles](user-roles.md) )
+>- Response will include users only if the device is visible to the user, based on device group settings. For more information, see [Create and manage device groups](machine-groups.md).
## HTTP request
```http
@@ -64,7 +64,7 @@ Authorization | String | Bearer {token}. **Required**.
Empty
## Response
-If successful and device exist - 200 OK with list of [user](user.md) entities in the body. If device was not found - 404 Not Found.
+If successful and device exists - 200 OK with list of [user](user.md) entities in the body. If device was not found - 404 Not Found.
## Example
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md b/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md
index 09c65fdff1..8bea8e41dc 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md
@@ -1,7 +1,7 @@
---
title: Become a Microsoft Defender ATP partner
ms.reviewer:
-description: Learn the steps and requirements so that you can integrate your solution with Microsoft Defender ATP and be a partner
+description: Learn the steps and requirements to integrate your solution with Microsoft Defender ATP and be a partner
keywords: partner, integration, solution validation, certification, requirements, member, misa, application portal
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -29,7 +29,7 @@ ms.topic: conceptual
To become a Microsoft Defender ATP solution partner, you'll need to follow and complete the following steps.
## Step 1: Subscribe to a Microsoft Defender ATP Developer license
-Subscribing to the [Microsoft Defender ATP Developer license](https://winatpregistration-prd.trafficmanager.net/Developer/UserAgreement?Length=9) allows you to use a Microsoft Defender ATP tenant with up to 10 devices for developing solutions to integrate with Microsoft Defender ATP.
+Subscribe to the [Microsoft Defender ATP Developer license](https://winatpregistration-prd.trafficmanager.net/Developer/UserAgreement?Length=9). Subscribing allows you to use a Microsoft Defender ATP tenant with up to 10 devices to developing solutions that integrate with Microsoft Defender ATP.
## Step 2: Fulfill the solution validation and certification requirements
The best way for technology partners to certify that their integration works is to have a joint customer approve the suggested integration design (the customer can use the **Recommend a partner** option in the [Partner Application page](https://securitycenter.microsoft.com/interoperability/partners) in the Microsoft Defender Security Center) and have it tested and demoed to the Microsoft Defender ATP team.
@@ -42,16 +42,16 @@ Once the Microsoft Defender ATP team has reviewed and approves the integration,
## Step 4: Get listed in the Microsoft Defender ATP partner application portal
Microsoft Defender ATP supports third-party applications discovery and integration using the in-product [partner page](partner-applications.md) that is embedded within the Microsoft Defender ATP management portal.
-To have your company listed as a partner in the in-product partner page, you will need to provide the following:
+To have your company listed as a partner in the in-product partner page, you will need to provide the following information:
1. A square logo (SVG).
2. Name of the product to be presented.
3. Provide a 15-word product description.
-4. Link to the landing page for the customer to complete the integration or blog post that will include sufficient information for customers. Please note that any press release including the Microsoft Defender ATP product name should be reviewed by the marketing and engineering teams. You should allow at least 10 days for review process to be performed.
-5. If you use a multi-tenant Azure AD approach, we will need the AAD application name to track usage of the application.
-6. We'd like to request that you include the User-Agent field in each API call made to Microsoft Defender ATP public set of APIs or Graph Security APIs. This will be used for statistical purposes, troubleshooting, and partner recognition. In addition, this step is a requirement for membership in Microsoft Intelligent Security Association (MISA).
+4. Link to the landing page for the customer to complete the integration or blog post that will include sufficient information for customers. Any press release including the Microsoft Defender ATP product name should be reviewed by the marketing and engineering teams. Wait for at least 10 days for the review process to be done.
+5. If you use a multi-tenant Azure AD approach, we will need the Azure AD application name to track usage of the application.
+6. Include the User-Agent field in each API call made to Microsoft Defender ATP public set of APIs or Graph Security APIs. This will be used for statistical purposes, troubleshooting, and partner recognition. In addition, this step is a requirement for membership in Microsoft Intelligent Security Association (MISA).
Follow these steps:
- 1. Identify a name adhering to the following nomenclature that includes your company name and the Microsoft Defender ATP integrated product with the version of the product that includes this integration.
+ 1. Identify a name adhering to the following nomenclature that includes your company name and the Microsoft Defender ATP-integrated product with the version of the product that includes this integration.
- ISV Nomenclature: `MdatpPartner-{CompanyName}-{ProductName}/{Version}`
- Security partner Nomenclature: `MdatpPartner-{CompanyName}-{ProductName}/{TenantID}`
@@ -59,7 +59,7 @@ To have your company listed as a partner in the in-product partner page, you wil
For more information, see [RFC 2616 section-14.43](https://tools.ietf.org/html/rfc2616#section-14.43). For example, User-Agent: `MdatpPartner-Contoso-ContosoCognito/1.0.0`
-Partnership with Microsoft Defender ATP help our mutual customers to further streamline, integrate, and orchestrate defenses. We are happy that you chose to become a Microsoft Defender ATP partner and to achieve our common goal of effectively protecting customers and their assets by preventing and responding to modern threats together.
+Partnerships with Microsoft Defender ATP help our mutual customers to further streamline, integrate, and orchestrate defenses. We are happy that you chose to become a Microsoft Defender ATP partner and to achieve our common goal of effectively protecting customers and their assets by preventing and responding to modern threats together.
## Related topics
- [Technical partner opportunities](partner-integration.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md
index 95225803d9..5ccd353fa2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md
@@ -1,5 +1,5 @@
---
-title: Get user related alerts API
+title: Get user-related alerts API
description: Retrieve a collection of alerts related to a given user ID using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
keywords: apis, graph api, supported apis, get, user, related, alerts
search.product: eADQiWindows 10XVcnh
@@ -16,7 +16,7 @@ ms.collection: M365-security-compliance
ms.topic: article
---
-# Get user related alerts API
+# Get user-related alerts API
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
@@ -46,7 +46,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
>[!Note]
> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
+>- The user needs to have at least the following role permission: 'View Data'. For more information, see [Create and manage roles](user-roles.md).
>- Response will include only alerts, associated with devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
## HTTP request
@@ -54,7 +54,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
GET /api/users/{id}/alerts
```
-**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve alerts for user1@contoso.com use /api/users/user1/alerts)**
+**The ID is not the full UPN, but only the user name. (for example, to retrieve alerts for user1@contoso.com use /api/users/user1/alerts)**
## Request headers
@@ -67,7 +67,7 @@ Authorization | String | Bearer {token}. **Required**.
Empty
## Response
-If successful and user exist - 200 OK. If the user do not exist - 404 Not Found.
+If successful and user exists - 200 OK. If the user does not exist - 404 Not Found.
## Example
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md
index f3b126e12f..4fe938bf97 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md
@@ -1,6 +1,6 @@
---
-title: Get user related machines API
-description: Learn how to use the Get user related machines API to retrieve a collection of devices related to a user ID in Microsoft Defender Advanced Threat Protection.
