Merge branch 'master' of https://github.com/MicrosoftDocs/windows-docs-pr into FromPrivateRepo

windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md

@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: manikadhiman
-ms.date: 10/04/2017
+ms.date: 07/29/2019
 ms.reviewer: 
 manager: dansimp
 ---
@@ -15,6 +15,8 @@ manager: dansimp
 
 Starting in Windows 10, version 1709, you can use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain-joined devices. 
 
+The enrollment into Intune is triggered by a group policy created on your local AD and happens without any user interaction. This means you can automatically mass-enroll a large number of domain-joined corporate devices into Microsoft Intune. The enrollment process starts in the background once you sign in to the device with your Azure AD account.
+
 Requirements:
 - AD-joined PC running Windows 10, version 1709 or later
 - The enterprise has configured a mobile device management (MDM) service  
@@ -22,25 +24,66 @@ Requirements:
 - The device should not already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with `error 0x80180026`)
 
 > [!TIP]
-> [How to configure automatic registration of Windows domain-joined devices with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup)
+> For additional information, see the following topics:
+> - [How to configure automatic registration of Windows domain-joined devices with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup)
+> - [How to plan your hybrid Azure Active Directory join implementation](https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan)
+> - [Azure Active Directory integration with MDM](https://docs.microsoft.com/en-us/windows/client-management/mdm/azure-active-directory-integration-with-mdm)
 
-To verify if the device is Azure AD registered, run `dsregcmd /status` from the command line.
-
-Here is a partial screenshot of the result:
-
-![device status result](images/autoenrollment-device-status.png)
-
-The auto-enrollment relies of the presence of an MDM service and the Azure Active Directory registration for the PC. Starting in Windows 10, version 1607, once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically AAD registered.
+The auto-enrollment relies on the presence of an MDM service and the Azure Active Directory registration for the PC. Starting in Windows 10, version 1607, once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically AAD registered.
 
 > [!NOTE]
 > In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/library/mt221945.aspx). For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation. 
 
 When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page.
 
-In Windows 10, version 1709, when the same policy is configured in GP and MDM, the GP policy wins (GP policy takes precedence over MDM). Since Windows 10, version 1803, a new setting allows you to change the policy conflict winner to MDM. See [Windows 10 Group Policy vs. Intune MDM Policy who wins?](https://blogs.technet.microsoft.com/cbernier/2018/04/02/windows-10-group-policy-vs-intune-mdm-policy-who-wins/) to learn more.
+In Windows 10, version 1709, when the same policy is configured in GP and MDM, the GP policy wins (GP policy takes precedence over MDM). Since Windows 10, version 1803, a new setting allows you to change the policy conflict winner to MDM. For additional information, see [Windows 10 Group Policy vs. Intune MDM Policy who wins?](https://blogs.technet.microsoft.com/cbernier/2018/04/02/windows-10-group-policy-vs-intune-mdm-policy-who-wins/).
 
 For this policy to work, you must verify that the MDM service provider allows the GP triggered MDM enrollment for domain joined devices.
 
+## Verify auto-enrollment requirements and settings
+To ensure that the auto-enrollment feature is working as expected, you must verify that various requirements and settings are configured correctly. 
+The following steps demonstrate required settings using the Intune service:
+1. Verify that the user who is going to enroll the device has a valid Intune license.
+
+    ![Intune license verification](images/auto-enrollment-intune-license-verification.png)
+
+2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Intune. For additional details, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](https://docs.microsoft.com/en-us/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal). 
+Also verify that the **MAM user scope** is set to **None**. Otherwise, it will have precedence over the MDM scope that will lead to issues. 
+
+    ![Auto-enrollment activation verification](images/auto-enrollment-activation-verification.png)
+
+3. Verify that the device OS version is Windows 10, version 1709 or later.
+4. Auto-enrollment into Intune via Group Policy is valid only for devices which are hybrid Azure AD joined. This means that the device must be joined into both local Active Directory and Azure Active Directory. To verify that the device is  hybrid Azure AD joined, run  `dsregcmd /status` from the command line.
+
+    You can confirm that the device is properly hybrid-joined if both **AzureAdJoined** and **DomainJoined** are set to **YES**.
+
+    ![Auto-enrollment device status result](images/auto-enrollment-device-status-result.png)
+
+    Additionally, verify that the SSO State section displays **AzureAdPrt** as **YES**.
+
+    ![Auto-enrollment azure AD prt verification](images/auto-enrollment-azureadprt-verification.png)
+
+    This information can also be found on the Azure AD device list.
+
+    ![Azure AD device list](images/azure-ad-device-list.png)
+
+5. Verify that the MDM discovery URL during auto-enrollment is https://enrollment.manage.microsoft.com/enrollmentserver/discovery.
+
+    ![MDM discovery URL](images/auto-enrollment-mdm-discovery-url.png)
+
+6. Some tenants might have both **Microsoft Intune** and **Microsoft Intune Enrollment** under **Mobility**. Make sure that your auto-enrollment settings are configured under **Microsoft Intune** instead of **Microsoft Intune Enrollment**.
+
+    ![Mobility setting MDM intune](images/auto-enrollment-microsoft-intune-setting.png)
+
+7. Verify that the *Enable automatic MDM enrollment using default Azure AD credentials* group policy (Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM) is properly deployed to all devices which should be enrolled into Intune. 
+You may contact your domain administrators to verify if the group policy has been deployed successfully.
+
+8. Verify that the device is not enrolled with the old Intune client used on the Intune Silverlight Portal (this is the Intune portal used before the Azure portal).
+9. Verify that Azure AD allows the logon user to enroll devices.
+    ![Azure AD device settings](images/auto-enrollment-azure-ad-device-settings.png)
+10. Verify that Microsoft Intune should allow enrollment of Windows devices.
+    ![Enrollment of Windows devices](images/auto-enrollment-enrollment-of-windows-devices.png)
+
 ## Configure the auto-enrollment Group Policy for a single PC
 