+title: Get user-related machines API
+description: Learn how to use the Get user-related machines API to retrieve a collection of devices related to a user ID in Microsoft Defender Advanced Threat Protection.
keywords: apis, graph api, supported apis, get, user, user related alerts
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@@ -16,7 +16,7 @@ ms.collection: M365-security-compliance
ms.topic: article
---
-# Get user related machines API
+# Get user-related machines API
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
@@ -46,15 +46,15 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine
>[!Note]
> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
->- Response will include only devices that the user can access, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
+>- The user needs to have at least the following role permission: 'View Data'. For more information, see [Create and manage roles](user-roles.md) )
+>- Response will include only devices that the user can access, based on device group settings. For more information, see [Create and manage device groups](machine-groups.md).
## HTTP request
```
GET /api/users/{id}/machines
```
-**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve machines for user1@contoso.com use /api/users/user1/machines)**
+**The ID is not the full UPN, but only the user name. (for example, to retrieve machines for user1@contoso.com use /api/users/user1/machines)**
## Request headers
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-dashboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-dashboard.png
new file mode 100644
index 0000000000..fa995418a3
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-dashboard.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-patch.jpg b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-patch.jpg
new file mode 100644
index 0000000000..e0fa906808
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-patch.jpg differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-security-recommendation.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-security-recommendation.png
new file mode 100644
index 0000000000..a1f9e7d70a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-security-recommendation.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-flyout-400.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-flyout-400.png
new file mode 100644
index 0000000000..04b9835601
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-flyout-400.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-flyout.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-flyout.png
new file mode 100644
index 0000000000..941dd99ba8
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-flyout.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-inventory.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-inventory.png
new file mode 100644
index 0000000000..b4b4696b61
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-inventory.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-page.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-page.png
new file mode 100644
index 0000000000..b3fd3b18a8
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-page.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-top-vulnerable-software.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-top-vulnerable-software.png
new file mode 100644
index 0000000000..0b3b30e812
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-top-vulnerable-software.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-weakness-name.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-weakness-name.png
new file mode 100644
index 0000000000..ac2610fdaa
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-weakness-name.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md
index 06ed19033e..871b6e1473 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md
@@ -68,7 +68,8 @@ Select **Investigations** to see all the automatic investigations launched by th
## Going through the evidence
-Microsoft Defender Advanced Threat Protection automatically investigates all the incidents' supported events and suspicious entities in the alerts, providing you with auto-response and information about the important files, processes, services, and more. This helps quickly detect and block potential threats in the incident.
+Microsoft Defender Advanced Threat Protection automatically investigates all the incidents' supported events and suspicious entities in the alerts, providing you with autoresponse and information about the important files, processes, services, and more.
+
Each of the analyzed entities will be marked as infected, remediated, or suspicious.
@@ -81,7 +82,7 @@ The **Graph** tells the story of the cybersecurity attack. For example, it shows
-You can click the circles on the incident graph to view the details of the malicious files, associated file detections, how many instances has there been worldwide, whether it’s been observed in your organization, if so, how many instances.
+You can click the circles on the incident graph to view the details of the malicious files, associated file detections, how many instances have there been worldwide, whether it’s been observed in your organization, if so, how many instances.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md
index a56afd0ef7..9a095843cc 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md
@@ -776,8 +776,6 @@ Follow the instructions on [Schedule scans with Microsoft Defender ATP for Mac](
8. Select **Open**. Set the **Display Name** to **Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus**.
- - Manifest File: Select **Upload Manifest File**.
-
**Options tab**
Keep default values.
**Limitations tab**
Keep default values.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine.md b/windows/security/threat-protection/microsoft-defender-atp/machine.md
index 4fbc97c8a3..e2c6f6756f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machine.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machine.md
@@ -59,7 +59,7 @@ lastExternalIpAddress | String | Last IP through which the [machine](machine.md)
healthStatus | Enum | [machine](machine.md) health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData" and "NoSensorDataImpairedCommunication"
rbacGroupName | String | Machine group Name.
rbacGroupId | Int | Machine group unique ID.
-riskScore | Nullable Enum | Risk score as evaluated by Microsoft Defender ATP. Possible values are: 'None', 'Low', 'Medium' and 'High'.
+riskScore | Nullable Enum | Risk score as evaluated by Microsoft Defender ATP. Possible values are: 'None', 'Informational', 'Low', 'Medium' and 'High'.
exposureScore | Nullable Enum | [Exposure score](tvm-exposure-score.md) as evaluated by Microsoft Defender ATP. Possible values are: 'None', 'Low', 'Medium' and 'High'.
aadDeviceId | Nullable representation Guid | AAD Device ID (when [machine](machine.md) is AAD Joined).
machineTags | String collection | Set of [machine](machine.md) tags.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machineaction.md b/windows/security/threat-protection/microsoft-defender-atp/machineaction.md
index 19f660b07e..90bf8cebb8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machineaction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machineaction.md
@@ -25,7 +25,7 @@ ms.topic: article
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-- See [Response Actions](respond-machine-alerts.md) for more information
+- For more information, see [Response Actions](respond-machine-alerts.md).
| Method | Return Type | Description |
|:------------------------------------------------------------------|:-----------------------------------|:------------------------------------------------------------|
@@ -47,17 +47,17 @@ ms.topic: article
| Property | Type | Description |
|:--------------------|:---------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| id | Guid | Identity of the [Machine Action](machineaction.md) entity. |
+| ID | Guid | Identity of the [Machine Action](machineaction.md) entity. |
| type | Enum | Type of the action. Possible values are: "RunAntiVirusScan", "Offboard", "CollectInvestigationPackage", "Isolate", "Unisolate", "StopAndQuarantineFile", "RestrictCodeExecution" and "UnrestrictCodeExecution" |
-| scope | string | Scope of the action. "Full" or "Selective" in case of Isolation, "Quick" or "Full" in case of Anti-Virus scan. |
+| scope | string | Scope of the action. "Full" or "Selective" for Isolation, "Quick" or "Full" for Anti-Virus scan. |
| requestor | String | Identity of the person that executed the action. |
| requestorComment | String | Comment that was written when issuing the action. |
-| status | Enum | Current status of the command. Possible values are: "Pending", "InProgress", "Succeeded", "Failed", "TimeOut" and "Cancelled". |
-| machineId | String | Id of the [machine](machine.md) on which the action was executed. |
+| status | Enum | Current status of the command. Possible values are: "Pending", "InProgress", "Succeeded", "Failed", "TimeOut" and "Canceled". |
+| machineId | String | ID of the [machine](machine.md) on which the action was executed. |
| machineId | String | Name of the [machine](machine.md) on which the action was executed. |
| creationDateTimeUtc | DateTimeOffset | The date and time when the action was created. |
| lastUpdateTimeUtc | DateTimeOffset | The last date and time when the action status was updated. |
-| relatedFileInfo | Class | Contains two Properties. string ```fileIdentifier```, Enum ```fileIdentifierType``` with the possible values: "Sha1" ,"Sha256" and "Md5". |
+| relatedFileInfo | Class | Contains two Properties. string ```fileIdentifier```, Enum ```fileIdentifierType``` with the possible values: "Sha1", "Sha256" and "Md5". |
## Json representation
diff --git a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md
index 0a71770ee3..c3176ac54a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md
@@ -55,12 +55,12 @@ The Microsoft Defender ATP APIs can be grouped into three:
## Microsoft Defender ATP APIs
-Microsoft Defender ATP offers a layered API model exposing data and capabilities in a structured, clear and easy to use model, exposed through a standard Azure AD-based authentication and authorization model allowing access in context of users or SaaS applications. The API model was designed to expose entities and capabilities in a consistent form.