 This procedure is only for illustration purposes to show how the new auto-enrollment policy works. It is not recommended for the production environment in the enterprise. For bulk deployment, you should use the [Group Policy Management Console process](#configure-the-auto-enrollment-for-a-group-of-devices).
@@ -131,6 +174,50 @@ Requirements:
 > [!NOTE]
 > Version 1903 (March 2019) is actually on the Insider program and doesn't yet contain a downloadable version of Templates (version 1903).
 
+## Troubleshoot auto-enrollment of devices
+Investigate the log file if you have issues even after performing all the mandatory verification steps. The first log file to investigate is the event log on the target Windows 10 device. 
+
+To collect Event Viewer logs:
+
+1. Open Event Viewer.
+2. Navigate to Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider > Admin.
+
+    > [!Tip]
+    > For guidance on how to collect event logs for Intune, see [Collect MDM Event Viewer Log YouTube video](https://www.youtube.com/watch?v=U_oCe2RmQEc).
+
+3. Search for event ID 75, which represents a successful auto-enrollment. Here is an example screenshot that shows the auto-enrollment completed successfully:
+    ![Event ID 75](images/auto-enrollment-troubleshooting-event-id-75.png)
+
+    If you cannot find event ID 75 in the logs, it indicates that the auto-enrollment failed. This can happen because of the following reasons:
+    - The enrollment failed with error. In this case, search for event ID 76, which represents failed auto-enrollment. Here is an example screenshot that shows that the auto-enrollment failed:
+    ![Event ID 76](images/auto-enrollment-troubleshooting-event-id-76.png)
+    To troubleshoot, check the error code that appears in the event. See [Troubleshooting Windows device enrollment problems in Microsoft Intune](https://support.microsoft.com/en-ph/help/4469913/troubleshooting-windows-device-enrollment-problems-in-microsoft-intune) for more information.
+    - The auto-enrollment did not trigger at all. In this case, you will not find either event ID 75 or event ID 76. To know the reason, you must understand the internal mechanisms happening on the device as described in the following section.
+
+    The auto-enrollment process is triggered by a task (Microsoft > Windows > EnterpriseMgmt) within the task-scheduler. This task appears if the *Enable automatic MDM enrollment using default Azure AD credentials* group policy (Computer Configuration > Policies > Administrative Templates > Windows Components > MDM) is successfully deployed to the target machine as shown in the following screenshot:
+    ![Task scheduler](images/auto-enrollment-task-scheduler.png)
+
+    This task runs every 5 minutes for the duration of 1 day. To confirm if the task succeeded, check the task scheduler event logs:
+    Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational.
+    Look for an entry where the task scheduler created by enrollment client for automatically enrolling in MDM from AAD is triggered by event ID 107.
+
+    ![Event ID 107](images/auto-enrollment-event-id-107.png)
+
+    When the task is completed, a new event ID 102 is logged.
+    ![Event ID 102](images/auto-enrollment-event-id-102.png)
+
+    Note that the task scheduler log displays event ID 102 (task completed) regardless of the auto-enrollment success or failure. This means that the task scheduler log is only useful to confirm if the auto-enrollment task is triggered or not. It does not indicate the success or failure of auto-enrollment.
+
+    If you cannot see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from AAD is initiated, there is possibly issue with the group policy. Immediately run the command `gpupdate /force` in command prompt to get the GPO applied. If this still does not help, further troubleshooting on the Active Directory is required. 
+    One frequently seen error is related to some outdated enrollment entries in the registry on the target client device (HKLM > Software > Microsoft > Enrollments). If a device has been enrolled (can be any MDM solution and not only Intune), some enrollment information added into the registry is seen:
+
+    ![Outdated enrollment entries](images/auto-enrollment-outdated-enrollment-entries.png)
+
+    By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrollment. In this case, `gpupdate /force` fails to initiate the auto-enrollment task and error code 2149056522 is displayed in the Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational event log file under event ID 7016. 
+    A resolution to this issue is to remove the registry key manually. If you do not know which registry key to remove, go for the key which displays most entries as the screenshot above. All other keys will display less entries as shown in the following screenshot:
+
+    ![Manually deleted entries](images/auto-enrollment-activation-verification-less-entries.png)
+
 ### Related topics
 