+Microsoft Defender ATP offers a layered API model exposing data and capabilities in a structured, clear, and easy to use model, exposed through a standard Azure AD-based authentication and authorization model allowing access in context of users or SaaS applications. The API model was designed to expose entities and capabilities in a consistent form.
Watch this video for a quick overview of Microsoft Defender ATP's APIs.
>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4d73M]
-The **Investigation API** exposes the richness of Microsoft Defender ATP - exposing calculated or 'profiled' entities (for example, device, user, and file) and discrete events (for example, process creation and file creation) which typically describes a behavior related to an entity, enabling access to data via investigation interfaces allowing a query-based access to data. For more information see, [Supported APIs](exposed-apis-list.md).
+The **Investigation API** exposes the richness of Microsoft Defender ATP - exposing calculated or 'profiled' entities (for example, device, user, and file) and discrete events (for example, process creation and file creation) which typically describes a behavior related to an entity, enabling access to data via investigation interfaces allowing a query-based access to data. For more information, see, [Supported APIs](exposed-apis-list.md).
The **Response API** exposes the ability to take actions in the service and on devices, enabling customers to ingest indicators, manage settings, alert status, as well as take response actions on devices programmatically such as isolate devices from the network, quarantine files, and others.
@@ -69,11 +69,11 @@ Microsoft Defender ATP raw data streaming API provides the ability for customers
The Microsoft Defender ATP event information is pushed directly to Azure storage for long-term data retention, or to Azure Event Hubs for consumption by visualization services or additional data processing engines.
-For more information see, [Raw data streaming API](raw-data-export.md).
+For more information, see, [Raw data streaming API](raw-data-export.md).
## SIEM API
-When you enable security information and event management (SIEM) integration it allows you to pull detections from Microsoft Defender Security Center using your SIEM solution or by connecting directly to the detections REST API. This activates the SIEM connector access details section with pre-populated values and an application is created under you Azure Active Directory (AAD) tenant. For more information see, [SIEM integration](enable-siem-integration.md)
+When you enable security information and event management (SIEM) integration, it allows you to pull detections from Microsoft Defender Security Center using your SIEM solution or by connecting directly to the detections REST API. This activates the SIEM connector access details section with pre-populated values and an application is created under your Azure Active Directory (Azure AD) tenant. For more information, see, [SIEM integration](enable-siem-integration.md)
## Related topics
- [Access the Microsoft Defender Advanced Threat Protection APIs ](apis-intro.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
index d45c5c585e..c25bf6630c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
@@ -33,8 +33,7 @@ Microsoft Defender Advanced Threat Protection is an enterprise endpoint security
Microsoft Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:
-- **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors
- collect and process behavioral signals from the operating system and sends this sensor data to your private, isolated, cloud instance of Microsoft Defender ATP.
+- **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors collect and process behavioral signals from the operating system and send this sensor data to your private, isolated, cloud instance of Microsoft Defender ATP.
- **Cloud security analytics**: Leveraging big-data, device-learning, and
@@ -46,7 +45,7 @@ Microsoft Defender ATP uses the following combination of technology built into W
- **Threat intelligence**: Generated by Microsoft hunters, security teams,
and augmented by threat intelligence provided by partners, threat
intelligence enables Microsoft Defender ATP to identify attacker
- tools, techniques, and procedures, and generate alerts when these
+ tools, techniques, and procedures, and generate alerts when they
are observed in collected sensor data.
@@ -86,7 +85,7 @@ This built-in capability uses a game-changing risk-based approach to the discove
**[Attack surface reduction](overview-attack-surface-reduction.md)**
-The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitation. This set of capabilities also includes [network protection](network-protection.md) and [web protection](web-protection-overview.md), which regulate access to malicious IP addresses, domains, and URLs.
+The attack surface reduction set of capabilities provides the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, the capabilities resist attacks and exploitation. This set of capabilities also includes [network protection](network-protection.md) and [web protection](web-protection-overview.md), which regulate access to malicious IP addresses, domains, and URLs.
@@ -135,7 +134,7 @@ Integrate Microsoft Defender Advanced Threat Protection into your existing workf
- Microsoft Cloud App Security
**[Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)**
- With Microsoft Threat Protection, Microsoft Defender ATP and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate and automatically respond to sophisticated attacks.
+ With Microsoft Threat Protection, Microsoft Defender ATP and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate, and automatically respond to sophisticated attacks.
## Related topic
diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
index b659b20797..0f05ee52c8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
@@ -51,8 +51,8 @@ Microsoft Defender Advanced Threat Protection requires one of the following Micr
Microsoft Defender Advanced Threat Protection, on Windows Server, requires one of the following licensing options:
-- [Azure Security Center Standard plan](https://docs.microsoft.com/azure/security-center/security-center-pricing) (per node)
-- Microsoft Defender ATP for Servers (one per covered Server)
+- [Azure Security Center with Azure Defender enabled](https://docs.microsoft.com/azure/security-center/security-center-pricing)
+- Microsoft Defender ATP for Servers (one per covered server)
> [!NOTE]
> Customers with a combined minimum of 50 licenses for one or more of the following may acquire Server SLs for Microsoft Defender Advanced Threat Protection for Servers (one per covered Server OSE): Microsoft Defender Advanced Threat Protection, Windows E5/A5, Microsoft 365 E5/A5 and Microsoft 365 E5 Security User SLs. This license applies to Microsoft Defender ATP for Linux.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard.md b/windows/security/threat-protection/microsoft-defender-atp/onboard.md
index dc8e5dab0c..78edeae3ef 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboard.md
@@ -1,7 +1,7 @@
---
title: Configure and manage Microsoft Defender ATP capabilities
ms.reviewer:
-description: Configure and manage Microsoft Defender ATP capabilities such as attack surface reduction, next-generation protection, and security controls
+description: Configure and manage Microsoft Defender ATP capabilities such as attack surface reduction, and next-generation protection
keywords: configure, manage, capabilities, attack surface reduction, next-generation protection, security controls, endpoint detection and response, auto investigation and remediation, security controls, controls
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -32,12 +32,12 @@ Configure and manage all the Microsoft Defender ATP capabilities to get the best
## In this section
Topic | Description
:---|:---
-[Configure attack surface reduction capabilities](configure-attack-surface-reduction.md) | By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations.
+[Configure attack surface reduction capabilities](configure-attack-surface-reduction.md) | By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitation.
[Configure next-generation protection](../microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md) | Configure next-generation protection to catch all types of emerging threats.
[Configure Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md) | Configure and manage how you would like to get cybersecurity threat intelligence from Microsoft Threat Experts.
[Configure Microsoft Threat Protection integration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration)| Configure other solutions that integrate with Microsoft Defender ATP.
[Management and API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/management-apis)| Pull alerts to your SIEM or use APIs to create custom alerts. Create and build Power BI reports.