 - [Group Policy Management Console](https://technet.microsoft.com/library/cc753298(v=ws.11).aspx)
@@ -140,6 +227,6 @@ Requirements:
 - [Enforce a Group Policy Object Link](https://technet.microsoft.com/library/cc753909(v=ws.11).aspx)
 
 ### Useful Links
-- [Windows 10 Administrative Templates for Windows 10 April 2018 Update 1803](https://www.microsoft.com/download/details.aspx?id=56880)
-- [Windows 10 Administrative Templates for Windows 10 October 2018 Update 1809](https://www.microsoft.com/download/details.aspx?id=57576)
 
+- [Windows 10 Administrative Templates for Windows 10 October 2018 Update 1809](https://www.microsoft.com/download/details.aspx?id=57576)
+- [Windows 10 Administrative Templates for Windows 10 April 2018 Update 1803](https://www.microsoft.com/download/details.aspx?id=56880)

windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md

@@ -56,6 +56,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
   - [What is dmwappushsvc?](#what-is-dmwappushsvc)
 
 - **Change history in MDM documentation**
+    - [August 2019](#august-2019)
     - [July 2019](#july-2019)
     - [June 2019](#june-2019)
     - [May 2019](#may-2019)
@@ -1891,6 +1892,12 @@ How do I turn if off? | The service can be stopped from the "Services" console o
 
 ## Change history in MDM documentation
 
+### August 2019
+
+|New or updated topic | Description|
+|--- | ---|
+|[Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md)|Enhanced the article to include additional reference links and the following two topics:<br>Verify auto-enrollment requirements and settings, Troubleshoot auto-enrollment of devices.|
+
 ### July 2019
 
 |New or updated topic | Description|

windows/release-information/windows-message-center.yml

@@ -50,6 +50,7 @@ sections:
     text: "
       <table border ='0'><tr><td width='80%'>Message</td><td width='20%'>Date</td></tr>
       
+      <tr><td><b>Advisory: Windows Kernel Information Disclosure Vulnerability (CVE-2019-1125)</b><br><div>On July 9, 2019, Microsoft released a security update for a Windows kernel information disclosure vulnerability (CVE-2019-1125). Customers who have Windows Update enabled and have applied the security updates released on July 9, 2019 are protected automatically; no further configuration is necessary. For more information, see <a href='https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1125' target='_blank'>CVE-2019-1125 | Windows Kernel Information Disclosure Vulnerability</a> in the Microsoft Security Update Guide. (Note: we are documenting this mitigation publicly today, instead of back in July, as part of a coordinated industry disclosure effort.)</div></td><td>August 06, 2019 <br>10:00 AM PT</td></tr>
       <tr><td><b>Resolved August 1, 2019 16:00 PT: Microsoft Store users may encounter blank screens when clicking on certain buttons</b><br><div>Some customers running the version of the Microsoft Store app released on July 29, 2019 encountered a blank screen when selecting “Switch out of S mode,” “Get Genuine,” or some “Upgrade to [version]” OS upgrade options. This issue has now been resolved and a new version of the Microsoft Store app has been released. Users who encountered this issue will need to update the Microsoft Store app on their device. If you are still encountering an issue, please see <a href='https://support.microsoft.com/help/4027498/microsoft-store-fix-problems-with-apps' target='_blank'>Fix problems with apps from Microsoft Store</a>.</div></td><td>August 01, 2019 <br>02:00 PM PT</td></tr>
       <tr><td><a href = 'https://support.microsoft.com/help/4505903' target='_blank'><b>Status update: Windows 10, version 1903 “D” release now available</b></a><br><div>The optional monthly “D” release for Windows 10, version 1903 is now available. Follow <a href='https://twitter.com/windowsupdate' target='_blank'>@WindowsUpdate</a> for the latest on the availability of this release.</div></td><td>July 26, 2019 <br>02:00 PM PT</td></tr>
       <tr><td><a href = 'https://support.microsoft.com/en-us/help/4511036/silverlight-end-of-support' target='_blank'><b>Plan for change: Microsoft Silverlight will reach end of support on October 12, 2021</b></a><br><div>After this date, Silverlight will not receive any future quality or security updates. Microsoft will continue to ship updates to the Silverlight 5 Developer Runtime for supported browsers and versions (Internet Explorer 10 and Internet Explorer 11); however, please note that support for Internet Explorer 10 will end on 31 January 2020. See the <a href='https://support.microsoft.com/en-us/help/4511036/silverlight-end-of-support' target='blank'>Silverlight end of support FAQ</a> for more details.</div></td><td>July 19, 2019 <br>12:00 AM PT</td></tr>