-[Configure Microsoft Defender Security Center settings](preferences-setup.md) | Configure portal related settings such as general settings, advanced features, enable the preview experience and others.
+[Configure Microsoft Defender Security Center settings](preferences-setup.md) | Configure portal-related settings such as general settings, advanced features, enable the preview experience and others.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md b/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md
index 19b0432ed6..822b5afaab 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md
@@ -30,9 +30,15 @@ ms.topic: conceptual
Microsoft Defender ATP supports third-party applications to help enhance the detection, investigation, and threat intelligence capabilities of the platform.
-The support for third-party solutions help to further streamline, integrate, and orchestrate defenses from other vendors with Microsoft Defender ATP; enabling security teams to effectively respond better to modern threats.
+The support for third-party solutions helps to further streamline, integrate, and orchestrate defenses from other vendors with Microsoft Defender ATP; enabling security teams to effectively respond better to modern threats.
-Microsoft Defender ATP seamlessly integrates with existing security solutions — providing out of the box integration with SIEM, ticketing and IT service management solutions, managed security service providers (MSSP), IoC indicators ingestions and matching, automated device investigation and remediation based on external alerts, and integration with Security orchestration and automation response (SOAR) systems.
+Microsoft Defender ATP seamlessly integrates with existing security solutions. The integration provides integration with the following solutions such as:
+- SIEM
+- Ticketing and IT service management solutions
+- Managed security service providers (MSSP)
+- IoC indicators ingestions and matching
+- Automated device investigation and remediation based on external alerts
+- Integration with Security orchestration and automation response (SOAR) systems
## Supported applications
@@ -49,7 +55,7 @@ Logo |Partner name | Description
 | [Micro Focus ArcSight](https://go.microsoft.com/fwlink/?linkid=2113548) | Use Micro Focus ArcSight to pull Microsoft Defender ATP detections
 | [RSA NetWitness](https://go.microsoft.com/fwlink/?linkid=2118566) | Stream Microsoft Defender ATP Alerts to RSA NetWitness leveraging Microsoft Graph Security API
 | [SafeBreach](https://go.microsoft.com/fwlink/?linkid=2114114)| Gain visibility into Microsoft Defender ATP security events that are automatically correlated with SafeBreach simulations
- | [Skybox Vulnerability Control](https://go.microsoft.com/fwlink/?linkid=2127467) | Skybox Vulnerability Control cuts through the noise of vulnerability management, correlating business, network and threat context to uncover your riskiest vulnerabilities
+ | [Skybox Vulnerability Control](https://go.microsoft.com/fwlink/?linkid=2127467) | Skybox Vulnerability Control cuts through the noise of vulnerability management, correlating business, network, and threat context to uncover your riskiest vulnerabilities
 | [Splunk](https://go.microsoft.com/fwlink/?linkid=2129805) | The Microsoft Defender ATP Add-on allows Splunk users to ingest all of the alerts and supporting information to their Splunk
 | [XM Cyber](https://go.microsoft.com/fwlink/?linkid=2136700) | Prioritize your response to an alert based on risk factors and high value assets
@@ -60,7 +66,7 @@ Logo |Partner name | Description
:---|:---|:---
 | [CyberSponse CyOps](https://go.microsoft.com/fwlink/?linkid=2115943) | CyOps integrates with Microsoft Defender ATP to automate customers' high-speed incident response playbooks
 | [Delta Risk ActiveEye](https://go.microsoft.com/fwlink/?linkid=2127468) | Delta Risk, a leading provider of SOC-as-a-Service and security services, integrate Microsoft Defender ATP with its cloud-native SOAR platform, ActiveEye.
- | [Demisto, a Palo Alto Networks Company](https://go.microsoft.com/fwlink/?linkid=2108414) | Demisto integrates with Microsoft Defender ATP to enable security teams to orchestrate and automate endpoint security monitoring, enrichment and response
+ | [Demisto, a Palo Alto Networks Company](https://go.microsoft.com/fwlink/?linkid=2108414) | Demisto integrates with Microsoft Defender ATP to enable security teams to orchestrate and automate endpoint security monitoring, enrichment, and response
 | [Microsoft Flow & Azure Functions](https://go.microsoft.com/fwlink/?linkid=2114300) | Use the Microsoft Defender ATP connectors for Azure Logic Apps & Microsoft Flow to automating security procedures
 | [Rapid7 InsightConnect](https://go.microsoft.com/fwlink/?linkid=2116040) | InsightConnect integrates with Microsoft Defender ATP to accelerate, streamline, and integrate your time-intensive security processes
 | [ServiceNow](https://go.microsoft.com/fwlink/?linkid=2135621) | Ingest alerts into ServiceNow Security Operations solution based on Microsoft Graph API integration
@@ -93,7 +99,7 @@ Logo |Partner name | Description
 | [Better Mobile](https://go.microsoft.com/fwlink/?linkid=2086214)| AI based MTD solution to stop mobile threats & phishing. Private internet browsing to protect user privacy
| [Corrata](https://go.microsoft.com/fwlink/?linkid=2081148) | Mobile solution — Protect your mobile devices with granular visibility and control from Corrata
| [Lookout](https://go.microsoft.com/fwlink/?linkid=866935)| Get Lookout Mobile Threat Protection telemetry for Android and iOS mobile devices
- | [Symantec Endpoint Protection Mobile](https://go.microsoft.com/fwlink/?linkid=2090992)| SEP Mobile helps businesses predict, detect and prevent security threats and vulnerabilities on mobile devices
+ | [Symantec Endpoint Protection Mobile](https://go.microsoft.com/fwlink/?linkid=2090992)| SEP Mobile helps businesses predict, detect, and prevent security threats and vulnerabilities on mobile devices
| [Zimperium](https://go.microsoft.com/fwlink/?linkid=2118044)|Extend your Microsoft Defender ATP to iOS and Android with Machine Learning-based Mobile Threat Defense
@@ -121,7 +127,7 @@ Microsoft Defender ATP offers unique automated investigation and remediation cap
Integrating the automated investigation and response capability with other solutions such as IDS and firewalls help to address alerts and minimize the complexities surrounding network and device signal correlation, effectively streamlining the investigation and threat remediation actions on devices.
-External alerts can be pushed into Microsoft Defender ATP and is presented side-by-side with additional device-based alerts from Microsoft Defender ATP. This view provides a full context of the alert — with the real process and the full story of attack.
+External alerts can be pushed into Microsoft Defender ATP and is presented side by side with additional device-based alerts from Microsoft Defender ATP. This view provides a full context of the alert — with the real process and the full story of attack.
## Indicators matching
You can use threat-intelligence from providers and aggregators to maintain and use indicators of compromise (IOCs).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/partner-integration.md b/windows/security/threat-protection/microsoft-defender-atp/partner-integration.md
index efb88424f7..7aa19efe08 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/partner-integration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/partner-integration.md
@@ -31,26 +31,27 @@ ms.topic: conceptual
Partners can easily extend their existing security offerings on top of the open framework and a rich and complete set of APIs to build extensions and integrations with Microsoft Defender ATP.
-The APIs span functional areas including detection, management, response, vulnerabilities and intelligence wide range of use cases. Based on the use case and need, partners can either stream or query data from Microsoft Defender ATP.