windows/security/threat-protection/TOC.md

@@ -249,7 +249,7 @@
 
 ##### [Manage updates and apply baselines]()
 ###### [Learn about the different kinds of updates](windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md)
-###### [Manage protection and definition updates](windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md)
+###### [Manage protection and security intelligence updates](windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md)
 ###### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md)
 ###### [Manage updates for endpoints that are out of date](windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md)
 ###### [Manage event-based forced updates](windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md)

windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md

@@ -49,7 +49,7 @@ The Microsoft Defender ATP service utilizes state of the art data protection tec
 
 There are various aspects relevant to data protection that our service takes care of. Encryption is one of the most critical and it includes data encryption at rest, encryption in flight, and key management with Key Vault. For more information on other technologies used by the Microsoft Defender ATP service, see [Azure encryption overview](https://docs.microsoft.com/azure/security/security-azure-encryption-overview). 
 
-In all scenarios, data is encrypted using 256-bit [AES encyption](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) at the minimum.
+In all scenarios, data is encrypted using 256-bit [AES encryption](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) at the minimum.
 
 
 ## Do I have the flexibility to select where to store my data?
@@ -80,7 +80,7 @@ No. Customer data is isolated from other customers and is not shared. However, i
 You can choose the data retention policy for your data. This determines how long Window Defender ATP will store your data. There’s a flexibility of choosing in the range of 1 month to six months to meet your company’s regulatory compliance needs.
 
 **At contract termination or expiration**<br>
-Your data will be kept and will be available to you while the licence is under grace period or suspended mode. At the end of this period, that data will be erased from Microsoft’s systems to make it unrecoverable, no later than 180 days from contract termination or expiration.
+Your data will be kept and will be available to you while the license is under grace period or suspended mode. At the end of this period, that data will be erased from Microsoft’s systems to make it unrecoverable, no later than 180 days from contract termination or expiration.
 
 
 ## Can Microsoft help us maintain regulatory compliance?

windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md

@@ -20,6 +20,8 @@ ms.topic: article
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
+[!include[Prerelease information](prerelease.md)]
+
 Conducting a comprehensive security product evaluation can be a complex process requiring cumbersome environment and machine configuration before an end-to-end attack simulation can actually be done. Adding to the complexity is the challenge of tracking where the simulation activities, alerts, and results are reflected during the evaluation.
 
 The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and environment configuration so that you can

windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-config.md

@@ -23,6 +23,8 @@ ms.topic: article
 
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
+[!include[Prerelease information](prerelease.md)]
+
 Learn how you can use Microsoft Defender ATP to expand the coverage of Windows Information Protection (WIP) to protect files based on their label, regardless of their origin.
 
 >[!TIP]

windows/security/threat-protection/microsoft-defender-atp/preview.md

@@ -44,6 +44,7 @@ The following features are included in the preview release:
 
 - [Evaluation lab](evaluation-lab.md) <BR> The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and environment configuration so that you can
  focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action.
+
 - [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-2008-r2-sp1--windows-server-2012-r2-and-windows-server-2016) <BR> You can now onboard Windows Server 2008 R2 SP1.
 
 - [Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac) <BR> Microsoft Defender ATP for Mac brings the next-generation protection, and endpoint detection and response coverage to Mac devices. Core components of the unified endpoint security platform will now be available for Mac devices.

windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md

@@ -1,6 +1,6 @@
 ---
 title: Apply Windows Defender Antivirus updates after certain events
-description: Manage how Windows Defender Antivirus applies protection updates after startup or receiving cloud-delivered detection reports.
+description: Manage how Windows Defender Antivirus applies security intelligence updates after startup or receiving cloud-delivered detection reports.
 keywords: updates, protection, force updates, events, startup, check for latest, notifications
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
@@ -32,7 +32,7 @@ You can use System Center Configuration Manager, Group Policy, PowerShell cmdlet
 
 1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
 
-2. Go to the **Scheduled scans** section and set **Check for the latest definition updates before running a scan** to **Yes**.
+2. Go to the **Scheduled scans** section and set **Check for the latest security intelligence updates before running a scan** to **Yes**.
 
 3. Click **OK**.
 
@@ -99,9 +99,9 @@ You can also use Group Policy, PowerShell, or WMI to configure Windows Defender
 
 3. Click **Policies** then **Administrative templates**.
 
-4. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**.
+4. Expand the tree to **Windows components > Windows Defender Antivirus > Security Intelligence Updates**.
 
-5. Double-click **Initiate definition update on startup** and set the option to **Enabled**.
+5. Double-click **Initiate security intelligence update on startup** and set the option to **Enabled**.
 
 6. Click **OK**.
 
@@ -143,7 +143,7 @@ If you have enabled cloud-delivered protection, Windows Defender AV will send fi
 3. Click **Policies** then **Administrative templates**.
 
 4. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following:
-    1. Double-click **Allow real-time definition updates based on reports to Microsoft MAPS** and set the option to **Enabled**. Click **OK**.
+    1. Double-click **Allow real-time security intelligence updates based on reports to Microsoft MAPS** and set the option to **Enabled**. Click **OK**.
     2. Double-click **Allow notifications to disable definitions based reports to Microsoft MAPS** and set the option to **Enabled**. Click **OK**.
     
 > [!NOTE]

windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md

@@ -36,10 +36,10 @@ If Windows Defender Antivirus did not download protection updates for a specifie
 
 1.  On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
 
-2.  Go to the **Definition updates** section and configure the following settings:
+2.  Go to the **Security intelligence updates** section and configure the following settings:
 
-    1. Set **Force a definition update if the client computer is offline for more than two consecutive scheduled updates** to **Yes**.
-    2. For the  **If Configuration Manager is used as a source for definition updates...**, specify the hours before which the protection updates delivered by Configuration Manager should be considered out-of-date. This will cause the next update location to be used, based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order).
+    1. Set **Force a security intelligence update if the client computer is offline for more than two consecutive scheduled updates** to **Yes**.
+    2. For the  **If Configuration Manager is used as a source for security intelligence updates...**, specify the hours before which the protection updates delivered by Configuration Manager should be considered out-of-date. This will cause the next update location to be used, based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order).
 
 3. Click **OK**.
 
@@ -55,7 +55,7 @@ If Windows Defender Antivirus did not download protection updates for a specifie
 
 4. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**.
 
-5. Double-click the **Define the number of days after which a catch-up definition update is required** setting and set the option to **Enabled**. Enter the number of days after which you want Windows Defender AV to check for and download the latest protection update.
+5. Double-click the **Define the number of days after which a catch-up security intelligence update is required** setting and set the option to **Enabled**. Enter the number of days after which you want Windows Defender AV to check for and download the latest protection update.
 
 6. Click **OK**.
 

windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md

@@ -37,13 +37,13 @@ You can also randomize the times when each endpoint checks and downloads protect
 
 1.  On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
 
-2.  Go to the **Definition updates** section.
+2.  Go to the **Security intelligence updates** section.
 
 3. To check and download updates at a certain time:
-      1. Set **Check for Endpoint Protection definitions at a specific interval...** to **0**.
-      2. Set **Check for Endpoint Protection definitions daily at...** to the time when updates should be checked.
+      1. Set **Check for Endpoint Protection security intelligence updates at a specific interval...** to **0**.
+      2. Set **Check for Endpoint Protection security intelligence updates daily at...** to the time when updates should be checked.
       3
-4. To check and download updates on a continual interval, Set **Check for Endpoint Protection definitions at a specific interval...** to the number of hours that should occur between updates.
+4. To check and download updates on a continual interval, Set **Check for Endpoint Protection security intelligence updates at a specific interval...** to the number of hours that should occur between updates.
 