+The APIs span functional areas including detection, management, response, vulnerabilities, and intelligence-wide range of use cases. Based on the use case and need, partners can either stream or query data from Microsoft Defender ATP.
## Scenario 1: External alert correlation and Automated investigation and remediation
Microsoft Defender ATP offers unique automated investigation and remediation capabilities to drive incident response at scale.
-Integrating the automated investigation and response capability with other solutions such as network security products or other endpoint security products will help to address alerts and minimize the complexities surrounding network and device signal correlation, effectively streamlining the investigation and threat remediation actions on devices.
+Integrating the automated investigation and response capability with other solutions such as network security products or other endpoint security products will help to address alerts. The integration also minimizes the complexities surrounding network and device signal correlation, effectively streamlining the investigation and threat remediation actions on devices.
Microsoft Defender ATP adds support for this scenario in the following forms:
-- External alerts can be pushed into Microsoft Defender ATP and presented side-by-side with additional device-based alerts from Microsoft Defender ATP. This view provides the full context of the alert - with the real process and the full story of attack.
+
+- External alerts can be pushed into Microsoft Defender ATP and presented side by side with additional device-based alerts from Microsoft Defender ATP. This view provides the full context of the alert - with the real process and the full story of attack.
- Once an alert is generated, the signal is shared across all Microsoft Defender ATP protected endpoints in the enterprise. Microsoft Defender ATP takes immediate automated or operator-assisted response to address the alert.
## Scenario 2: Security orchestration and automation response (SOAR) integration
-Orchestration solutions can help build playbooks and integrate the rich data model and actions that Microsoft Defender ATP APIs exposes to orchestrate responses, such as query for device data, trigger device isolation, block/allow, resolve alert and others.
+Orchestration solutions can help build playbooks and integrate the rich data model and actions that Microsoft Defender ATP APIs expose to orchestrate responses, such as query for device data, trigger device isolation, block/allow, resolve alert and others.
## Scenario 3: Indicators matching
-Indicator of compromise (IoCs) matching is an essential feature in every endpoint protection solution. This capability is available in Microsoft Defender ATP and gives the ability to set a list of indicators for prevention, detection and exclusion of entities. One can define the action to be taken as well as the duration for when to apply the action.
+Indicator of compromise (IoCs) matching is an essential feature in every endpoint protection solution. This capability is available in Microsoft Defender ATP and gives the ability to set a list of indicators for prevention, detection, and exclusion of entities. One can define the action to be taken as well as the duration for when to apply the action.
-The above scenarios serve as examples of the extensibility of the platform. You are not limited to these and we certainly encourage you leverage the open framework to discover and explore other scenarios.
+The above scenarios serve as examples of the extensibility of the platform. You are not limited to the examples and we certainly encourage you to leverage the open framework to discover and explore other scenarios.
Follow the steps in [Become a Microsoft Defender ATP partner](get-started-partner-integration.md) to integrate your solution in Microsoft Defender ATP.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
index c0279badc8..fe2d128e37 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
@@ -1,6 +1,6 @@
---
title: Prepare Microsoft Defender ATP deployment
-description: Prepare stakeholder sign-off, timelines, environment considerations, and adoption order when deploying Microsoft Defender ATP
+description: Prepare stakeholder approval, timelines, environment considerations, and adoption order when deploying Microsoft Defender ATP
keywords: deploy, prepare, stakeholder, timeline, environment, endpoint, server, management, adoption
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -71,14 +71,14 @@ You are currently in the preparation phase.
Preparation is key to any successful deployment. In this article, you'll be guided on the points you'll need to consider as you prepare to deploy Microsoft Defender ATP.
-## Stakeholders and Sign-off
+## Stakeholders and approval
The following section serves to identify all the stakeholders that are involved
-in the project and need to sign-off, review, or stay informed.
+in the project and need to approve, review, or stay informed.
Add stakeholders
to the table below as appropriate for your organization.
-- SO = Sign-off on this project
+- SO = Approve project
- R = Review this project and provide input
@@ -90,14 +90,14 @@ to the table below as appropriate for your organization.
| Enter name and email | **Head of Cyber Defense Operations Center (CDOC)** *A representative from the CDOC team in charge of defining how this change is aligned with the processes in the customers security operations team.* | SO |
| Enter name and email | **Security Architect** *A representative from the Security team in charge of defining how this change is aligned with the core Security architecture in the organization.* | R |
| Enter name and email | **Workplace Architect** *A representative from the IT team in charge of defining how this change is aligned with the core workplace architecture in the organization.* | R |
-| Enter name and email | **Security Analyst** *A representative from the CDOC team who can provide input on the detection capabilities, user experience and overall usefulness of this change from a security operations perspective.* | I |
+| Enter name and email | **Security Analyst** *A representative from the CDOC team who can provide input on the detection capabilities, user experience, and overall usefulness of this change from a security operations perspective.* | I |
## Environment
This section is used to ensure your environment is deeply understood by the
-stakeholders which will help identify potential dependencies and/or changes
+stakeholders, which will help identify potential dependencies and/or changes
required in technologies or processes.
| What | Description |
@@ -112,14 +112,14 @@ required in technologies or processes.
## Role-based access control
Microsoft recommends using the concept of least privileges. Microsoft Defender
-ATP leverages built-in roles within Azure Active Directory. Microsoft recommend
+ATP leverages built-in roles within Azure Active Directory. Microsoft recommends
[review the different roles that are
available](https://docs.microsoft.com/azure/active-directory/active-directory-assign-admin-roles-azure-portal)
and choose the right one to solve your needs for each persona for this
application. Some roles may need to be applied temporarily and removed after the
deployment has been completed.
-| Personas | Roles | Azure AD Role (if required) | Assign to |
+| Personas | Roles | Azure AD Role (if necessary) | Assign to |
|------------------------------|-------|-----------------------------|-----------|
| Security Administrator | | | |
| Security Analyst | | | |
@@ -157,13 +157,13 @@ structure required for your environment.
|--------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------|
| Tier 1 | **Local security operations team / IT team**
This team usually triages and investigates alerts contained within their geolocation and escalates to Tier 2 in cases where an active remediation is required. | |
| Tier 2 | **Regional security operations team**
This team can see all the devices for their region and perform remediation actions. | View data |
-| Tier 3 | **Global security operations team**
This team consists of security experts and are authorized to see and perform all actions from the portal. | View data
Alerts investigation Active remediation actions
Alerts investigation Active remediation actions
Manage portal system settings
Manage security settings |
+| Tier 3 | **Global security operations team**
This team consists of security experts and is authorized to see and perform all actions from the portal. | View data
Alerts investigation Active remediation actions
Alerts investigation Active remediation actions
Manage portal system settings
Manage security settings |
## Adoption Order
In many cases, organizations will have existing endpoint security products in
-place. The bare minimum every organization should have is an antivirus solution. But in some cases, an organization might also have implanted an EDR solution already.
+place. The bare minimum every organization should have been an antivirus solution. But in some cases, an organization might also have implanted an EDR solution already.
Historically, replacing any security solution used to be time intensive and difficult
to achieve due to the tight hooks into the application layer and infrastructure
@@ -179,7 +179,7 @@ how the endpoint security suite should be enabled.
| Endpoint Detection & Response (EDR) | Microsoft Defender ATP endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats.
[Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response) | 1 |
|Threat & Vulnerability Management (TVM)|Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including:
- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
- Invaluable device vulnerability context during incident investigations
- Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager
[Learn more](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Introducing-a-risk-based-approach-to-threat-and-vulnerability/ba-p/377845).| 2 |
| Next-generation protection (NGP) | Microsoft Defender Antivirus is a built-in antimalware solution that provides next-generation protection for desktops, portable computers, and servers. Microsoft Defender Antivirus includes:
-Cloud-delivered protection for near-instant detection and blocking of new and emerging threats. Along with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-gen technologies that power Microsoft Defender Antivirus.
- Always-on scanning using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection").
- Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research.
[Learn more](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10). |3 |
-| Attack Surface Reduction (ASR) | Attack surface reduction capabilities in Microsoft Defender ATP helps protect the devices and applications in the organization from new and emerging threats.
[Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) | 4 |
+| Attack Surface Reduction (ASR) | Attack surface reduction capabilities in Microsoft Defender ATP help protect the devices and applications in the organization from new and emerging threats.
[Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) | 4 |
| Auto Investigation & Remediation (AIR) | Microsoft Defender ATP uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives.
[Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) | Not applicable |
| Microsoft Threat Experts (MTE) | Microsoft Threat Experts is a managed hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don't get missed.
[Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts) | Not applicable |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md
index c95d5dc155..dfb227ec23 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md
@@ -1,5 +1,5 @@
---
-title: Advanced Hunting with Powershell API Basics
+title: Advanced Hunting with PowerShell API Basics
ms.reviewer:
description: Learn the basics of querying the Microsoft Defender Advanced Threat Protection API, using PowerShell.
keywords: apis, supported apis, advanced hunting, query
@@ -27,7 +27,7 @@ ms.topic: article
Run advanced queries using PowerShell, see [Advanced Hunting API](run-advanced-query-api.md).
-In this section we share PowerShell samples to retrieve a token and use it to run a query.
+In this section, we share PowerShell samples to retrieve a token and use it to run a query.
## Before you begin
You first need to [create an app](apis-intro.md).
@@ -40,7 +40,7 @@ You first need to [create an app](apis-intro.md).
Set-ExecutionPolicy -ExecutionPolicy Bypass
```
->For more details, see [PowerShell documentation](https://docs.microsoft.com/powershell/module/microsoft.powershell.security/set-executionpolicy)
+>For more information, see [PowerShell documentation](https://docs.microsoft.com/powershell/module/microsoft.powershell.security/set-executionpolicy)
## Get token
@@ -64,9 +64,9 @@ $aadToken = $response.access_token
```
where
-- $tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of this tenant)
-- $appId: ID of your AAD app (the app must have 'Run advanced queries' permission to Microsoft Defender ATP)
-- $appSecret: Secret of your AAD app
+- $tenantId: ID of the tenant on behalf of which you want to run the query (that is, the query will be run on the data of this tenant)
+- $appId: ID of your Azure AD app (the app must have 'Run advanced queries' permission to Microsoft Defender ATP)
+- $appSecret: Secret of your Azure AD app
## Run query
@@ -88,7 +88,7 @@ $results = $response.Results
$schema = $response.Schema
```
-- $results contains the results of your query
+- $results contain the results of your query
- $schema contains the schema of the results of your query
### Complex queries
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md
index ad9c61aa16..55f4d1ec1b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md
@@ -28,13 +28,13 @@ ms.topic: article
Run advanced queries using Python, see [Advanced Hunting API](run-advanced-query-api.md).
-In this section we share Python samples to retrieve a token and use it to run a query.
+In this section, we share Python samples to retrieve a token and use it to run a query.
>**Prerequisite**: You first need to [create an app](apis-intro.md).
## Get token
-- Run the following:
+- Run the following commands:
```
@@ -67,9 +67,9 @@ aadToken = jsonResponse["access_token"]
```
where
-- tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of this tenant)
-- appId: ID of your AAD app (the app must have 'Run advanced queries' permission to Microsoft Defender ATP)
-- appSecret: Secret of your AAD app
+- tenantId: ID of the tenant on behalf of which you want to run the query (that is, the query will be run on the data of this tenant)
+- appId: ID of your Azure AD app (the app must have 'Run advanced queries' permission to Microsoft Defender ATP)
+- appSecret: Secret of your Azure AD app
## Run query
@@ -96,7 +96,7 @@ results = jsonResponse["Results"]
```
- schema contains the schema of the results of your query
-- results contains the results of your query
+- results contain the results of your query
### Complex queries
diff --git a/windows/security/threat-protection/microsoft-defender-atp/service-status.md b/windows/security/threat-protection/microsoft-defender-atp/service-status.md
index b95ecdb603..1373591e5d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/service-status.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/service-status.md
@@ -29,7 +29,7 @@ ms.topic: article
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-servicestatus-abovefoldlink)
-The **Service health** provides information on the current status of the Microsoft Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues. If there are issues, you'll see details related to the issue such as when the issue was detected, what the preliminary root cause is, and the expected resolution time.
+**Service health** provides information on the current status of the Microsoft Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues. If there are issues, you'll see information such as when the issue was detected, what the preliminary root cause is, and the expected resolution time.
You'll also see information on historical issues that have been resolved and details such as the date and time when the issue was resolved. When there are no issues on the service, you'll see a healthy status.
@@ -51,7 +51,7 @@ The **Current status** tab shows the current state of the Microsoft Defender ATP
- Next steps
- Expected resolution time
-Updates on the progress of an issue is reflected on the page as the issue gets resolved. You'll see updates on information such as an updated estimate resolution time or next steps.
+Updates on the progress of an issue are reflected on the page as the issue gets resolved. You'll see updates on information such as an updated estimate resolution time or next steps.
When an issue is resolved, it gets recorded in the **Status history** tab.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md b/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md
index 4158bfea2b..0ad991db3c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md
@@ -1,6 +1,6 @@
---
title: Supported Microsoft Defender Advanced Threat Protection response APIs
-description: Learn about the specific response related Microsoft Defender Advanced Threat Protection API calls.
+description: Learn about the specific response-related Microsoft Defender Advanced Threat Protection API calls.
keywords: response apis, graph api, supported apis, actor, alerts, device, user, domain, ip, file
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -28,24 +28,24 @@ ms.topic: conceptual
> [!TIP]
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-supported-response-apis-abovefoldlink)
-Learn about the supported response related API calls you can run and details such as the required request headers, and expected response from the calls.
+Learn about the supported response-related API calls you can run and details such as the required request headers, and expected response from the calls.
## In this section
Topic | Description
:---|:---
-Collect investigation package | Run this to collect an investigation package from a device.
-Isolate device | Run this to isolate a device from the network.
+Collect investigation package | Run this API to collect an investigation package from a device.
+Isolate device | Run this API to isolate a device from the network.
Unisolate device | Remove a device from isolation.
-Restrict code execution | Run this to contain an attack by stopping malicious processes. You can also lock down a device and prevent subsequent attempts of potentially malicious programs from running.
+Restrict code execution | Run this API to contain an attack by stopping malicious processes. You can also lock down a device and prevent subsequent attempts of potentially malicious programs from running.
Unrestrict code execution | Run this to reverse the restriction of applications policy after you have verified that the compromised device has been remediated.
Run antivirus scan | Remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised device.
Stop and quarantine file | Run this call to stop running processes, quarantine files, and delete persistency such as registry keys.
Request sample | Run this call to request a sample of a file from a specific device. The file will be collected from the device and uploaded to a secure storage.
-Block file | Run this to prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware.
+Block file | Run this API to prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware.
Unblock file | Allow a file run in the organization using Microsoft Defender Antivirus.
-Get package SAS URI | Run this to get a URI that allows downloading an investigation package.
-Get MachineAction object | Run this to get MachineAction object.
+Get package SAS URI | Run this API to get a URI that allows downloading an investigation package.
+Get MachineAction object | Run this API to get MachineAction object.
Get MachineActions collection | Run this to get MachineAction collection.
-Get FileActions collection | Run this to get FileActions collection.
-Get FileMachineAction object | Run this to get FileMachineAction object.
-Get FileMachineActions collection | Run this to get FileMachineAction collection.
+Get FileActions collection | Run this API to get FileActions collection.
+Get FileMachineAction object | Run this API to get FileMachineAction object.
+Get FileMachineActions collection | Run this API to get FileMachineAction collection.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md
index e6ed78f7f8..2305bcbf00 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md
@@ -57,11 +57,11 @@ If while trying to take an action during a live response session, you encounter
## Slow live response sessions or delays during initial connections
Live response leverages Microsoft Defender ATP sensor registration with WNS service in Windows.
-If you are having connectivity issues with live response, please confirm the following:
-1. `notify.windows.com` is not blocked in your environment. For more information see, [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
+If you are having connectivity issues with live response, confirm the following details:
+1. `notify.windows.com` is not blocked in your environment. For more information, see, [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
2. WpnService (Windows Push Notifications System Service) is not disabled.
-Please refer to the articles below to fully understand the WpnService service behavior and requirements:
+Refer to the articles below to fully understand the WpnService service behavior and requirements:
- [Windows Push Notification Services (WNS) overview](https://docs.microsoft.com/windows/uwp/design/shell/tiles-and-notifications/windows-push-notification-services--wns--overview)
- [Enterprise Firewall and Proxy Configurations to Support WNS Traffic](https://docs.microsoft.com/windows/uwp/design/shell/tiles-and-notifications/firewall-allowlist-config)
- [Microsoft Push Notifications Service (MPNS) Public IP ranges](https://www.microsoft.com/en-us/download/details.aspx?id=44535)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md
index 16f93645cd..73945ccbcd 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md
@@ -36,15 +36,15 @@ If you receive an error message, Microsoft Defender Security Center will provide
## No subscriptions found
-If while accessing Microsoft Defender Security Center you get a **No subscriptions found** message, it means the Azure Active Directory (AAD) used to login the user to the portal, does not have a Microsoft Defender ATP license.
+If while accessing Microsoft Defender Security Center you get a **No subscriptions found** message, it means the Azure Active Directory (Azure AD) used to log in the user to the portal, does not have a Microsoft Defender ATP license.
Potential reasons:
- The Windows E5 and Office E5 licenses are separate licenses.
-- The license was purchased but not provisioned to this AAD instance.
+- The license was purchased but not provisioned to this Azure AD instance.
- It could be a license provisioning issue.
- - It could be you inadvertently provisioned the license to a different Microsoft AAD than the one used for authentication into the service.
+ - It could be you inadvertently provisioned the license to a different Microsoft Azure AD than the one used for authentication into the service.
-For both cases you should contact Microsoft support at [General Microsoft Defender ATP Support](https://support.microsoft.com/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636419533611396913) or
+For both cases, you should contact Microsoft support at [General Microsoft Defender ATP Support](https://support.microsoft.com/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636419533611396913) or
[Volume license support](https://www.microsoft.com/licensing/servicecenter/Help/Contact.aspx).
@@ -63,16 +63,16 @@ You can choose to renew or extend the license at any point in time. When accessi
## You are not authorized to access the portal
If you receive a **You are not authorized to access the portal**, be aware that Microsoft Defender ATP is a security monitoring, incident investigation and response product, and as such, access to it is restricted and controlled by the user.
-For more information see, [**Assign user access to the portal**](https://docs.microsoft.com/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection).
+For more information, see, [**Assign user access to the portal**](https://docs.microsoft.com/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection).
## Data currently isn't available on some sections of the portal
-If the portal dashboard, and other sections show an error message such as "Data currently isn't available":
+If the portal dashboard and other sections show an error message such as "Data currently isn't available":
-You'll need to allow the `securitycenter.windows.com` and all sub-domains under it. For example `*.securitycenter.windows.com`.
+You'll need to allow the `securitycenter.windows.com` and all subdomains under it. For example, `*.securitycenter.windows.com`.
## Portal communication issues
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-zero-day-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-zero-day-vulnerabilities.md
new file mode 100644
index 0000000000..32fbab4e0d
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-zero-day-vulnerabilities.md
@@ -0,0 +1,104 @@
+---
+title: Mitigate zero-day vulnerabilities - threat and vulnerability management
+description: A report showing vulnerable device trends and current statistics. The goal is for you to understand the breath and scope of your device exposure.
+keywords: mdatp-tvm vulnerable devices, mdatp, tvm, reduce threat & vulnerability exposure, reduce threat and vulnerability, monitor security configuration
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: ellevin
+author: levinec
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
+ms.topic: article
+---
+
+# Mitigate zero-day vulnerabilities - threat and vulnerability management
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
+
+A zero-day vulnerability is a publicly disclosed vulnerability for which no official patches or security updates have been released. Zero-day vulnerabilities often have high severity levels and are actively exploited.
+
+Threat and vulnerability management will only display zero-day vulnerabilities it has information about.
+
+## Find information about zero-day vulnerabilities
+
+Once a zero-day vulnerability has been found, information about it will be conveyed through the following experiences in the Microsoft Defender Security Center.
+
+### Threat and vulnerability management dashboard
+
+Find recommendations with a zero-day tag in the “Top security recommendation” card.
+
+
+
+Find top software with the zero-day tag in the "Top vulnerable software" card.
+
+
+
+tvm-zero-day-top-vulnerable-software
+
+### Weaknesses page
+
+Find the named zero-day vulnerability along with a description and details.
+
+- If this vulnerability has a CVE-ID assigned, you’ll see the zero-day label next to the CVE name.
+
+- If this vulnerability has no CVE-ID assigned, you will find it under an internal, temporary name that looks like “TVM-XXXX-XXXX”. The name will be updated once an official CVE-ID has been assigned, but the previous internal name will still be searchable and found in the side-panel.
+
+
+
+### Security recommendations page
+
+Clear suggestions regarding remediation and mitigation options, including workarounds if exist.
+
+When there is an application with associated zero-day vulnerability and additional vulnerabilities to address, you will get one recommendation regarding both.
+
+
+
+## Addressing the zero-day vulnerability
+
+Go to the security recommendation page and select the zero-day recommendation. A flyout will open with information about the zero-day and other vulnerabilities for that software.