 5.	[Deploy the updated policy as usual](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
 
@@ -60,9 +60,9 @@ You can also randomize the times when each endpoint checks and downloads protect
 
 5.  Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following settings:
 
-    1.  Double-click the **Specify the interval to check for definition updates** setting and set the option to **Enabled**. Enter the number of hours between updates. Click **OK**.
-    2. Double-click the **Specify the day of the week to check for definition updates** setting and set the option to **Enabled**. Enter the day of the week to check for updates. Click **OK**.
-    3. Double-click the **Specify the time to check for definition updates** setting and set the option to **Enabled**. Enter the time when updates should be checked. The time is based on the local time of the endpoint. Click **OK**.
+    1.  Double-click the **Specify the interval to check for security intelligence updates** setting and set the option to **Enabled**. Enter the number of hours between updates. Click **OK**.
+    2. Double-click the **Specify the day of the week to check for security intelligence updates** setting and set the option to **Enabled**. Enter the day of the week to check for updates. Click **OK**.
+    3. Double-click the **Specify the time to check for security intelligence updates** setting and set the option to **Enabled**. Enter the time when updates should be checked. The time is based on the local time of the endpoint. Click **OK**.
 
 
 

windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md

@@ -93,7 +93,7 @@ The procedures in this article first describe how to set the order, and then how
 
 4. Expand the tree to **Windows components > Windows Defender > Signature updates** and configure the following settings:
 
-   1.  Double-click the **Define the order of sources for downloading definition updates** setting and set the option to **Enabled**.
+   1.  Double-click the **Define the order of sources for downloading security intelligence updates** setting and set the option to **Enabled**.
 
    2.  Enter the order of sources, separated by a single pipe, for example: `InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC`, as shown in the following screenshot.
 
@@ -101,7 +101,7 @@ The procedures in this article first describe how to set the order, and then how
 
    3. Click **OK**. This will set the order of protection update sources.
 
-   4. Double-click the **Define file shares for downloading definition updates** setting and set the option to **Enabled**.
+   4. Double-click the **Define file shares for downloading security intelligence updates** setting and set the option to **Enabled**.
 
    5. Enter the file share source. If you have multiple sources, enter each source in the order they should be used, separated by a single pipe. Use [standard UNC notation](https://msdn.microsoft.com/library/gg465305.aspx) for denoting the path, for example: `\\host-name1\share-name\object-name|\\host-name2\share-name\object-name`.  If you do not enter any paths then this source will be skipped when the VM downloads updates.
 

windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md

@@ -56,7 +56,7 @@ You can opt-in to Microsoft Update on the mobile device in one of the following
 
 5.  Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**.
 
-6.  Double-click the **Allow definition updates from Microsoft Update** setting and set the option to **Enabled**. Click **OK**.
+6.  Double-click the **Allow security intelligence updates from Microsoft Update** setting and set the option to **Enabled**. Click **OK**.
 
 
 **Use a VBScript to opt-in to Microsoft Update**
@@ -75,7 +75,7 @@ You can opt-in to Microsoft Update on the mobile device in one of the following
 
 You can configure Windows Defender Antivirus to only download protection updates when the PC is connected to a wired power source. 
 
-**Use Group Policy to prevent definition updates on battery power:**
+**Use Group Policy to prevent security intelligence updates on battery power:**
 
 1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
 
@@ -85,7 +85,7 @@ You can configure Windows Defender Antivirus to only download protection updates
 
 5.  Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following setting:
 
-    1. Double-click the **Allow definition updates when running on battery power** setting and set the option to **Disabled**. 
+    1. Double-click the **Allow security intelligence updates when running on battery power** setting and set the option to **Disabled**. 
     2. Click **OK**. This will prevent protection updates from downloading when the PC is on battery power.
 
 

windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md

@@ -94,7 +94,7 @@ Important tasks, such as controlling product settings and triggering on-demand s
 |Protection   |Do a quick scan                            |`mdatp --scan --quick`                                                 |
 |Protection   |Do a full scan                             |`mdatp --scan --full`                                                  |
 |Protection   |Cancel an ongoing on-demand scan           |`mdatp --scan --cancel`                                                |
-|Protection   |Request a definition update                |`mdatp --definition-update`                                            |
+|Protection   |Request a security intelligence update                |`mdatp --definition-update`                                            |
 
 ## Microsoft Defender ATP portal information
 

windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md

@@ -1487,7 +1487,7 @@ Symbolic name:
 Message:
 </td>
 <td >
-<b>The antimalware definition update failed. 
+<b>The security intelligence update failed. 
 </b>
 </td>
 </tr>
@@ -1498,12 +1498,12 @@ Description:
 <td >
 Windows Defender Antivirus has encountered an error trying to update signatures.
 <dl>
-<dt>New Signature Version: &lt;New version number&gt;</dt>
-<dt>Previous Signature Version: &lt;Previous signature version&gt;</dt>
+<dt>New security intelligence version: &lt;New version number&gt;</dt>
+<dt>Previous security intelligence version: &lt;Previous version&gt;</dt>
 <dt>Update Source: &lt;Update source&gt;, for example:
 <ul>
-<li>Signature update folder</li>
-<li>Internal definition update server</li>
+<li>Security intelligence update folder</li>
+<li>Internal security intelligence update server</li>
 <li>Microsoft Update Server</li>
 <li>File share</li>
 <li>Microsoft Malware Protection Center (MMPC)</li>

windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md

@@ -124,20 +124,20 @@ Scan | Specify the scan type to use for a scheduled scan | [Configure scheduled
 Scan | Specify the time for a daily quick scan | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
 Scan | Specify the time of day to run a scheduled scan | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
 Scan | Start the scheduled scan only when computer is on but not in use | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
-Security intelligence updates | Allow definition updates from Microsoft Update | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
-Security intelligence updates | Allow definition updates when running on battery power | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
+Security intelligence updates | Allow security intelligence updates from Microsoft Update | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
+Security intelligence updates | Allow security intelligence updates when running on battery power | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
 Security intelligence updates | Allow notifications to disable definitions based repots to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
-Security intelligence updates | Allow real-time definition updates based on reports to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
+Security intelligence updates | Allow real-time security intelligence updates based on reports to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
 Security intelligence updates | Check for the latest virus and spyware definitions on startup | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
-Security intelligence updates | Define file shares for downloading definition updates | [Manage Windows Defender Antivirus protection and definition updates](manage-protection-updates-windows-defender-antivirus.md)
-Security intelligence updates | Define the number of days after which a catch up definition update is required | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
+Security intelligence updates | Define file shares for downloading security intelligence updates | [Manage Windows Defender Antivirus protection and security intelligence updates](manage-protection-updates-windows-defender-antivirus.md)
+Security intelligence updates | Define the number of days after which a catch up security intelligence update is required | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
 Security intelligence updates | Define the number of days before spyware definitions are considered out of date | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
 Security intelligence updates | Define the number of days before virus definitions are considered out of date | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
-Security intelligence updates | Define the order of sources for downloading definition updates | [Manage Windows Defender Antivirus protection and definition updates](manage-protection-updates-windows-defender-antivirus.md)
-Security intelligence updates | Initiate definition update on startup | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
-Security intelligence updates | Specify the day of the week to check for definition updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
-Security intelligence updates | Specify the interval to check for definition updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
-Security intelligence updates | Specify the time to check for definition updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
+Security intelligence updates | Define the order of sources for downloading security intelligence updates | [Manage Windows Defender Antivirus protection and security intelligence updates](manage-protection-updates-windows-defender-antivirus.md)
+Security intelligence updates | Initiate security intelligence update on startup | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
+Security intelligence updates | Specify the day of the week to check for security intelligence updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
+Security intelligence updates | Specify the interval to check for security intelligence updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
+Security intelligence updates | Specify the time to check for security intelligence updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
 Security intelligence updates | Turn on scan after Security intelligence update | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
 Threats | Specify threat alert levels at which default action should not be taken when detected | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md)
 Threats | Specify threats upon which default action should not be taken when detected | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md)

windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md

@@ -85,7 +85,7 @@ This section describes how to perform some of the most common tasks when reviewi
 4. Click **Run a new advanced scan** to specify different types of scans, such as a full scan.
 
 <a id="definition-version"></a>
-**Review the definition update version and download the latest updates in the Windows Security app**
+**Review the security intelligence update version and download the latest updates in the Windows Security app**
 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
 
 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).

windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md

@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.localizationpriority: medium
 author: dansimp
+audience: ITPro
 ms.date: 04/09/2019
 ms.reviewer: 
 manager: dansimp
@@ -149,6 +150,11 @@ Pick the correct version of each .dll for the Windows release you plan to suppor
   <Deny ID="ID_DENY_MWFC" FriendlyName="Microsoft.Workflow.Compiler.exe" FileName="Microsoft.Workflow.Compiler.exe" MinimumFileVersion="65535.65535.65535.65535" /> 
   <Deny ID="ID_DENY_WFC" FriendlyName="WFC.exe" FileName="wfc.exe" MinimumFileVersion="65535.65535.65535.65535" />   
   <Deny ID="ID_DENY_KILL" FriendlyName="kill.exe" FileName="kill.exe" MinimumFileVersion="65535.65535.65535.65535" />  
+  <Deny ID="ID_DENY_MSBUILD_DLL" FriendlyName="MSBuild.dll" FileName="MSBuild.dll" MinimumFileVersion="65535.65535.65535.65535" />
+  <Deny ID="ID_DENY_DOTNET" FriendlyName="dotnet.exe" FileName="dotnet.exe" MinimumFileVersion="65535.65535.65535.65535" />
+  <Deny ID="ID_DENY_MS_BUILD" FriendlyName="Microsoft.Build.dll" FileName="Microsoft.Build.dll" MinimumFileVersion="65535.65535.65535.65535" /> 
+  <Deny ID="ID_DENY_MS_BUILD_FMWK" FriendlyName="Microsoft.Build.Framework.dll" FileName="Microsoft.Build.Framework.dll" MinimumFileVersion="65535.65535.65535.65535" /> 
+
   <!-- msxml3.dll pick correct version based on release you are supporting -->
   <!-- msxml6.dll pick correct version based on release you are supporting -->     
   <!-- jscript9.dll pick correct version based on release you are supporting -->
@@ -885,6 +891,10 @@ Pick the correct version of each .dll for the Windows release you plan to suppor
   <FileRuleRef RuleID="ID_DENY_MSXML3" /> 
   <FileRuleRef RuleID="ID_DENY_MSXML6" /> 
   <FileRuleRef RuleID="ID_DENY_JSCRIPT9" />
+  <FileRuleRef RuleID="ID_DENY_MSBUILD_DLL" /> 
+  <FileRuleRef RuleID="ID_DENY_DOTNET" /> 
+  <FileRuleRef RuleID="ID_DENY_MS_BUILD" /> 
+  <FileRuleRef RuleID="ID_DENY_MS_BUILD_FMWK" /> 
   <FileRuleRef RuleID="ID_DENY_D_1"/>
   <FileRuleRef RuleID="ID_DENY_D_2"/> 
   <FileRuleRef RuleID="ID_DENY_D_3"/> 
@@ -1499,6 +1509,5 @@ Pick the correct version of each .dll for the Windows release you plan to suppor
   <CiSigners /> 
   <HvciOptions>0</HvciOptions> 
   </SiPolicy>
-
 ```
 <br />

windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md

@@ -11,8 +11,9 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: levinec
 ms.author: ellevin
-ms.date: 11/29/2018
-ms.reviewer: 
+audience: ITPro
+ms.date: 08/05/2019
+ms.reviewer: v-maave
 manager: dansimp
 ---
 
@@ -22,14 +23,17 @@ manager: dansimp
 
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients.
-Controlled folder access works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
+Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It protects your data by checking against a list of known, trusted apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. It can be turned on via the Windows Security App, or from the System Center Configuration Manager (SCCM) and Intune, for managed devices. Controlled folder access works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
 
-All apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Windows Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder.
+Controlled folder access works by only allowing apps to access protected folders if the app is included on a list of trusted software. If an app isn't on the list, Controlled folder access will block it from making changes to files inside protected folders.
 
-This is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage.
+Apps are added to the trusted list based upon their prevalence and reputation. Apps that are highly prevalent throughout your organization, and that have never displayed any malicious behavior, are deemed trustworthy and automatically added to the list.
 
-A notification will appear on the computer where the app attempted to make changes to a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
+Apps can also be manually added to the trusted list via SCCM and Intune. Additional actions, such as [adding a file indicator](../microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) for the app, can be performed from the Security Center Console.
+
+Controlled folder access is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage.
+
+With Controlled folder access in place, a notification will appear on the computer where the app attempted to make changes to a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
 
 The protected folders include common system folders, and you can [add additional folders](customize-controlled-folders-exploit-guard.md#protect-additional-folders). You can also [allow or whitelist apps](customize-controlled-folders-exploit-guard.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders.
 
@@ -49,7 +53,7 @@ You can query Microsoft Defender ATP data by using [Advanced hunting](https://do
 
 Here is an example query
 
-```
+```PowerShell
 MiscEvents
 | where ActionType in ('ControlledFolderAccessViolationAudited','ControlledFolderAccessViolationBlocked')
 ```
@@ -60,15 +64,15 @@ You can review the Windows event log to see events that are created when control
 
 1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine.
 
-2. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
+1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
 
-3. On the left panel, under **Actions**, click **Import custom view...**.
+1. On the left panel, under **Actions**, click **Import custom view...**.
 
-4. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
+1. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
 
-4. Click **OK**.
+1. Click **OK**.
 
-5. This will create a custom view that filters to only show the following events related to controlled folder access:
+1. This will create a custom view that filters to only show the following events related to controlled folder access:
 
 Event ID | Description
 -|-
@@ -76,7 +80,6 @@ Event ID | Description
 1124 | Audited controlled folder access event
 1123 | Blocked controlled folder access event
 
-
 ## In this section
 
 Topic | Description