+
+There will be a link to mitigation options and workarounds if they are available. Workarounds may help reduce the risk posed by this zero-day vulnerability until a patch or security update can be deployed.
+
+Open remediation options and choose the attention type. An "attention required" remediation option is recommended for the zero-day vulnerabilities, since an update hasn't been released yet. If there are older vulnerabilities for this software you wish to remediation, you can override the "attention required" remediation option and choose “update.”
+
+
+
+## Patching the zero-day vulnerability
+
+When a patch is released for the zero-day, the recommendation will be changed to “Update” and a blue label next to it that says “New security update for zero day.”
+
+
+
+## Other places to find vulnerable software
+
+### Software inventory page
+
+Find software with the zero-day tag.
+
+
+
+### Software page
+
+Find a zero-day tag for each software that has been affected by the zero–day vulnerability.
+
+
+
+## Related topics
+
+- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md)
+- [Security recommendations](tvm-security-recommendation.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md b/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md
index bcceac7999..071d86602f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md
@@ -21,16 +21,15 @@ ms.topic: article
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
Web protection lets you monitor your organization’s web browsing security through reports under **Reports > Web protection** in the Microsoft Defender Security Center. The report contains cards that provide web threat detection statistics.
-- **Web threat protection detections over time** — this trending card displays the number of web threats detected by type during the selected time period (Last 30 days, Last 3 months, Last 6 months)
+- **Web threat protection detections over time** - this trending card displays the number of web threats detected by type during the selected time period (Last 30 days, Last 3 months, Last 6 months)
-- **Web threat protection summary** — this card displays the total web threat detections in the past 30 days, showing distribution across the different types of web threats. Selecting a slice opens the list of the domains that were found with malicious or unwanted websites.
+- **Web threat protection summary** - this card displays the total web threat detections in the past 30 days, showing distribution across the different types of web threats. Selecting a slice opens the list of the domains that were found with malicious or unwanted websites.
@@ -38,23 +37,27 @@ Web protection lets you monitor your organization’s web browsing security thro
>It can take up to 12 hours before a block is reflected in the cards or the domain list.
## Types of web threats
+
Web protection categorizes malicious and unwanted websites as:
-- **Phishing** — websites that contain spoofed web forms and other phishing mechanisms designed to trick users into divulging credentials and other sensitive information
-- **Malicious** — websites that host malware and exploit code
-- **Custom indicator** — websites whose URLs or domains you've added to your [custom indicator list](manage-indicators.md) for blocking
+
+- **Phishing** - websites that contain spoofed web forms and other phishing mechanisms designed to trick users into divulging credentials and other sensitive information
+- **Malicious** - websites that host malware and exploit code
+- **Custom indicator** - websites whose URLs or domains you've added to your [custom indicator list](manage-indicators.md) for blocking
## View the domain list
-Select a specific web threat category in the **Web threat protection summary** card to open the **Domains** page and display the list of the domains under that threat category. The page provides the following information for each domain:
-- **Access count** — number of requests for URLs in the domain
-- **Blocks** — number of times requests were blocked
-- **Access trend** — change in number of access attempts
-- **Threat category** — type of web threat
-- **Devices** — number of devices with access attempts
+Select a specific web threat category in the **Web threat protection summary** card to open the **Domains** page. This page displays the list of the domains under that threat category. The page provides the following information for each domain:
-Select a domain to view the list of devices that have attempted to access URLs in that domain as well as the list of URLs.
+- **Access count** - number of requests for URLs in the domain
+- **Blocks** - number of times requests were blocked
+- **Access trend** - change in number of access attempts
+- **Threat category** - type of web threat
+- **Devices** - number of devices with access attempts
+
+Select a domain to view the list of devices that have attempted to access URLs in that domain and the list of URLs.
## Related topics
+
- [Web protection overview](web-protection-overview.md)
- [Web content filtering](web-content-filtering.md)
- [Web threat protection](web-threat-protection.md)
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
index 263e076dda..9b9d8baad8 100644
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
@@ -42,7 +42,7 @@ SmartScreen uses registry-based Administrative Template policy settings. For mor
Windows 10, version 2004:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control
Windows 10, version 1703:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control
Windows 10, version 1703
-This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.This setting does not protect against malicious content from USB devices, network shares or other non-internet sources.Important: Using a trustworthy browser helps ensure that these protections work as expected.
+This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet. This setting does not protect against malicious content from USB devices, network shares, or other non-internet sources.Important: Using a trustworthy browser helps ensure that these protections work as expected.
Windows 10, version 2004:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreenWindows 10, version 1703:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen
Windows 10, Version 1607 and earlier:
Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen
@@ -160,7 +160,7 @@ For Microsoft Defender SmartScreen Edge MDM policies, see [Policy CSP - Browser]
## Recommended Group Policy and MDM settings for your organization
-By default, Microsoft Defender SmartScreen lets employees bypass warnings. Unfortunately, this can let employees continue to an unsafe site or to continue to download an unsafe file, even after being warned. Because of this possibility, we strongly recommend that you set up Microsoft Defender SmartScreen to block high-risk interactions instead of providing just a warning.
+By default, Microsoft Defender SmartScreen lets employees bypass warnings. Unfortunately, this feature can let employees continue to an unsafe site or to continue to download an unsafe file, even after being warned. Because of this possibility, we strongly recommend that you set up Microsoft Defender SmartScreen to block high-risk interactions instead of providing just a warning.
To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen Group Policy and MDM settings.
Enforcement mode
SRP works in the “deny list mode” where administrators can create rules for files that they do not want to allow in this Enterprise whereas the rest of the file are allowed to run by default.
+SRP works in the “deny list mode” where administrators can create rules for files that they do not want to allow in this Enterprise whereas the rest of the file is allowed to run by default.
SRP can also be configured in the “allow list mode” so that by default all files are blocked and administrators need to create allow rules for files that they want to allow.
AppLocker by default works in the “allow list mode” where only those files are allowed to run for which there is a matching allow rule.
Support for rule exceptions
SRP does not support rule exceptions.
AppLocker rules can have exceptions which allow you to create rules such as “Allow everything from Windows except for regedit.exe”.
AppLocker rules can have exceptions, which allow you to create rules such as “Allow everything from Windows except for regedit.exe”.
Support for audit mode
SRP does not support audit mode. The only way to test SRP policies is to set up a test environment and run a few experiments.
AppLocker supports audit mode which allows you to test the effect of their policy in the real production environment without impacting the user experience. Once you are satisfied with the results, you can start enforcing the policy.
AppLocker supports audit mode, which allows you to test the effect of their policy in the real production environment without impacting the user experience. Once you are satisfied with the results, you can start enforcing the policy.
Support for exporting and importing policies
Rule enforcement
Internally, SRP rules enforcement happens in the user-mode which is less secure.
Internally, AppLocker rules for .exe and .dll files are enforced in the kernel-mode which is more secure than enforcing them in the user-mode.
Internally, SRP rules enforcement happens in the user-mode, which is less secure.
Internally, AppLocker rules for .exe and .dll files are enforced in the kernel-mode, which is more secure than enforcing them in the user-mode.